Locate a malicious apache script /process - need help!

A script on my server is compromised and I need to find out which one it is.

digitsix

8:44 am on Feb 16, 2009 (gmt 0)

So my bandwidth for my server just got throttled the other day because my server started using extreme bandwidth all of a sudden. I noticed some strange netstat connections and tied it with two perl processes that were being parented by httpd processes. I have no idea how to "trace" the process to figure out the path to the script that is being run to cause me these problems. Is there a way to do this? I searched the net for a solution but haven't found one.

phranque

9:27 am on Feb 16, 2009 (gmt 0)

On NetBSD, "ps -aux" will do that for me.
You might need root permissions to see the web server processes.

digitsix

4:49 pm on Feb 16, 2009 (gmt 0)

ps only lists the process name "httpd" (or something like that). I need to find out the path and name of the script that httpd process forked and is running.

So, say the process httpd has been running for 200 minutes and is using 70% CPU; all I can see is something like this:

daemon 64343 0.2 1.5 90632 15952 ? S 10:24AM 0:02.51 /usr/local/apache/bin/httpd -k start

I need a way to take pid 64343 and get information on what files it's running or working with so that I can track down the problem.

Currently the only thing I know to do would be to cross-reference my httpd access logs with the timestamp of the start date and time of the process, but my logs are purged every four hours by the statistics engine, so unless I catch the process within the four-hour window I have, there is no log to reference. :(

jeffatrackaid

4:03 pm on Feb 19, 2009 (gmt 0)

Try using lsof.
man lsof
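
An added example, not posted by anyone in this thread, that ties the two suggestions together: walk the process table for non-httpd children of httpd (the perl processes from the first post), inspect one with ps and lsof, and cross-reference the process start time against the access log while that log still exists. It assumes a ps that accepts "-o pid,ppid,user,lstart,command" (FreeBSD and GNU procps both do), an lsof binary, and a combined-format access log at the path in ACCESS_LOG; those assumptions and the sample log lines in the test are mine, not the thread's.

```shell
#!/bin/sh
# Added example, not from any poster in this thread.
# Triage a suspicious child process of httpd (e.g. a perl interpreter that
# httpd forked) and tie it back to the request that started it.
# Assumptions (mine): ps accepts "-o pid,ppid,user,lstart,command",
# lsof is installed, and a combined-format access log lives at $ACCESS_LOG.

ACCESS_LOG="${ACCESS_LOG:-/usr/local/apache/logs/access_log}"

# find_suspicious_children: reads "pid ppid command ..." lines (as printed by
# "ps -axo pid,ppid,command" without its header) from stdin and prints
# "pid command" for every process whose parent is httpd but which is not
# itself httpd. Those are the interpreters the web server spawned.
find_suspicious_children() {
    awk '
        {
            pid[NR] = $1; ppid[NR] = $2; cmd[NR] = $3
            is_httpd[$1] = ($3 ~ /httpd$/)
        }
        END {
            for (i = 1; i <= NR; i++)
                if (is_httpd[ppid[i]] && cmd[i] !~ /httpd$/)
                    print pid[i], cmd[i]
        }'
}

# requests_near DAY HH MM WINDOW: reads access-log lines from stdin and prints
# those stamped on DAY (e.g. 16/Feb/2009) within WINDOW minutes of HH:MM.
# Feed it the lstart of the rogue process to see which request, and so which
# script, was being served when the process appeared.
requests_near() {
    awk -v day="$1" -v hh="$2" -v mm="$3" -v win="$4" '
        {
            # $4 looks like [16/Feb/2009:10:24:13
            n = split(substr($4, 2), p, ":")
            if (n < 3 || p[1] != day) next
            d = (p[2] * 60 + p[3]) - (hh * 60 + mm)
            if (d < 0) d = -d
            if (d <= win) print
        }'
}

# inspect_pid PID: live lookup. Shows parent, start time and argv, then the
# working directory, executable and open files/sockets. A backdoor may rewrite
# its argv to look like httpd, but cwd and open files still show where it lives
# and which remote hosts it talks to (compare with the netstat output).
inspect_pid() {
    pid="$1"
    ps -o pid,ppid,user,lstart,command -p "$pid"
    lsof -n -P -p "$pid" 2>/dev/null |
        awk 'NR > 1 && $4 ~ /^(cwd|txt|[0-9]+[rwu]?)$/ { print $4, $5, $9 }'
}

# triage_all: on a live box, list httpd's non-httpd children and inspect each.
triage_all() {
    ps -axo pid,ppid,command | awk 'NR > 1' | find_suspicious_children |
        while read -r pid cmd; do
            echo "== $pid ($cmd)"
            inspect_pid "$pid"
        done
}

# Usage: "sh triage.sh all" or "sh triage.sh 64343" (no argument: do nothing).
case "${1:-}" in
    all) triage_all ;;
    [0-9]*) inspect_pid "$1" ;;
esac
```

Run it as root so the httpd children are visible. The lstart column printed by inspect_pid reads like "Mon Feb 16 10:24:00 2009"; turn that into the log's day format by hand and run `requests_near 16/Feb/2009 10 24 2 < "$ACCESS_LOG"` to list the requests from two minutes either side of the start, which is usually enough to name the CGI or upload script that was hit.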

prhost

10:02 pm on Feb 22, 2009 (gmt 0)

Keep an eye on 'top'

eeek

11:22 pm on Mar 24, 2009 (gmt 0)

logs are purged every four hours by the statistics engine

Have you considered disabling that until you find the problem?