Strange network connection

Posted: 13 Nov 2013, 22:19
by Justin Valceanu
Hello people, I have a problem - I think :)

I manage a CloudLinux server with csf ... one of the emails I receive from the lfd daemon is the following:

Time:    Wed Nov 13 21:20:26 2013 +0100
PID:     28321 (Parent PID:28321)
Account: nobody
Uptime:  99 seconds


Executable:

/usr/local/bin/perl


Command Line (often faked in exploits):

syslogd -m 


Network connections by the process (if any):

tcp: MYIPADDR:40663 -> 85.132.14.250:4444


Files open by the process (if any):

/dev/null
/usr/local/apache/logs/error_log


Memory maps by the process (if any):

00400000-00403000 r-xp 00000000 09:02 51642408                           /usr/local/bin/perl
00602000-00603000 rw-p 00002000 09:02 51642408                           /usr/local/bin/perl
0218c000-0243c000 rw-p 00000000 00:00 0                                  [heap]
7ff0ef27e000-7ff0ef28a000 r-xp 00000000 09:02 4194439                    /lib64/libnss_files-2.12.so
7ff0ef28a000-7ff0ef48a000 ---p 0000c000 09:02 4194439                    /lib64/libnss_files-2.12.so
7ff0ef48a000-7ff0ef48b000 r--p 0000c000 09:02 4194439                    /lib64/libnss_files-2.12.so
7ff0ef48b000-7ff0ef48c000 rw-p 0000d000 09:02 4194439                    /lib64/libnss_files-2.12.so
7ff0ef48c000-7ff0ef495000 r-xp 00000000 09:02 51512843                   /usr/local/lib/perl5/5.8.8/x86_64-linux/auto/List/Util/Util.so
7ff0ef495000-7ff0ef694000 ---p 00009000 09:02 51512843                   /usr/local/lib/perl5/5.8.8/x86_64-linux/auto/List/Util/Util.so
7ff0ef694000-7ff0ef695000 rw-p 00008000 09:02 51512843                   /usr/local/lib/perl5/5.8.8/x86_64-linux/auto/List/Util/Util.so
7ff0ef695000-7ff0ef69c000 r-xp 00000000 09:02 51513154                   /usr/local/lib/perl5/5.8.8/x86_64-linux/auto/Socket/Socket.so
7ff0ef69c000-7ff0ef89b000 ---p 00007000 09:02 51513154                   /usr/local/lib/perl5/5.8.8/x86_64-linux/auto/Socket/Socket.so
7ff0ef89b000-7ff0ef89d000 rw-p 00006000 09:02 51513154                   /usr/local/lib/perl5/5.8.8/x86_64-linux/auto/Socket/Socket.so
7ff0ef89d000-7ff0ef8a1000 r-xp 00000000 09:02 51512837                   /usr/local/lib/perl5/5.8.8/x86_64-linux/auto/IO/IO.so
7ff0ef8a1000-7ff0efaa0000 ---p 00004000 09:02 51512837                   /usr/local/lib/perl5/5.8.8/x86_64-linux/auto/IO/IO.so
7ff0efaa0000-7ff0efaa1000 rw-p 00003000 09:02 51512837                   /usr/local/lib/perl5/5.8.8/x86_64-linux/auto/IO/IO.so
7ff0efaa1000-7ff0efb07000 r-xp 00000000 09:02 4194438                    /lib64/libfreebl3.so
7ff0efb07000-7ff0efd07000 ---p 00066000 09:02 4194438                    /lib64/libfreebl3.so
7ff0efd07000-7ff0efd08000 r--p 00066000 09:02 4194438                    /lib64/libfreebl3.so
7ff0efd08000-7ff0efd09000 rw-p 00067000 09:02 4194438                    /lib64/libfreebl3.so
7ff0efd09000-7ff0efd0d000 rw-p 00000000 00:00 0 
7ff0efd0d000-7ff0efe04000 r-xp 00000000 09:02 51513164                   /usr/local/lib/perl5/5.8.8/x86_64-linux/CORE/libperl.so
7ff0efe04000-7ff0f0004000 ---p 000f7000 09:02 51513164                   /usr/local/lib/perl5/5.8.8/x86_64-linux/CORE/libperl.so
7ff0f0004000-7ff0f000c000 rw-p 000f7000 09:02 51513164                   /usr/local/lib/perl5/5.8.8/x86_64-linux/CORE/libperl.so
7ff0f000c000-7ff0f0010000 rw-p 00000000 00:00 0 
7ff0f0010000-7ff0f019a000 r-xp 00000000 09:02 4194369                    /lib64/libc-2.12.so
7ff0f019a000-7ff0f0399000 ---p 0018a000 09:02 4194369                    /lib64/libc-2.12.so
7ff0f0399000-7ff0f039d000 r--p 00189000 09:02 4194369                    /lib64/libc-2.12.so
7ff0f039d000-7ff0f039e000 rw-p 0018d000 09:02 4194369                    /lib64/libc-2.12.so
7ff0f039e000-7ff0f03a3000 rw-p 00000000 00:00 0 
7ff0f03a3000-7ff0f03a5000 r-xp 00000000 09:02 4194483                    /lib64/libutil-2.12.so
7ff0f03a5000-7ff0f05a4000 ---p 00002000 09:02 4194483                    /lib64/libutil-2.12.so
7ff0f05a4000-7ff0f05a5000 r--p 00001000 09:02 4194483                    /lib64/libutil-2.12.so
7ff0f05a5000-7ff0f05a6000 rw-p 00002000 09:02 4194483                    /lib64/libutil-2.12.so
7ff0f05a6000-7ff0f05ad000 r-xp 00000000 09:02 4194387                    /lib64/libcrypt-2.12.so
7ff0f05ad000-7ff0f07ad000 ---p 00007000 09:02 4194387                    /lib64/libcrypt-2.12.so
7ff0f07ad000-7ff0f07ae000 r--p 00007000 09:02 4194387                    /lib64/libcrypt-2.12.so
7ff0f07ae000-7ff0f07af000 rw-p 00008000 09:02 4194387                    /lib64/libcrypt-2.12.so
7ff0f07af000-7ff0f07dd000 rw-p 00000000 00:00 0 
7ff0f07dd000-7ff0f0860000 r-xp 00000000 09:02 4194412                    /lib64/libm-2.12.so
7ff0f0860000-7ff0f0a5f000 ---p 00083000 09:02 4194412                    /lib64/libm-2.12.so
7ff0f0a5f000-7ff0f0a60000 r--p 00082000 09:02 4194412                    /lib64/libm-2.12.so
7ff0f0a60000-7ff0f0a61000 rw-p 00083000 09:02 4194412                    /lib64/libm-2.12.so
7ff0f0a61000-7ff0f0a63000 r-xp 00000000 09:02 4194400                    /lib64/libdl-2.12.so
7ff0f0a63000-7ff0f0c63000 ---p 00002000 09:02 4194400                    /lib64/libdl-2.12.so
7ff0f0c63000-7ff0f0c64000 r--p 00002000 09:02 4194400                    /lib64/libdl-2.12.so
7ff0f0c64000-7ff0f0c65000 rw-p 00003000 09:02 4194400                    /lib64/libdl-2.12.so
7ff0f0c65000-7ff0f0c7b000 r-xp 00000000 09:02 4194421                    /lib64/libnsl-2.12.so
7ff0f0c7b000-7ff0f0e7a000 ---p 00016000 09:02 4194421                    /lib64/libnsl-2.12.so
7ff0f0e7a000-7ff0f0e7b000 r--p 00015000 09:02 4194421                    /lib64/libnsl-2.12.so
7ff0f0e7b000-7ff0f0e7c000 rw-p 00016000 09:02 4194421                    /lib64/libnsl-2.12.so
7ff0f0e7c000-7ff0f0e7e000 rw-p 00000000 00:00 0 
7ff0f0e7e000-7ff0f0e94000 r-xp 00000000 09:02 4194473                    /lib64/libresolv-2.12.so
7ff0f0e94000-7ff0f1094000 ---p 00016000 09:02 4194473                    /lib64/libresolv-2.12.so
7ff0f1094000-7ff0f1095000 r--p 00016000 09:02 4194473                    /lib64/libresolv-2.12.so
7ff0f1095000-7ff0f1096000 rw-p 00017000 09:02 4194473                    /lib64/libresolv-2.12.so
7ff0f1096000-7ff0f1098000 rw-p 00000000 00:00 0 
7ff0f1098000-7ff0f10b8000 r-xp 00000000 09:02 4194313                    /lib64/ld-2.12.so
7ff0f12a6000-7ff0f12ac000 rw-p 00000000 00:00 0 
7ff0f12b4000-7ff0f12b6000 rw-p 00000000 00:00 0 
7ff0f12b6000-7ff0f12b7000 rw-p 00000000 00:00 0 
7ff0f12b7000-7ff0f12b8000 r--p 0001f000 09:02 4194313                    /lib64/ld-2.12.so
7ff0f12b8000-7ff0f12b9000 rw-p 00020000 09:02 4194313                    /lib64/ld-2.12.so
7ff0f12b9000-7ff0f12ba000 rw-p 00000000 00:00 0 
7fffb2345000-7fffb235a000 rw-p 00000000 00:00 0                          [stack]
7fffb23de000-7fffb23e0000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

root@ds1 [/tmp]#  netstat -an | grep 4444
tcp        0      1 MYIPADDR:41472          85.132.14.250:4444          SYN_SENT

root@ds1 [/tmp]# ss | grep "85.132.14.250"
SYN-SENT   0      1            MYIPADDR:41479        85.132.14.250:krb524
Find process & opened files

root@ds1 [/tmp]# ss -tp | grep "85.132.14.250"
SYN-SENT   0      1            MYIPADDR:41479        85.132.14.250:krb524   users:(("perl",28321,3))

root@ds1 [/tmp]# ps aux | grep 28321
nobody     28321  0.0  0.0  33864  3868 ?        SN   21:18   0:00 syslogd -m
root       34034  0.0  0.0 103248   868 pts/0    S+   23:01   0:00 grep 28321

root@ds1 [/tmp]# ls -al /proc/28321/cwd
lrwxrwxrwx 1 nobody nobody 0 Nov 13 21:19 /proc/28321/cwd -> /

root@ds1 [/tmp]# cat /proc/28321/cmdline
syslogd -m

root@ds1 [/tmp]# lsof -p 28321
COMMAND   PID   USER   FD   TYPE   DEVICE SIZE/OFF     NODE NAME
perl    28321 nobody  cwd    DIR      9,2     4096        2 /
perl    28321 nobody  rtd    DIR      9,2     4096        2 /
perl    28321 nobody  txt    REG      9,2    17152 51642408 /usr/local/bin/perl
perl    28321 nobody  mem    REG      9,2    65928  4194439 /lib64/libnss_files-2.12.so
perl    28321 nobody  mem    REG      9,2    43619 51512843 /usr/local/lib/perl5/5.8.8/x86_64-linux/auto/List/Util/Util.so
perl    28321 nobody  mem    REG      9,2    38366 51513154 /usr/local/lib/perl5/5.8.8/x86_64-linux/auto/Socket/Socket.so
perl    28321 nobody  mem    REG      9,2    20338 51512837 /usr/local/lib/perl5/5.8.8/x86_64-linux/auto/IO/IO.so
perl    28321 nobody  mem    REG      9,2   424472  4194438 /lib64/libfreebl3.so
perl    28321 nobody  mem    REG      9,2  1143019 51513164 /usr/local/lib/perl5/5.8.8/x86_64-linux/CORE/libperl.so
perl    28321 nobody  mem    REG      9,2  1916568  4194369 /lib64/libc-2.12.so
perl    28321 nobody  mem    REG      9,2    14584  4194483 /lib64/libutil-2.12.so
perl    28321 nobody  mem    REG      9,2    40400  4194387 /lib64/libcrypt-2.12.so
perl    28321 nobody  mem    REG      9,2   595688  4194412 /lib64/libm-2.12.so
perl    28321 nobody  mem    REG      9,2    19536  4194400 /lib64/libdl-2.12.so
perl    28321 nobody  mem    REG      9,2   113432  4194421 /lib64/libnsl-2.12.so
perl    28321 nobody  mem    REG      9,2   110960  4194473 /lib64/libresolv-2.12.so
perl    28321 nobody  mem    REG      9,2   154504  4194313 /lib64/ld-2.12.so
perl    28321 nobody    0r   CHR      1,3      0t0     3868 /dev/null
perl    28321 nobody    1w  FIFO      0,8      0t0 17589292 pipe
perl    28321 nobody    2w   REG      9,2 47862731 51381153 /usr/local/apache/logs/error_log
perl    28321 nobody    3u  IPv4 17619443      0t0      TCP ds1.MYSERVER:41526->hosting.transeurocom.az:krb524 (SYN_SENT)
root@ds1 [/tmp]#
I guess that there is a remote NC connection somewhere ...

My questions are:
How do I find the entry point of the attacker and stop this process permanently?

Thank you. Any feedback is appreciated
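The alert above already contains the three facts that give the process away: the kernel says the executable is /usr/local/bin/perl while argv[0] claims to be syslogd, the process runs as the web server's account (nobody) with stderr on the Apache error_log, and it holds an outbound socket to port 4444. The following Python is an added example, not code from the thread or from csf/lfd, that parses an lfd Process Tracking alert in the shape shown and applies those checks as triage rules. The sample alert is constructed from the one posted, with the local address replaced by a documentation-range placeholder; the interpreter, account and port lists are assumptions to be tuned per host.

```python
import os
import re

# Constructed sample: an lfd "Process Tracking" alert shaped like the one
# posted above. Local address is a documentation-range placeholder.
SAMPLE_ALERT = """\
Time:    Wed Nov 13 21:20:26 2013 +0100
PID:     28321 (Parent PID:28321)
Account: nobody
Uptime:  99 seconds

Executable:
/usr/local/bin/perl

Command Line (often faked in exploits):
syslogd -m

Network connections by the process (if any):
tcp: 192.0.2.10:40663 -> 85.132.14.250:4444

Files open by the process (if any):
/dev/null
/usr/local/apache/logs/error_log
"""

# Section headers of the alert body, mapped to the keys used below.
SECTION_HEADERS = {
    "Executable": "executable",
    "Command Line": "cmdline",
    "Network connections": "connections",
    "Files open": "files",
    "Memory maps": "maps",
}

CONN_RE = re.compile(r"^(tcp|udp):\s*(\S+):(\d+)\s*->\s*(\S+):(\d+)$")

# Assumed watch lists: scripting interpreters rarely own sockets when spawned by
# a web server, and web-server accounts rarely need outbound connections at all.
INTERPRETERS = {"perl", "python", "python2", "python3", "php", "sh", "bash", "ruby"}
WEB_ACCOUNTS = {"nobody", "apache", "www-data", "httpd"}
WATCHED_PORTS = {4444}  # the port seen in this thread; extend from your own telemetry


def parse_alert(text):
    """Split an lfd Process Tracking alert into header fields and body sections."""
    alert = {key: [] for key in SECTION_HEADERS.values()}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^(Time|PID|Account|Uptime):\s*(.*)$", line)
        if m:  # one-line header field
            alert[m.group(1).lower()] = m.group(2)
            current = None
            continue
        for prefix, key in SECTION_HEADERS.items():
            if line.startswith(prefix) and line.endswith(":"):
                current = key  # start of a new section
                break
        else:
            if current is not None:
                alert[current].append(line)
    return alert


def parse_connection(entry):
    """'tcp: A:p -> B:q' -> dict; None if the line is not a connection."""
    m = CONN_RE.match(entry)
    if not m:
        return None
    proto, laddr, lport, raddr, rport = m.groups()
    return {"proto": proto, "laddr": laddr, "lport": int(lport),
            "raddr": raddr, "rport": int(rport)}


def triage(alert):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    exe = alert["executable"][0] if alert["executable"] else ""
    exe_base = os.path.basename(exe)
    argv = alert["cmdline"][0].split() if alert["cmdline"] else []
    argv0 = os.path.basename(argv[0]) if argv else ""
    conns = [c for c in map(parse_connection, alert["connections"]) if c]

    # 1. argv[0] says "syslogd" while the kernel says the binary is perl.
    if argv0 and exe_base and argv0 != exe_base:
        findings.append(f"masquerade: argv[0] '{argv0}' but executable is {exe}")
    # 2. A scripting interpreter that owns a socket.
    if conns and exe_base in INTERPRETERS:
        findings.append(f"interpreter {exe_base} holds {len(conns)} network connection(s)")
    # 3. The web server's unprivileged account reaching out.
    if conns and alert.get("account") in WEB_ACCOUNTS:
        findings.append(f"web-server account '{alert['account']}' has outbound connection(s)")
    # 4. Remote port on the watch list.
    for c in conns:
        if c["rport"] in WATCHED_PORTS:
            findings.append(f"connection to watched port {c['raddr']}:{c['rport']}")
    return findings
```

Rule 1 is the strongest signal here: a legitimate syslogd is never backed by the perl binary, so the mismatch alone justifies killing the process and preserving /proc/PID/exe, cwd and environ for the investigation. The other three rules are heuristics that will fire on some legitimate cron jobs, so they are better used to rank alerts than to block on.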

Re: Strange network connection

Posted: 13 Nov 2013, 23:59
by Justin Valceanu
Found the entry point and fixed it (old WordPress blog).

Re: Strange network connection

Posted: 27 Nov 2013, 03:45
by ideascape
Justin,

I'm having the same issue on a Plesk server, hosting many WordPress sites. My original concern was that perl was taking 99.9% CPU, causing me to try and track down where it led. It's exactly as you described, with the same IP & hostname. Can you provide details on how you resolved it? How did you find the "entry point" you spoke of? Any suggestions you can provide would be much appreciated.

Here are a couple of excerpts just as you had: (. replaced with _)

# lsof -p 3165
perl 3165 apache 72w REG 0,39 1781386 27361407 /var/www/vhosts/example_com/statistics/logs/access_log
perl 3165 apache 73w REG 0,39 3127 27361418 /var/www/vhosts/example_com/statistics/logs/access_ssl_log
perl 3165 apache 74u IPv4 1358853372 TCP example_com:57412->hosting transeurocom_az:krb524 (ESTABLISHED)
perl 3165 apache 75r FIFO 0,6 1320476404 pipe
perl 3165 apache 76w FIFO 0,6 1320476404 pipe


# ss -tp | grep "85.132.14.250"
ESTAB 0 0 64.207.159.124:57412 85.132.14.250:krb524 users:(("perl",3165,74))
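The thread never spells out how the "old wordpress blog" was found, but the data needed is already in the first post: the alert carries the process's Time and Uptime (99 seconds at 21:20:26, so it started at about 21:18:47, matching the 21:18 START column in the ps output), and the process inherited the web server's log as stderr, which ties it to a request handled by Apache. The usual forensic step is to pull every request the web server handled in the minutes before that start time and look at the POSTs and at hits on PHP files under wp-content (uploads, plugins, themes), since that is where a writable PHP file in an unpatched WordPress ends up. The following Python is an added example, not from either poster or from any product in the thread, doing that correlation over a constructed access_log excerpt; the IPs and paths in it are placeholders, and the two-minute lookback is an assumption.

```python
import re
from datetime import datetime, timedelta

# Apache combined log format: client, timestamp, request line, status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed access_log excerpt for a WordPress install under /blog/.
# Client IPs are documentation-range placeholders; the plugin path is invented.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Nov/2013:21:10:02 +0100] "GET /blog/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Nov/2013:21:18:31 +0100] "POST /blog/wp-content/plugins/example-plugin/handler.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [13/Nov/2013:21:18:44 +0100] "GET /blog/?p=12 HTTP/1.1" 200 7210 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Nov/2013:21:19:30 +0100] "GET /blog/wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"',
]


def process_start(alert_time, uptime_seconds):
    """Start time of the process from the alert's Time and Uptime fields,
    e.g. 'Wed Nov 13 21:20:26 2013 +0100' and 99 -> 21:18:47 +0100."""
    t = datetime.strptime(alert_time, "%a %b %d %H:%M:%S %Y %z")
    return t - timedelta(seconds=uptime_seconds)


def parse_log_line(line):
    """Combined-format line -> dict with an aware datetime, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def suspicious_requests(lines, start, lookback=timedelta(minutes=2)):
    """Requests in the lookback window before `start` that could have spawned
    the process: every POST, plus any hit on a PHP file under wp-content."""
    hits = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is None or not (start - lookback <= entry["ts"] <= start):
            continue  # unparsable, or outside the window
        path = entry["path"].split("?", 1)[0]
        if entry["method"] == "POST" or (path.endswith(".php") and "/wp-content/" in path):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    start = process_start("Wed Nov 13 21:20:26 2013 +0100", 99)
    for h in suspicious_requests(SAMPLE_LOG, start):
        print(h["ts"].isoformat(), h["ip"], h["method"], h["path"], h["status"])
```

On a shared host such as the Plesk server in the second post, run this over every vhost's access_log (ideascape's lsof output shows which vhost's logs the process inherited, which narrows the search to that site). A hit is a lead, not proof: confirm it by checking the file's mtime and owner against the rest of the install before treating the site as the entry point, and remediate by updating or removing the outdated WordPress components rather than only killing the process.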