LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   weird processes (https://www.linuxquestions.org/questions/linux-security-4/weird-processes-302868/)

robca 03-17-2005 03:06 PM
weird processes
 
When i do a ps aux on my Fedora webserver i get in that list the following:

apache 15535 0.0 0.0 1464 316 ? S 21:30 0:00 ./7474
apache 15594 0.0 0.0 1464 340 ? S 21:30 0:00 ./7474
apache 15595 0.0 0.1 2544 1124 ttyp0 S 21:30 0:00 sh -i


but i can not find out what the ./7474 process is, i don't find any file named like that, how can i find this?

Capt_Caveman 03-17-2005 09:28 PM
The ps output indicates that the user apache is running the executable named 7474 as well as an interactive shell. Both are not normal behaviour for Apache and in fact are highly suggestive that your system has been compromised.

You can try tracking down the location of the 7474 file using 'find / | grep 7474' or alternatively look up the process info in /proc/<PID>/cmdline where PID is the process id number from the ps output (in this case /proc/15535/cmdline). Once you identify the location of the file, look around that directory for any other suspicious files or folders. Check out your logs (especially the Apache logs in /var/log/httpd/) and the system logs in /var/log/messages and /var/log/secure for any abnormal log messages. I would highly recommend downloading and running chkrootkit and/or rootkithunter on the system as well. Post anything that looks remotely relevant

Before doing anything though, make a note of all processes running on the system and any network connections (use netstat -pantu) .

robca 03-18-2005 02:36 AM
Here the output of chrootkit:
Code:
[root@gandalf chkrootkit-0.45]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi/auto/mod_perl/.packlist /usr/lib/perl5/5.8.3/i386-linux-thread-multi/.packlist

