Reese Knowledgebase

killing off those pesky perl scripts running as apache


Article ID: 100
by: Reese K.
Posted: 24 Apr, 2013
Last updated: 09 Jul, 2013
Views: 1523

Got Hacked?

It can often be difficult to identify how intruders are making their way into a system and launching perl scripts: they delete their tracks and leave the scripts running only in memory.  Though it is tedious, I've been null routing any suspect IPs to which these perl scripts connect, and/or blocking outbound access to port 6667 altogether, which prevents control of the VPS via IRC.  This at least buys some time so that checks can be run periodically to kill these things off and notify customers to secure their sites (yeah right!).  Okay, so that's unlikely, but we do what we can to mitigate, which sometimes involves a kludge:

First, list the container IDs (CTIDs/VEIDs) that are compromised.  The first command prints the vzlist entry for each unique container that has a perl process running as apache; the second shows the container behind each individual PID:

for veid in $(vzpid $(ps -U apache | grep perl | awk '{ print $1 }') | awk '{ print $2 }' | grep -v VEID | sort -n | uniq); do vzlist -H $veid; done

for pid in $(ps -U apache | grep perl | awk '{ print $1 }'); do vzpid $pid | grep -v VEID; done

Now run through them and kill off those pesky perl scripts:

for veid in $(vzpid $(ps -U apache | grep perl | awk '{ print $1 }') | awk '{ print $2 }' | grep -v VEID | sort -n | uniq)
do
  vzctl exec $veid "kill -9 \$(ps -U apache --no-headers -o pid); /etc/init.d/httpd restart"
done

or in one command:

for veid in $(vzpid $(ps -U apache | grep perl | awk '{ print $1 }') | awk '{ print $2 }' | grep -v VEID | sort -n | uniq); do vzctl exec $veid "kill -9 \$(ps -U apache --no-headers -o pid); /etc/init.d/httpd restart"; done

Don't forget to identify which IP these hosts are connecting to and null route that IP on the hwnode.  In the past, I've notified providers of that IP to let them know that their server has been compromised.  This has proven especially helpful when they do take action and shut down or correct the problem on their end.
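As an added example that is not part of the original article, the script below ties the steps above together as a reviewable dry run: it derives the perl PIDs and their containers from constructed ps and vzpid output, pulls the remote IPs those PIDs are connected to from a constructed netstat -ntp listing, and prints the vzctl and null-route (ip route blackhole) commands instead of executing them. The column layouts and all sample values are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own script. It assumes the column layouts
# of `ps -U apache -o pid=,comm=`, `vzpid` ("Pid VEID Name", as on the page)
# and `netstat -ntp`. It never runs vzctl or ip itself: it prints the
# commands so they can be reviewed before being run on the hardware node.

# Constructed sample of `ps -U apache -o pid=,comm=` taken on the hwnode.
SAMPLE_PS='1234 httpd
1301 perl
1450 perl
1460 perl
1502 httpd'

# Constructed sample of `vzpid 1301 1450 1460` (two PIDs in container 101).
SAMPLE_VZPID='Pid VEID Name
1301 101 perl
1450 203 perl
1460 101 perl'

# Constructed sample of `netstat -ntp`; the perl PIDs sit on an IRC port.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 10.0.0.5:48210 203.0.113.7:6667 ESTABLISHED 1301/perl
tcp 0 0 10.0.0.5:48211 203.0.113.7:6667 ESTABLISHED 1450/perl
tcp 0 0 10.0.0.5:80 198.51.100.9:51234 ESTABLISHED 1234/httpd'

# PIDs of perl processes, from ps output (pid comm) on stdin.
perl_pids() { awk '$2 == "perl" { print $1 }'; }
# Sorted unique container IDs from vzpid output on stdin, header dropped.
veids_from_vzpid() { awk '$2 != "VEID" { print $2 }' | sort -n | uniq; }

# Remote IPs the given PIDs are connected to, from netstat -ntp on stdin.
# Usage: remote_ips "1301 1450" < netstat_output
remote_ips() {
  awk -v pids=" $1 " '$1 == "tcp" {
    split($7, p, "/")
    if (index(pids, " " p[1] " ")) { sub(/:[0-9]+$/, "", $5); print $5 }
  }' | sort -u
}
# The kill/restart command per container and a blackhole route per remote IP.
plan() {
  for veid in $(printf '%s\n' "$SAMPLE_VZPID" | veids_from_vzpid); do
    printf 'vzctl exec %s "kill -9 \\$(ps -U apache --no-headers -o pid); /etc/init.d/httpd restart"\n' "$veid"
  done
  pids=$(printf '%s\n' "$SAMPLE_PS" | perl_pids | tr '\n' ' ')
  for ip in $(printf '%s\n' "$SAMPLE_NETSTAT" | remote_ips "$pids"); do
    printf 'ip route add blackhole %s/32\n' "$ip"
  done
}
plan
```

On a live hwnode, replace the three SAMPLE_ variables with the real command output and only run the printed commands once you have checked them.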
