Suspicious Process httpd.pl
Hi Guys
We've had problems with a website that migrated to our server. It was sending spam for a while; we cleaned it up and all seems good.
It was defaced yesterday with an upload to two folders and the index.php file modified.
Backups were restored and it's all fine now.
However, I am now noticing that the account is constantly running a process, httpd.pl, which only runs for a couple of minutes before the PID changes (which makes it hard to track down what is running it).
Top doesn't show a path when I hit c; it just changes the process name from "httpd.pl" to "httpd". Obviously there is no file in the account with that name.
If I trace the process, it's putting out a whole bunch of:

select(0, NULL, NULL, NULL, {0, 1199}) = 0 (Timeout)
select(8, [3], NULL, NULL, {0, 10000}) = 0 (Timeout)
select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)
select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)
select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)
select(8, [3], NULL, NULL, {0, 10000}) = 0 (Timeout)
select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)
select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)
select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)
select(8, [3], NULL, NULL, {0, 10000}) = 0 (Timeout)
select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)
select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)

lsof -p PID is showing:

httpd.pl 7399 mashupco cwd DIR 253,0 4096 2 /
httpd.pl 7399 mashupco rtd DIR 253,0 4096 2 /
httpd.pl 7399 mashupco txt REG 253,0 13304 1975561 /usr/bin/perl
httpd.pl 7399 mashupco mem REG 253,0 43392 1835534 /lib64/libcrypt-2.12.so
httpd.pl 7399 mashupco mem REG 253,0 12776 1835519 /lib64/libfreebl3.so
httpd.pl 7399 mashupco mem REG 253,0 1488544 2229798 /usr/lib64/perl5/CORE/libperl.so
httpd.pl 7399 mashupco mem REG 253,0 157032 1835020 /lib64/ld-2.12.so
httpd.pl 7399 mashupco mem REG 253,0 1926760 1835038 /lib64/libc-2.12.so
httpd.pl 7399 mashupco mem REG 253,0 145896 1835041 /lib64/libpthread-2.12.so
httpd.pl 7399 mashupco mem REG 253,0 22536 1835120 /lib64/libdl-2.12.so
httpd.pl 7399 mashupco mem REG 253,0 599392 1835141 /lib64/libm-2.12.so
httpd.pl 7399 mashupco mem REG 253,0 113952 1835553 /lib64/libresolv-2.12.so
httpd.pl 7399 mashupco mem REG 253,0 17520 1835094 /lib64/libutil-2.12.so
httpd.pl 7399 mashupco mem REG 253,0 116368 1835479 /lib64/libnsl-2.12.so
httpd.pl 7399 mashupco mem REG 253,0 21056 2231668 /usr/lib64/perl5/auto/File/Glob/Glob.so
httpd.pl 7399 mashupco mem REG 253,0 120008 2231705 /usr/lib64/perl5/auto/POSIX/POSIX.so
httpd.pl 7399 mashupco mem REG 253,0 17976 2231666 /usr/lib64/perl5/auto/Fcntl/Fcntl.so
httpd.pl 7399 mashupco mem REG 253,0 25624 2231886 /usr/lib64/perl5/auto/Socket/Socket.so
httpd.pl 7399 mashupco mem REG 253,0 19336 2231686 /usr/lib64/perl5/auto/IO/IO.so
httpd.pl 7399 mashupco 0r CHR 1,3 0t0 3920 /dev/null
httpd.pl 7399 mashupco 1w CHR 1,3 0t0 3920 /dev/null
httpd.pl 7399 mashupco 2w CHR 1,3 0t0 3920 /dev/null
httpd.pl 7399 mashupco 3u IPv4 193502832 0t0 TCP *:39331 (LISTEN)

with the concerning thing that it is listening on port 39331. Anyone ever seen something like this? Anyone know how I can find that file?
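For anyone landing here with the same question, here is an added example (my own code, not from the original poster or any reply): a bash script that does the part of this investigation that /proc answers directly. It maps the listening port to a socket inode, the inode to the PID(s) holding it, and then prints the kernel-maintained facts that a Perl script cannot forge by assigning to `$0`: the real executable, the working directory, the open descriptors and the parent-process chain. The /proc/net/tcp table embedded in the script is a constructed sample for offline testing that reuses the port and socket inode from the lsof output above; the function names and the crontab paths are my assumptions.

```shell
#!/bin/bash
# Added example, not from the original thread: find the process behind a
# listening TCP port using /proc only, then dump what the kernel knows about
# it. argv[0] ("httpd.pl") is whatever the program wrote into it; exe, cwd,
# fd/ and the PPid chain are maintained by the kernel and cannot be forged.

# Constructed /proc/net/tcp sample for offline testing. Port 0x99A3 = 39331
# and inode 193502832 are the values from the lsof output; the rest is made up.
SAMPLE_TCP_TABLE=$(cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 ffff880000000001 100 0 0 10 0
   1: 00000000:99A3 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 193502832 1 ffff880000000002 100 0 0 10 0
   2: 0100007F:99A3 0100007F:C3A8 01 00000000:00000000 00:00000000 00000000  1001        0 193502840 1 ffff880000000003 100 0 0 10 0
EOF
)

# Print the socket inode of the entry in table $2 (/proc/net/tcp format) that
# is in state 0A (TCP_LISTEN) on decimal port $1. Returns 1 if there is none.
listen_inode_for_port() {
    port="$1"; table="$2"
    while read -r sl laddr raddr st rest; do
        [ "$sl" = "sl" ] && continue            # header line
        [ "$st" = "0A" ] || continue            # 0A == LISTEN
        hexport="${laddr##*:}"                  # address is hexIP:hexPORT
        [ "$(printf '%d' "0x$hexport")" -eq "$port" ] || continue
        # rest = tx:rx tr:when retrnsmt uid timeout inode ref pointer ...
        set -- $rest
        echo "$6"
        return 0
    done < "$table"
    return 1
}

# Run the parser over the constructed sample (used by the self-test).
demo_lookup() {
    tmp=$(mktemp); rc=0
    printf '%s\n' "$SAMPLE_TCP_TABLE" > "$tmp"
    listen_inode_for_port "$1" "$tmp" || rc=$?
    rm -f "$tmp"
    return $rc
}

# PIDs whose fd/ directory holds socket:[$1]. Needs root to see other users.
pids_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        link=$(readlink "$fd" 2>/dev/null) || continue
        [ "$link" = "socket:[$1]" ] && echo "$fd" | cut -d/ -f3
    done | sort -u
}

# Kernel-side view of one PID plus its parent chain. A script that is
# relaunched every few minutes has a relauncher (cron, a web-server child
# running a PHP shell, a watchdog perl), and the relauncher is what must go.
investigate_pid() {
    pid="$1"
    echo "== pid $pid =="
    echo "cmdline : $(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline")"
    echo "exe     : $(readlink "/proc/$pid/exe" 2>/dev/null)"
    echo "cwd     : $(readlink "/proc/$pid/cwd" 2>/dev/null)"
    echo "fds     :"
    ls -l "/proc/$pid/fd" 2>/dev/null | sed 's/^/    /'
    echo "parents :"
    p="$pid"
    while [ "$p" -gt 1 ]; do
        p=$(awk '/^PPid:/ {print $2}' "/proc/$p/status" 2>/dev/null)
        [ -n "$p" ] || break
        printf '    %s  %s  (%s)\n' "$p" \
            "$(readlink "/proc/$p/exe" 2>/dev/null)" \
            "$(tr '\0' ' ' 2>/dev/null < "/proc/$p/cmdline")"
    done
}

main() {
    port="$1"; inode=""
    for table in /proc/net/tcp /proc/net/tcp6; do
        [ -r "$table" ] || continue
        inode=$(listen_inode_for_port "$port" "$table") && break
    done
    [ -n "$inode" ] || { echo "nothing listening on port $port" >&2; return 1; }
    echo "socket inode $inode"
    for pid in $(pids_for_inode "$inode"); do investigate_pid "$pid"; done
    # Crontab locations assumed for RHEL-style and Debian-style layouts.
    echo "== crontab entries that run perl =="
    grep -H perl /var/spool/cron/* /var/spool/cron/crontabs/* /etc/cron.d/* 2>/dev/null
}

# Usage: ./find_listener.sh PORT   (run as root)
if [ $# -gt 0 ]; then main "$1"; fi
```

Run it as root with the port as its argument (`./find_listener.sh 39331`). For the process above, expect `exe` to resolve to /usr/bin/perl while cmdline still reads httpd.pl, and expect no script file among the descriptors: the lsof output shows only /dev/null on 0-2 and the socket on 3, which is normal for a daemonized Perl script, since perl does not keep the script open once it has compiled it, and a cwd of / with stdio on /dev/null says the script detached itself. The parent chain is the useful lead: a PID that changes every couple of minutes points at something relaunching it. If `exe` ends in `(deleted)`, copy /proc/PID/exe out before killing the process, because the file on disk is already gone.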

Without checking processes it is very hard to tell where this process gets generated from, but I would suggest you install rkhunter and chkrootkit on the server and try to scan the complete server. Also, to check the process, try installing htop; it will show the complete process path.

For anyone that was interested: this was a backdoor installed by a PHP shell; the cleanup just didn't catch it on the first round. The files were removed, and php.ini was updated to remove a couple more functions that we weren't using but that the infection was. Joomla was updated; all systems clear now.
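The resolution above pairs two steps: remove the uploaded files, then take away the PHP functions a web shell needs in order to spawn a process such as perl. As an added example (my own, not the poster's configuration), this bash script reports which of the usual process-spawning functions a php.ini still leaves enabled, so the disable_functions line can be checked rather than eyeballed. The two php.ini fragments inside it are constructed samples, the list of functions is the commonly cited set rather than the poster's, and the function names are mine.

```shell
#!/bin/bash
# Added example, not the original poster's configuration: list the PHP
# functions able to spawn a process (what an uploaded PHP shell uses to
# launch something like a perl backdoor) that a php.ini does NOT disable.
# The list below is the usual set, an assumption rather than from the thread.
SPAWN_FUNCS="exec shell_exec system passthru proc_open popen pcntl_exec"

# Constructed samples. A commented-out line (';' prefix) counts for nothing.
SAMPLE_WEAK_INI=$(cat <<'EOF'
; constructed php.ini fragment: the disabling line is commented out
;disable_functions = exec,system
disable_functions =
expose_php = Off
EOF
)
SAMPLE_HARDENED_INI=$(cat <<'EOF'
; constructed php.ini fragment: spaces and quotes are tolerated by the check
disable_functions = "exec, shell_exec, system, passthru, proc_open, popen, pcntl_exec, dl"
expose_php = Off
EOF
)

# Print, one per line, the SPAWN_FUNCS not named in disable_functions of $1.
# Assumes the last uncommented assignment wins, as with duplicate ini keys.
enabled_spawn_funcs() {
    disabled=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
               | tail -n 1 | tr -d ' "' | tr ',' ' ')
    for f in $SPAWN_FUNCS; do
        case " $disabled " in
            *" $f "*) ;;                   # disabled: fine
            *) printf '%s\n' "$f" ;;       # still callable from PHP
        esac
    done
}

# Run the check over one of the constructed samples (used by the self-test).
check_sample_ini() {
    tmp=$(mktemp)
    case "$1" in
        weak)     printf '%s\n' "$SAMPLE_WEAK_INI" > "$tmp" ;;
        hardened) printf '%s\n' "$SAMPLE_HARDENED_INI" > "$tmp" ;;
        *)        rm -f "$tmp"; return 2 ;;
    esac
    enabled_spawn_funcs "$tmp"
    rm -f "$tmp"
}

# Usage: ./check_disable_functions.sh /etc/php.ini
if [ $# -gt 0 ]; then enabled_spawn_funcs "$1"; fi
```

Run it against the php.ini of the SAPI that actually serves the site (mod_php, php-fpm and the CLI can each read a different file; `php --ini` shows the CLI's) and repeat for every installed PHP version. Disabling these functions removes the easy way for a PHP shell to start a process, but it complements removing the shell rather than replacing it: a script that is already running keeps running, and anything the site legitimately needs to spawn has to stay callable, which is why the list in the post was limited to functions the site did not use.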

Hello, I am happy to see the issue is now resolved. Thank you for updating us with the outcome.