Script to detect illegal apache processes

That means nothing will be excluded and it will kill all your legitimate apache processes. Script edited above.

I'm not sure if I understand what you mean.
Emptying $exclude2 at the beginning of the while loop will not cause "nothing will be excluded", as $exclude2 gets filled based on $exclude later in the loop.

But I agree, your solution is nicer, just place the $exclude2 filling outside if the while loop.

Thanks for adding the $bodyofemail = ""; too.
 
I am giving this a try, and until now it seems to be working, even so I don't understand the email I have just received.
apache 22404 0.7 0.0 0 0 ? R 17:06 0:04 [httpd]

total 0
-r-------- 1 root root 0 jan 27 17:16 auxv
--w------- 1 root root 0 jan 27 17:16 clear_refs
-r--r--r-- 1 root root 0 jan 27 17:06 cmdline
-rw-r--r-- 1 root root 0 jan 27 17:16 coredump_filter
lrwxrwxrwx 1 root root 0 jan 27 17:16 cwd
-r-------- 1 root root 0 jan 27 17:16 environ
lrwxrwxrwx 1 root root 0 jan 27 17:16 exe
dr-x------ 2 root root 0 jan 27 17:16 fd
dr-x------ 2 root root 0 jan 27 17:16 fdinfo
-r-------- 1 root root 0 jan 27 17:16 limits
-r--r--r-- 1 root root 0 jan 27 17:16 maps
-rw------- 1 root root 0 jan 27 17:16 mem
-r--r--r-- 1 root root 0 jan 27 17:16 mounts
-r-------- 1 root root 0 jan 27 17:16 mountstats
-rw-r--r-- 1 root root 0 jan 27 17:16 oom_adj
-r--r--r-- 1 root root 0 jan 27 17:16 oom_score
lrwxrwxrwx 1 root root 0 jan 27 17:16 root
-r--r--r-- 1 root root 0 jan 27 17:16 smaps
-r--r--r-- 1 root root 0 jan 27 17:06 stat
-r--r--r-- 1 root root 0 jan 27 17:16 statm
-r--r--r-- 1 root root 0 jan 27 17:06 status
dr-xr-xr-x 3 apache apache 0 jan 27 17:16 task
-r--r--r-- 1 root root 0 jan 27 17:16 wchan

So there is something not normal about a process, but I must say I don't see what.
Do you?

I suppose it's really specific to every server, but just in case you see something I don't...

Thx,
Sky
 
I am not sure what [httpd] is. I started to exclude it but then one day I saw something masquerading as [httpd] that needed to be killed (some kind of bot) so I did not exclude it. When I try to Google it, Google ignores the [] so I cannot seem to find anything on it. Hopefully somebody else here knows and maybe we can figure out some parameters so that we can determine which ones should be killed and which ones should not.
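The posts above decide by the name ps prints, and the bracketed [httpd] entry shows why that is fragile: ps prints a name in brackets when /proc/PID/cmdline is empty, and the exclusion list cannot tell a real kernel thread from a process that emptied its own argv. The following is an added example, not the script from this thread nor the webhostgear one, that classifies a process by what /proc says about it (cmdline plus the exe link) rather than by its displayed name. It assumes the legitimate Apache binary is /usr/sbin/httpd (override with EXPECTED_HTTPD) and takes a /proc root as a parameter so it can be exercised against a constructed fake tree; the PIDs and paths in the fake tree are made up for the demo.

```shell
#!/bin/sh
# Added example: classify a process from /proc contents instead of the ps name.
# EXPECTED_HTTPD is an assumption for this example; set it to your real binary.
EXPECTED_HTTPD="${EXPECTED_HTTPD:-/usr/sbin/httpd}"

# classify_pid PROC_ROOT PID  -> prints one of:
#   no-cmdline : cmdline is empty, which is what makes ps show "[httpd]";
#                needs a manual look (real kernel threads also have no exe)
#   httpd-ok   : exe link resolves to the expected Apache binary
#   renamed    : cmdline claims httpd but exe points somewhere else
#   other      : anything else, left to the script's exclusion list
classify_pid() {
    procdir="$1/$2"
    [ -d "$procdir" ] || { echo "missing"; return 1; }
    # cmdline is NUL-separated; turn NULs into spaces so it is printable
    cmdline=$(tr '\0' ' ' < "$procdir/cmdline" 2>/dev/null)
    exe=$(readlink "$procdir/exe" 2>/dev/null)
    if [ -z "$cmdline" ]; then
        echo "no-cmdline"
        return 0
    fi
    if [ "$exe" = "$EXPECTED_HTTPD" ]; then
        echo "httpd-ok"
        return 0
    fi
    case "$cmdline" in
        *httpd*) echo "renamed" ;;
        *)       echo "other" ;;
    esac
}

# make_fake_proc DIR: build a constructed /proc-like tree with three PIDs
# (100 legitimate, 101 empty cmdline like the [httpd] above, 102 masquerading).
make_fake_proc() {
    root="$1"
    mkdir -p "$root/100" "$root/101" "$root/102"
    printf '/usr/sbin/httpd\0-k\0start\0' > "$root/100/cmdline"
    ln -s /usr/sbin/httpd "$root/100/exe"
    : > "$root/101/cmdline"                 # empty, as for a bracketed entry
    printf 'httpd\0' > "$root/102/cmdline"
    ln -s /tmp/.fake/httpd "$root/102/exe"  # constructed path, not from the thread
}

# Stand-alone demo against the constructed tree (use "/proc" on a live box).
demo_root=$(mktemp -d)
make_fake_proc "$demo_root"
for pid in 100 101 102; do
    printf '%s %s\n' "$pid" "$(classify_pid "$demo_root" "$pid")"
done
rm -rf "$demo_root"
```

On a live system, run `classify_pid /proc "$pid"` for each PID the detection script is about to kill and only act on `renamed`; `no-cmdline` entries with zero VSZ and RSS, like the one in the ps line above, deserve a look at /proc/PID/status and /proc/PID/task before anything is signalled.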
 
I hate it when someone goes through all the work that Floyd did on this one (excellent job) - to find out later that someone already invented the wheel.

I'm not bashing Floyd at all, I admire his determination and thank him for his work - please take this in the spirit intended.

We've used http://www.webhostgear.com/353.html for a long time, seems to be reliable.
 
There are dozens of posts about people having problems with malicious processes like this. I have had the problem myself. I got tired of having to log in and check out what was wrong and then kill a process. After several times I was able to figure out what to look for each time. So if I could look for the same things every time, so could a script. I have posted many times about how I use a script to detect these processes.

At least one person asked about me releasing it. At those times I was not prepared to release it because it was all jumbled up and basically only I or a programmer could understand it. So I took some time to rewrite it so that the average person could understand the options that needed to be changed so that it could work.

I am not irritated at all that something had already been done. I will probably replace mine with this one. I am glad to have something that is probably better than mine. In fact it's good to know that I had the same basic idea and thought process as a professional programmer.

Joe I guess you don't read the forum as much as I do. But there have been a lot of people here who could have used this information a long time ago. Thanks for posting it now and I will put the link in my first post.
 
Admittedly, I've been busier than normal with new customers and a datacenter relocation - but now that the major headaches are over, I intend to be a lot more active here. I enjoy sharing knowledge with others - and learning from others as well.

I don't know about "better" - maybe some of your concepts could be used to improve the nobody script and make that even better. It is a couple years old, but still, IMHO, very functional.

Thanks for your ideas!
 
We've used http://www.webhostgear.com/353.html for a long time, seems to be reliable.

Well, in less than 24 hours it killed a legitimate process on one server I am testing. The problem is it doesn't tell me why it killed it. It just says "DETECTED Malicious Processes: 1" and tells me the script name and location. The script is a legitimate cgi script running as a regular user.
 
Here is another one that got killed.

/usr/local/frontpage/version5.0/exes/_vti_bin/_vti_aut/author.exe

Being run by a legitimate user. I guess I will have to open the hood and try to figure out what it's doing. But this is usually why I write my own. By the time I fix somebody else's stuff I could have written it myself.
 
There is a loaddata.pl script that consistently trips it, I'm not sure, it might be part of Drupal or WordPress, don't remember. But, it only trips for us if it runs for much longer than it should.

Is this an older box running php4 that you've got frontpage enabled on?
 
Bummer. Sorry dude, I never encountered that issue.

OTOH, I'm interested in that frontpage module. Care to share some info - or a link?
 
hostpc.com said:
Is this an older box running php4 that you've got frontpage enabled on?

floyd said:
It's got FrontPage but it's the php5 module

hostpc.com said:
OTOH, I'm interested in that frontpage module. Care to share some info - or a link?
Two separate answers to your question above. I have FrontPage enabled AND I am running php5 as an apache module.

So I am not sure what your last question is about?
 