Webserver compromised, strange processes running
So currently my Debian server is generating a large amount of outgoing traffic. Most likely it is compromised and used to attack other targets.

The top command shows this:



  PID USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
15913 www-data 20 0 23268 920 696 R 7.0 0.1 525:25.24 -
10960 www-data 20 0 23268 2272 748 R 6.7 0.2 6137:34 -
10963 www-data 20 0 23268 2224 736 R 6.7 0.2 116:30.51 -
10972 www-data 20 0 23268 2368 736 R 6.7 0.2 116:16.23 -
10975 www-data 20 0 23268 2312 736 R 6.7 0.2 116:16.52 -
13509 www-data 20 0 10416 188 168 R 6.7 0.0 1242:09 64
15916 www-data 20 0 23268 2344 744 R 6.7 0.2 116:21.48 -
15925 www-data 20 0 23268 2336 744 R 6.7 0.2 116:21.37 -
15928 www-data 20 0 23268 2264 744 R 6.7 0.2 116:21.44 -
17906 www-data 20 0 23268 2276 748 R 6.7 0.2 115:09.06 -
18191 www-data 20 0 10416 224 204 R 6.7 0.0 275:54.55 64
17893 www-data 20 0 23268 2288 748 R 6.3 0.2 115:09.14 -
19789 www-data 20 0 23268 1124 708 R 6.3 0.1 19:33.81 -
26644 www-data 20 0 258m 17m 7108 S 4.7 1.7 0:09.78 apache2
26754 www-data 20 0 256m 11m 4900 R 3.0 1.1 0:00.72 apache2
2832 mysql 20 0 748m 75m 3012 S 1.7 7.5 194:48.84 mysqld
17890 www-data 20 0 29440 2456 852 S 0.7 0.2 8:26.73 -
17903 www-data 20 0 29440 2452 852 S 0.7 0.2 8:27.18 -
19786 www-data 20 0 29440 2452 852 S 0.7 0.2 6:03.52 -
19773 www-data 20 0 29440 2452 852 S 0.3 0.2 6:03.28 -
19776 www-data 20 0 23268 2304 708 S 0.3 0.2 1:05.50 -
20044 www-data 20 0 23268 2364 708 S 0.3 0.2 1:02.34 -
26760 www-data 20 0 23268 2332 712 S 0.3 0.2 1520:05 -
26765 tyron 20 0 79820 1608 780 S 0.3 0.2 0:00.05 sshd
27145 www-data 20 0 23268 2368 696 S 0.3 0.2 4:00.71 -
1 root 20 0 10656 124 100 S 0.0 0.0 0:04.71 init
2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd


What are these processes that have '-' as the command? How can I track down the source?
Apparently the attack comes through the HTTP server, since www-data is the user, but how? why? where? o.O
  • What do the Apache logs say?

    – PKumar
    Mar 26 '16 at 18:32

  • You can get more information about the running processes from /proc/[PID]/status; there you can see the parent process, for example, and try to get some more information about where it is coming from (my motto: procfs is your friend).

    – dave_alcarin
    Mar 26 '16 at 18:33

  • Thank you, /proc/[pid] tells me these are Perl processes run from /tmp.

    – Tyron
    Mar 26 '16 at 18:37

  • To build on @dave_alcarin's comment, you can find out a lot about what the process is in /proc/[PID], such as what the running binary actually is. See tldp.org/LDP/Linux-Filesystem-Hierarchy/html/proc.html

    – Andrew Henle
    Mar 26 '16 at 18:38
asked Mar 26 '16 at 18:26 by Tyron
1 Answer
You can start by finding the executable using the command below:

ls -l /proc/<PID>/exe

Then you can find who created it (the parent PID) by running the command below:

ps -p <PID> -o ppid=

And search until you find the starting point.

You can also check the common automatic execution points, like init scripts, global and user-specific cron jobs, at scripts, and rc.local files.
One more thing: please check Google, there are lots of posts on the same topic.
  • As already commented by Andrew Henle, looking into /proc helped, thank you.

    – Tyron
    Mar 26 '16 at 18:43
edited Feb 15 at 4:53 by Sparhawk
answered Mar 26 '16 at 18:39 by Vinood NK Maheshwari
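A small procfs triage script, added here as an example and not part of the answer above: given a PID it walks the parent chain up to init and, for each ancestor, prints the executable, working directory and name from /proc together with flags for the signs this thread turns up (binary living in /tmp, executable deleted from disk, blank or one-character name like the '-' rows in top). The flag names and the locations treated as suspicious are this example's own choices; it assumes Linux procfs.

```shell
#!/bin/sh
# Added example, not from the answer: walk a suspicious PID up to init and
# record what procfs knows about every ancestor. Assumes Linux procfs.
# The flag names and the "suspicious" locations are this example's own choice.

# Pure heuristic, separated out so it can be checked without a live /proc.
# Args: exe link target, cwd link target, process name (comm).
# Prints a comma-separated flag list; empty output means nothing notable.
classify_proc() {
    exe=$1; cwd=$2; comm=$3; flags=""
    case "$exe" in
        /tmp/*|/var/tmp/*|/dev/shm/*) flags="${flags}exe-in-tmp," ;;
    esac
    case "$exe" in
        *" (deleted)") flags="${flags}exe-deleted," ;;   # binary removed after start
    esac
    case "$cwd" in
        /tmp|/tmp/*|/var/tmp|/var/tmp/*) flags="${flags}cwd-in-tmp," ;;
    esac
    # A blank or one-character name (the '-' rows in top) usually means the
    # process rewrote its own name to hide what it is.
    if [ "${#comm}" -le 1 ]; then flags="${flags}blank-name,"; fi
    printf '%s' "${flags%,}"
}

# Print one line per ancestor of $1, from the process itself up to PID 1:
#   pid ppid uid name exe cwd [flags]
walk_ancestry() {
    pid=$1
    while [ -n "$pid" ] && [ "$pid" -gt 0 ] && [ -d "/proc/$pid" ]; do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
        cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status" 2>/dev/null)
        uid=$(awk '/^Uid:/ {print $2}' "/proc/$pid/status" 2>/dev/null)
        printf '%s %s uid=%s %s exe=%s cwd=%s [%s]\n' \
            "$pid" "${ppid:-?}" "${uid:-?}" "${comm:-?}" "$exe" "$cwd" \
            "$(classify_proc "$exe" "$cwd" "$comm")"
        if [ "$pid" -eq 1 ]; then break; fi
        pid=$ppid
    done
}

# Usage: sh triage.sh <PID>   (run as root so every /proc entry is readable)
if [ -n "${1:-}" ]; then walk_ancestry "$1"; fi
```

Run it as root with one of the PIDs from the top output; an ancestry that ends in apache2 confirms the web server as the entry point and tells you which access log to read next.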