I've got a process running on my server (CentOS 5.2) that is taking up 99-100% of my CPU. The ps command reveals the name fakeproc as follows:
30571 ? R 3620:06 fakeproc
Running top shows me that it's a perl script that is associated with this process:
30571 apache 25 0 6292 3044 1288 R 100 0.1 3621:44 perl
I tried to investigate, but didn't get much info on the location of the perl script:
$ ps -p 30571 -o command
COMMAND
fakeproc
I'm pretty sure I've got some malware (a perl script of some kind) that is creating this fakeproc, but I have no idea how to locate it or how to remove it.
Any ideas?
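The reason ps only shows "fakeproc" is that the process rewrote its own argv (a Perl script can do that by assigning to $0), but that does not change what the kernel records elsewhere under /proc. The script below is an added example, not something from the original post, and it assumes a Linux host with /proc mounted (it was not written for the CentOS 5.2 box in the question specifically) and that you run it as root or as the same user as the process. It reads the fields that a renamed process cannot easily hide: the real executable, the working directory it was started in, the raw argv, and the files it still has open.

```shell
#!/bin/sh
# Added example (not from the original post): gather what /proc still knows
# about a running process whose visible name has been rewritten.
# Assumes Linux with /proc mounted. Usage: inspect_pid <PID>

proc_exe() {
    # The exe symlink is set by the kernel at exec time; a process cannot
    # rename it the way it can rewrite its own argv.
    readlink "/proc/$1/exe"
}

proc_cwd() {
    # Interpreters keep the directory they were started from, which is
    # frequently the directory the script itself lives in.
    readlink "/proc/$1/cwd"
}

proc_argv() {
    # cmdline is NUL-separated; print it space-separated on one line.
    tr '\0' ' ' < "/proc/$1/cmdline"
}

proc_open_files() {
    # Every open descriptor resolves to a path, socket or pipe; a script
    # that reads a config or writes a log shows the path here.
    for fd in /proc/"$1"/fd/*; do
        [ -e "$fd" ] && readlink "$fd"
    done
}

inspect_pid() {
    pid=$1
    if [ ! -d "/proc/$pid" ]; then
        echo "no such process: $pid" >&2
        return 1
    fi
    echo "exe : $(proc_exe "$pid")"
    echo "cwd : $(proc_cwd "$pid")"
    echo "argv: $(proc_argv "$pid")"
    echo "open files:"
    proc_open_files "$pid" | sed 's/^/  /'
}

# Example call for the PID from the question (hypothetical here):
# inspect_pid 30571
```

Run it before killing the process: once the PID is gone, /proc/PID disappears with it, which is exactly the situation described in the comments below. For a Perl script the exe line will simply say the perl binary, so the cwd and open-file lines are the ones that usually point at the directory to search next.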
Yes, I've seen those sites. My problem is in trying to find where the perl script is actually located. I killed the process already, so that's no longer there to help. – ChiCgi – 2013-02-11T20:36:18.327
I assume you have tried searching for it. It might have left a trace somewhere, try grep -r /var/log. – terdon – 2013-02-11T22:01:09.683
I ended up searching through all my public files for the string fakeproc, thinking that would certainly show up somewhere in the script (grep -r 'fakeproc'). Sure enough, it did. Perhaps the filenames will be useful to someone else; mine were named nakal.txt and nakal.txt.1. Some more digging led me to believe this was all done through the TimThumb exploit of WordPress on a site hosted on the server. – ChiCgi – 2013-02-11T23:04:20.320
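The on-disk search that worked in the end, written out as a small script. This is an added example, not the commenter's own command, and it assumes a POSIX shell with find and a grep that supports -l and -I; the web root path and the marker string are arguments, so /var/www and fakeproc below are just illustrative. Besides listing hits, it prints owner and modification time for each file so that a hit can be checked against the web server's user (the process in the question ran as apache) and against the time the CPU spike started.

```shell
#!/bin/sh
# Added example (not from the original thread): find files under a directory
# tree that contain a marker string, then show who owns them and when they
# were last modified. Usage: report_marker_files /var/www fakeproc

find_marker_files() {
    root=$1
    marker=$2
    # -type f restricts to regular files; grep -l prints only matching
    # file names and -I skips binaries. Unreadable paths are ignored.
    find "$root" -type f -exec grep -lI -- "$marker" {} + 2>/dev/null
}

report_marker_files() {
    find_marker_files "$1" "$2" | while IFS= read -r f; do
        # ls -ld shows owner, size and mtime portably (stat's flags differ
        # between GNU and BSD systems).
        ls -ld -- "$f"
    done
}
```

Searching the web root for the process name is a reasonable first pass, but the string can also be built at runtime or stored encoded, so a file's owner, an out-of-place location such as an uploads directory, and a modification time that matches the incident are worth as much attention as the grep hit itself.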