Thread: Trouble-making perl scripts avoiding identification - how to snatch then?

  1. #1

    Trouble-making perl scripts avoiding identification - how to snatch then?

    Hello

    I have a problem I haven't found a way to solve.

    One of our OpenSuSE servers is bombarding our firewall crazily but I can't find out what the reason is.

    With top and ps I can analyze it to some extent, but not enough to really pinpoint the problem.

    There are two contractors who have produced net applications to the site and I would like to know which of them or if it is something different altogether.

    What I have done:

    By top and ps I have found out that there are six processes that are running over 10 percent load on CPU each. Top lists them as perl and by ps I get command line as /usr/sbin (whatever the ps switches). The process is run by wwwrun.

    I think if I could get the real command line, the pin-pointing would be straightforward, but now I just can't get anything more out of it.

    I would very much appreciate any further debugging hints.

    I also hope this is the right forum, as this is my first post here.

    Thanks for any hints or pointers. If I can give further info, just ask.

    hannu

  2. #2

    Re: Trouble-making perl scripts avoiding identification - how to snatch then?

    Susehannu wrote:
    > By top and ps I have found out that there are six processes that are
    > running over 10 percent load on CPU each. Top lists them as perl and by
    > ps I get command line as /usr/sbin (whatever the ps switches). The
    > process is run by wwwrun.


    ps should show you the full command-line. Please post the actual ps
    commands you have tried and the actual output. Note that you may need to
    make your terminal window wider.

  3. #3

    Re: Trouble-making perl scripts avoiding identification - how to snatch then?

    This is one process, simply with the w parameter:

    ps w 3922
    PID TTY STAT TIME COMMAND
    3922 ? R 10521:57 /usr/sbin/

    Actually this is the most I ever got for that line with whatever parameters (like aux, auxw, ...).

    hannu

  4. #4

    Re: Trouble-making perl scripts avoiding identification - how to snatch then?

    On 2012-01-27 13:46, Susehannu wrote:
    >
    > This is one process simple with w parameter
    >
    > ps w 3922
    > PID TTY STAT TIME COMMAND
    > 3922 ? R 10521:57 /usr/sbin/
    >
    > actually this the most I ever got for that line with whatever
    > parameters (like aux, auxw,...)


    You have the PID. You can get the command line from /proc/3922/cmdline, and
    much more.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.4 x86_64 "Celadon" at Telcontar)

  5. #5

    Re: Trouble-making perl scripts avoiding identification - how to snatch then?

    Carlos E. R. wrote:
    > On 2012-01-27 13:46, Susehannu wrote:
    >> This is one process simple with w parameter
    >>
    >> ps w 3922
    >> PID TTY STAT TIME COMMAND
    >> 3922 ? R 10521:57 /usr/sbin/
    >>
    >> actually this the most I ever got for that line with whatever
    >> parameters (like aux, auxw,...)

    >
    > You have the PID. You can get the command line from /proc/3922/cmdline, and
    > much more.


    I'm a bit concerned why the ps isn't reporting the command-line. It
    seems like the program must have done something unusual, and perhaps
    bad, such as overwriting its $0. In which case /proc/3922/cmdline will
    contain the same rubbish.

    Also, the /usr/sbin is a little worrying. The script shouldn't be
    running as root should it? So shouldn't have anything to do with /usr/sbin.

    I'd be poking through the sources of those programs.
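    The poster above notes that a script which overwrites its $0 also blanks /proc/PID/cmdline. The following is an added example (not code from the thread or any poster) showing how a defender can still attribute such a process to an application by reading the /proc entries the kernel maintains independently of argv: exe, comm, cwd, status and open file descriptors. It assumes Linux procfs mounted at /proc and read permission on the target PID.

```shell
#!/bin/sh
# Added example, not code from the thread: identify a process whose ps
# COMMAND column is blank by reading the /proc/<pid> entries the kernel
# maintains itself. A script that rewrites $0 can blank argv (and so
# /proc/<pid>/cmdline), but it cannot change exe, comm, cwd, fds or status.
# Assumes Linux procfs mounted at /proc and read access to the target PID.

# argv as the process currently presents it (NUL-separated on disk).
proc_cmdline() { tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null; }

# True when argv is empty or unreadable. Also true for zombies and kernel
# threads, so the State line is reported alongside it.
cmdline_hidden() { [ -z "$(proc_cmdline "$1")" ]; }

proc_exe()   { readlink "/proc/$1/exe" 2>/dev/null; }   # real binary, e.g. /usr/bin/perl
proc_comm()  { cat "/proc/$1/comm" 2>/dev/null; }       # name taken from the executable
proc_cwd()   { readlink "/proc/$1/cwd" 2>/dev/null; }   # directory it runs in
proc_field() { awk -v k="$2:" '$1 == k {print $2}' "/proc/$1/status" 2>/dev/null; }

# Regular files the process still holds open: for an interpreter this often
# includes the script, its log or data files, which name the owning application.
proc_open_files() {
    for fd in "/proc/$1/fd"/*; do
        t=$(readlink "$fd" 2>/dev/null) || continue
        [ -f "$t" ] && echo "$t"
    done
}

# Report everything needed to attribute one PID to an application/owner.
inspect_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    echo "pid:     $pid  uid=$(proc_field "$pid" Uid)  ppid=$(proc_field "$pid" PPid)  state=$(proc_field "$pid" State)"
    echo "comm:    $(proc_comm "$pid")"
    echo "exe:     $(proc_exe "$pid")"
    echo "cwd:     $(proc_cwd "$pid")"
    if cmdline_hidden "$pid"; then
        echo "cmdline: <empty: argv was overwritten, or the process is a zombie/kernel thread>"
    else
        echo "cmdline: $(proc_cmdline "$pid")"
    fi
    echo "open files:"
    proc_open_files "$pid" | sed 's/^/  /'
}

# Usage: sh inspect_pid.sh <pid>
if [ -n "${1:-}" ]; then inspect_pid "$1"; fi
```

    Run it against each of the busy PIDs from top; the exe, cwd and open-file lines usually point at the contractor's directory even when cmdline is empty, and the uid line confirms whether it really runs as wwwrun.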

  6. #6

    Re: Trouble-making perl scripts avoiding identification - how to snatch then?

    Sorry for the delay in responding. We had another (totally unconnected) problem elsewhere and then I had to leave before I had time to respond.

    It is exactly as you thought. The /proc/3922/cmdline was empty.

    I have to dig in deeper in this.

    Thank you.

    If I find something new to ask, I'll drop in.

    It is very probable that I can't report the cause (probably the code produced by one contractor), but I am very grateful for the help.

    Best regards

    hannu

  7. #7

    Re: Trouble-making perl scripts avoiding identification - how to snatch then?

    On 2012-01-27 20:56, Susehannu wrote:

    > It is exactly as you thought. The /proc/3922/cmdline was empty.


    That doesn't look good. It is suspicious.


    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.4 x86_64 "Celadon" at Telcontar)

  8. #8

    Re: Trouble-making perl scripts avoiding identification - how to snatch then?

    I know. I rebooted the computer yesterday and now there are no such processes. I understand that the remedy almost surely isn't the final one, but the situation is, at least for now, a bit better.

    I shall have a very keen eye for this server and I probably have to replace it if the situation ever repeats.

    I want to thank you for the help. Unfortunately I have such a large area of responsibility that I can't swim deep enough in any system, so good help is always appreciated.

    hannu (programmer, database administrator and Linux admin plus part-time Windows/ESX/Sharepoint etc admin)
