Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

weird activity...

Status
Not open for further replies.
roeiboot

roeiboot

Technical User
Feb 10, 2002
241
US
i run Linux RedHat 9.0 on my web server and since 2 days there is constant activity until the point that the pc crashes or at least does not respond to any input from keyboard (screen is black), i nosed around in the current processes but can't really find anything weird.. any one any idea how to approach this issue (btw i'm currently at work and the pc is at home :}

thanks in advance..
 
Sort by date Sort by votes
What kind of activity? CPU or hard drives? Have you looked in top? Try sorting the processes by memory usage as well in case a process has a memory leak.

Annihilannic.
 
Upvote 0 Downvote
And/Or, if you have the machine hooked up to the Internet, please disconnect it since you might have been hacked.

THEN try to figure out what's right as Annihilannic suggests.

D.E.R. Management - IT Project Management Consulting
 
Upvote 0 Downvote
thanks guys... yes it's connected to the internet (it's my web server) at this time i have to say it's hard disk activity since that led keeps flashing.

any utils/programs i can run to check if i'm hacked, i thought Linux wasn't that vulnerable..
 
Upvote 0 Downvote
Linux isn't that vulnerable, but webservers are vulnerable by default.

Take your web server OFF OF THE INTERNET.

Then do as Annihilannic suggests.

"That time in Seattle... was a nightmare. I came out of it dead broke, without a house, without anything except a girlfriend and a knowledge of UNIX."
"Well, that's something," Avi says. "Normally those two are mutually exclusive."
-- Neal Stephenson, "Cryptonomicon"
 
Upvote 0 Downvote
What type of hardware is this happening on? Just curious.
 
Upvote 0 Downvote
web server OFF the internet and activity continued... i don't see any major things using 'top', when checking with the 'system monitor' huge (as in 150Mb and 300Mb) PERL processes keep popping up, ended those processes and the activity stopped.

few questions/things remain...
1. not sure if i use PERL :}
2. not sure if i need it.
3. is there a way to automatically disable it after a boot up ? if so.. how ?

once again thanks guys.
 
Upvote 0 Downvote
If you had processes running massive amounts of scripts that you didn't know about, I'd be inclined to guess you were hacked and the scripts were processing spam or something...

Only other thing that grinds that hard from a default setup that I can think of would be 1) software RAID (not a perl script), 2) tripwire building its database.

D.E.R. Management - IT Project Management Consulting
 
Upvote 0 Downvote
Try top -c instead to see the whole command line for the perl processes, or try and capture ps www -ef output when they are running to figure out what their parent processes are, what PERL scripts they are running, etc.

Annihilannic.
 
Upvote 0 Downvote
i'll have to check that later.. i only run a few small scripts and they have been running for years so i'm probably looking at a hack, damned :}
 
Upvote 0 Downvote
i see Perl in the system monitor but not anything abnormal (in my opinion) in top -c nor ps www -ef.. i thought the problem solved itself but slowly but surely (looking in system monitor) the usage of memory used by Perl has climbed to 163Mb...

is there any other way to go about it ? maybe disable Perl for the time being ?
 
Upvote 0 Downvote
You might want to compile on a non-compromised machine 'chkrootkit' with the static option set. Then push that binary onto your Webserver to run there. It will find most rootkits installed on a Linux host.

If you don't have another Linux box around to compile on, boot with KNOPPIX on your Windows desktop and build and compile there, then scp it to your webserver. You can ssh into the webserver and run it from there.

You don't want to compile the binary on a machine that may have been compromised.


pansophic
 
Upvote 0 Downvote
Or you could try one of the live security distros such as helix or auditor. the later being one I have used many times.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

youradds
  • Locked
  • Question
Weird issue with ps aux runtimes?
Replies
6
Views
91
youradds
youradds
youradds
  • Locked
  • Question
ImageMagick giving weird error
Replies
0
Views
41
youradds
youradds
Annihilannic
  • Locked
  • Helpful tip
Weird characters in sysout/syserr
Replies
0
Views
38
Annihilannic
Annihilannic
ejaggers
  • Locked
  • Question
Weird characters in sysout/syserr 1
2
Replies
26
Views
127
Annihilannic
Annihilannic
Zotigo
  • Locked
  • Question
Minicom giving weird characters on Debian
Replies
2
Views
73
itsp1965
itsp1965

Part and Inventory Search

Sponsor

Back
Top