Solved

Something is done via perl on webserver - how can I find the causing script?

Posted on 2014-11-20
Last Modified: 2014-11-20
Hi,

On a webserver there is something wrong (in my opinion). Perl is using much CPU. If I use lsof on its PID, I get this:

COMMAND PID    USER   FD   TYPE DEVICE SIZE/OFF     NODE NAME
perl    693 uvftpzg  cwd    DIR    8,1     4096        2 /
perl    693 uvftpzg  rtd    DIR    8,1     4096        2 /
perl    693 uvftpzg  txt    REG    8,5  1648400 17983266 /usr/bin/perl
perl    693 uvftpzg  mem    REG    8,5    31512 17796254 /usr/lib/perl5/5.10.0/x86_64-linux-thread-multi/auto/Socket/Socket.so
perl    693 account6663  mem    REG    8,5    27464 51082960 /usr/lib/perl5/5.10.0/x86_64-linux-thread-multi/auto/IO/IO.so
perl    693 account6663  mem    REG    8,1  1495120   783548 /lib64/libc-2.8.so
perl    693 account6663  mem    REG    8,1   142867   783542 /lib64/libpthread-2.8.so
perl    693 account6663  mem    REG    8,1    61240   783534 /lib64/libcrypt-2.8.so
perl    693 account6663  mem    REG    8,1    16040   783530 /lib64/libdl-2.8.so
perl    693 account6663  mem    REG    8,1   380776   783535 /lib64/libm-2.8.so
perl    693 account6663  mem    REG    8,1   131240   783549 /lib64/ld-2.8.so
perl    693 account6663  0r  FIFO    0,5      0t0    84033 pipe
perl    693 account6663  1w  FIFO    0,5      0t0    84034 pipe
perl    693 account6663  2w  FIFO    0,5      0t0    84035 pipe
perl    693 account6663  3u  IPv4 146573      0t0      TCP domainname.com:56158->ns1.openhost.lv:arcp (ESTABLISHED)
perl    693 account6663  187r  FIFO    0,5      0t0     8206 pipe
perl    693 account6663  188w  FIFO    0,5      0t0     8206 pipe
perl    693 account6663  189r  FIFO    0,5      0t0     8207 pipe
perl    693 account6663  190w  FIFO    0,5      0t0     8207 pipe

What exactly does this mean? I don't know "ns1.openhost.lv:arcp" ...
How can I find out which script is used for this?


Thanks

Question by: loosain

4 Comments
LVL 28

Accepted Solution

by: Jan Springer earned 250 total points
ID: 40456140
Run a quick check of /tmp ("ls -al /tmp") for programs/files that don't belong.

"ls -alR /etc/cron*" for any installed cron jobs.

"find / -user account6663" to first find the files owned by this account.

LVL 77

Assisted Solution

by: arnold earned 250 total points
ID: 40456340
Look for its PPID.

Grep arcp /etc/services.

This looks like a socket app, but there is no way to say what it is doing; using strace -f -p PID may show what it is doing.

But use ps, and track it down up to the parent.

Look in crons, services chkconfig --list.

....

LVL 77

Expert Comment

by: arnold
ID: 40456351
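The two answers above both come down to the same triage steps: find the process's parent chain, its working directory, and the file it is actually executing. As an added example (not code from either answer), this small POSIX shell helper reads those facts straight from /proc on Linux, which works even when lsof only shows /usr/bin/perl and the script file itself has been moved or deleted; PID 693 is the one from the question.

```shell
#!/bin/sh
# Triage helper for a suspicious process such as the perl PID 693 above.
# Reads /proc directly (Linux), so it still works if the script file has been
# deleted or the process has renamed itself. Example code added to this page.

# Print one line of facts about a PID: pid, ppid, uid, cwd, exe and argv.
# For an interpreter such as perl, the script path is normally argv[1],
# which lsof does not show (it only lists the perl binary as "txt").
describe_pid() {
    pid=$1
    [ -r "/proc/$pid/status" ] || { echo "pid $pid: no such process"; return 1; }
    ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
    uid=$(awk '/^Uid:/ {print $2}' "/proc/$pid/status")
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
    # /proc/PID/cmdline is NUL-separated; turn it into one readable line
    argv=$(tr '\0' ' ' < "/proc/$pid/cmdline")
    printf '%s ppid=%s uid=%s cwd=%s exe=%s argv=%s\n' \
        "$pid" "$ppid" "$uid" "$cwd" "$exe" "$argv"
}

# Print the ancestor PIDs from PID up to init, one per line, child first.
# This is the "track it down up to the parent" step: a perl process whose
# parent is cron, a web server worker or a shell tells you how it was started.
ancestry_chain() {
    pid=$1
    while [ "$pid" -gt 0 ] 2>/dev/null && [ -r "/proc/$pid/status" ]; do
        echo "$pid"
        pid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
    done
}

# Full report: every process in the chain, plus the open descriptors of the
# suspect itself (sockets show up as socket:[inode]).
triage() {
    for p in $(ancestry_chain "$1"); do
        describe_pid "$p"
    done
    echo "--- open fds of $1 ---"
    ls -l "/proc/$1/fd" 2>/dev/null
}

# Usage: sh triage.sh 693
[ "$#" -gt 0 ] && triage "$1"
```

A perl script can rewrite its own $0, so if argv looks innocent, the cwd and the parent chain are still worth checking before trusting it.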
Searching for port arcp, to which your system is connected, suggests it might be a Trojan/compromise.

Do you know what should be running on your system?

Author Closing Comment

by: loosain
ID: 40456459
Thanks. I found a script that should not be there which is causing all this. I moved it away and now no ports are open or perl scripts are running so far.
