bizjosh (Singapore) asked:

apache cgi exploit?

Hi,

I always see this script running:

apache 76533 85.4  0.3  3784 3152  ??  R     3:56AM 277:47.22 /usr/local/firewall (perl)

# ls -aul /usr/local/firewall
ls: /usr/local/firewall: No such file or directory

It seems like a perl script. I have like 100 users; how do I find out
exactly which user or dir path this script is running from?

Some weird files in /tmp:
# ls -aul /tmp
total 1
drwxrwxrwt   3 root       wheel   1536 Dec 27 09:26 .
drwxr-xr-x  20 root       wheel    512 Dec 27 03:01 ..
-rw-rw-rw-   1 root       wheel      4 Dec 23 15:22 .27400.1b8140
drwxrwxrwt   2 root       wheel    512 Dec 27 03:01 .X11-unix
-rw-r--r--   1 apache     wheel      0 Dec 24 00:47 .warez
-rw-r--r--   1 apache     wheel      0 Dec  6 07:09 .wonderland
-rw-rw----   1 majordomo  wheel    534 Dec  4 04:40 majordomo.debug
srwxrwxrwx   1 mysql      wheel      0 Dec 24 23:11 mysql.sock
-rw-r--r--   1 apache     wheel     47 Dec 23 02:06 phpbb2_Q
-rw-r--r--   1 apache     wheel     47 Dec 10 20:34 phpbb_deface
-rw-r--r--   1 apache     wheel     21 Dec  5 01:36 phpbb_what_you_need
-rw-rw----   1 majordomo  wheel      0 Dec  4 11:50 resend.debug
-rw-------   1 apache     wheel  19955 Dec 27 09:18 sess_1cd45b5c8aba4fc780fba264aab1746d
-rw-r--r--   1 root       wheel     53 Dec 18 05:00 up.tst25167
-rw-r--r--   1 root       wheel     53 Dec  4 05:00 up.tst5524
-rw-r--r--   1 root       wheel     53 Dec 11 05:00 up.tst58700
-rw-r--r--   1 root       wheel     53 Dec 25 05:00 up.tst8826
-rw-r--r--   1 apache     wheel     47 Dec 27 03:56 white_house

Help appreciated, thanks.

ravenpl (Poland) replied:

Check the /proc/76533/exe symlink: where does it point?
Also read the content of /proc/76533/cmdline # it can point to the real script
netstat -ltunp | grep 76533 # to see if the process has some IP ports open in listen state
netstat -tunp | grep 76533 # to see if it has any connections started
lsof | grep 76533 # to see which files it has opened
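A small triage script, added here as an illustration and not code from the thread, that pulls the PID and the claimed command out of the ps line from the question, checks whether that claimed path exists on disk, and then collects the /proc evidence ravenpl lists for a live PID. It assumes a Linux-style procfs at /proc; the procstat and sockstat commands named in the comments are the FreeBSD equivalents and are an assumption about the asker's system.

```shell
#!/bin/sh
# Constructed copy of the ps line from the question, used as sample input.
SAMPLE_PS_LINE='apache 76533 85.4  0.3  3784 3152  ??  R     3:56AM 277:47.22 /usr/local/firewall (perl)'

# In `ps aux`-style output field 2 is the PID.
pid_from_ps_line() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# Field 11 is the name the process reports for itself (argv[0]). A script can
# overwrite it (perl: $0 = "/usr/local/firewall"), which is why ps appends
# "(perl)": the kernel still knows the real image is the perl interpreter.
claimed_cmd_from_ps_line() {
    printf '%s\n' "$1" | awk '{ print $11 }'
}

# Returns 0 if the claimed command exists on disk, 1 if it does not. A running
# process whose "binary" is missing points to a forged name or a deleted file.
claimed_path_exists() {
    [ -e "$1" ]
}

# Gather the evidence ravenpl listed for a live PID. Assumes /proc (Linux);
# on FreeBSD (which the "??" tty column suggests) use procstat -b / -c / -f
# and sockstat instead.
triage_pid() {
    pid=$1
    echo "== real executable (not the forged argv[0]) =="
    readlink "/proc/$pid/exe" 2>/dev/null || echo "(no /proc/$pid/exe)"
    echo "== working directory, often where the script lives =="
    readlink "/proc/$pid/cwd" 2>/dev/null || echo "(unavailable)"
    echo "== full argv (NUL-separated in cmdline) =="
    tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline" || echo "(unavailable)"
    echo
    echo "== open files (the script file itself usually shows up here) =="
    ls -l "/proc/$pid/fd" 2>/dev/null || echo "(unavailable)"
    echo "== listening sockets and established connections =="
    netstat -tunap 2>/dev/null | grep "[[:space:]]$pid/" || echo "(none, or no permission)"
}

# Stand-alone use: ./triage.sh 76533
if [ "$#" -gt 0 ]; then
    triage_pid "$1"
fi
```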
bizjosh (asker) replied:

->  check the /proc/76533/exe symlink - where it points?
How do I check?
ravenpl (asker-certified solution):