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... /proc/19488/fd: No such file or directory
eth0: not promisc and no PF_PACKET sockets
eth0:1: not promisc and no PF_PACKET sockets
eth0:2: not promisc and no PF_PACKET sockets
eth0:3: not promisc and no PF_PACKET sockets
eth0:4: not promisc and no PF_PACKET sockets
eth0:5: not promisc and no PF_PACKET sockets
eth1: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root        2365 tty5  /sbin/mingetty tty5
! root        2369 tty6  /sbin/mingetty tty6
! apache      18765 ttyp0  sh -i
! apache      20273 ttyp1  sh -i
chkutmp: nothing deleted
the netstat -pantu output:
Code:
[root@gandalf chkrootkit-0.45]# netstat -pantu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address          Foreign Address        State      PID/Program name
tcp        0      0 0.0.0.0:32768          0.0.0.0:*              LISTEN      1375/rpc.statd
tcp        0      0 0.0.0.0:993            0.0.0.0:*              LISTEN      1652/couriertcpd
tcp        0      0 82.138.76.6:51234      0.0.0.0:*              LISTEN      6621/server_linux
tcp        0      0 0.0.0.0:995            0.0.0.0:*              LISTEN      1673/couriertcpd
tcp        0      0 127.0.0.1:8005          0.0.0.0:*              LISTEN      1146/java
tcp        0      0 0.0.0.0:10022          0.0.0.0:*              LISTEN      12605/sshd
tcp        0      0 82.138.76.6:14534      0.0.0.0:*              LISTEN      6621/server_linux
tcp        0      0 82.138.76.17:27015      0.0.0.0:*              LISTEN      6819/srcds_i686
tcp        0      0 0.0.0.0:8009            0.0.0.0:*              LISTEN      1146/java
tcp        0      0 0.0.0.0:3306            0.0.0.0:*              LISTEN      1614/mysqld
tcp        0      0 0.0.0.0:106            0.0.0.0:*              LISTEN      1561/xinetd
tcp        0      0 0.0.0.0:110            0.0.0.0:*              LISTEN      1662/couriertcpd
tcp        0      0 127.0.0.1:783          0.0.0.0:*              LISTEN      24835/spamd -d -c -
tcp        0      0 0.0.0.0:143            0.0.0.0:*              LISTEN      1640/couriertcpd
tcp        0      0 0.0.0.0:111            0.0.0.0:*              LISTEN      1356/portmap
tcp        0      0 0.0.0.0:9008            0.0.0.0:*              LISTEN      1146/java
tcp        0      0 0.0.0.0:8080            0.0.0.0:*              LISTEN      1146/java
tcp        0      0 0.0.0.0:80              0.0.0.0:*              LISTEN      370/httpd
tcp        0      0 0.0.0.0:465            0.0.0.0:*              LISTEN      1561/xinetd
tcp        0      0 0.0.0.0:7474            0.0.0.0:*              LISTEN      18755/7474
tcp        0      0 0.0.0.0:21              0.0.0.0:*              LISTEN      1561/xinetd
tcp        0      0 192.168.1.1:53          0.0.0.0:*              LISTEN      1534/named
tcp        0      0 82.138.76.6:53          0.0.0.0:*              LISTEN      1534/named
tcp        0      0 82.138.76.3:53          0.0.0.0:*              LISTEN      1534/named
tcp        0      0 82.138.76.5:53          0.0.0.0:*              LISTEN      1534/named
tcp        0      0 82.138.76.17:53        0.0.0.0:*              LISTEN      1534/named
tcp        0      0 82.138.76.4:53          0.0.0.0:*              LISTEN      1534/named
tcp        0      0 82.138.76.2:53          0.0.0.0:*              LISTEN      1534/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*              LISTEN      1534/named
tcp        0      0 127.0.0.1:631          0.0.0.0:*              LISTEN      6909/cupsd
tcp        0      0 0.0.0.0:9080            0.0.0.0:*              LISTEN      1146/java
tcp        0      0 0.0.0.0:25              0.0.0.0:*              LISTEN      1561/xinetd
tcp        0      0 127.0.0.1:953          0.0.0.0:*              LISTEN      1534/named
tcp        0      0 0.0.0.0:443            0.0.0.0:*              LISTEN      370/httpd
tcp        0      0 0.0.0.0:8443            0.0.0.0:*              LISTEN      7204/httpsd
tcp        0      0 82.138.76.5:80          66.196.91.70:37120      TIME_WAIT  -
tcp        0      0 82.138.76.5:80          66.196.90.205:40012    TIME_WAIT  -
tcp        0      0 82.138.76.2:80          213.84.124.178:42114    TIME_WAIT  -
tcp        0      0 82.138.76.4:110        81.245.226.52:1711      TIME_WAIT  -
tcp        0      0 82.138.76.4:80          80.127.66.208:43652    TIME_WAIT  -
tcp        0      0 82.138.76.4:80          80.127.66.208:43653    TIME_WAIT  -
tcp        0      0 82.138.76.4:80          80.127.66.208:43654    TIME_WAIT  -
tcp        0      0 82.138.76.4:9008        82.138.76.4:35957      ESTABLISHED 1146/java
tcp        0      0 82.138.76.4:80          80.127.66.208:43655    TIME_WAIT  -
tcp        0      0 82.138.76.4:9008        82.138.76.4:35956      ESTABLISHED 1146/java
tcp        0      0 82.138.76.4:110        81.164.150.200:2714    TIME_WAIT  -
tcp        0      0 82.138.76.4:9008        82.138.76.4:52643      ESTABLISHED 1146/java
tcp        0      0 82.138.76.4:9008        82.138.76.4:52642      ESTABLISHED 1146/java
tcp        0      0 82.138.76.4:9008        82.138.76.4:52641      ESTABLISHED 1146/java
tcp        0      0 82.138.76.4:9008        82.138.76.4:52640      ESTABLISHED 1146/java
tcp        0      0 82.138.76.4:9008        82.138.76.4:52647      ESTABLISHED 1146/java
tcp        0      0 82.138.76.4:9008        82.138.76.4:52646      ESTABLISHED 1146/java
tcp        0      0 82.138.76.4:9008        82.138.76.4:52645      ESTABLISHED 1146/java
tcp        0      0 82.138.76.4:9008        82.138.76.4:52644      ESTABLISHED 1146/java
tcp        0      0 82.138.76.2:7474        81.181.124.34:1205      ESTABLISHED 20272/7474
tcp        0      0 82.138.76.4:9008        82.138.76.4:52650      ESTABLISHED 1146/java
tcp        0      0 82.138.76.4:9008        82.138.76.4:52649      ESTABLISHED 1146/java
tcp        0      0 82.138.76.4:9008        82.138.76.4:52648      ESTABLISHED 1146/java
tcp        0      0 82.138.76.2:7474        81.181.124.34:1188      ESTABLISHED 18764/7474
tcp        0      0 82.138.76.4:9008        82.138.76.4:52635      ESTABLISHED 1146/java
tcp        0      0 82.138.76.4:9008        82.138.76.4:52639      ESTABLISHED 1146/java
