Solved

How to check who is running a Perl script on my CentOS/Linux server?

Posted on 2009-04-30
Last Modified: 2013-11-30
Hi,

I would like to request assistance.

May I know how to check who is running a Perl script on my CentOS/Linux server?

FYI, I would like to check who is running "check.cgi" and sending spam using that script.

I have tried the following commands (in the attachment), but I still can't find who is running it or where he put the files.

lsof -p pid just gives me a bunch of running processes, with no indication of where the file is located.

updatedb and locate check.cgi also produce no result, but in top check.cgi is still running.

I would appreciate it if anybody can help.


Thank you.


top - 09:29:07 up 32 days,  6:48,  2 users,  load average: 5.95, 6.49, 7.06
Tasks: 162 total,   3 running, 159 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.3%us,  5.6%sy, 41.7%ni, 16.3%id, 35.5%wa,  0.0%hi,  0.5%si,  0.0%st
Mem:   4149668k total,  3946364k used,   203304k free,    94248k buffers
Swap:  2096376k total,      104k used,  2096272k free,  2621160k cached
 
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
27692 nobody    19   4 12128 7932 1448 S 17.0  0.2 133:32.45 check.cgi
15923 nobody    19   4  9976 5772 1436 S 16.6  0.1 149:30.03 check.cgi
28407 nobody    19   4 10092 5808 1444 R 16.6  0.1 132:54.05 check.cgi
20824 nobody    19   4  204m  85m 5840 S  8.0  2.1   0:02.78 httpd
14119 mysql     21   6  604m 361m 4944 S  7.6  8.9   1889:12 mysqld
 
 
 
root@svr9 [~]# ps aux |grep 15923
nobody   15923 18.5  0.1   9976  5772 ?        SNs  Apr30 149:34 /usr/bin/perl -w ./check.cgi
root     21310  0.0  0.0   3920   664 pts/0    D+   09:29   0:00 grep 15923

Question by:smksa
13 Comments
 
LVL 85

Expert Comment

by:ozo
ID: 24276232
What httpd server are you running?
Does it have a log file?
Can you add logging code to the check.cgi program?
0
 
LVL 2

Author Comment

by:smksa
ID: 24276276
I'm using Apache 2.0.
Yes, it has a log file, but it does not have a check.cgi entry.

May I know how to add the logging code to check whether check.cgi is running?

0
 
LVL 17

Expert Comment

by:owensleftfoot
ID: 24277255
Try lsof -u nobody to find where check.cgi is.
0
 
LVL 2

Author Comment

by:smksa
ID: 24277303
I have run lsof -u nobody; it seems to give thousands of lines ....

The last line is the email spam going out .....

I still can't find where check.cgi resides.

Is there any other way I can detect who is running this Perl script and where it is?

Hope you can help.
0
 
LVL 3

Expert Comment

by:nevvamind
ID: 24277385
Did you try this first of all?
cd /
find . -name check.cgi

0
 
LVL 17

Expert Comment

by:owensleftfoot
ID: 24277465
Try lsof -u nobody | grep check.cgi
0
 
LVL 19

Expert Comment

by:jools
ID: 24277956
Take a look in /proc/27692/cmdline

0
 
LVL 19

Expert Comment

by:jools
ID: 24278255
If you look in /proc/<pid>/cwd you'll see the current working directory. ls -al /proc/<pid>/cwd should show the directory the command is running from.
0
 
LVL 2

Author Comment

by:smksa
ID: 24278585
Hi,

It only shows the following:

root@svr9 [~]# ls -al /proc/32190/cwd
lrwxrwxrwx 1 nobody nobody 0 May  1 20:36 /proc/32190/cwd -> //

root@svr9 [~]# cat /proc/31568/cmdline
/usr/bin/perl-w./check.cgi

Does anybody have any idea?

0
 
LVL 17

Accepted Solution

by:owensleftfoot (earned 2000 total points)
ID: 24278984
cat /proc/27692/environ will give you the working directory of the script
0
 
LVL 19

Expert Comment

by:jools
ID: 24279020
Thanks owensleftfoot, I was trying to find a system I could log onto to check.
0
 
LVL 12

Expert Comment

by:Hugh Fraser
ID: 24281157
The "ps axjf" command will print a process "tree", from which you will be able to find the parent process of the perl command (and its parent, ...). Perl doesn't generally keep the source file open once it's been read, so the lsof command generally won't point you to it. But "lsof -p pid" on the parent process may provide more information, as will owensleftfoot's instructions.
0
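The /proc checks suggested in this thread (cmdline, cwd, environ, and walking up to the parent process) collected into one triage script. This is an added example, not something posted by a participant; the function names and the PROC_ROOT variable are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Triage helpers for a suspicious process, reading only /proc.
# PROC_ROOT is an assumption added for this example so the same functions
# can be pointed at a copied /proc tree; it defaults to the live /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# argv is NUL-separated, which is why plain `cat` shows
# "/usr/bin/perl-w./check.cgi" with the arguments run together.
proc_cmdline() {
    tr '\0' ' ' < "$PROC_ROOT/$1/cmdline" | sed 's/ $//'
}

# Current working directory (may be "/" if the script called chdir).
proc_cwd() {
    readlink "$PROC_ROOT/$1/cwd"
}

# One variable from the environment the process was started with.
# environ is also NUL-separated and is a snapshot from exec time.
proc_env() {
    tr '\0' '\n' < "$PROC_ROOT/$1/environ" | sed -n "s/^$2=//p"
}

# Parent PID from the status file.
proc_ppid() {
    awk '/^PPid:/ { print $2 }' "$PROC_ROOT/$1/status"
}

# Walk from the process up to PID 1, one "pid<TAB>cmdline" line per ancestor.
proc_chain() {
    local pid="$1"
    while [ -n "$pid" ] && [ "$pid" -gt 0 ] && [ -d "$PROC_ROOT/$pid" ]; do
        printf '%s\t%s\n' "$pid" "$(proc_cmdline "$pid")"
        pid="$(proc_ppid "$pid")"
    done
}

# Summary for one PID: what was run, from where, and who started it.
proc_report() {
    printf 'cmdline: %s\n' "$(proc_cmdline "$1")"
    printf 'cwd:     %s\n' "$(proc_cwd "$1")"
    printf 'PWD:     %s\n' "$(proc_env "$1" PWD)"
    printf 'OLDPWD:  %s\n' "$(proc_env "$1" OLDPWD)"
    printf 'parents:\n'; proc_chain "$1" | sed 's/^/  /'
}
```

Run as root, `proc_report 27692` prints the summary for one of the check.cgi PIDs; reading another user's environ requires root.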
 
LVL 19

Expert Comment

by:jools
ID: 24282289
I thought this may help;
   http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Apache/Q_21675761.html

I knew it rang a bell of sorts...
0
