LinuxQuestions.org
Old 01-30-2013, 09:34 AM   #1
Sabinou
Member
 
Registered: Jan 2006
Location: France
Distribution: Debian Wheezy, Webmin + Virtualmin (remote dedi)
Posts: 214

Restart a user's server, or mass-kill processes?


Hello,

Despite having a dedicated server running my websites, I'm far from being a professional, so I'm coming here with a request for help, if you can.

That's a long story, because, well, honestly, I'd rather write too much than not enough.

My dedicated server runs Debian Squeeze, with, installed on top of it, Webmin + Virtualmin. Each user has a different website and a different set of files in /home/username/, each website is a different virtual account.
The server was installed and configured for me by a professional, who charged me for this. That person is already working for a few of my friends and their businesses, so I know I can trust him. I can ask him for further help on the condition that I don't ask for it often; however, as much as I can, I try to fix problems by myself, that's the best way to learn.
As for me, I'm not new to Linux and the shell, but I still have a lot to learn, haha.

OK, my problem:
- one of the user accounts got compromised (my wife uploaded an old wordpress theme with a compromised timthumb.php file, I saw the problem months later when the server became slow),
- crapware was injected (my wife's blog's theme was updated with a code injection, "control tower files" in php and perl were added to /home/username/public_html/ , to /home/username/public_html/secondary-blog/ , to /tmp/ and /dev/shm (and maybe elsewhere, but then I don't know, I scanned every subfolder of the user accounts, I know tmp and dev/shm can host user's files, but I don't know of any other location)),
- I think I cleaned up everything that could be cleaned up, removing all presence or reference to the .php and .pl badware, removing every goddamn timthumb.php file, using a binary comparison tool against an old uncompromised backup to check that all my wife's blog files were legit.
- however, my server is still not back to normal, some resources aren't back to how they used to be

Some elements show a recovery once I made my cleanup, fortunately, like the CPU usage returning to normal (cf. the end of the "CPU day" graph http://imgur.com/d0CEk8V, as opposed to week http://imgur.com/jXeUt1i, and month http://imgur.com/I925I9v).

But some other elements that didn't change are :
- the number of running processes surged from around 450-500 to around 2200 now
- Some elements seen in my monitoring didn't return to normal, as in these screenshots :
http://imgur.com/e3ljl4C
http://imgur.com/CtV90xU

--> That means not everything is safe, there may be unwanted processes still running in memory, and I don't know if they'll ever stop by themselves, or, worse, if they won't reinstate harmful files on the disk
And I don't know how to get rid of these unwanted processes.

So... I'm wondering...

Do you know if it is possible to make the server for the compromised user restart, and only for that user?
My hope is that only the legit processes would run this time, since the compromise files were deleted (hopefully!)

Otherwise, I also considered force-killing all idle processes, but
- I don't know how to do that
- I learned this wasn't wise, since several legitimate core processes lie sleeping most of the time, and killing them could compromise the website behind the user account

In virtualmin, I clicked to restart every essential system service, one by one, as in this screenshot,
http://imgur.com/fvQUiBu
But that didn't fix the problem.

Apart from that, save a whole reboot of the whole server, I don't know what I can do... And I'd rather not have to reboot the whole server just because of one user account.

Please, would you have a suggestion about it?

Sorry for the very long thread, and sorry if it sounded confused!
Greetings,
Sabinou

Last edited by Sabinou; 01-30-2013 at 09:38 AM.
 
Old 01-30-2013, 11:43 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by Sabinou View Post
That's a long story, because, well, honestly, I'd rather write too much than not enough.
...and as long as it contains the necessary facts that's definitely appreciated.


Quote:
Originally Posted by Sabinou View Post
My dedicated server runs Debian Squeeze, with, installed on top of it, Webmin + Virtualmin. Each user has a different website and a different set of files in /home/username/, each website is a different virtual account. (..) I'm not new to Linux and the shell, but I still have a lot to learn (..)
If that's the same server as in this thread then you had about a year's time to learn ;-p


Quote:
Originally Posted by Sabinou View Post
one of the user accounts got compromised (..) I saw the problem months later when the server became slow
...which points to constant monitoring, timely alerting if conditions change, knowing what users run and educating users.


Quote:
Originally Posted by Sabinou View Post
crapware was injected (..) I scanned every subfolder of the user accounts, I know tmp and dev/shm can host user's files, but I don't know of any other location (..) I think I cleaned up everything that could be cleaned up, removing all presense or reference to the .php and .pl badware, removing every goddamn timthumb.php file, using a binary comparison tool against an old uncompromised backup
Well, you certainly did a lot and that's commendable. Removing that vulnerable software, including themes and plugins, helps avoid exposing the same problem again. Comparing against a known safe backup verifies files are (or not) as they were. That's good. The question is if you used any old backup to restore files. If the backup was taken before you realized the web site was compromised then those files (configuration files, database, .htaccess, plugins, themes, includes, uploaded files with wrong extensions) may contain the same or other vulnerabilities. And to make sure: even if you didn't restore from backup, the site, or an adjacent one, may have other vulnerabilities, and if you didn't change passwords then a perp could well use the old credentials.


Quote:
Originally Posted by Sabinou View Post
(..) however, my server is still not back to normal, some resources aren't back to how they used to be (..) the number of running processes, surged from around 450-500 to now around 2200 (..) That means not everything is safe, there may be unwanted processes still running in memory, and I don't know if they'll ever stop by themselves, or, worse, if they won't reinstate harmful files on the disk (..) And I don't know how to get rid of these unwanted processes.
There's a few things you should do, order doesn't matter, doing them does. And please don't rely on your web-based panel but instead use software the system provides. Want to know about query performance? Run MySQL Top. Want to know about page requests? Run Apache Top. Want to know what processes run? Use 'ps'. Want to know what processes take up most of the resources? Use a SAR like Atop, Dstat, Collectl (or even play sar). Want to know what files a process keeps open? Use 'lsof'. Want to know about errors and anomalies in your system and daemon log files? Run Logwatch. Etc, etc. A web-based management panel helps those who have theoretical knowledge and practical experience but for those that don't it doesn't.

- List exactly what software, themes and plugins all web sites run. Check if it is up to date, not messed with and if there's no more odd uploaded files.
- There's a scanner that detects lots of malware called "Linux Malware Detect" or LMD for short. I suggest you install and run it regularly.
- The machine runs Suhosin, OK, but does it also adhere to what this suggests: http://codex.wordpress.org/Hardening_WordPress ?
- What access is allowed? Is anonymous FTP possible? Does SSH rely on passwords instead of pubkey auth? What other services are accessible?
- Who has an account? Are there any changes? New database users?
- Run Logwatch on your system and daemon log files as it's the quickest way to generate a list of potential issues to investigate. Check the report for "odd" requests like evidence of HTTP encoding or system command usage, uncommon requests, seemingly unrelated error output, odd user logins, etc.
- List all network connections and check for outbound requests to FTP, SSH, SMTP, HTTP and IRC ports.
- List all processes in detail and check for seemingly innocuous names. For example if your web server is "/usr/sbin/httpd" then seeing "/usr/local/bin/httpd -DSSL" or "/tmp/.ICE-unix/httpd" processes are suspicious.
* Add any details you think are related. When you reply please reply in detail (preferably in [CODE]vBB code tags[/CODE]) and attach large texts to your reply.


[EDIT]
Code:
# Additionally some system commands to help gather information.
# If you get a "command not found" error then either search for it
# ('which ps; locate lsof; whereis lsof') or install it.
# Do review output before posting / attaching:

# Save your iptables rule set:
iptables-save > /tmp/iptables.txt

# Save process list. Backslash to stop alias args:
\ps axfwww -opid,ppid,gid,uid,args > /tmp/ps.txt

# Open files:
lsof -Pwln > /tmp/openfiles.txt 2>&1

# Example: show all processes with "http" in the name. ('-C' only matches the
# exact command name, so filter the full list instead.)
\ps --no-headers -eo ppid,pid,uid,args | grep -i http
# the same using 'lsof':
pgrep -f http | xargs -I X \lsof -Pwlnp X

# List network connections:
\netstat -anTpe > /tmp/net.txt

# Example: grep list for established connections whose remote end is an FTP, SSH,
# SMTP, HTTP(S) or IRC port (might be quite a log on a web server). The state column
# follows the foreign address, so this only matches the remote port:
grep -E ':(20|21|22|25|80|443|6667)[[:space:]]+ESTABLISHED' /tmp/net.txt

# Local user accounts:
( cat /etc/passwd; \lastlog; \last -wai; \who -a ) > /tmp/users.txt 2>&1

# Installed software (its own file, so the user list above is not overwritten):
dpkg --get-selections > /tmp/packages.txt

# Logwatch:
logwatch --detail High --service All --range All --archives --numeric --save /tmp/logwatch.txt

# Find out WP version (if not deliberately obfuscated) remotely. Fetch the raw HTML:
# a rendered text dump would drop the <meta name="generator"> tag:
curl -s http://www.website.name/ | grep -i 'name="generator"'

# Find out WP version locally. The '?' must be a literal (-F), not a regex quantifier;
# wp-includes/version.php is the authoritative place:
grep -r -F -i '.css?ver=' /docroot/website.name/
grep '^\$wp_version' /docroot/website.name/wp-includes/version.php
[/EDIT]

Last edited by unSpawn; 01-30-2013 at 04:44 PM. Reason: //Added some command examples
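The last two bullets of the checklist above (processes with innocuous names, processes whose files are gone) as an added example, not code from the post or from any tool it names. It walks /proc on a Linux host, so it needs root to see every account's processes; the directory and daemon-name lists are this example's own assumptions, and the inputs used in the self-checks are constructed.

```shell
#!/bin/sh
# Added example, not part of the post above: flag running processes that show the
# signs of a left-over backdoor named in the checklist (binary under /tmp or /dev/shm,
# binary deleted from disk while still running, a daemon-looking name that is really
# an interpreter). Assumes a Linux /proc; the lists below are this example's assumptions.

# No legitimate service binary should live here (review hits, don't kill blindly).
UNTRUSTED_DIRS='/tmp /var/tmp /dev/shm /home /var/www'
# World-writable scratch dirs: an interpreter whose cwd is here was very likely
# started by a dropper, not by an admin.
SCRATCH_DIRS='/tmp /var/tmp /dev/shm'
# Names a bot likes to hide behind (perl's $0, or a renamed copy of the binary).
DAEMON_NAMES='httpd apache2 sshd crond cron syslogd rsyslogd mysqld'
INTERPRETERS='perl python python2 python3 php php5 php-cgi sh bash dash'

# in_list WORD "LIST": true if WORD is one of the space-separated LIST items.
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# classify_proc EXE CWD CMDLINE: print one reason per line, nothing if the process
# looks normal. EXE is readlink of /proc/<pid>/exe ("<path> (deleted)" once the file
# is unlinked, which is how an "already cleaned" disk looks from the bot's side),
# CWD is readlink of /proc/<pid>/cwd, CMDLINE is argv joined with spaces.
classify_proc() {
    exe=$1 cwd=$2 cmdline=$3
    exe_path=${exe% (deleted)}
    exe_name=${exe_path##*/}
    argv0=${cmdline%% *}
    argv0_name=${argv0##*/}

    case $exe in
        *' (deleted)') echo "binary deleted from disk but still running: $exe_path" ;;
    esac
    for d in $UNTRUSTED_DIRS; do
        case $exe_path in "$d"/*) echo "binary runs from untrusted dir: $exe_path" ;; esac
    done
    if in_list "$exe_name" "$INTERPRETERS"; then
        if in_list "$argv0_name" "$DAEMON_NAMES"; then
            echo "argv[0] '$argv0' masquerades as a daemon but the binary is $exe_name"
        fi
        for d in $SCRATCH_DIRS; do
            case $cwd in "$d"|"$d"/*) echo "$exe_name started from scratch dir: $cwd" ;; esac
        done
    elif in_list "$exe_name" "$DAEMON_NAMES"; then
        case $exe_path in
            /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/lib/*) ;;
            *) echo "daemon name '$exe_name' outside the system bin dirs: $exe_path" ;;
        esac
    fi
}

# scan_live: walk /proc and print "pid uid=N exe: reason" for every flagged process.
# Kernel threads have no exe link and unreadable (other users', without root) or
# already-exited processes are skipped.
scan_live() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        cwd=$(readlink "$p/cwd" 2>/dev/null) || cwd=
        cmdline=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null) || cmdline=
        uid=$(awk '$1 == "Uid:" { print $2; exit }' "$p/status" 2>/dev/null) || uid='?'
        classify_proc "$exe" "$cwd" "${cmdline% }" | while IFS= read -r reason; do
            printf '%s uid=%s %s: %s\n' "$pid" "$uid" "$exe" "$reason"
        done
    done
}

# Usage (as root): . ./this_script.sh; scan_live
```

For a perl bot the binary is /usr/bin/perl and the script file was read and closed long ago, so the "deleted" check says nothing about it; the argv[0] and working-directory checks are what catch it, and `lsof -Pwlnp <pid>` on a hit then shows the IRC or HTTP socket it holds open. Hits under /home need a look rather than a reflex kill, since some accounts legitimately run their own binaries.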
 
Old 01-30-2013, 12:38 PM   #3
colucix
LQ Guru
 
Registered: Sep 2003
Location: Bologna
Distribution: CentOS 6.5 OpenSuSE 12.3
Posts: 10,509

Moved: This thread is more suitable in Linux - Security and has been moved accordingly to help your thread/question get the exposure it deserves.
 
  