tcp        0      0 82.138.76.4:35957      82.138.76.4:9008        ESTABLISHED 18755/7474
tcp        0      0 82.138.76.4:35956      82.138.76.4:9008        ESTABLISHED 18755/7474
tcp        0      0 82.138.76.4:9008        82.138.76.4:52638      ESTABLISHED 1146/java
tcp        0      0 82.138.76.4:9008        82.138.76.4:52637      ESTABLISHED 1146/java
tcp        0      0 82.138.76.4:9008        82.138.76.4:52636      ESTABLISHED 1146/java
tcp        0      0 127.0.0.1:52864        127.0.0.1:783          TIME_WAIT  -
tcp        0      0 127.0.0.1:52870        127.0.0.1:783          TIME_WAIT  -
tcp        0      0 127.0.0.1:52872        127.0.0.1:783          TIME_WAIT  -
tcp        0      0 127.0.0.1:52862        127.0.0.1:783          TIME_WAIT  -
tcp        0      0 82.138.76.4:9008        82.138.76.4:52711      ESTABLISHED 1146/java
tcp        0      0 82.138.76.4:9008        82.138.76.4:52710      ESTABLISHED 1146/java
tcp        0      0 82.138.76.4:9008        82.138.76.4:52713      ESTABLISHED 1146/java
tcp        0      0 82.138.76.4:9008        82.138.76.4:52712      ESTABLISHED 1146/java
tcp        0      0 82.138.76.4:52712      82.138.76.4:9008        ESTABLISHED 28488/httpd
tcp        0      0 82.138.76.4:52713      82.138.76.4:9008        ESTABLISHED 28489/httpd
tcp        0      0 82.138.76.4:52710      82.138.76.4:9008        ESTABLISHED 28488/httpd
tcp        0      0 82.138.76.4:52711      82.138.76.4:9008        ESTABLISHED 28489/httpd
tcp        0      0 82.138.76.4:52638      82.138.76.4:9008        ESTABLISHED 27873/httpd
tcp        0      0 82.138.76.4:52639      82.138.76.4:9008        ESTABLISHED 27875/httpd
tcp        0      0 82.138.76.4:52636      82.138.76.4:9008        ESTABLISHED 27869/httpd
tcp        0      0 82.138.76.4:52637      82.138.76.4:9008        ESTABLISHED 27871/httpd
tcp        0      0 82.138.76.4:52635      82.138.76.4:9008        ESTABLISHED 27867/httpd
tcp        0      0 82.138.76.4:52650      82.138.76.4:9008        ESTABLISHED 27881/httpd
tcp        0      0 82.138.76.4:52648      82.138.76.4:9008        ESTABLISHED 27877/httpd
tcp        0      0 82.138.76.4:52649      82.138.76.4:9008        ESTABLISHED 27879/httpd
tcp        0      0 82.138.76.4:52646      82.138.76.4:9008        ESTABLISHED 27875/httpd
tcp        0      0 82.138.76.4:52647      82.138.76.4:9008        ESTABLISHED 27873/httpd
tcp        0      0 82.138.76.4:52644      82.138.76.4:9008        ESTABLISHED 27871/httpd
tcp        0      0 82.138.76.4:52645      82.138.76.4:9008        ESTABLISHED 27867/httpd
tcp        0      0 82.138.76.4:52642      82.138.76.4:9008        ESTABLISHED 27881/httpd
tcp        0      0 82.138.76.4:52643      82.138.76.4:9008        ESTABLISHED 27869/httpd
tcp        0      0 82.138.76.4:52640      82.138.76.4:9008        ESTABLISHED 27877/httpd
tcp        0      0 82.138.76.4:52641      82.138.76.4:9008        ESTABLISHED 27879/httpd
tcp        0      1 82.138.76.4:52878      81.245.231.158:113      SYN_SENT    30819/in.proftpd
tcp        0      0 82.138.76.4:80          195.144.131.12:35019    TIME_WAIT  -
tcp        0      0 82.138.76.2:80          133.9.68.243:50074      TIME_WAIT  -
tcp        0      0 82.138.76.4:21          81.245.231.158:1265    ESTABLISHED 30811/proftpd: fred
tcp        0      0 82.138.76.4:21          81.245.231.158:1266    ESTABLISHED 30819/in.proftpd
tcp        0  7440 82.138.76.2:10022      81.164.133.6:61824      ESTABLISHED 19986/sshd: robin [
tcp        0      0 82.138.76.2:80          133.9.68.243:50125      TIME_WAIT  -
tcp        0      1 82.138.76.2:52863      63.95.15.16:25          SYN_SENT    30500/qmail-remote
tcp        0      0 82.138.76.4:25          195.238.3.52:41323      TIME_WAIT  -
tcp        0      0 82.138.76.2:80          133.9.68.243:50169      TIME_WAIT  -
tcp        0      0 82.138.76.2:10022      81.164.133.6:61806      ESTABLISHED 19929/sshd: robin [
tcp        0      0 82.138.76.2:80          133.9.68.243:50216      TIME_WAIT  -
tcp        0      1 82.138.76.2:52873      202.108.255.210:25      SYN_SENT    30604/qmail-remote
tcp        0      0 82.138.76.2:110        80.200.247.24:1807      TIME_WAIT  -
tcp        0      0 82.138.76.2:80          133.9.68.243:50027      TIME_WAIT  -
tcp        0      0 82.138.76.2:110        80.200.247.24:1808      TIME_WAIT  -
udp        0      0 0.0.0.0:32768          0.0.0.0:*                          1375/rpc.statd
udp        0      0 0.0.0.0:32769          0.0.0.0:*                          1534/named
udp        0      0 82.138.76.17:27015      0.0.0.0:*                          6819/srcds_i686
udp        0      0 82.138.76.6:27015      0.0.0.0:*                          6478/hlds_i686
udp        0      0 82.138.76.17:27020      0.0.0.0:*                          6819/srcds_i686
udp        0      0 192.168.1.1:53          0.0.0.0:*                          1534/named
udp        0      0 82.138.76.6:53          0.0.0.0:*                          1534/named
udp        0      0 82.138.76.3:53          0.0.0.0:*                          1534/named
udp        0      0 82.138.76.5:53          0.0.0.0:*                          1534/named
udp        0      0 82.138.76.17:53        0.0.0.0:*                          1534/named
udp        0      0 82.138.76.4:53          0.0.0.0:*                          1534/named
udp        0      0 82.138.76.2:53          0.0.0.0:*                          1534/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                          1534/named
udp        0      0 0.0.0.0:703            0.0.0.0:*                          1375/rpc.statd
udp        0      0 82.138.76.6:8768        0.0.0.0:*                          6621/server_linux
udp        0      0 127.0.0.1:32865        127.0.0.1:32865        ESTABLISHED 2048/postmaster
udp        0      0 0.0.0.0:32876          0.0.0.0:*                          2243/perl
udp        0      0 0.0.0.0:111            0.0.0.0:*                          1356/portmap
udp        0      0 0.0.0.0:631            0.0.0.0:*                          6909/cupsd
udp        0      0 82.138.76.17:27005      0.0.0.0:*                          6819/srcds_i686

