- 06-09-2009 #1
An unknown httpd process ??
Hi,
I have this when I do a netstat -tulpn
Code:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 17565/apache2
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 17565/apache2
tcp 0 0 0.0.0.0:2200 0.0.0.0:* LISTEN 17628/httpd -DSSL
and ps 17628 gives
Code:
PID TTY STAT TIME COMMAND
17628 ? S 0:00 /usr/local/apache/bin/httpd -DSSL
but in /usr/local
Code:
root@server:/usr/local# ls
bin etc games include lib man sbin share src usermin-1.370 usermin-1.400
as you can see there's no apache folder in this

but this httpd -DSSL runs alongside apache2.
Is it an anonymous process??
PS: I am using Ubuntu 8.04 server and Apache/2.2.8 (Ubuntu)
- 06-12-2009 #2
Update: I found that DSSL process is running from the postgres user
Could it be a hacker's doing?
Also why the "?redone" shows in the ps aux | grep postgres .
Code:
root 2037 0.0 0.0 3004 764 pts/0 S+ 16:04 0:00 grep postgres
postgres 20165 0.0 0.0 2216 584 ? S 12:21 0:00 /usr/local/apache/bin/httpd -DSSL ? redone
- 06-14-2009 #3
BUMP
Does no one have any idea of it ??
- 06-14-2009 #4
Have you tried killing the process and seeing what stops working...
... the blunt axe approach to troubleshooting
- 06-15-2009 #5
I tried killing with -9 signal
but it respawns!!
- 06-17-2009 #6
Get the process id, go to /proc/pid/fd,
it will list you what's running on that process.
Regards
David.s
davidanands.co.cc
-->Success is the list of failures ...!!!
- 06-18-2009 #7
Thanks to davidanand, I found a hidden process!
Here's the output,
Code:
root@server:/proc/20165/fd# ps aux | grep postgres
root 14257 0.0 0.0 3004 772 pts/0 S+ 12:45 0:00 grep postgres
postgres 20165 0.0 0.0 2216 584 ? S Jun12 0:02 /usr/local/apache/bin/httpd -DSSL ? redone
root@server:/proc/20165/fd# ls
0 1 2 3 4 5
root@server:/proc/20165/fd# ls -l
total 0
lr-x------ 1 postgres postgres 64 2009-06-18 12:45 0 -> /dev/null
l-wx------ 1 postgres postgres 64 2009-06-18 12:45 1 -> /dev/null
l-wx------ 1 postgres postgres 64 2009-06-18 12:45 2 -> /dev/null
lrwx------ 1 postgres postgres 64 2009-06-18 12:45 3 -> socket:[18700040]
l-wx------ 1 postgres postgres 64 2009-06-18 12:45 4 -> /var/lib/postgresql/redone/log/psybnc.log
l-wx------ 1 postgres postgres 64 2009-06-18 12:45 5 -> /var/lib/postgresql/redone/psybnc.pid
root@server:/proc/20165/fd#
Also, the folder where the links are pointing shows this
Code:
root@server:/var/lib/postgresql/redone# ls -l
total 332
-rwxr-xr-x 1 postgres postgres 305 2004-05-06 10:25 config
-rw------- 1 postgres postgres 929 2002-05-07 03:49 config.h
-rw-r--r-- 1 postgres postgres 63 2009-05-30 17:12 cron.d
-rwxr-xr-x 1 postgres postgres 343 2004-05-08 08:24 ****
drwxr-xr-x 2 postgres postgres 4096 2002-11-09 02:03 help
-rwxr--r-- 1 postgres postgres 21516 2002-09-26 00:43 hide
-rwxr-xr-x 1 postgres postgres 202544 2002-11-09 01:59 httpd
-rwxr-xr-x 1 postgres postgres 21149 2003-09-24 11:05 kik
drwxr-xr-x 2 postgres postgres 4096 2002-11-09 02:03 lang
drwxr-xr-x 2 postgres postgres 4096 2009-06-12 12:21 log
drwxr-xr-x 2 postgres postgres 4096 2000-07-18 01:43 motd
-rwxr-xr-x 1 postgres postgres 14306 2003-11-13 19:01 proc
-rw-r--r-- 1 postgres postgres 79 2006-07-21 10:22 psybnc.conf
-rw------- 1 postgres postgres 6 2009-06-12 12:21 psybnc.pid
-rw------- 1 postgres postgres 138 2009-06-10 10:44 redone
-rw-r--r-- 1 postgres postgres 27 2009-05-30 17:12 redone.dir
-rw------- 1 postgres postgres 138 2009-06-10 10:40 redone.old
-rwxr-xr-x 1 postgres postgres 67 2004-05-08 08:29 run
drwxr-xr-x 3 postgres postgres 4096 2004-08-12 17:59 scripts
-rwxr--r-- 1 postgres postgres 218 2009-05-30 17:12 y2kupdate
root@server:/var/lib/postgresql/redone#
As you can see above there's a f**k (**** word banned by default by the forum) folder in it.
This is truly something unusual.
I can confirm that it's a hacker's kit running on the postgres user, right?
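The two things that gave this process away, a cmdline path (/usr/local/apache/bin/httpd) that does not exist on disk and /proc/<pid>/fd links pointing into /var/lib/postgresql/redone, can be checked for every process at once. The script below is an added example, not code from anyone in this thread: it compares each process's claimed argv[0] with the binary actually mapped at /proc/<pid>/exe and lists open files outside an assumed allow-list of directories (TRUSTED_PREFIXES and the function names are my own choices, not anything the thread mentions).

```python
import os

# Where a legitimate daemon's binary and open files are expected to live.
# Assumed allow-list for this example; tune it per host (a real postgres opens
# files under /var/lib/postgresql, so scope it to your server's layout).
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/dev/",
                    "/proc/", "/etc/", "/run/", "/var/log/", "/var/run/")


def analyze_process(argv0, exe_link, fd_targets, path_exists=os.path.exists):
    """Return a list of findings for one process.
    argv0      first word of /proc/<pid>/cmdline (what the process claims to be)
    exe_link   os.readlink('/proc/<pid>/exe'), the binary actually executing
    fd_targets os.readlink() of every entry under /proc/<pid>/fd
    """
    findings = []
    # 1. Claimed path is missing on disk: /usr/local/apache did not exist above.
    if argv0.startswith("/") and not path_exists(argv0):
        findings.append("claimed path does not exist: " + argv0)
    # 2. argv[0] and the real executable disagree, or the binary was unlinked
    #    after start (the kernel then appends " (deleted)" to the exe link).
    real = exe_link.replace(" (deleted)", "")
    if exe_link.endswith(" (deleted)"):
        findings.append("running binary deleted from disk: " + real)
    elif argv0.startswith("/") and real != argv0:
        findings.append("argv[0] %s but exe is %s" % (argv0, real))
    # 3. Open files outside trusted locations, like the psybnc.log seen above.
    #    Non-path targets such as socket:[18700040] or pipe:[...] are skipped.
    for target in fd_targets:
        if target.startswith("/") and not target.startswith(TRUSTED_PREFIXES):
            findings.append("open file in unexpected location: " + target)
    return findings


def scan_proc(proc_root="/proc"):
    """Walk every numeric /proc entry; return {pid: findings} for suspicious ones."""
    results = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
            exe_link = os.readlink(os.path.join(base, "exe"))
            fd_dir = os.path.join(base, "fd")
            fd_targets = [os.readlink(os.path.join(fd_dir, n)) for n in os.listdir(fd_dir)]
        except OSError:
            continue  # kernel thread, permission denied, or the process exited
        findings = analyze_process(argv0, exe_link, fd_targets)
        if findings:
            results[pid] = findings
    return results
```

Run scan_proc() as root, since /proc/<pid>/exe and /proc/<pid>/fd of another user's process (here postgres) are readable only by that user or root.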
- 06-18-2009 #8
ha .. there are many things happening in the background ... such as
Apache spamming
use this, it might help you .
Catching ‘Apache Spammers’
Check your tmp ... as well as check your netstat for any auto mount etc...
Regards
David.s
davidanands.co.cc
-->Success is the list of failures ...!!!
- 06-18-2009 #9
Oh!!
I couldn't find folders in tmp with a mail id
Shall I remove the redone in the postgres folder?
But first, how would I stop the process??
After reading the config I got that the kit is running a psyBNC, an IRC bouncer??
Last edited by raghaven.kumar; 06-18-2009 at 10:50 AM. Reason: psybnc