1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

strange program running

Discussion in 'Site & Server Administration' started by nevetS, Apr 3, 2005.

  1. #1
    I've seen this program running twice now after running "ps -ef"

    ./rs.zip

    It's running as my webserver user, and the file rs.zip does not seem to exist anywhere. Is there a way of telling the directory that it's running in? Or another way to find more information out?
    SEMrush
    I can't seem to find anything on the web.
     
    nevetS, Apr 3, 2005 IP
    SEMrush
  2. crazyhorse

    crazyhorse Peon

    Messages:
    1,137
    Likes Received:
    19
    Best Answers:
    0
    Trophy Points:
    0
    #2
    crazyhorse, Apr 3, 2005 IP
  3. sarahk

    sarahk iTamer Staff

    Messages:
    25,354
    Likes Received:
    3,487
    Best Answers:
    101
    Trophy Points:
    665
    #3
    sarahk, Apr 3, 2005 IP
  4. nevetS

    nevetS Evolving Dragon

    Messages:
    2,544
    Likes Received:
    211
    Best Answers:
    0
    Trophy Points:
    135
    #4
    thanks sarah! so far, I've found nothing, but I have seen backdoors like that before. That's why I don't use redhat anymore :D (nothing against RH, but I couldn't upgrade to 9 because of some software requirements and they no longer produce patches for the version I used to run)
     
    nevetS, Apr 3, 2005 IP
  5. ziandra

    ziandra Well-Known Member

    Messages:
    142
    Likes Received:
    11
    Best Answers:
    0
    Trophy Points:
    138
    #5
    find / -name rs.zip -print

    should find it if it is in your file system. If you don't find it that way, it is likely that you got hacked. I have had a few systems hacked and they put all sorts of little goodies in hidden directories.
     
    ziandra, Apr 3, 2005 IP
  6. nevetS

    nevetS Evolving Dragon

    Messages:
    2,544
    Likes Received:
    211
    Best Answers:
    0
    Trophy Points:
    135
    #6
    I tried that. Last time I had a situation like that, I found an apache install hidden in the /dev directory. This time, I can't find a thing.

    I killed the process, and I haven't been seen it running since.

    I'm wondering if it was a leftover from my movable type 3.14 problem. I caught someone spamming from my machine, destroyed the cgi's from that install, and haven't seen anything since. The date on the rs.zip process was from before I cleaned the MvType issue. I'll post again if I see it again. I just checked and everything was clean. (hopefully they haven't taken steps to hide it, but I've been on the server constantly, so I would have noticed if they recompiled the kernel. I learned from last time too... No sources on the server that aren't absolutely necessary, and I uninstall gcc and install it only when I need it - that way, nothing can compile on the server unless they find a way to install gcc. It's not fool proof, but it slows things down a lot and since I actually do watch the server regularly, and have mrtg graphs for cpu utilization, etc. I feel pretty comfortable. No spikes in bandwidth or cpu utilization or mail since I killed this process.
     
    nevetS, Apr 3, 2005 IP
  7. J.D.

    J.D. Peon

    Messages:
    1,198
    Likes Received:
    64
    Best Answers:
    0
    Trophy Points:
    0
    #7
    Sometimes you can tell what the file does by checking the kind of text it has inside. Locate the file on the hard drive and run this command:

    strings rs.zip

    J.D.
     
    J.D., Apr 3, 2005 IP
  8. nevetS

    nevetS Evolving Dragon

    Messages:
    2,544
    Likes Received:
    211
    Best Answers:
    0
    Trophy Points:
    135
    #8
    find doesn't find anything for me. thanks for the tip on strings though - I didn't know about that one.
     
    nevetS, Apr 4, 2005 IP
  9. ziandra

    ziandra Well-Known Member

    Messages:
    142
    Likes Received:
    11
    Best Answers:
    0
    Trophy Points:
    138
    #9
    Do you have "lsof" on your system? If not, you can get the source from ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/ and build it yourself.

    An introduction can be found at http://www.akadia.com/services/lsof_intro.html

    The output is not for the faint of heart but it should show you the full path of the file next time you see it run, as well as any files or network connections the program is using. Also, if it is a worm, knowing where it is connecting might help you track it back to its source.
     
    ziandra, Apr 4, 2005 IP
    nevetS likes this.
  10. nevetS

    nevetS Evolving Dragon

    Messages:
    2,544
    Likes Received:
    211
    Best Answers:
    0
    Trophy Points:
    135
    #10
    thanks ziandra! Exactly what I needed!
     
    nevetS, Apr 4, 2005 IP