Since this morning, I have a huge problem with the interworx-cp httpd server.
There is another httpd running named hsphere. I didn't install this at all.
When I stop my httpd services and kill all /hsphere/…/httpd jobs, then restart the httpd service, the hsphere httpd server comes back. Is it a hack?
18837 ? S 0:00 /usr/sbin/httpd -DSSL
18840 ? S 0:00 _ /usr/sbin/httpd -DSSL
18865 ? Z 0:00 | _ [sh <defunct>]
18841 ? S 0:01 _ /usr/sbin/httpd -DSSL
18842 ? S 0:00 _ /usr/sbin/httpd -DSSL
18843 ? S 0:00 _ /usr/sbin/httpd -DSSL
18844 ? S 0:00 _ /usr/sbin/httpd -DSSL
19490 ? Z 0:00 | _ [sh <defunct>]
18846 ? S 0:00 _ /usr/sbin/httpd -DSSL
19482 ? Z 0:00 | _ [sh <defunct>]
18848 ? S 0:02 _ /usr/sbin/httpd -DSSL
18849 ? S 0:00 _ /usr/sbin/httpd -DSSL
18850 ? S 0:00 _ /usr/sbin/httpd -DSSL
18851 ? S 0:00 _ /usr/sbin/httpd -DSSL
18874 ? S 0:01 _ /usr/sbin/httpd -DSSL
18875 ? S 0:00 _ /usr/sbin/httpd -DSSL
18869 ? R 0:47 /hsphere/shared/apache/bin/httpd -DSSL
18872 ? S 0:00 /usr/bin/httpd -DSSL
19486 ? R 0:50 /hsphere/shared/apache/bin/httpd -DSSL
19489 ? S 0:00 /usr/bin/httpd -DSSL
19501 ? S 0:00 /hsphere/shared/apache/bin/httpd -DSSL
19504 ? S 0:00 /usr/bin/httpd -DSSL
The [sh <defunct>] seems to be a Perl program. I have huge Perl programs running in top.
I have updated my database with updatedb and tried to locate hsphere (locate hsphere), but I didn't find it :\
Do you know a tool to check if some files have changed or have been corrupted, or … to check if I've been hacked?
The problem now is that I had to stop my httpd service, because as soon as I start it all the Perl programs and the hsphere httpd restart. My load average then goes up to 50.
Check your /tmp and you will probably find worm.txt and bot.txt files. The attacker most likely got in through the recent phpBB vulnerabilities and used them to download / execute the bot. The script runs with the /hsphere path on purpose to throw off investigations.
How to protect? Use a firewall to block unused ports (the script uses 6667 to communicate), install mod_security to filter out "bad" URLs as you find them, chmod wget 700 as the script uses wget to get the file, and finally UPDATE PHPBB!
You won’t find anything via rkhunter or chkrootkit as this isn’t a rootkit or even a root exploit.
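A small triage script for the indicators named in this reply (httpd processes running from the misleading /hsphere path, worm.txt / bot.txt in /tmp, and a wget binary still executable by non-root users). This is an added example, not code from the thread; the SAMPLE_PS listing inside it is constructed from the ps output posted above.

```shell
#!/bin/sh
# Triage checks for the bot described in the thread. Added example, not
# code from the thread; SAMPLE_PS is a constructed ps listing.

# Constructed sample of `ps axf` output, modelled on the listing posted above.
SAMPLE_PS='18837 ? S 0:00 /usr/sbin/httpd -DSSL
18869 ? R 0:47 /hsphere/shared/apache/bin/httpd -DSSL
18872 ? S 0:00 /usr/bin/httpd -DSSL
19486 ? R 0:50 /hsphere/shared/apache/bin/httpd -DSSL'

# Print the PID of every process (ps lines on stdin) whose command line
# references /hsphere/, so they can be reviewed with `ls -l /proc/<pid>/exe`.
suspicious_pids() {
    awk '/\/hsphere\// { print $1 }'
}

# Print how many of the dropped files named in the reply exist in a
# directory (default /tmp); a non-zero count is a strong sign of the bot.
dropped_files() {
    dir="${1:-/tmp}"
    n=0
    for f in worm.txt bot.txt; do
        if [ -e "$dir/$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Return 0 (true) when a binary (default: wget on PATH) is executable by
# group or others, i.e. it has not yet been restricted with `chmod 700`.
too_open() {
    bin="${1:-$(command -v wget 2>/dev/null)}"
    [ -n "$bin" ] || return 1
    # Characters 5-10 of an `ls -l` line are the group and other permission bits.
    ls -ld "$bin" | cut -c5-10 | grep -q x
}

echo "hsphere processes in sample:"
printf '%s\n' "$SAMPLE_PS" | suspicious_pids
echo "worm.txt/bot.txt in /tmp: $(dropped_files /tmp)"
if too_open; then
    echo "wget is executable by non-root users: consider chmod 700"
else
    echo "wget absent or already restricted"
fi
```

Feed `ps axf` into `suspicious_pids` on the affected box; the process list is a reliable indicator here because the rootkit checkers mentioned above will not flag this kind of userland bot.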
That is a source RPM if I'm not mistaken, so it puts the files it extracts in the same place (subdirectory) as your other RedHat (or CentOS or whatever you are running) sources. Can't remember right now. You then need to compile it.
Chris, where is wget to chmod it (in a bin directory somewhere I assume)?
To both of you (and anyone else reading): I hope you had a great Christmas and have a happy new year!