  1. #1 raghaven.kumar (Linux Newbie)

    An unknown httpd process??

    Hi,
    I have this when I do a netstat -tulpn
    Code:
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      17565/apache2
    tcp        0      0 0.0.0.0:443              0.0.0.0:*               LISTEN      17565/apache2
    tcp        0      0 0.0.0.0:2200            0.0.0.0:*               LISTEN      17628/httpd -DSSL
    and ps 17628 gives
    Code:
      PID TTY      STAT   TIME COMMAND
    17628 ?        S      0:00 /usr/local/apache/bin/httpd -DSSL
    but in /usr/local
    Code:
    root@server:/usr/local# ls
    bin  etc  games  include  lib  man  sbin  share  src  usermin-1.370  usermin-1.400
    As you can see, there's no apache folder in this,
    but this httpd -DSSL runs alongside apache2.
    Is it an anonymous process??

    PS: I am using Ubuntu 8.04 server and Apache/2.2.8 (Ubuntu)

  2. #2 raghaven.kumar (Linux Newbie)
    Update: I found that the DSSL process is running as the postgres user.
    Could it be a hacker's doing?
    Code:
    root      2037  0.0  0.0   3004   764 pts/0    S+   16:04   0:00 grep postgres
    postgres 20165  0.0  0.0   2216   584 ?        S    12:21   0:00 /usr/local/apache/bin/httpd -DSSL
                                                                              ? redone
    Also, why does the "? redone" show up in the ps aux | grep postgres output?


  3. #3 raghaven.kumar (Linux Newbie)
    BUMP
    Does no one have any idea about it??

  4. #4 elija (Penguin of trust)
    Have you tried killing the process and seeing what stops working...

    ... the blunt axe approach to troubleshooting

  5. #5 raghaven.kumar (Linux Newbie)
    I tried killing it with the -9 signal
    but it respawns!!

  6. #6 davidanand (Linux Newbie)
    Get the process id and go to /proc/pid/fd;
    it will list what's running on that process.
    Regards
    David Anand
    -->Success is the list of failures ...!!!

  7. #7 raghaven.kumar (Linux Newbie)

    Quote Originally Posted by davidanand
    Get the process id and go to /proc/pid/fd;
    it will list what's running on that process.
    Thanks to davidanand, I found a hidden process!
    Here's the output:
    Code:
    root@server:/proc/20165/fd# ps aux | grep postgres
    root     14257  0.0  0.0   3004   772 pts/0    S+   12:45   0:00 grep postgres
    postgres 20165  0.0  0.0   2216   584 ?        S    Jun12   0:02 /usr/local/apache/bin/httpd -DSSL                                                                                                                                                                                                                        ? redone
    root@server:/proc/20165/fd# ls
    0  1  2  3  4  5
    root@server:/proc/20165/fd# ls -l
    total 0
    lr-x------ 1 postgres postgres 64 2009-06-18 12:45 0 -> /dev/null
    l-wx------ 1 postgres postgres 64 2009-06-18 12:45 1 -> /dev/null
    l-wx------ 1 postgres postgres 64 2009-06-18 12:45 2 -> /dev/null
    lrwx------ 1 postgres postgres 64 2009-06-18 12:45 3 -> socket:[18700040]
    l-wx------ 1 postgres postgres 64 2009-06-18 12:45 4 -> /var/lib/postgresql/redone/log/psybnc.log
    l-wx------ 1 postgres postgres 64 2009-06-18 12:45 5 -> /var/lib/postgresql/redone/psybnc.pid
    root@server:/proc/20165/fd#
    Also, the folder where the links are pointing shows this
    Code:
    root@server:/var/lib/postgresql/redone# ls -l
    total 332
    -rwxr-xr-x 1 postgres postgres    305 2004-05-06 10:25 config
    -rw------- 1 postgres postgres    929 2002-05-07 03:49 config.h
    -rw-r--r-- 1 postgres postgres     63 2009-05-30 17:12 cron.d
    -rwxr-xr-x 1 postgres postgres    343 2004-05-08 08:24 ****
    drwxr-xr-x 2 postgres postgres   4096 2002-11-09 02:03 help
    -rwxr--r-- 1 postgres postgres  21516 2002-09-26 00:43 hide
    -rwxr-xr-x 1 postgres postgres 202544 2002-11-09 01:59 httpd
    -rwxr-xr-x 1 postgres postgres  21149 2003-09-24 11:05 kik
    drwxr-xr-x 2 postgres postgres   4096 2002-11-09 02:03 lang
    drwxr-xr-x 2 postgres postgres   4096 2009-06-12 12:21 log
    drwxr-xr-x 2 postgres postgres   4096 2000-07-18 01:43 motd
    -rwxr-xr-x 1 postgres postgres  14306 2003-11-13 19:01 proc
    -rw-r--r-- 1 postgres postgres     79 2006-07-21 10:22 psybnc.conf
    -rw------- 1 postgres postgres      6 2009-06-12 12:21 psybnc.pid
    -rw------- 1 postgres postgres    138 2009-06-10 10:44 redone
    -rw-r--r-- 1 postgres postgres     27 2009-05-30 17:12 redone.dir
    -rw------- 1 postgres postgres    138 2009-06-10 10:40 redone.old
    -rwxr-xr-x 1 postgres postgres     67 2004-05-08 08:29 run
    drwxr-xr-x 3 postgres postgres   4096 2004-08-12 17:59 scripts
    -rwxr--r-- 1 postgres postgres    218 2009-05-30 17:12 y2kupdate
    root@server:/var/lib/postgresql/redone#
    As you can see above, there's a f**k (**** word banned by default by the forum) folder in it.
    This is truly something unusual.
    I can confirm that it's a hacker's kit running as the postgres user, right?
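    Post #6's /proc tip, turned into a script as an added example (not code from the thread or from any participant): it compares argv[0] from /proc/<pid>/cmdline with the kernel's /proc/<pid>/exe link, flags the space-padded argv seen in the ps output above, and lists the regular files each process holds open. The function names, the padding threshold and the NUL layout of the sample cmdline are my assumptions; the sample paths are the ones the poster reported.

```python
import os
import re

# A long run of spaces in cmdline means argv was overwritten in place, leaving the
# tail of the original command line (the "? redone" in the poster's ps output).
PADDED_ARGV = re.compile(rb" {8,}")
NON_FILE = ("/dev/", "socket:", "pipe:", "anon_inode:")  # fd targets with no path
# Constructed sample mirroring the poster's output (the NUL layout is assumed).
SAMPLE_CMDLINE = b"/usr/local/apache/bin/httpd\x00-DSSL" + b" " * 40 + b"? redone\x00"
SAMPLE_EXE = "/var/lib/postgresql/redone/httpd"
SAMPLE_FDS = ["/dev/null", "socket:[18700040]", "/var/lib/postgresql/redone/psybnc.pid"]


def assess(cmdline, exe, fd_targets):
    """Pure check over already-collected facts: cmdline bytes, readlink of exe
    (or None) and readlink results of fd/*. Returns (findings, open_files)."""
    findings = []
    argv = [a for a in cmdline.split(b"\0") if a]
    claimed = argv[0].decode(errors="replace") if argv else ""
    if PADDED_ARGV.search(cmdline):
        findings.append("argv holds a long run of spaces (rewritten in place)")
    if claimed.startswith("/") and exe:          # a relative argv[0] is not checked
        real = exe.replace(" (deleted)", "")
        if not os.path.exists(claimed):
            findings.append(f"claimed {claimed} does not exist; exe is {real}")
        elif os.path.realpath(claimed) != real:
            findings.append(f"claimed {claimed} but exe is {real}")
    # Regular files held open (logs, pid files); psybnc.log/psybnc.pid in the thread.
    open_files = [t for t in fd_targets if not t.startswith(NON_FILE)]
    return findings, open_files


def scan_proc(proc="/proc"):
    """Run assess() over every readable process and return {pid: (findings,
    open_files)} for those with a finding. Run as root to see other users' fds."""
    suspects = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        base = os.path.join(proc, pid)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read()
            exe = os.readlink(os.path.join(base, "exe"))
            fds = [os.readlink(os.path.join(base, "fd", n))
                   for n in os.listdir(os.path.join(base, "fd"))]
        except OSError:          # exited mid-scan, kernel thread, or not readable
            continue
        findings, files = assess(cmdline, exe, fds)
        if findings:
            suspects[pid] = (findings, files)
    return suspects
```

    Run scan_proc() as root; a process like the one above is reported with its real executable path and the psybnc files it holds open instead of the claimed /usr/local/apache path.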

  8. #8 davidanand (Linux Newbie)
    Ha.. there are many things happening in the background... such as
    Apache spamming.
    Use this, it might help you.

    Catching ‘Apache Spammers’

    Check your tmp... as well as check your netstat for any auto mount etc...
    Regards
    David Anand
    -->Success is the list of failures ...!!!

  9. #9 raghaven.kumar (Linux Newbie)
    Oh!!
    I couldn't find folders in tmp with a mail id.
    Shall I remove the redone in the postgres folder?
    But first, how would I stop the process??

    After reading the config I got that the kit is running psyBNC, an IRC bouncer??
    Last edited by raghaven.kumar; 06-18-2009 at 09:50 AM. Reason: psybnc
