Server Having High Load from Apache

Cytoplasm

Hey Guys,
Need some help here. Currently my server specifications are
Dual AMD Opteron 246
2GB RAM.

Just recently I have had this high load coming from Apache execing Perl.

Even after I kill the process, it comes back a bit later, taking up to 99.9% of one of my processors.

Is there any way to check who is the one execing, or what it is running?
 
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
11843 apache 25 0 9000 3848 1892 R 99.8 0.2 0:41.28 perl
 
Why rebuild the server Ramsey? It's probably not going to change anything.

Generally this is caused by a runaway perl or php program.

Jeff
 
I have the same problem :(

8992 apache 25 0 9244 3728 1796 R 83.7 0.2 239:33.10 perl
7985 apache 25 0 7740 3728 1796 R 55.8 0.2 40:29.74 perl
4719 apache 25 0 9228 3728 1796 R 46.8 0.2 259:23.04 perl
 
I found the problem. The server was exploited due to a leak in the Joomla simpleboard component.

Look in your /tmp folder to see if there are files like BATEK.TXT or BOTEK.TXT. If they are there, you have the same problem :(

Maybe I can help you out. Send a PM.
 
1) When loading is high, check /tmp and you should find (use: ls -alR /tmp | grep txt):

/tmp/bot.txt or
/tmp/botek.txt or
/tmp/.i/wat.txt or
etc.

2) Check cron for user apache (crontab -u apache -l) and if you did not set it, delete it (crontab -u apache -r).
Also check the cron users (ls -al /var/spool/cron - on Linux)

3) (If cron is not set) Check your system at locations:
/home/* and
/usr/local/*

and try to find the file called f-u-c-k (without hyphens, NOTE: file has a bizarre name) and delete the whole folder.

Do you have safe mode on or off?
We had problems just with servers with safe mode off.
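
The checks listed in the post above, plus a /proc lookup for the original question of what the runaway perl process is actually running, as an added shell example that is not part of the original thread. The function names and the WEB_USER, TMP_DIR and CRON_SPOOL defaults are assumptions; the paths are the ones the posters name.

```shell
#!/bin/sh
# Added triage sketch for the checks described in this thread (not the posters' code).
# WEB_USER, TMP_DIR and CRON_SPOOL are assumptions; adjust for your distribution.
WEB_USER="${WEB_USER:-apache}"
TMP_DIR="${TMP_DIR:-/tmp}"
CRON_SPOOL="${CRON_SPOOL:-/var/spool/cron}"

# List .txt files under a directory, including ones inside hidden
# sub-directories such as /tmp/.i/, with owner and modification time.
list_tmp_txt() {
    find "$1" -xdev -type f -iname '*.txt' -exec ls -ld {} + 2>/dev/null
}

# Count the same files, so a caller can tell whether there is anything to review.
count_tmp_txt() {
    find "$1" -xdev -type f -iname '*.txt' 2>/dev/null | wc -l | tr -d ' '
}

# Print the crontab stored for a user in the spool directory; return 1 if none.
show_user_cron() {
    [ -f "$1/$2" ] || return 1
    cat "$1/$2"
}

# For one PID, show the binary, working directory and full command line
# as recorded in /proc (Linux only). Return 1 if the PID does not exist.
describe_pid() {
    [ -d "/proc/$1" ] || return 1
    printf 'pid=%s\n' "$1"
    printf 'exe=%s\n' "$(readlink "/proc/$1/exe" 2>/dev/null)"
    printf 'cwd=%s\n' "$(readlink "/proc/$1/cwd" 2>/dev/null)"
    printf 'cmd=%s\n' "$(tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null)"
}

# Run all three read-only checks against the live system.
triage() {
    echo "== .txt files under $TMP_DIR =="
    list_tmp_txt "$TMP_DIR"
    echo "== crontab for $WEB_USER =="
    show_user_cron "$CRON_SPOOL" "$WEB_USER" || echo "(none)"
    echo "== perl processes owned by $WEB_USER =="
    for pid in $(pgrep -u "$WEB_USER" -x perl 2>/dev/null); do
        describe_pid "$pid"
    done
}

if [ "${1:-}" = "--run" ]; then triage; fi
```

Run it as root with `--run` as the first argument to inspect the live system; the functions only read, so nothing is deleted until you have reviewed the output.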
 
Solutions:

1) Change safe mode to on.

or

2) Install mod_security and use rootkits.

Disable some PHP functions in your php.ini file.

Find disable_functions and add functions:

disable_functions = exec,system,pcntl_exec,parse_ini_file,show_source,curl_exec,shell_exec,passthru,escapeshellarg,escapeshellcmd,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,apache_note,apache_setenv,closelog,debugger_off,debugger_on,define_syslog_variables,openlog,syslog

Then restart Apache:
/sbin/service httpd restart (on Linux)
 
While mod_security is a very good suggestion, you can't just install it and think it will keep you safe. Like all scripts, you need to make sure you are using just enough privileges to make that script work, and that you keep it updated.
 