How to remove perl script process taking up CPU

2

I've got a process running on my server (CentOS 5.2) that is taking up 99-100% of my CPU. The ps command reveals the name fakeproc as follows:

30571 ?        R    3620:06 fakeproc

Running top shows me that it's a perl script that is associated with this process:

30571 apache    25   0  6292 3044 1288 R  100  0.1   3621:44 perl

I tried to investigate, but didn't get much info on the location of the perl script:

$ ps -p 30571 -o command
COMMAND
fakeproc

I'm pretty sure I've got some malware (a perl script of some kind) that is creating this fakeproc, but I have no idea how to locate it or how to remove it.

Any ideas?

ChiCgi

Posted 2013-02-11T16:09:49.793

Reputation: 121

Answers

1

First find out who is launching what. The following command will show which process has launched the script:

ps xjf -C fakeproc

You should then be able to kill the relevant processes using

kill PID

Where PID is the process ID in question. According to this site and this one, what you are seeing could well be malware.

terdon

Posted 2013-02-11T16:09:49.793

Reputation: 45 216

Yes, I've seen those sites. My problem is in trying to find where the perl script is actually located. I killed the process already, so that's no longer there to help. – ChiCgi – 2013-02-11T20:36:18.327

I assume you have tried searching for it. It might have left a trace somewhere, try grep -r /var/log. – terdon – 2013-02-11T22:01:09.683

I ended up searching through all my public files for the string fakeproc, thinking that would certainly show up somewhere in the script (grep -r 'fakeproc'). Sure enough, it did.

Perhaps the filenames will be useful to someone else; mine were named nakal.txt and nakal.txt.1.

Some more digging led me to believe this was all done through the TimThumb exploit of WordPress on a site hosted on the server. – ChiCgi – 2013-02-11T23:04:20.320
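Before killing a process like the one above, the following added script (not part of the original thread) pulls from /proc what a rewritten argv hides: the real executable, the working directory, open files and sockets, and the parent chain, which is usually where the script's location turns up. It assumes a Linux /proc filesystem; the helper names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes Linux /proc. The process
# name is read from /proc/PID/stat rather than /proc/PID/comm so it also works
# on older kernels such as CentOS 5's.
# A script can rewrite its own argv (perl: $0 = "fakeproc"), which is why ps
# shows "fakeproc"; it cannot rewrite the exe, cwd, fd or parent entries.

proc_name() { sed 's/^[0-9]* (\(.*\)) .*/\1/' "/proc/$1/stat" 2>/dev/null; }
proc_ppid() { awk '/^PPid:/ {print $2}' "/proc/$1/status" 2>/dev/null; }

# Print everything /proc knows about one PID. Returns 1 if the PID is gone.
inspect_pid() {
    pid="$1"
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    echo "name:    $(proc_name "$pid")"
    echo "argv:    $(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    echo "exe:     $(readlink "/proc/$pid/exe" 2>/dev/null)"  # real binary, e.g. /usr/bin/perl
    echo "cwd:     $(readlink "/proc/$pid/cwd" 2>/dev/null)"  # often the directory the script was dropped in
    echo "parent:  $(proc_ppid "$pid")"
    echo "open files and sockets:"
    for fd in "/proc/$pid/fd"/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        echo "  $(basename "$fd") -> $target"
    done
    return 0
}

# Walk the parent chain (the same view as the answer's "ps xjf"), printing
# "pid name" from the given PID up to init. Returns 1 if the PID is gone.
ancestors() {
    pid="$1"
    [ -d "/proc/$pid" ] || return 1
    while [ -n "$pid" ] && [ "$pid" != 0 ] && [ -d "/proc/$pid" ]; do
        echo "$pid $(proc_name "$pid")"
        pid=$(proc_ppid "$pid")
    done
    return 0
}
```

Freeze the process with `kill -STOP PID` first so the evidence stays put while you look, and only send `kill PID` once you have noted the cwd and parent.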