Capt_Caveman 03-18-2005 01:04 PM
The chkrootkit output shows that it found a bindshell which is usually a backdoor. The fact that it's running on a priveledged port (465) isn't a good sign either.

The netstat output shows a lot of different services running. The primary question is whether you think they should be? Go through the list and try to identify any that look abnormal to you. I don't know what you are using the box for or what applications you're running, so I can't really tell you. However, there are several that look fairly suspicious. For example we see the 7474 program appears again listening on port 7474. The java processes look suspicious as well (both 7474 and httpd have established local connections to port 9008).

Any luck identifying the location of the 7474 executable? Find anything else in the logs?

Once you get a good suspicion that it's been compromised immediately disconnect it from the network and then proceed with any further forensic analysis.

robca 03-18-2005 01:21 PM
I found the 7474 file in /var/tmp and deleted that, after that i found a shoutcast in the samedir which do not belong there, and in that logfile i found a url/ip/and irc channel after mailing the persons in about 5 minutes everything went ok.

I searched in the logfiles and found phpBB 2.0.6 on one of my clients webspace was the problem and through phpbb they started everything, so i have updated phpbb and no suspicious things anymore!

the port 465 is from plesk en java is also for plesk so that is normal!

But thanks for the command to find the file i couldn't find with locate :p

Capt_Caveman 03-18-2005 09:52 PM
Not that surprising. Depending on what you found, my next question was going to be what kind of web content you were hosting. PHPbb has taken a real beating over the last 6 months in terms of security. In fact I've heard from multiple sources that exploits are circulating for the current release, so I'd recommend against running it unless absolutely necessary.

Cheers!


All times are GMT -5. The time now is 04:54 AM.