3

Following is the output of the "top" command. I have clipped the result. Here, I want to know the detail of the process called httpd.pl.

 PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
    23546 user 20   0 55596 5428  808 S  0.7  0.1   0:01.52 httpd.pl

This looks suspicious to me, because when I run lsof -p 5182, it shows the following output, showing that the process is opening port 39331:

COMMAND   PID     USER   FD   TYPE    DEVICE SIZE/OFF    NODE NAME
httpd.pl 5182 user   3u  IPv4 168936033      0t0     TCP *:39331 (LISTEN)

I have used a few commands to find out where it is running from, but I was unable to find it. I have used the following commands so far:

#ls -l /proc/PID/cwd
#cat /proc/PID/environ | tr '\0' '\n'
#ps -p PID -o command

However, none of them shows the exact location. It shows / as the cwd, but there is no file called httpd.pl there. Also, a friend of mine told me that httpd.pl may be a fake name, because it is trivial to change a process name:

-bash-4.1# cat testing.pl
#!/usr/bin/perl
print `ps $$`;
$0="my_name_is_httpd.pl .. honest";
print `ps $$`;
-bash-4.1#

-bash-4.1# ./testing.pl
  PID TTY      STAT   TIME COMMAND
 6762 pts/0    S+     0:00 /usr/bin/perl ./testing.pl
  PID TTY      STAT   TIME COMMAND
 6762 pts/0    S+     0:00 my_name_is_httpd.pl .. honest
-bash-4.1#
kalina
Prakash
  • I would look into trying strace on it. – karmet Dec 19 '14 at 10:58
  • The output of strace is the following: gettimeofday({1419142411, 148085}, NULL) = 0 select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout) select(8, [3], NULL, NULL, {0, 10000}) = 0 (Timeout) select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout) select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout) – Prakash Dec 21 '14 at 06:15
  • I'm always looking at `/proc/pid/fd` to see what files it uses. Another idea is to use `ltrace`, very similar to `strace`. – ott-- Nov 18 '15 at 21:55

2 Answers

3

Things to look at:

/proc/PID/exe may be a symbolic link to the program binary, or it may be a broken link (e.g. if the program binary was deleted, or if it's a kernel process).

/proc/PID/cmdline should be the command line used to start the program.

/proc/PID/maps may contain interesting information, since programs and their libraries are usually loaded by memory-mapping the disk files involved.

Mark
  • Thanks for the response. The first command, /proc/PID/exe, results in nothing at all (blank output). The other two commands show bash: /proc/PID/maps: Permission denied – Prakash Dec 21 '14 at 06:08
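A small Python script, added here as an example and not part of any of the posts above, that pulls together the /proc checks from the question (cwd, cmdline) and from the answer above (exe, maps) and reports the mismatches that give a renamed process away: the name top displays comes from /proc/PID/comm, which a program can rewrite (the $0 trick in the question), while the exe link and the mapped files cannot be rewritten from user space. By default it reads the real /proc; build_constructed_proc() creates a constructed stand-in modelled on the question's PID 5182 so the script runs offline. The exe target /usr/bin/perl, the maps content and the indicator rules are assumptions for illustration, not facts from the page.

```python
import os
import re
import tempfile
from pathlib import Path


def _read_link(path):
    """Symlink target, or None when unreadable (permission denied, kernel thread, process gone)."""
    try:
        return os.readlink(path)
    except OSError:
        return None


def _read_text(path, nul_to_space=False):
    """File content as text, or None when unreadable."""
    try:
        data = Path(path).read_bytes()
    except OSError:
        return None
    if nul_to_space:
        data = data.replace(b"\0", b" ")  # cmdline separates arguments with NUL bytes
    return data.decode("utf-8", "replace").strip()


def inspect_process(pid, proc_root="/proc"):
    """Collect the /proc/<pid> facts that say what is really running behind a name."""
    base = Path(proc_root) / str(pid)
    info = {
        "pid": int(pid),
        "comm": _read_text(base / "comm"),                  # short name, what top shows
        "exe": _read_link(base / "exe"),                    # real binary; may end in " (deleted)"
        "cwd": _read_link(base / "cwd"),
        "cmdline": _read_text(base / "cmdline", nul_to_space=True),
        "mapped_files": [],
    }
    maps = _read_text(base / "maps")
    if maps is not None:
        for line in maps.splitlines():
            # maps columns: address perms offset dev inode [pathname]
            parts = line.split(None, 5)
            if len(parts) == 6 and parts[5].startswith("/") and parts[5] not in info["mapped_files"]:
                info["mapped_files"].append(parts[5])
    return info


def suspicious_indicators(info):
    """Reasons, as strings, why the collected facts deserve a closer look (assumed rules)."""
    reasons = []
    exe, comm = info["exe"], info["comm"] or ""
    if exe is None:
        reasons.append("exe link unreadable: no permission, kernel thread, or process gone")
    else:
        if exe.endswith(" (deleted)"):
            reasons.append("binary deleted from disk after start: " + exe)
        # comm can be rewritten by the program itself; the exe link cannot, so compare them.
        if comm and os.path.basename(exe.replace(" (deleted)", "")) != comm:
            reasons.append("displayed name %r differs from binary %r" % (comm, exe))
    interp = [f for f in info["mapped_files"] if re.search(r"/(perl|python|ruby|php)", f)]
    if interp:
        reasons.append("interpreter mapped: " + ", ".join(interp))
    if info["cwd"] == "/":
        reasons.append("cwd is /, so the script file is not in the working directory")
    return reasons


def build_constructed_proc(pid=5182):
    """Constructed stand-in for /proc/5182 modelled on the question; not real data."""
    root = Path(tempfile.mkdtemp())
    base = root / str(pid)
    base.mkdir()
    (base / "comm").write_text("httpd.pl\n")
    (base / "cmdline").write_bytes(b"httpd.pl\0")
    os.symlink("/usr/bin/perl", base / "exe")   # assumed: a Perl interpreter behind the name
    os.symlink("/", base / "cwd")
    (base / "maps").write_text(
        "00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/perl\n"
        "7f00000000-7f00020000 r-xp 00000000 08:01 5678 /usr/lib64/perl5/CORE/libperl.so\n"
        "7fff0000-7fff1000 rw-p 00000000 00:00 0 [stack]\n"
    )
    return str(root), pid


if __name__ == "__main__":
    root, pid = build_constructed_proc()
    facts = inspect_process(pid, proc_root=root)
    for key, value in facts.items():
        print("%-13s %s" % (key + ":", value))
    for reason in suspicious_indicators(facts):
        print("!", reason)
```

Against a live system call inspect_process(5182) as root: as the comment above shows, exe and maps of another user's process return Permission denied otherwise, and the script then reports only that the exe link was unreadable rather than guessing.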
1

Sorry for resurrecting an old thread, but this is the first one that comes up for this file, and it is worth knowing if anyone comes across it.

The httpd.pl is a spoofed process that is running perl.

It is usually a backdoor that is set up by a PHP shell that will be loaded into a website somewhere. We found the same thing. The PHP shell gets loaded in via an exploit, usually. Ours came in via a vulnerability in Joomla. The attacker uploaded a PHP file that downloaded the PHP shell and then ran the shell to install a backdoor. This shell can probably be connected to through the port address you find in lsof -p (IP address:port), and it can be used to dump outputs of the shell / some other things.

To fix this we hardened php by editing php.ini and adding to the disable_functions section (there are plenty of guides on how to do this and what to disable).

Next we ran a ClamAV scan and a maldet scan, which revealed a couple of suspicious files.

Finally we cleaned up one more suspect one we found in the /username/tmp directory.

Hope this helps.

Dale
  • Yes, this was the issue. One account was hacked under cPanel and was running this script. I was able to finally track the abusive account, removed all PHP scripts, and killed this user's process. – Prakash Apr 05 '16 at 08:08