
I think I have a system compromise: a perl process suddenly started in the background, running as the same user as Apache (daemon). Today I found ZMUIE, which was a script for doing some sort of brute-force attack. Anyway, this is what I have now (any ideas?):

This is my `top` output:

PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND                                     
16603 root      20   0  2496 1080  804 R 12.8  0.0   0:00.23 top                                         
11474 daemon    20   0 80568  57m  35m R  7.9  1.7   0:08.58 httpd                                       
14716 daemon    20   0  6364 2924 1328 S  5.0  0.1   1:04.41 perl    

I have concerns about the process with PID 14716:

ps -aufx gives me this:

daemon   14716 21.4  0.0   6364  2924 ?        S    21:51   0:46 /usr/sbin/ap

At the same time, the path that ps reports does not exist on disk, while /proc shows what is actually running:

[root@saritasa chkrootkit-0.49]# ls -l /usr/sbin/ap
ls: cannot access /usr/sbin/ap: No such file or directory
[root@saritasa chkrootkit-0.49]# ls -l /proc/14716/exe
lrwxrwxrwx 1 daemon daemon 0 2013-11-05 21:52 /proc/14716/exe -> /usr/bin/perl
[root@saritasa chkrootkit-0.49]# ls -l /proc/14716/cwd
lrwxrwxrwx 1 daemon daemon 0 2013-11-05 21:52 /proc/14716/cwd -> /
[root@saritasa chkrootkit-0.49]# cat /proc/14716/cmdline 
/usr/sbin/ap

lsof:

[root@saritasa chkrootkit-0.49]# lsof -p 14716
COMMAND   PID   USER   FD   TYPE  DEVICE     SIZE    NODE NAME
perl    14716 daemon  cwd    DIR   253,0     4096       2 /
perl    14716 daemon  rtd    DIR   253,0     4096       2 /
perl    14716 daemon  txt    REG   253,0     8128 3753892 /usr/bin/perl
perl    14716 daemon  mem    REG   253,0    22284  721480 /usr/lib/perl5/5.10.0/i386-linux-thread-multi/auto/IO/IO.so
perl    14716 daemon  mem    REG   253,0    24260 4039105 /usr/lib/perl5/5.10.0/i386-linux-thread-multi/auto/Socket/Socket.so
perl    14716 daemon  mem    REG   253,0    84804   18333 /lib/libresolv-2.8.so
perl    14716 daemon  mem    REG   253,0    15060   18340 /lib/libutil-2.8.so
perl    14716 daemon  mem    REG   253,0   137348   17865 /lib/ld-2.8.so
perl    14716 daemon  mem    REG   253,0  1758448   18259 /lib/libc-2.8.so
perl    14716 daemon  mem    REG   253,0   210212   18278 /lib/libm-2.8.so
perl    14716 daemon  mem    REG   253,0    20460   18266 /lib/libdl-2.8.so
perl    14716 daemon  mem    REG   253,0   131332   18331 /lib/libpthread-2.8.so
perl    14716 daemon  mem    REG   253,0  2549860  721535 /usr/lib/perl5/5.10.0/i386-linux-thread-multi/CORE/libperl.so
perl    14716 daemon  mem    REG   253,0   113600   18310 /lib/libnsl-2.8.so
perl    14716 daemon  mem    REG   253,0    49368   18262 /lib/libcrypt-2.8.so
perl    14716 daemon    0r  FIFO     0,6          1169171 pipe
perl    14716 daemon    1w  FIFO     0,6          1169180 pipe
perl    14716 daemon    2w  FIFO     0,6          1169173 pipe
perl    14716 daemon    3r   REG   253,0 22465197  542969 /usr/local/php532/bin/php-cgi
perl    14716 daemon    4u  IPv4 1347582              TCP linux1.domain.com:53815->146.185.162.85:opsession-clnt (SYN_SENT)
perl    14716 daemon  201r  FIFO     0,6           909408 pipe
perl    14716 daemon  202w  FIFO     0,6           909408 pipe
perl    14716 daemon  203r  FIFO     0,6           909409 pipe
perl    14716 daemon  204w  FIFO     0,6           909409 pipe
perl    14716 daemon  211r  FIFO     0,6          1169173 pipe