what www perl script is running?

Colin Brace cb at lim.nl
Tue Aug 25 10:04:36 UTC 2009




Mike Bristow wrote:
> 
> On Tue, Aug 25, 2009 at 01:00:53AM -0700, Colin Brace wrote:
>> Ok, here is what lsof tells me:
>> 
>> $ sudo lsof | grep perl
>> perl5.8.9  4272     www    3u    IPv4 0xc33cf000        0t0     TCP
>> gw:51295->94.102.51.57:afs3-fileserver (ESTABLISHED)
>> 
>> The last line would appear to be telling me something, but what?
> 
> The script is talking to 94.102.51.57 on port 7000.
> 
> Other useful things:
> 
> ps ajxwwww
> will tell you the parent process of the script:  this looks like
> it may be a (fast?)CGI script; if so then the parent would be the
> web server.
> 
> It may also show the name of the script (but beware:  the script
> can change that) which would be useful to know.
> 
>> After 24 hours since rebooting, this perl instance is still crunching
>> away... 
> 
> Is it the same instance of the script, or a new copy each time?
> That is, does the PID change?  If so, that points to a CGI; if not it
> points to a fastCGI - or something else.
> 

I have disabled both CGI and fastCGI in lighttpd.conf, restarted the
webserver, but the script keeps popping up.

Now I notice something interesting:

$ ps aux | grep www
www       116 100.0  0.7  5864  3588  ??  R    11:53AM   8:10.33
/usr/bin/web/httpd (perl5.8.9)
www       113  0.0  0.0     0     0  ??  Z    11:53AM   0:00.18 <defunct>

This file doesn't exist on my system.

Am I correct in assuming that my system has been hacked and I am running an
IRC server or something?

Thanks.

-----
  Colin Brace
  Amsterdam
  http://lim.nl
-- 
View this message in context: http://www.nabble.com/what-www-perl-script-is-running--tp25112050p25131646.html
Sent from the freebsd-questions mailing list archive at Nabble.com.
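
Added example, not part of the original message or thread: FreeBSD ps appends the kernel accounting name (ucomm) in parentheses when it disagrees with the arguments a process displays, which is what the "/usr/bin/web/httpd (perl5.8.9)" row above shows. The script below flags such rows in `ps -axo pid,user,args` output and checks whether the claimed path exists; the function names flag_renamed and sample_ps are hypothetical, and every sample row except PID 116 is constructed.

```shell
#!/bin/sh
# Added example: flag processes whose displayed argv[0] disagrees with the
# kernel accounting name (ucomm) that FreeBSD ps appends in parentheses.
# Input:  lines in `ps -axo pid,user,args` format (header line optional).
# Output: PID USER claimed=<argv0> real=<ucomm> <exists|missing|relative>

flag_renamed() {
    awk '
    $1 !~ /^[0-9]+$/  { next }        # skip the header and malformed rows
    $NF !~ /^\(.+\)$/ { next }        # no (ucomm) suffix: ps saw no mismatch
    {
        real = substr($NF, 2, length($NF) - 2)
        claimed = $3
        base = claimed
        sub(/^.*\//, "", base)        # basename of the displayed argv[0]
        sub(/:$/, "", base)           # setproctitle style, e.g. "sshd: ..."
        sub(/^-/, "", base)           # login shells are shown as "-sh"
        if (base == real) next        # benign retitle, names still agree
        print $1, $2, claimed, real
    }' | while read -r pid user claimed real; do
        case $claimed in
            /*) if [ -e "$claimed" ]; then state=exists; else state=missing; fi ;;
            *)  state=relative ;;
        esac
        echo "$pid $user claimed=$claimed real=$real $state"
    done
}

# Constructed sample input. Only the PID 116 row mirrors the output quoted in
# the message; the other rows are invented to exercise the benign cases.
sample_ps() {
cat <<'EOF'
  PID USER  COMMAND
  116 www   /usr/bin/web/httpd (perl5.8.9)
  113 www   <defunct>
  734 root  sshd: colin@pts/0 (sshd)
  801 colin -sh (sh)
  650 www   /usr/local/sbin/lighttpd -f /usr/local/etc/lighttpd.conf
EOF
}
```

On a live host the same check is `ps -axo pid,user,args | flag_renamed`; a row reported as missing or relative is worth following up with the lsof and parent-process checks discussed in the thread.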


