overload on server

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
19249 apache 25 0 7768 3648 1892 R 97.8 0.7 94:58.17 perl

99% CPU used for that process!!

When pressing c while running top, I see:

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
19249 apache 25 0 7768 3648 1892 R 99.9 0.7 95:21.87 [httpd]

Any idea what this is?

How do I trace what the trouble is?
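For the symptom shown above (a perl binary that reports itself as [httpd] once top -c reveals the command line), here is an added POSIX sh example, not from this thread or from InterWorx, that compares the name a process displays with the binary that is actually executing. It assumes a Linux /proc that provides /proc/PID/comm (kernel 2.6.33 and later); classify_proc and scan_proc are names chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): flag processes whose displayed name
# (argv[0], what top shows after pressing 'c') disagrees with the binary
# that is really running, as with the perl process listed as [httpd].

# classify_proc EXE COMM ARGV0
#   EXE   - resolved target of /proc/PID/exe
#   COMM  - contents of /proc/PID/comm (the kernel's own short name)
#   ARGV0 - first cmdline argument (what top -c and ps display)
# Prints "ok" or a reason; returns 1 when the process looks suspicious.
classify_proc() {
    exe=$1 comm=$2 argv0=$3
    exe_base=${exe##*/}
    argv_base=${argv0##*/}
    argv_base=${argv_base#-}      # login shells show as "-bash": not suspicious
    # Real kernel threads have an EMPTY cmdline. A userland process whose
    # argv[0] is written like "[httpd]" is only dressed up as one.
    case "$argv0" in
        "["*"]") echo "suspicious: userland process named like a kernel thread ($argv0), exe=$exe"; return 1 ;;
    esac
    # Heuristic: argv[0] should match either the executable or comm.
    # Interpreters keep the script name in argv[1], so perl stays "perl".
    if [ "$exe_base" != "$argv_base" ] && [ "$comm" != "$argv_base" ]; then
        echo "suspicious: exe=$exe_base comm=$comm argv0=$argv0"
        return 1
    fi
    echo "ok"
    return 0
}

# scan_proc: walk /proc and print one line per process that classify_proc
# flags. Processes we may not inspect (other users, kernel threads) are
# skipped, so run it as root for a full picture.
scan_proc() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        [ -z "$exe" ] && continue
        comm=$(cat "$d/comm" 2>/dev/null)
        argv0=$(tr '\000' '\n' < "$d/cmdline" 2>/dev/null | head -n 1)
        [ -z "$argv0" ] && continue
        result=$(classify_proc "$exe" "$comm" "$argv0") || echo "PID $pid: $result"
    done
}

# Usage: sh checkproc.sh --scan
case "${1-}" in --scan) scan_proc ;; esac
```

A hit only tells you which PID to look at; strace -f -p PID and a look at the script path in /proc/PID/cmdline will show where it came from.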

If this is still happening, the first thing I'd do is

killall httpd

and then

service httpd start

and wait to see if it happens again.

If it does, you've probably been hacked and need to investigate. (In either event an investigation is a good idea.)

Assuming a hack, the likely culprit is an out of date version of a PHP script such as phpBB, Nuke, etc.

There are many posts on the forums here about investigating a hacked box.

You can run the command top and see what the PID number is, and should be able to do a bit more research from there.

Thanks,
Clint

He already has the PID = 19249 :slight_smile: But yeah, top gives a lot of useful info as well.

Fixed with mod_security.
Really useful tool!
I recommend the InterWorx people add that!!
It's really amazing and super easy to use!

Check out gotroot.com

GREAT! stuff.

Clint

Yes, mod_security is ONE of the security tools to have (some others to have are at r-fx.org).

You mean that you now block all Perl processes?

I think your problem may come back, one day or another…

If it does, I'd do a strace -f -p PID

It will show you a trace of the process PID, and may tell you from which website the problem is coming.

You should also check your /tmp directory (ls -al /tmp), look for suspicious text files and delete them (lots of IRC robots).

Also I suggest you change your /tmp, to mount it without exec permission.
Not sure if you can easily do this last thing without reformatting ALL your HDD (not sure, but let me know).

Pascal

Just a couple of side notes. Changing a partition to use noexec isn't difficult (as long as it's not the / partition). Just edit the fstab and then remount the partition, either by manually unmounting and then mounting again, or by using the '-o remount' param.

However, changing /tmp to ‘noexec’ has been known to cause problems with logrotate. This is not an InterWorx problem, but a problem with logrotate. If you do mount /tmp with ‘noexec’, you’ll start to get error messages from logrotate. Googling will provide workarounds that other people have found for this problem.

Socheat

Changing a partition to noexec isn't difficult indeed, but changing a /tmp directory to a partition is a little more complex. Isn't it?

I used this method a long time ago

About the logrotate, you're right, Socheat.
The man on logrotate says you can put shell commands between the “prerotate” and “endscript” sections of the configuration file.
So we could try putting something like

prerotate
mount -o remount,exec /tmp
mount -o remount /tmp
endscript

Ah, ok, I misunderstood. You are right, if /tmp isn't already its own partition, it could be difficult. And you are also correct about the prerotate and endscript options, though I've never tried it myself.

Socheat

haha you didn't misunderstand, I really did a bad job explaining :slight_smile: