weird processes
When i do a ps aux on my Fedora webserver i get in that list the following:
apache 15535 0.0 0.0 1464 316 ? S 21:30 0:00 ./7474 apache 15594 0.0 0.0 1464 340 ? S 21:30 0:00 ./7474 apache 15595 0.0 0.1 2544 1124 ttyp0 S 21:30 0:00 sh -i but i can not find out what the ./7474 process is, i don't find any file named like that, how can i find this? |
The ps output indicates that the user apache is running the executable named 7474 as well as an interactive shell. Both are not normal behaviour for Apache and in fact are highly suggestive that your system has been compromised.
You can try tracking down the location of the 7474 file using 'find / | grep 7474' or alternatively look up the process info in /proc/<PID>/cmdline where PID is the process id number from the ps output (in this case /proc/15535/cmdline). Once you identify the location of the file, look around that directory for any other suspicious files or folders. Check out your logs (especially the Apache logs in /var/log/httpd/) and the system logs in /var/log/messages and /var/log/secure for any abnormal log messages. I would highly recommend downloading and running chkrootkit and/or rootkithunter on the system as well. Post anything that looks remotely relevant Before doing anything though, make a note of all processes running on the system and any network connections (use netstat -pantu) . |
Here the output of chrootkit:
Code:
[root@gandalf chkrootkit-0.45]# ./chkrootkit Code:
[root@gandalf chkrootkit-0.45]# netstat -pantu |
The chkrootkit output shows that it found a bindshell which is usually a backdoor. The fact that it's running on a priveledged port (465) isn't a good sign either.
The netstat output shows a lot of different services running. The primary question is whether you think they should be? Go through the list and try to identify any that look abnormal to you. I don't know what you are using the box for or what applications you're running, so I can't really tell you. However, there are several that look fairly suspicious. For example we see the 7474 program appears again listening on port 7474. The java processes look suspicious as well (both 7474 and httpd have established local connections to port 9008). Any luck identifying the location of the 7474 executable? Find anything else in the logs? Once you get a good suspicion that it's been compromised immediately disconnect it from the network and then proceed with any further forensic analysis. |
I found the 7474 file in /var/tmp and deleted that, after that i found a shoutcast in the samedir which do not belong there, and in that logfile i found a url/ip/and irc channel after mailing the persons in about 5 minutes everything went ok.
I searched in the logfiles and found phpBB 2.0.6 on one of my clients webspace was the problem and through phpbb they started everything, so i have updated phpbb and no suspicious things anymore! the port 465 is from plesk en java is also for plesk so that is normal! But thanks for the command to find the file i couldn't find with locate :p |
Not that surprising. Depending on what you found, my next question was going to be what kind of web content you were hosting. PHPbb has taken a real beating over the last 6 months in terms of security. In fact I've heard from multiple sources that exploits are circulating for the current release, so I'd recommend against running it unless absolutely necessary.
Cheers! |
All times are GMT -5. The time now is 04:54 AM. |