DirectAdmin PIDs keep increasing

[Exprezstar]

Hi,

I am running DA 1.33 on CentOS 5.2, and there are an unusually large number of DA PIDs and Apache PIDs, with the DA PIDs increasing every refresh.

It does sound like I've got a trojan horse in the system. "/var/tmp" is empty and I suspect it's linked elsewhere since

$ ls -laF
total 16
drwxrwxrwt  2 root root 4096 Feb 20 00:40 ./
drwxr-xr-x 29 root root 4096 Feb 20 00:40 ../

Can someone please tell me how to get rid of the rogue processes?

My /var/tmp is already mounted with the following:

/dev/VolGroup00/LogVol01 /tmp                    ext3    loop,rw,noexec,nosuid,nodev        0 0

Appreciate any help. Am at my wit's end.

 

[scsi]

You talk about pids yet you show no ps output.

 

[Exprezstar]

ps -ef | grep apache
apache   28201 28195  0 01:28 ?        00:00:00 /usr/sbin/httpd -k start -DSSL
apache   28202 28195  0 01:28 ?        00:00:00 /usr/sbin/httpd -k start -DSSL
apache   28203 28195  0 01:28 ?        00:00:00 /usr/sbin/httpd -k start -DSSL
apache   28204 28195  0 01:28 ?        00:00:00 /usr/sbin/httpd -k start -DSSL
apache   28205 28195  0 01:28 ?        00:00:00 /usr/sbin/httpd -k start -DSSL
apache   28288 28195  0 01:28 ?        00:00:00 /usr/sbin/httpd -k start -DSSL
apache   28295 28195  0 01:29 ?        00:00:00 /usr/sbin/httpd -k start -DSSL
apache   28297 28195  0 01:29 ?        00:00:00 /usr/sbin/httpd -k start -DSSL
apache   28298 28195  0 01:29 ?        00:00:00 /usr/sbin/httpd -k start -DSSL
-user-   28525 19892  0 01:31 pts/4    00:00:00 grep apache

 

[Exprezstar]

$ ps -ef | grep nobody
nobody   28151     1  0 01:27 ?        00:00:00 /usr/local/directadmin/directadmin d
nobody   28838 28151  0 01:36 ?        00:00:00 /usr/local/directadmin/directadmin d
nobody   28839 28151  0 01:36 ?        00:00:00 /usr/local/directadmin/directadmin d
nobody   28840 28151  0 01:37 ?        00:00:00 /usr/local/directadmin/directadmin d
nobody   28844 28151  0 01:37 ?        00:00:00 /usr/local/directadmin/directadmin d
nobody   28845 28151  0 01:37 ?        00:00:00 /usr/local/directadmin/directadmin d

 

[scsi]

looks normal to me

 

[Exprezstar]

looks normal to me

The PIDs increase at every instance of the refresh, is this normal?

 

[Exprezstar]

The PIDs increase at every instance of the refresh, is this normal?

Forgot to mention, there are 6 instances. 5 increase at every refresh. And the server is not getting any DA traffic at the moment.

1. directadmin directadmin (pid 9787 10252 10254 10255 10256 10257 )
2. directadmin directadmin (pid 9787 10281 10282 10290 10291 10293 )
3. directadmin directadmin (pid 9787 10336 10337 10339 10340 10341 )

Taken at 5 second intervals

 

[tillo]

Depending on your apache MPM config, yes it can be normal.
DA usually forks 5 times and keeps those processes active, but it may be some constant refresh for whatever reason.

To be sure that the httpd processes are launched by the master httpd process, and same thing for directadmin, just run "pstree -up" and look at the tree. There shouldn't be any "bash" or "sh" process before them, and they shouldn't be attached directly to the "init" process.
If they do, check in "proc/<PID number>" that all the variables are normal (for example, that the "exe" symlink points to the exact location of the directadmin or httpd binary).

 

[Exprezstar]

Thanks for the reply tillo.

        ├─directadmin(9787,nobody)─┬─directadmin(10361)
        │                          ├─directadmin(10362)
        │                          ├─directadmin(10363)
        │                          ├─directadmin(10364)
        │                          └─directadmin(10422)

I got this, so I guess I'm fine. But that still doesn't explain the /var/tmp being empty.

Pardon my paranoia, but I just copied over some files from another DA machine hacked by the RoundCube exploit, so I'm wondering if the bad scripts made their way over. I certainly hope not. BTW, I've already done "./build php_secure" on this server.

 

[Exprezstar]

Something's not right. My /var/tmp is still showing the dud directory listing (see first post) even after a reboot. Can anyone help?

 

[DirectAdmin Support]

Hello,

/var/tmp is not /tmp .. unless you've got is symbolically linked to /tmp.

ls -lad /var/tmp
ls -lad /tmp

Regarding the PIDs increasing, that's how DA is designed.

There is 1 parent process.. and each request you make (reloading that page) creates a new child.
Child processes die (exit) once they're done serving that 1 request, and a new one is spawned by the parent process.
This is normal, there is nothing wrong with that.

John