Determine from where "sh" is being run under the apache www-data user using PF or NETSTAT

Posted by Eugene van der Merwe on Server Fault See other posts from Server Fault or by Eugene van der Merwe
Published on 2013-10-26T08:16:44Z Indexed on 2013/10/26 9:56 UTC


I am working with a compromised Ubuntu 8.04 Plesk 9.5.4 server. It seems that a script on the server is continuously doing reverse lookups to random IPs on the Internet.

I first spotted it by using top and then noticed flashes of this coming up continuously: sh -c host -W 1 '198.204.241.10'

I wrote this script to interrogate ps every 1 second to see how frequently this script happens:

#!/bin/bash
# Poll the process table once a second and print every "sh -c host" invocation.
while :
do
    # The bracketed first character keeps the egrep process itself out of the
    # results (its own command line contains "[s]h -c host", which the regex
    # "sh -c host" does not match).
    ps -ef | egrep -i "[s]h -c host"
    sleep 1
done

The results are that this script runs often, every few seconds:

www-data 17762  8332  1 10:07 ?        00:00:00 sh -c host -W 1 '59.58.139.134'
www-data 17772  8332  1 10:07 ?        00:00:00 sh -c host -W 1 '59.58.139.134'
www-data 17879 17869  0 10:07 ?        00:00:00 sh -c host -W 1 '198.204.241.10'
www-data 17879 17869  1 10:07 ?        00:00:00 sh -c host -W 1 '198.204.241.10'
www-data 17879 17869  0 10:07 ?        00:00:00 sh -c host -W 1 '198.204.241.10'
root     18031 17756  0 10:07 pts/2    00:00:00 egrep -i sh -c host
www-data 18078 16704  0 10:07 ?        00:00:00 sh -c host -W 1 '59.58.139.134'
www-data 18125 17996  0 10:07 ?        00:00:00 sh -c host -W 1 '91.124.51.65'
root     18131 17756  0 10:07 pts/2    00:00:00 egrep -i sh -c host
www-data 18137 17869  0 10:07 ?        00:00:00 sh -c host -W 1 '198.204.241.10'
www-data 18137 17869  1 10:07 ?        00:00:00 sh -c host -W 1 '198.204.241.10'

My theory is if I can see who is launching the sh process or from where it's launched I can isolate the problem further.

Can somebody please guide me using netstat or ps to identify from where sh is being run?

I might get many suggestions that the OS is out of date and so is Plesk, but please bear in mind there are some very concrete reasons why this server is running legacy software. My question is aimed at advanced Linux systems administrators who have in-depth experience with security compromises and using netstat and ps to get to the bottom of it.
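The third column of the ps -ef output above is the parent PID (8332, 17869, 16704, 17996), and that parent is the process to look at: the sh is transient, but whatever forks it stays resident. The script below is an added example, not part of the original question or any answer to it; it reads /proc directly (so it works on a host where ps is absent or where you do not trust it), finds every process whose command line matches an egrep-style pattern, and prints the whole parent chain for each match with the user, working directory and executable of every ancestor. It assumes a Linux /proc filesystem and is meant to be run as root so every process's /proc entry is readable; the function names and the pattern 'sh -c host' are taken from the question, everything else is constructed here.

```shell
#!/bin/bash
# Added example: walk the parent chain of every process whose command line matches a
# pattern, reading /proc directly rather than parsing ps. Assumes Linux /proc.

# Read one field ("PPid", "Uid", "Name") from /proc/PID/status; empty if the PID is gone.
status_field() {
    awk -v f="$2:" '$1 == f { print $2; exit }' "/proc/$1/status" 2>/dev/null
}

# Print "pid ppid user cwd=... exe=... cmdline" for PID, or nothing (status 1) if the
# process no longer exists or its /proc entry is not readable.
proc_line() {
    local pid="$1" ppid uid user cwd exe cmd
    [ -r "/proc/$pid/status" ] || return 1
    ppid=$(status_field "$pid" PPid)
    uid=$(status_field "$pid" Uid)
    user=$(id -nu "$uid" 2>/dev/null || echo "$uid")
    # cwd and exe are the most useful forensic details: they show the directory the
    # parent was started from and the binary that is actually running as www-data.
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
    [ -n "$cmd" ] || cmd="[$(status_field "$pid" Name)]"   # kernel thread or zombie
    printf '%s %s %s cwd=%s exe=%s %s\n' "$pid" "$ppid" "$user" "$cwd" "$exe" "$cmd"
}

# Print the ancestry of PID, one process per line, from the process itself up to PID 1.
ancestry() {
    local pid="$1" line
    while [ -n "$pid" ] && [ "$pid" != 0 ]; do
        line=$(proc_line "$pid") || break
        echo "$line"
        pid=$(status_field "$pid" PPid)
    done
}

# For every process whose command line matches the extended regex PATTERN (the same
# pattern you would hand to egrep), print its ancestry. The first line of each block
# is the transient sh itself; the lines after it are who spawned it and from where.
trace_pattern() {
    local pattern="$1" dir pid cmd
    for dir in /proc/[0-9]*; do
        pid=${dir#/proc/}
        [ "$pid" = "$$" ] && continue            # skip this script itself
        cmd=$(tr '\0' ' ' < "$dir/cmdline" 2>/dev/null) || continue
        printf '%s\n' "$cmd" | grep -Eq "$pattern" || continue
        echo "== match pid $pid"
        ancestry "$pid"
    done
}

# Usage (as root), looping because each sh lives only a fraction of a second:
#   while :; do trace_pattern 'sh -c host'; sleep 1; done
```

Because the sh processes are so short-lived, run trace_pattern in a loop as the question's own script does; the parent chain is what you keep. A parent whose exe is a PHP or Apache binary with a cwd under a vhost's document root points at a web shell or a modified script in that directory, whereas a parent with a deleted exe (readlink shows "(deleted)") or a cwd in /tmp or /dev/shm is a dropped binary. Once you have the parent PID, netstat -tunp (or ss -tunp) restricted to that PID shows its connections, which is the netstat half of the question.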

© Server Fault or respective owner
