Perl eating CPU Time - what is "/httpds/sshd/"
Hi All,
For a few weeks my server has been slowing down sometimes, and when I log in via SSH I can see that the perl process is eating CPU time. The only solution is to kill those processes one after another (because they resurrect ;) ). I see that this process has been started by Apache, so I'm afraid that it could be a hack attempt.
Code:
# top
Code:
# ps aux | grep 13599
I use ssh and sftp instantly. I have already disabled the apache perl module.
The OS is: Fedora Core 5 2.6.20-1.2320.fc5
Apache: 2.2.2
PHP: 5.1.6
Any help is very appreciated :-)
Best Regards, Neo |
perl doesn't run like that unless a user most likely runs a script, etc. Sounds to me like you possibly got hacked. I'd say you may want to unplug this machine from the network to do a full investigation. Unless you have something with apache that kicks off a perl script/program, etc.
|
The problem is I cannot unplug this machine because this is a leased root server :confused:
I saw that webmin also starts some perl processes, but they are not causing this problem, I think. How can I find who starts these processes, and what is "/httpds/sshd/"? I'm trying to be very careful with this server. No root access, complicated password, I regularly check the logfiles but I didn't see anything suspect :( |
Leased root server? I'd suggest asking the people you lease it from then. But seriously, if there are processes you don't know about or how they start and you are in full control of this server, better start asking questions to your provider.
httpds/sshd sounds to me like some type of web enabled ssh program I would guess. That's why I'd suggest asking the lease provider. Most likely this server of yours could just be a virtual server and they might have programs running to monitor, applications you may not want running, etc. |
I cannot ask my provider because this is a root server. This means I have a physical server in their server room. But this is my server, it's not virtual. So this means that they did not install any programs there, and the only support is for hardware or network connection.
Regards, Neo |
It seems to be a hack attempt. I saw this in my general apache error logfile:
Code:
|
Well, I would start by renaming perl to perl2 and killing the processes. (Temporary.)
Then, put in hosts entries for the IRC servers it uses, so it can't communicate out. It has a list of ports it scans, I would also AFP block any of those which aren't in use legitimately. A lot of it is in Spanish, so it's unclear. Now, I would look for how it got there in the first place. Uploaded by user? That part I'm shaky on. |
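For the question earlier in the thread about what "/httpds/sshd/" is and who starts the process, here is an added example that is not part of any post: shell functions that compare the name shown by `ps aux` with the binary the kernel actually executed, and report the parent PID. It assumes the odd name is an argv[0] the script set for itself; the function names and the PROC_ROOT override are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Compares the name a process shows in
# `ps aux` (argv[0], which the process can overwrite) with the binary the
# kernel actually executed (/proc/PID/exe).
# PROC_ROOT is a hypothetical override so the functions can be pointed at a
# copied or constructed /proc tree; by default the live /proc is used.
PROC_ROOT="${PROC_ROOT:-/proc}"

# First NUL-separated field of cmdline: the name the process claims.
claimed_name() {
    tr '\000' '\n' < "$PROC_ROOT/$1/cmdline" | head -n 1
}

# Target of the exe symlink: the binary really running.
real_exe() {
    readlink "$PROC_ROOT/$1/exe"
}

# PID of the parent, i.e. who started it.
parent_pid() {
    awk '/^PPid:/ { print $2 }' "$PROC_ROOT/$1/status"
}

# Last path component, ignoring one trailing "/" and a login-shell "-" prefix.
base() {
    p=${1%/}; p=${p##*/}
    printf '%s\n' "${p#-}"
}

# Exit 0 when claimed and real names differ, 1 when they agree,
# 2 when exe is unreadable (kernel thread, or not enough privilege).
is_disguised() {
    real=$(real_exe "$1") || return 2
    real=${real% (deleted)}
    [ "$(base "$(claimed_name "$1")")" != "$(base "$real")" ]
}

# One line per PID: pid, parent pid, claimed name, real binary, working dir.
report() {
    for pid in "$@"; do
        printf '%s ppid=%s claimed=%s exe=%s cwd=%s\n' "$pid" \
            "$(parent_pid "$pid")" "$(claimed_name "$pid")" \
            "$(real_exe "$pid")" "$(readlink "$PROC_ROOT/$pid/cwd")"
    done
}

if [ "$#" -gt 0 ]; then report "$@"; fi
```

Run it as root with the PIDs to inspect as arguments. Daemons that set their own process title and binaries reached through a symlink also produce a mismatch, so a hit is a lead to check, not a verdict.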