Excessive Outbound Traffic 6.66.#*$!xIP
Existing Details: Your server was detected while sending a large amount of outbound traffic that reached 60.8 Kpps. Upon investigation the following malicious processes were found running:
PROCESSES
10277 apache 25 0 2400 1236 524 S 0.0 0.0 0:00 2 perl
10280 apache 25 0 156 124 120 T 0.0 0.0 0:00 3 f3
10281 apache 25 0 0 0 0 Z 0.0 0.0 0:00 3 f3 <defunct>
10293 apache 15 0 2400 1272 524 S 0.0 0.0 0:00 2 perl
10296 apache 25 0 152 124 120 T 0.0 0.0 0:00 3 f3
10297 apache 25 0 0 0 0 Z 0.0 0.0 0:00 3 f3 <defunct>
24190 apache 16 0 9704 4680 1012 S 0.0 0.2 0:00 3 httpd
24225 apache 17 0 0 0 0 Z 0.0 0.0 0:00 1 sh <defunct>
26712 apache 25 0 2400 1548 524 S 0.0 0.0 0:00 2 perl
26715 apache 15 0 3284 3284 636 S 0.0 0.1 2:35 3 perl
26792 apache 25 0 2520 2520 736 S 0.0 0.1 19:41 0 perl
LOCATION
/tmp
bnc.perl
f3
mass
mata.txt
mata.txt.1
mata.txt.2
mata.txt.3
mata.txt.4
mata.txt.5
mata.txt.6
mata.txt.7
mata.txt.8
mata.txt.9
sem.perl
The processes listed have been stopped. Please investigate the issue and update us as soon as possible.
The only thing I see in there is "mass" -- maybe "mass-mailer?" If that's what it means, then perhaps your server has been compromised and is being used to send mass emails (spam).
They also say "Please update." Do you have old versions of PHP, forum, or e-mail scripts installed on this machine? If so, you may need to upgrade them to get the latest security patches.
Do any of those filenames mean anything to you? What is in those files when you open them with a text editor?
That's the best I can do with what's posted here.
Jim
As we speak, malicious processes are running by intruders that have gained unauthorized access to your system from exploited holes in outdated PHP scripts on your server:
apache 10280 0.0 0.0 1368 124 ? T Jan29 0:00 ./f3
apache 10281 0.0 0.0 0 0 ? Z Jan29 0:00 [f3 <defunct>]
apache 10296 0.0 0.0 1360 124 ? T Jan29 0:00 ./f3 201.13.43.31 1 500
apache 10297 0.0 0.0 0 0 ? Z Jan29 0:00 [f3 <defunct>]
apache 17669 87.0 0.1 7176 2828 ? R Feb04 1635:42 /usr/local/apache/bin/httpd -DSSL
Please ensure that you audit your system for all web-application installations, like PHP, for outdated versions and update them to their latest versions or remove them if needed. This script can automate searching for vulnerable phpBB installations:
[cplicensing.net...]
You can also install mod_security for apache to mitigate these attacks at apache:
[modsecurity.org...]
[eth0.us...]
This link gives direction on how to use mod_security:
[support.THEHOST.com...]
Please provide an update as soon as possible. Thank you.
However, I believe f3 is a name for one tool I know of that is used in Denial of Service attacks. This would tend to go along with your host saying that a large amount of data was outgoing. bnc.perl is also a fairly well-known bad-boy application. You can google it and find the source code if you read Portuguese.
You may need to hire someone to clean up your scripts so that they're not exploitable. :-(
JK
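As an added example, not code from the host or from anyone in this thread: a small Python triage script that applies the signs the host's notices point to (executables started from /tmp or ./, defunct children of the apache user, and runaway CPU time) to a constructed `ps aux` listing. The scratch-directory list, the interpreter list and the CPU thresholds are assumptions to tune for your own box.

```python
"""Triage a `ps aux` listing for signs of a compromised web server: processes
run as the web user from a scratch directory, zombie children, heavy CPU use."""

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # assumed watch list
INTERPRETERS = {"perl", "python", "sh", "bash", "php"}

# Constructed sample modelled on the host's notice; 203.0.113.7 is a
# documentation address, not a real host.
SAMPLE_PS = """\
USER       PID %CPU %MEM   VSZ  RSS TTY STAT START    TIME COMMAND
apache   10280  0.0  0.0  1368  124 ?   T    Jan29    0:00 ./f3
apache   10281  0.0  0.0     0    0 ?   Z    Jan29    0:00 [f3 <defunct>]
apache   10296  0.0  0.0  1360  124 ?   T    Jan29    0:00 ./f3 203.0.113.7 1 500
apache   26792  0.0  0.1  2520 2520 ?   S    Jan29   19:41 perl /tmp/bnc.perl
apache   17669 87.0  0.1  7176 2828 ?   R    Feb04 1635:42 /usr/local/apache/bin/httpd -DSSL
apache   24190  0.0  0.2  9704 4680 ?   S    Jan29    0:00 /usr/local/apache/bin/httpd -DSSL
root       812  0.0  0.1  5000 1200 ?   Ss   Jan29    0:03 /usr/sbin/sshd
"""

def cpu_minutes(time_field):
    """Convert the ps TIME column ([[DD-]HH:]MM:SS) to total minutes."""
    days, _, clock = time_field.rpartition("-")
    seconds = 0
    for part in clock.split(":"):
        seconds = seconds * 60 + int(part)
    return int(days or 0) * 1440 + seconds / 60

def triage(ps_text, web_user="apache", cpu_pct=50.0, cpu_min=60.0):
    """Return [(pid, reason)] for processes of web_user that need a look."""
    findings = []
    for line in ps_text.splitlines()[1:]:          # skip the header row
        user, pid, pct, _, _, _, _, stat, _, cpu_time, cmd = line.split(None, 10)
        if user != web_user:
            continue
        argv = cmd.strip("[]").split()             # "[f3 <defunct>]" -> ["f3", "<defunct>"]
        exe = argv[0]
        if exe.rsplit("/", 1)[-1] in INTERPRETERS and len(argv) > 1:
            exe = argv[1]                          # judge the script, not the interpreter
        if exe.startswith("./") or exe.startswith(SCRATCH_DIRS):
            findings.append((int(pid), "started from a scratch directory: " + cmd))
        elif stat.startswith("Z"):
            findings.append((int(pid), "zombie child of the web user: " + cmd))
        elif float(pct) >= cpu_pct or cpu_minutes(cpu_time) >= cpu_min:
            findings.append((int(pid), "unusual CPU consumption: " + cmd))
    return findings

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_PS):
        print(pid, reason)
```

Run it against `ps aux` output from the affected server (`ps aux | python3 triage.py` with a `sys.stdin.read()` in place of the sample) and treat every hit as something to inspect, not as proof by itself; a busy but legitimate httpd will also trip the CPU rule.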