Determine from where is "sh" being run under apache www-data user using using PF or NETSTAT
- by Eugene van der Merwe
I am working with a compromised Ubuntu 8.04 Plesk 9.5.4 server. It seems that a script on the server is continuously doing reverse lookups to random IPs on the Internet.
I first spotted it during by using top and then noticed flashes of this coming up continuously:
sh -c host -W 1 '198.204.241.10'
I wrote a this script to interrogate ps every 1 second to see how frequently this script happens:
#!/bin/bash
while :
do
ps -ef | egrep -i "sh -c host"
sleep 1
done
The results are that this script runs often, every few seconds:
www-data 17762 8332 1 10:07 ? 00:00:00 sh -c host -W 1 '59.58.139.134'
www-data 17772 8332 1 10:07 ? 00:00:00 sh -c host -W 1 '59.58.139.134'
www-data 17879 17869 0 10:07 ? 00:00:00 sh -c host -W 1 '198.204.241.10'
www-data 17879 17869 1 10:07 ? 00:00:00 sh -c host -W 1 '198.204.241.10'
www-data 17879 17869 0 10:07 ? 00:00:00 sh -c host -W 1 '198.204.241.10'
root 18031 17756 0 10:07 pts/2 00:00:00 egrep -i sh -c host
www-data 18078 16704 0 10:07 ? 00:00:00 sh -c host -W 1 '59.58.139.134'
www-data 18125 17996 0 10:07 ? 00:00:00 sh -c host -W 1 '91.124.51.65'
root 18131 17756 0 10:07 pts/2 00:00:00 egrep -i sh -c host
www-data 18137 17869 0 10:07 ? 00:00:00 sh -c host -W 1 '198.204.241.10'
www-data 18137 17869 1 10:07 ? 00:00:00 sh -c host -W 1 '198.204.241.10'
My theory is if I can see who is launching the sh process or form where it's launched I can isolate the problem further.
Can somebody please guide me using netstat or ps to identify from where sh is being run?
I might get many suggestions that the OS is out of date and so the Plesk, but please bear in mind there are some very concrete reasons why this server is running legacy software. My question is aimed at a advanced Linux systems administrators who have in depth experience with security compromises and using netstat and ps to get to the bottom of it.
