LinuxQuestions.org - Linux - Security - Very strange activity - EXE running as apache?? (http://www.linuxquestions.org/questions/linux-security-4/very-strange-activity-exe-running-as-apache-226043/)

lucastic 09-03-2004 03:29 AM

Very strange activity - EXE command running as user apache??
 
Hello,

Mini server-
Redhat 9
Apache 2.0.40

About an hour or so ago I was checking my CPU and average loads etc, via MRTG when I noticed my CPU had shot up to 90% in the last hour or two. Normally it sits at about 4%

I could hear it working away hard. So I had a look at the 'top' output and noticed something running I had not seen before.

8616 apache 25 0 488 488 412 R 99.8 0.0 0:07 0 exe


The pid kept changing every couple of minutes too.

So then I did lsof -i and got the following

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
snmpd 1536 root 8u IPv4 1667 TCP *:smux (LISTEN)
snmpd 1536 root 9u IPv4 1712 UDP *:snmp
sshd 1545 root 3u IPv4 1677 TCP *:ssh (LISTEN)
xinetd 1559 root 5u IPv4 1707 TCP *:pop3 (LISTEN)
xinetd 1559 root 8u IPv4 1710 UDP *:887
mysqld 1601 mysql 3u IPv4 1793 TCP *:mysql (LISTEN)
master 1673 root 11u IPv4 1837 TCP *:smtp (LISTEN)
vsftpd 2042 root 3u IPv4 4343 TCP *:ftp (LISTEN)
exe 8649 apache 3u IPv4 1943 TCP *:http (LISTEN)
exe 8649 apache 17u IPv4 4814 TCP me.mydomain.com:32772->219.114.105.188:auth (ESTABLISHED)

The weird thing is there are normally instances of httpd running and listening on *:http and, again, I have never seen this exe program running before, and for about ten minutes that I was watching it was constantly connected to the IP address above.

I killed httpd with /etc/init.d/httpd stop but exe kept running and was still 'connection established' with 219.114.105.188 on port 113.


I searched through my server for an exe command but could find nothing?

I stopped the internet connection, killed the pid associated with exe, and for about an hour now it has not returned and apache is running as normal...

Anyone got any idea where I can look for more clues as to what this could have been? I have snort running and it did not detect anything unusual; none of my logs, at first sight, seem to be unusual??

Quite perplexed by this one, and a bit hesitant to leave apache on without knowing what caused this strange problem.

Anyone had a similar experience?

Thanks

Lucas
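The triage in the post above (top, lsof -i, then a search for the binary) can be scripted so that nothing in the listener table is judged by eye. The following is an added example, not code from the thread: it parses the lsof -i lines exactly as Lucas posted them, reports any listening socket whose (command, user) pair differs from an assumed per-host baseline, reports any outbound ESTABLISHED session owned by an unprivileged daemon account, and, on a live Linux host, reads /proc/<pid>/exe, cwd and cmdline for a suspect PID. The EXPECTED_LISTENERS table and the SERVICE_ACCOUNTS set are assumptions for this host and must be adapted; the kernel appends " (deleted)" to the exe link when the binary has been unlinked, which is one reason a filesystem search for "exe" can come up empty while the process keeps running.

```python
import os
import re

# lsof -i output as shown in the post (sample input for this example).
LSOF_OUTPUT = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
snmpd 1536 root 8u IPv4 1667 TCP *:smux (LISTEN)
snmpd 1536 root 9u IPv4 1712 UDP *:snmp
sshd 1545 root 3u IPv4 1677 TCP *:ssh (LISTEN)
xinetd 1559 root 5u IPv4 1707 TCP *:pop3 (LISTEN)
xinetd 1559 root 8u IPv4 1710 UDP *:887
mysqld 1601 mysql 3u IPv4 1793 TCP *:mysql (LISTEN)
master 1673 root 11u IPv4 1837 TCP *:smtp (LISTEN)
vsftpd 2042 root 3u IPv4 4343 TCP *:ftp (LISTEN)
exe 8649 apache 3u IPv4 1943 TCP *:http (LISTEN)
exe 8649 apache 17u IPv4 4814 TCP me.mydomain.com:32772->219.114.105.188:auth (ESTABLISHED)
"""

# Assumed baseline for this host (not from the thread): which (command, user)
# pair may own each listening port.  Anything else that listens is reported.
EXPECTED_LISTENERS = {
    "smux": ("snmpd", "root"), "snmp": ("snmpd", "root"),
    "ssh": ("sshd", "root"), "pop3": ("xinetd", "root"), "887": ("xinetd", "root"),
    "mysql": ("mysqld", "mysql"), "smtp": ("master", "root"),
    "ftp": ("vsftpd", "root"), "http": ("httpd", "apache"),
}

# Assumed: daemon accounts that never need to open outbound TCP sessions.
SERVICE_ACCOUNTS = {"apache", "mysql", "nobody"}

# One lsof -i row: COMMAND PID USER FD TYPE DEVICE NODE NAME [(STATE)]
# (the SIZE column is blank for sockets, so it does not appear in the row).
ROW = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+\S+\s+\d+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>\w+)\))?$"
)


def parse_lsof(text):
    """Turn lsof -i text into dicts; the header and unparsable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        local, _, remote = d["name"].partition("->")
        d["pid"] = int(d["pid"])
        d["local_port"] = local.rsplit(":", 1)[-1]   # "*:http" -> "http"
        d["remote"] = remote or None                  # "219.114.105.188:auth"
        rows.append(d)
    return rows


def triage(rows):
    """Return (kind, command, pid, user, detail) tuples worth a closer look."""
    findings = []
    for r in rows:
        owner = (r["cmd"], r["user"])
        port = r["local_port"]
        is_listener = r["state"] == "LISTEN" or (r["proto"] == "UDP" and r["remote"] is None)
        if is_listener:
            expected = EXPECTED_LISTENERS.get(port)
            if expected is None:
                findings.append(("unknown-listener", r["cmd"], r["pid"], r["user"], port))
            elif expected != owner:
                findings.append(("unexpected-listener", r["cmd"], r["pid"], r["user"], port))
        elif r["state"] == "ESTABLISHED" and r["user"] in SERVICE_ACCOUNTS:
            findings.append(("service-account-egress", r["cmd"], r["pid"], r["user"], r["remote"]))
    return findings


def describe_process(pid):
    """Facts about a live PID that top/lsof hide: the binary actually mapped
    (Linux appends ' (deleted)' if it was unlinked), its cwd and its argv.
    Returns None when /proc is unavailable, the PID is gone, or access is denied."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/cmdline", "rb") as f:
            argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
        return {"exe": os.readlink(f"{base}/exe"),
                "cwd": os.readlink(f"{base}/cwd"),
                "argv": argv}
    except OSError:
        return None


if __name__ == "__main__":
    for finding in triage(parse_lsof(LSOF_OUTPUT)):
        print(*finding)
    own = describe_process(os.getpid())
    if own:
        print("this process:", own["exe"], own["cwd"], own["argv"])
```

Run against the posted output it flags exactly the two lines Lucas noticed: "exe" owning *:http in place of httpd, and the apache-owned session to 219.114.105.188:auth. For a live suspect, call describe_process(pid) before killing it, since /proc entries vanish with the process and the exe link is the only pointer to a binary that has already been removed from disk.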

mindspin 09-03-2004 04:54 AM

I checked the IP address @ http://arul.telenet-systems.com/track.html
And I found that it was some Japanese network which has connected to your PC. Configured your firewall correctly?

Maybe you got some kind of hack software on your PC?

Quote:

Extra Technical Information

inetnum: 219.96.0.0 - 219.127.255.255
netname: JPNIC-NET-JP
descr: Japan Network Information Center
country: JP
admin-c: JNIC1-AP
tech-c: JNIC1-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-JPNIC
changed: hostmaster@apnic.net 20020307
status: ALLOCATED PORTABLE
source: APNIC

role: Japan Network Information Center
address: Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda
address: Chiyoda-ku, Tokyo 101-0047, Japan
country: JP
phone: +81-3-5297-2311
fax-no: +81-3-5297-2312
e-mail: hostmaster@nic.ad.jp
admin-c: SS13-AP
tech-c: SY7-AP
nic-hdl: JNIC1-AP
mnt-by: MAINT-JPNIC
changed: apnic-ftp@nic.ad.jp 19990629
changed: ip-staff@nic.ad.jp 20030806
source: APNIC

inetnum: 219.114.105.184 - 219.114.105.191
netname: JMI-NET
descr: JAPAN MEAT INFORMATION SERVICE CENTER
country: JP
admin-c: NK3367JP
tech-c: NK3367JP
remarks: This information has been partially mirrored by APNIC from
remarks: JPNIC. To obtain more specific information, please use the
remarks: JPNIC whois server at whois.nic.ad.jp. (This defaults to
remarks: Japanese output, use the /e switch for English output)
changed: apnic-ftp@nic.ad.jp 20021001
remarks: This information has been partially mirrored by APNIC from
remarks: JPNIC. To obtain more specific information, please use the
remarks: JPNIC whois server at whois.nic.ad.jp. (This defaults to
remarks: Japanese output, use the /e switch for English output)
changed: apnic-ftp@nic.ad.jp 20040901
source: JPNIC

lucastic 09-03-2004 05:01 AM

I do not use a deny all type firewall, so maybe no it is not setup correctly for this problem?
