LinuxQuestions.org
Old 02-20-2005, 02:38 PM   #1
misteryfly
LQ Newbie
 
Registered: Feb 2005
Posts: 1

Rep: Reputation: 0
An extraneous process named "fun"


Hi all there,

I don't know if this topic is correctly published in this section, but I can't figure out where to do it. I was looking for this but no related information could be found.

My server has been running since 2001, with RH 7.1, K 2.4.18-27.7

Today I see a process named "fun" and I don't know what it is; I never saw it before:


==========================
# top

2:10pm up 69 days, 20:56, 1 user, load average: 0.95, 0.85, 0.62
76 processes: 69 sleeping, 5 running, 1 zombie, 1 stopped
CPU states: 24.1% user, 3.9% system, 0.0% nice, 71.9% idle
Mem: 126476K av, 118580K used, 7896K free, 0K shrd, 3140K buff
Swap: 1052216K av, 17980K used, 1034236K free 57672K cached

PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND
7244 root 16 0 1508 1508 348 R 16.2 1.1 6:10 fun

=========================
Also, I started to receive messages from the server (every 30 mins):

Sender: Cron daemon
Subject: Cron <nobody@server1> (kill -9 `/sbin/pidof .cinik`;cd /dev/shm;PATH=.:$PATH;apps) > /dev/null 2>&1

Body:

execl: couldn't exec `/bin/sh'
execl: Permission denied

I was unable to identify the cron process that generates such messages.

Does anybody know what those things are?

I really appreciate any help.

regards.

h. yamasaki
 
Old 02-20-2005, 03:04 PM   #2
michaelk
Moderator
 
Registered: Aug 2002
Posts: 18,220

Rep: Reputation: 2546
Looks like a worm

You might have:
CiNIK Worm (Slapper.B variant)
http://www.trendmicro.com/vinfo/viru...PPER.B&VSect=T

The following is trying to find the pid of running process .cinik and tries to kill it.
kill -9 `/sbin/pidof .cinik`

Not sure what the fun process is all about. I would get chkrootkit and an antivirus program and run them. Then I would take a look at the firewall and the processes you are running. RH 7.1 is old and may have several security vulnerabilities, like openssl.

Last edited by michaelk; 02-20-2005 at 03:14 PM.
 
Old 02-20-2005, 03:20 PM   #3
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 115
I will point out to any Windows users here that, should this indeed prove to be a worm, it has apparently done no damage because the damage it is attempting to do is being met by the system with a "permission denied". Furthermore, the system is notifying the administrator of the problem completely on its own.

You see here the most important difference between Linux and Windows; in Windows a worm usually would be running with administrator permissions because Windows encourages users to log in as administrators. If it were running as an administrator ("root" in Unix-speak) then this worm could do whatever it wanted to do.
 
Old 02-21-2005, 02:23 PM   #4
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 46
And I'll point out to you that if /bin/sh existed and was executable on his system (like it does on pretty much every *NIX machine on earth), it would be running along with him none the wiser ...

Like I've said before -- Security is in the hands of the admin. 7.x was old a long time ago, and unless he's rolling his own patches, it's vulnerable to a *lot* of exploit code...

Edit: OP: Look at /dev/shm/apps and see what it's trying to do.

Also, the crontabs are where you want to look for this. /etc/crontab is one, and the others are stored in /var/cron/tabs/<username> (I think, I don't have a RH7 system sitting here). You should find the entry that you're getting emailed about in one of the crontabs on the system.

Last edited by sigsegv; 02-21-2005 at 02:35 PM.
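An added example (not code from the thread or from any poster): a small POSIX sh script that flags crontab entries with the traits sigsegv and michaelk point at in the cron subject line, i.e. a command launched from /dev/shm or a temp directory, PATH with the current directory prepended, or pidof on a dot-prefixed process name. The crontab locations are assumptions for a RH 7.x-style host, and the sample crontab is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Flags crontab entries that share the
# traits of the cron job in the original post: a command run from /dev/shm or a
# temp directory, PATH with the current directory prepended, or pidof on a
# dot-prefixed (hidden) process name. Crontab paths below are assumptions for a
# RH 7.x-style host (per-user crontabs under /var/spool/cron).

SUSPICIOUS_RE='/dev/shm|/tmp|PATH=\.:|pidof +\.[^ ]'

# Constructed sample: two benign entries plus the entry quoted in the thread.
SAMPLE_CRONTAB='# constructed sample crontab, not from a real system
0 4 * * * root /usr/sbin/logrotate /etc/logrotate.conf
*/30 * * * * nobody (kill -9 `/sbin/pidof .cinik`;cd /dev/shm;PATH=.:$PATH;apps) > /dev/null 2>&1
15 3 * * 0 root /usr/bin/updatedb'

# Count the non-comment lines of the crontab text in $1 that match the pattern.
count_suspicious() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -E -c "$SUSPICIOUS_RE" || true
}

# Print each matching line of the crontab text in $1, prefixed with the label
# in $2 (normally the file it came from) so the admin knows which file to clean.
report_suspicious() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -E "$SUSPICIOUS_RE" \
        | while IFS= read -r line; do printf '%s: %s\n' "$2" "$line"; done
}

# Walk the usual crontab locations on the local host and report hits.
scan_host_crontabs() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/*; do
        [ -f "$f" ] && [ -r "$f" ] || continue
        report_suspicious "$(cat "$f")" "$f"
    done
}

report_suspicious "$SAMPLE_CRONTAB" sample   # prints only the */30 nobody entry
if [ "${1:-}" = "--host" ]; then scan_host_crontabs; fi
```

Run it with `--host` as root to scan the real crontab files; entries that match still need a human look, since a legitimate job can also live in /tmp.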
 
All times are GMT -5. The time now is 05:31 AM.