Old 09-03-2004, 04:29 AM   #1
lucastic
Member
 
Registered: Aug 2003
Location: Oz
Distribution: Gentoo - Debian
Posts: 202

Rep: Reputation: 30
Very strange activity - EXE command running as user apache??


Hello,

Mini server-
Redhat 9
Apache 2.0.40

About an hour or so ago I was checking my CPU and average loads etc, via MRTG when I noticed my CPU had shot up to 90% in the last hour or two. Normally it sits at about 4%

I could hear it working away hard. So I had a look at the 'top' output and noticed something running I had not seen before.

8616 apache 25 0 488 488 412 R 99.8 0.0 0:07 0 exe


The pid kept changing every couple of minutes too.

So then I did lsof -i and got the following

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
snmpd 1536 root 8u IPv4 1667 TCP *:smux (LISTEN)
snmpd 1536 root 9u IPv4 1712 UDP *:snmp
sshd 1545 root 3u IPv4 1677 TCP *:ssh (LISTEN)
xinetd 1559 root 5u IPv4 1707 TCP *:pop3 (LISTEN)
xinetd 1559 root 8u IPv4 1710 UDP *:887
mysqld 1601 mysql 3u IPv4 1793 TCP *:mysql (LISTEN)
master 1673 root 11u IPv4 1837 TCP *:smtp (LISTEN)
vsftpd 2042 root 3u IPv4 4343 TCP *:ftp (LISTEN)
exe 8649 apache 3u IPv4 1943 TCP *:http (LISTEN)
exe 8649 apache 17u IPv4 4814 TCP me.mydomain.com:32772->219.114.105.188:auth (ESTABLISHED)

The weird thing is there are normally instances of httpd running and listening on *:http and, again, I have never seen this exe program running before, and for about ten minutes that I was watching it was constantly connected to the ip address above

I killed httpd with /etc/init.d/httpd stop but exe kept running and was still 'connection established' with 219.114.105.188 on port 113


I searched through my server for an exe command but could find nothing?

I stopped the internet connection killed the pid associated with exe and for about an hour now it has not returned and apache is running as normal...

Anyone got any idea where I can look for more clues as to what this could have been? I have snort running and it did not detect anything unusual; none of my logs, at first sight, seem to be unusual.

Quite perplexed by this one, and a bit hesitant to leave apache on without knowing what caused this strange problem.

Anyone had a similar experience?

Thanks

Lucas

Last edited by lucastic; 09-03-2004 at 04:31 AM.
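A triage helper written for this thread (not code from the original post or any poster): it parses the lsof -i rows quoted above, flags a listener owned by a command other than the daemon expected on that port and an outbound connection held by the apache service account, and shows how /proc/<pid>/exe reveals where a running binary actually lives when a search of the filesystem by name turns up nothing. The EXPECTED_LISTENER baseline and the SERVICE_USERS set are assumptions for this particular box.

```python
import os
import re

# Constructed sample input: the lsof -i rows quoted in the post above.
LSOF_SAMPLE = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 1545 root 3u IPv4 1677 TCP *:ssh (LISTEN)
exe 8649 apache 3u IPv4 1943 TCP *:http (LISTEN)
exe 8649 apache 17u IPv4 4814 TCP me.mydomain.com:32772->219.114.105.188:auth (ESTABLISHED)
"""

# Assumed baseline for this box: the daemon that should own each listening port.
EXPECTED_LISTENER = {"http": "httpd", "ssh": "sshd", "mysql": "mysqld"}
# Assumed: service accounts that should never hold outbound connections themselves.
SERVICE_USERS = {"apache", "mysql"}
NAME_RE = re.compile(r"^(\S+)\s+\((\w+)\)$")   # e.g. "*:http (LISTEN)"

def parse_lsof(text):
    """Yield (command, pid, user, name, state) for each lsof -i data row."""
    for line in text.splitlines()[1:]:        # skip the header row
        parts = line.split(None, 7)           # SIZE is empty for sockets
        if len(parts) == 8 and (m := NAME_RE.match(parts[7])):
            yield parts[0], int(parts[1]), parts[2], m.group(1), m.group(2)

def triage_lsof(text):
    """Return findings for rows that break the baseline above."""
    findings = []
    for cmd, pid, user, name, state in parse_lsof(text):
        if state == "LISTEN":
            expected = EXPECTED_LISTENER.get(name.rsplit(":", 1)[-1])
            if expected and cmd != expected:
                findings.append(f"pid {pid}: '{cmd}' owns {name}, expected {expected}")
        elif state == "ESTABLISHED" and user in SERVICE_USERS and "->" in name:
            remote = name.split("->", 1)[1]   # port 113 'auth' is the ident service
            findings.append(f"pid {pid}: '{cmd}' as {user} connected out to {remote}")
    return findings

def is_suspicious_exe_path(path):
    """True for a binary deleted from disk or run out of a scratch directory."""
    return path.endswith(" (deleted)") or path.startswith(("/tmp/", "/dev/shm/", "/var/tmp/"))

def proc_binary_status(pid):
    """Live check: /proc/<pid>/exe shows where the running binary really is,
    even when searching the filesystem by name turns up nothing."""
    try:
        exe = os.readlink(f"/proc/{pid}/exe")
    except OSError as err:                    # no such pid, or not a Linux /proc
        return {"pid": pid, "exe": None, "suspicious": None, "error": str(err)}
    return {"pid": pid, "exe": exe, "suspicious": is_suspicious_exe_path(exe)}
```

Run proc_binary_status() against the suspect pid while it is still alive; once it is killed, /proc no longer has anything to show, which is why the OP's later search found nothing.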
 
Old 09-03-2004, 05:54 AM   #2
mindspin
LQ Newbie
 
Registered: Oct 2003
Location: NL.
Distribution: Fedora Core 2
Posts: 29

Rep: Reputation: 15
I checked the IP address @ http://arul.telenet-systems.com/track.html
And I found that it was some Japanese network which has connected to your PC. Configured your firewall correctly?

Maybe you got some kind of hack software on your pc?

Quote:
Extra Technical Information

inetnum: 219.96.0.0 - 219.127.255.255
netname: JPNIC-NET-JP
descr: Japan Network Information Center
country: JP
admin-c: JNIC1-AP
tech-c: JNIC1-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-JPNIC
changed: hostmaster@apnic.net 20020307
status: ALLOCATED PORTABLE
source: APNIC

role: Japan Network Information Center
address: Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda
address: Chiyoda-ku, Tokyo 101-0047, Japan
country: JP
phone: +81-3-5297-2311
fax-no: +81-3-5297-2312
e-mail: hostmaster@nic.ad.jp
admin-c: SS13-AP
tech-c: SY7-AP
nic-hdl: JNIC1-AP
mnt-by: MAINT-JPNIC
changed: apnic-ftp@nic.ad.jp 19990629
changed: ip-staff@nic.ad.jp 20030806
source: APNIC

inetnum: 219.114.105.184 - 219.114.105.191
netname: JMI-NET
descr: JAPAN MEAT INFORMATION SERVICE CENTER
country: JP
admin-c: NK3367JP
tech-c: NK3367JP
remarks: This information has been partially mirrored by APNIC from
remarks: JPNIC. To obtain more specific information, please use the
remarks: JPNIC whois server at whois.nic.ad.jp. (This defaults to
remarks: Japanese output, use the /e switch for English output)
changed: apnic-ftp@nic.ad.jp 20021001
remarks: This information has been partially mirrored by APNIC from
remarks: JPNIC. To obtain more specific information, please use the
remarks: JPNIC whois server at whois.nic.ad.jp. (This defaults to
remarks: Japanese output, use the /e switch for English output)
changed: apnic-ftp@nic.ad.jp 20040901
source: JPNIC
 
Old 09-03-2004, 06:01 AM   #3
lucastic
Member
 
Registered: Aug 2003
Location: Oz
Distribution: Gentoo - Debian
Posts: 202

Original Poster
Rep: Reputation: 30
I do not use a deny all type firewall, so maybe no it is not setup correctly for this problem?