
Linux, Unix, and *nix like Operating Systems Forum

Locate a malicious Apache script/process - need help!
A script on my server is compromised and I need to find out which one it is
digitsix

Msg#: 3850459 posted 8:44 am on Feb 16, 2009 (gmt 0)

So my bandwidth for my server just got throttled the other day because my server started using extreme bandwidth all of a sudden. I noticed some strange netstat connections and tied it with two perl processes that were being parented by httpd processes. I have no idea how to "trace" the process to figure out the path to the script that is being run to cause me these problems. Is there a way to do this? I searched the net for a solution but haven't found one.


phranque

Msg#: 3850459 posted 9:27 am on Feb 16, 2009 (gmt 0)

On NetBSD, "ps -aux" will do that for me.
You might need root permissions to see the web server processes.

digitsix

Msg#: 3850459 posted 4:49 pm on Feb 16, 2009 (gmt 0)

ps only lists the process name "httpd" (or something like that). I need to find out the path and name of the script that the httpd process forked and is running.

So say the process httpd has been running for 200 minutes and is using 70% CPU; all I can see is something like this:

daemon 64343 0.2 1.5 90632 15952 ? S 10:24AM 0:02.51 /usr/local/apache/bin/httpd -k start

I need a way to take PID 64343 and get information on what files it's running or working with so that I can track down the problem.

Currently the only thing I know to do would be to cross-reference my httpd access logs with the timestamp of the start date and time of the process, but my logs are purged every four hours by the statistics engine, so unless I catch the process within the four-hour window I have, there is no log to reference. :(

jeffatrackaid

Msg#: 3850459 posted 4:03 pm on Feb 19, 2009 (gmt 0)

Try using lsof.
man lsof
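
The /proc-based equivalent of what digitsix asks for above, as an added example that is not from any poster in this thread: given the PID of the suspect process (64343 in the ps line above), it prints the command line, executable, working directory, open regular files and the parent chain back up to httpd, which is usually enough to locate the script. It assumes Linux; on BSD and Solaris the same information comes from "lsof -p PID" (the cwd, txt and open-file rows).

```shell
#!/bin/sh
# Added example, not from the thread: inspect a suspect PID (e.g. the perl
# child of an httpd worker) through Linux /proc to recover the script path,
# working directory, open files and the parent chain back to httpd.
# Assumes Linux /proc; on BSD/Solaris use "lsof -p PID" instead.

# Command line of a PID, NUL separators replaced by spaces.
proc_cmdline() {
    tr '\000' ' ' < "/proc/$1/cmdline" 2>/dev/null | sed 's/ $//'
}

# Parent PID: strip "pid (comm) " from /proc/PID/stat, then take field 2.
proc_ppid() {
    sed 's/^.*) //' "/proc/$1/stat" 2>/dev/null | awk '{print $2}'
}

# Directory the process was started from (often where the script was dropped).
proc_cwd() {
    readlink "/proc/$1/cwd" 2>/dev/null
}

# Regular files the process holds open: scripts, logs, dropped binaries.
proc_open_files() {
    ls -l "/proc/$1/fd" 2>/dev/null | awk '/ -> \//{print $NF}' \
        | grep -v '^/dev/' | sort -u
}

# Walk from PID up to init, printing each ancestor: perl <- httpd <- init.
proc_ancestry() {
    pid=$1
    while [ -n "$pid" ] && [ "$pid" -gt 0 ] 2>/dev/null; do
        printf '%s\t%s\n' "$pid" "$(proc_cmdline "$pid")"
        [ "$pid" -eq 1 ] && break
        pid=$(proc_ppid "$pid")
    done
}

# Full report for one suspect PID; returns 1 if the PID does not exist.
inspect_pid() {
    [ -d "/proc/$1" ] || { echo "no such process: $1" >&2; return 1; }
    echo "== cmdline: $(proc_cmdline "$1")"
    echo "== exe:     $(readlink "/proc/$1/exe" 2>/dev/null)"
    echo "== cwd:     $(proc_cwd "$1")"
    echo "== open regular files:"; proc_open_files "$1" | sed 's/^/   /'
    echo "== ancestry (pid<TAB>cmdline):"; proc_ancestry "$1" | sed 's/^/   /'
}

# Usage: sh inspect.sh 64343   (the PID from the ps line in the thread)
if [ -n "$1" ]; then inspect_pid "$1"; fi
```

Run it as root so /proc entries of the "daemon" user's processes are readable; a script that has already been deleted still shows up as "(deleted)" in the exe or fd links.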

prhost

Msg#: 3850459 posted 10:02 pm on Feb 22, 2009 (gmt 0)

Keep an eye on 'top'

eeek

Msg#: 3850459 posted 11:22 pm on Mar 24, 2009 (gmt 0)

logs are purged every four hours by the statistics engine

Have you considered disabling that until you find the problem?
