Trouble-making perl scripts avoiding identification - how to snatch them?

Hello

I have a problem, I haven’t found a way to solve.

One of our own OpenSuSE servers is bombarding our firewall crazily but I can’t find out what the reason is.

With top and ps I can analyze it to some extent, but not enough to really pinpoint the problem.

There are two contractors who have produced net applications to the site and I would like to know which of them or if it is something different altogether.

What I have done:

By top and ps I have found out that there are six processes that are running over 10 percent load on CPU each. Top lists them as perl and by ps I get command line as /usr/sbin (whatever the ps switches). The process is run by wwwrun.

I think if I could get the real command line, the pin-pointing would be straightforward but now I just can’t get anything more out of it.

I would very much appreciate any further debugging hints.

I also hope this is the right forum, as this is my first post here.

Thanks for any hints or pointers. If I can give further info, just ask.

hannu

Susehannu wrote:
> By top and ps I have found out that there are six processes that are
> running over 10 percent load on CPU each. Top lists them as perl and by
> ps I get command line as /usr/sbin (whatever the ps switches). The
> process is run by wwwrun.

ps should show you the full command-line. Please post the actual ps
commands you have tried and the actual output. Note that you may need to
make your terminal window wider.

This is one process, simply with the w parameter:

ps w 3922
PID TTY STAT TIME COMMAND
3922 ? R 10521:57 /usr/sbin/

actually this is the most I ever got for that line with whatever parameters (like aux, auxw, …)

hannu

On 2012-01-27 13:46, Susehannu wrote:
>
> This is one process, simply with the w parameter:
>
> ps w 3922
> PID TTY STAT TIME COMMAND
> 3922 ? R 10521:57 /usr/sbin/
>
> actually this is the most I ever got for that line with whatever
> parameters (like aux, auxw, …)

You have the PID. You can get the command line from /proc/3922/cmdline, and
much more.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

Carlos E. R. wrote:
> On 2012-01-27 13:46, Susehannu wrote:
>> This is one process, simply with the w parameter:
>>
>> ps w 3922
>> PID TTY STAT TIME COMMAND
>> 3922 ? R 10521:57 /usr/sbin/
>>
>> actually this is the most I ever got for that line with whatever
>> parameters (like aux, auxw, …)
>
> You have the PID. You can get the command line from /proc/3922/cmdline, and
> much more.

I’m a bit concerned why the ps isn’t reporting the command-line. It
seems like the program must have done something unusual, and perhaps
bad, such as overwriting its $0. In which case /proc/3922/cmdline will
contain the same rubbish.

Also, the /usr/sbin is a little worrying. The script shouldn’t be
running as root should it? So shouldn’t have anything to do with /usr/sbin.

I’d be poking through the sources of those programs.
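Both hints above (read /proc/PID/cmdline, and expect it to be useless if the script rewrote its $0) can be combined into a small inspection script. This is an added example, not code from anyone in the thread; it assumes a Linux /proc and enough privilege to read the target process's entries, and defaults to the wwwrun user mentioned in the thread.

```shell
#!/bin/sh
# Added example: identify a process whose ps/cmdline output is empty by
# reading the /proc entries a script cannot rewrite through $0.

# Print what /proc knows about one PID; returns 1 if the process is gone.
proc_identity() {
    pid=$1
    [ -d "/proc/$pid" ] || return 1
    # comm: kernel-side name (a process can change it too, so only a hint)
    comm=$(cat "/proc/$pid/comm" 2>/dev/null)
    # exe: the binary actually mapped, e.g. /usr/bin/perl, regardless of $0
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null)
    # cmdline is NUL-separated; replace NULs with spaces for display
    cmdline=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
    ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status" 2>/dev/null)
    uid=$(awk '/^Uid:/ {print $2}' "/proc/$pid/status" 2>/dev/null)
    printf 'pid=%s comm=%s uid=%s ppid=%s\n' "$pid" "$comm" "$uid" "$ppid"
    printf '  exe=%s\n  cwd=%s\n  cmdline=[%s]\n' "$exe" "$cwd" "$cmdline"
    # Open files usually reveal the script, its data files or its logs
    for fd in "/proc/$pid/fd"/*; do
        [ -e "$fd" ] || continue
        printf '  fd %s -> %s\n' "${fd##*/}" "$(readlink "$fd")"
    done 2>/dev/null
}

# Exit 0 when the command line has been wiped, as in the thread.
# (/proc files always stat as size 0, so the content must be read.)
cmdline_empty() {
    [ -z "$(tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null)" ]
}

# List perl interpreters owned by a user that show no command line.
# Usage: hidden_perl [user]; defaults to wwwrun as in the thread.
hidden_perl() {
    user=${1:-wwwrun}
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        # kernel threads have no exe link and are skipped here
        [ "$(readlink "$d/exe" 2>/dev/null | sed 's|.*/||')" = perl ] || continue
        owner=$(awk '/^Uid:/ {print $2}' "$d/status" 2>/dev/null)
        [ "$(id -un "$owner" 2>/dev/null)" = "$user" ] || continue
        cmdline_empty "$pid" && proc_identity "$pid"
    done
    return 0
}
```

Running `hidden_perl` as root on the affected box would have listed the six processes with their real interpreter path, working directory and open files, which is normally enough to tell which contractor's code they belong to.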

Sorry for the delay in responding. We had another (totally unconnected) problem elsewhere and then I had to leave before I had time to respond.

It is exactly as you thought. The /proc/3922/cmdline was empty.

I have to dig in deeper in this.

Thank you.

If I find something new to ask, I’ll drop in.

It is very probable that I can’t report the cause (probably the code produced by one contractor) but I am very grateful for the help :)

Best regards

hannu

On 2012-01-27 20:56, Susehannu wrote:

> It is exactly as you thought. The /proc/3922/cmdline was empty.

That doesn’t look good. It is suspicious.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

I know. I rebooted the computer yesterday and now there are no such processes. I understand that the remedy almost surely isn’t the final one, but at least the situation is, for now, a bit better.

I shall have a very keen eye for this server and I probably have to replace it if the situation ever repeats.

I want to thank you for the help. Unfortunately I have such a large area of responsibility that I can’t swim deep enough in any system, so good help is always appreciated :)

hannu (programmer, database administrator and Linux admin plus part-time Windows/ESX/Sharepoint etc. admin) ;)