[nmglug] unknown processes, sh -i

Pi pi at pihost.us
Thu Feb 8 11:37:23 PST 2007



Jason Schaefer wrote:
> This process has started twice in the last month. It takes 100% of my
> cpu and netstat shows it's connected to a hosting company in Italy
> (serverdedicati.seflow.net). Apache has nothing in the logs regarding
> this! Has anyone else seen this sh -i? Anything I might be missing?
> 
> This is what netstat -patn shows:

d00d j00 b33n h4x0r3d.

Run chkrootkit, rkhunter, upgrade your apache, upgrade your webapps (anything
PHP- or perl-based, AWStats, etc), look in /tmp for anything funky, look
anywhere www-data can write for the same, make sure nothing's been overwritten.
Also, if you're writing your own CGI or PHP, start throwing backticks, pipes,
quotes, dollar signs, and backslashes at anything resembling an input field.
It'll look like you're a cartoon swearing, but might reveal issues.

> tcp        0      0 10.2.2.2:37924          213.92.118.223:49153    ESTABLISHED 12780/sh -i
> tcp        0      0 10.2.2.2:37923          213.92.118.223:49153    ESTABLISHED 12761/sh -i
> tcp        0      0 10.2.2.2:37906          213.92.118.223:49153    ESTABLISHED 13122/sh -i
> tcp        0      1 10.2.2.2:33807          213.92.118.223:49153    SYN_SENT    13449/sh -i
> 
> This is what ps aux |grep www-data shows:
> USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
> www-data 19198  0.0  0.2  24120  1784 ?        SN   Feb04   0:00 /usr/sbin/apache2 -k start -DSSL
> www-data 19199  0.0  0.2  24120  2028 ?        SN   Feb04   0:00 /usr/sbin/apache2 -k start -DSSL
> www-data 19200  0.0  0.2  24204  1796 ?        SN   Feb04   0:00 /usr/sbin/apache2 -k start -DSSL
> www-data 19201  0.0  0.2  24232  1792 ?        SN   Feb04   0:00 /usr/sbin/apache2 -k start -DSSL
> www-data 19202  0.0  0.2  24228  1776 ?        SN   Feb04   0:00 /usr/sbin/apache2 -k start -DSSL
> www-data 23276  0.0  0.2  24120  2188 ?        SN   Feb04   0:00 /usr/sbin/apache2 -k start -DSSL
> www-data 26063  0.0  0.2  24236  1768 ?        SN   Feb04   0:00 /usr/sbin/apache2 -k start -DSSL
> www-data 12761  8.9  0.2   4820  2320 ?        RN   Feb05 218:42 sh -i
> www-data 12780 27.1  0.2   4824  2312 ?        RN   Feb05 659:30 sh -i
> www-data 13122 26.4  0.2   4828  2320 ?        RN   Feb05 642:09 sh -i
> www-data 13449 18.9  0.2   4828  2308 ?        SN   Feb05 457:57 sh -i
> 
> 
> This is what top shows:
> 13122 www-data  35  10  4828 2320  972 R 10.7  0.3 642:12.92 perl
> 12761 www-data  35  10  4820 2320  976 R  9.7  0.3 218:45.64 perl
> 12780 www-data  35  10  4824 2312  976 R  9.4  0.3 659:33.24 perl
> 
> 

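Added note on the quoted output, not part of the original post: ps lists the four PIDs as "sh -i" while top lists the same PIDs as "perl", because ps prints the argv a running program can rewrite while top's default COMMAND column prints the name the kernel kept from the executed file, so the disagreement is itself a clue. The script below is an added example, not the poster's code; it walks /proc for www-data's processes and reports such mismatches, using /proc/PID/exe as the reference, and the set of commands www-data is expected to run is an assumption for this host.

```python
import os
import pwd
import shutil
# Added example for this thread, not the poster's code.
EXPECTED_COMMS = {"apache2"}  # what www-data should be running here (assumption)
COMM_LEN = 15                 # the kernel truncates /proc/PID/comm to 15 chars

def classify(comm, cmdline, exe):
    """Reasons a process looks suspicious (empty list if none). comm is /proc/PID/comm
    (top's COMMAND column), cmdline /proc/PID/cmdline (what ps prints), exe readlink(exe)."""
    reasons = []
    if comm not in EXPECTED_COMMS:
        reasons.append(f"unexpected command {comm!r}")
    # argv[0] can be rewritten by the program (perl's $0) and comm changed with prctl,
    # but the exe link is the file really mapped, so trust it when it is readable.
    truth = os.path.basename(exe.removesuffix(" (deleted)")) if exe else comm
    argv0 = cmdline.split(" ", 1)[0] if cmdline else ""
    names = {os.path.basename(argv0)}
    found = shutil.which(argv0) if argv0 else None  # "sh" -> /bin/sh -> dash
    if found:
        names.add(os.path.basename(os.path.realpath(found)))
    if argv0 and not any(n[:COMM_LEN] == truth[:COMM_LEN] for n in names):
        reasons.append(f"argv shows {os.path.basename(argv0)!r} but the kernel says {truth!r}")
    return reasons

def scan(user="www-data"):
    """Walk /proc (as root, so other users' exe links are readable) -> {pid: reasons}."""
    uid = pwd.getpwnam(user).pw_uid
    hits = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        path = f"/proc/{pid}"
        try:
            if os.stat(path).st_uid != uid:
                continue
            with open(f"{path}/comm") as f:
                comm = f.read().strip()
            with open(f"{path}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
            try:
                exe = os.readlink(f"{path}/exe")
            except OSError:  # no permission, kernel thread or zombie
                exe = ""
        except OSError:  # process exited while we were reading it
            continue
        if reasons := classify(comm, cmdline, exe):
            hits[int(pid)] = reasons
    return hits

if __name__ == "__main__":
    for pid, reasons in sorted(scan().items()):
        print(pid, "; ".join(reasons))
```

A hit like "argv shows 'sh' but the kernel says 'perl'" is the quoted ps/top discrepancy made explicit; /proc/PID/cwd and the open files under /proc/PID/fd of a flagged PID then show where the script lives.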
