Webserver compromised, strange processes running












0















So currently my debian server is generating large amount of outgoing traffic. Most likely compromised and used to attack other targets.



The top command shows this



  PID USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
15913 www-data 20 0 23268 920 696 R 7.0 0.1 525:25.24 -
10960 www-data 20 0 23268 2272 748 R 6.7 0.2 6137:34 -
10963 www-data 20 0 23268 2224 736 R 6.7 0.2 116:30.51 -
10972 www-data 20 0 23268 2368 736 R 6.7 0.2 116:16.23 -
10975 www-data 20 0 23268 2312 736 R 6.7 0.2 116:16.52 -
13509 www-data 20 0 10416 188 168 R 6.7 0.0 1242:09 64
15916 www-data 20 0 23268 2344 744 R 6.7 0.2 116:21.48 -
15925 www-data 20 0 23268 2336 744 R 6.7 0.2 116:21.37 -
15928 www-data 20 0 23268 2264 744 R 6.7 0.2 116:21.44 -
17906 www-data 20 0 23268 2276 748 R 6.7 0.2 115:09.06 -
18191 www-data 20 0 10416 224 204 R 6.7 0.0 275:54.55 64
17893 www-data 20 0 23268 2288 748 R 6.3 0.2 115:09.14 -
19789 www-data 20 0 23268 1124 708 R 6.3 0.1 19:33.81 -
26644 www-data 20 0 258m 17m 7108 S 4.7 1.7 0:09.78 apache2
26754 www-data 20 0 256m 11m 4900 R 3.0 1.1 0:00.72 apache2
2832 mysql 20 0 748m 75m 3012 S 1.7 7.5 194:48.84 mysqld
17890 www-data 20 0 29440 2456 852 S 0.7 0.2 8:26.73 -
17903 www-data 20 0 29440 2452 852 S 0.7 0.2 8:27.18 -
19786 www-data 20 0 29440 2452 852 S 0.7 0.2 6:03.52 -
19773 www-data 20 0 29440 2452 852 S 0.3 0.2 6:03.28 -
19776 www-data 20 0 23268 2304 708 S 0.3 0.2 1:05.50 -
20044 www-data 20 0 23268 2364 708 S 0.3 0.2 1:02.34 -
26760 www-data 20 0 23268 2332 712 S 0.3 0.2 1520:05 -
26765 tyron 20 0 79820 1608 780 S 0.3 0.2 0:00.05 sshd
27145 www-data 20 0 23268 2368 696 S 0.3 0.2 4:00.71 -
1 root 20 0 10656 124 100 S 0.0 0.0 0:04.71 init
2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd


What are these processes that have '-' as command? How can I track down the source?
Apparently the attack comes through the http server since www-data is the user, but how? why? where? o.O










share|improve this question























  • what does the apache logs say ?

    – PKumar
    Mar 26 '16 at 18:32











  • you can get more information from the running processes from /proc/[PID]/status, there you could see the parent process, for example, and try to get some more information from where is it coming from (my motto: procfs is your friend)

    – dave_alcarin
    Mar 26 '16 at 18:33











  • Thank you, /procc/[pid] tells me these are perl processes run from /tmp

    – Tyron
    Mar 26 '16 at 18:37











  • To build on @dave_alcarin 's comment, you can find out a lot of what the process is in /proc/[PID], such as what the running binary actually is. See tldp.org/LDP/Linux-Filesystem-Hierarchy/html/proc.html

    – Andrew Henle
    Mar 26 '16 at 18:38
















0















So currently my debian server is generating large amount of outgoing traffic. Most likely compromised and used to attack other targets.



The top command shows this



  PID USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
15913 www-data 20 0 23268 920 696 R 7.0 0.1 525:25.24 -
10960 www-data 20 0 23268 2272 748 R 6.7 0.2 6137:34 -
10963 www-data 20 0 23268 2224 736 R 6.7 0.2 116:30.51 -
10972 www-data 20 0 23268 2368 736 R 6.7 0.2 116:16.23 -
10975 www-data 20 0 23268 2312 736 R 6.7 0.2 116:16.52 -
13509 www-data 20 0 10416 188 168 R 6.7 0.0 1242:09 64
15916 www-data 20 0 23268 2344 744 R 6.7 0.2 116:21.48 -
15925 www-data 20 0 23268 2336 744 R 6.7 0.2 116:21.37 -
15928 www-data 20 0 23268 2264 744 R 6.7 0.2 116:21.44 -
17906 www-data 20 0 23268 2276 748 R 6.7 0.2 115:09.06 -
18191 www-data 20 0 10416 224 204 R 6.7 0.0 275:54.55 64
17893 www-data 20 0 23268 2288 748 R 6.3 0.2 115:09.14 -
19789 www-data 20 0 23268 1124 708 R 6.3 0.1 19:33.81 -
26644 www-data 20 0 258m 17m 7108 S 4.7 1.7 0:09.78 apache2
26754 www-data 20 0 256m 11m 4900 R 3.0 1.1 0:00.72 apache2
2832 mysql 20 0 748m 75m 3012 S 1.7 7.5 194:48.84 mysqld
17890 www-data 20 0 29440 2456 852 S 0.7 0.2 8:26.73 -
17903 www-data 20 0 29440 2452 852 S 0.7 0.2 8:27.18 -
19786 www-data 20 0 29440 2452 852 S 0.7 0.2 6:03.52 -
19773 www-data 20 0 29440 2452 852 S 0.3 0.2 6:03.28 -
19776 www-data 20 0 23268 2304 708 S 0.3 0.2 1:05.50 -
20044 www-data 20 0 23268 2364 708 S 0.3 0.2 1:02.34 -
26760 www-data 20 0 23268 2332 712 S 0.3 0.2 1520:05 -
26765 tyron 20 0 79820 1608 780 S 0.3 0.2 0:00.05 sshd
27145 www-data 20 0 23268 2368 696 S 0.3 0.2 4:00.71 -
1 root 20 0 10656 124 100 S 0.0 0.0 0:04.71 init
2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd


What are these processes that have '-' as command? How can I track down the source?
Apparently the attack comes through the http server since www-data is the user, but how? why? where? o.O










share|improve this question























  • what does the apache logs say ?

    – PKumar
    Mar 26 '16 at 18:32











  • you can get more information from the running processes from /proc/[PID]/status, there you could see the parent process, for example, and try to get some more information from where is it coming from (my motto: procfs is your friend)

    – dave_alcarin
    Mar 26 '16 at 18:33











  • Thank you, /procc/[pid] tells me these are perl processes run from /tmp

    – Tyron
    Mar 26 '16 at 18:37











  • To build on @dave_alcarin 's comment, you can find out a lot of what the process is in /proc/[PID], such as what the running binary actually is. See tldp.org/LDP/Linux-Filesystem-Hierarchy/html/proc.html

    – Andrew Henle
    Mar 26 '16 at 18:38














0












0








0








So currently my debian server is generating large amount of outgoing traffic. Most likely compromised and used to attack other targets.



The top command shows this



  PID USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
15913 www-data 20 0 23268 920 696 R 7.0 0.1 525:25.24 -
10960 www-data 20 0 23268 2272 748 R 6.7 0.2 6137:34 -
10963 www-data 20 0 23268 2224 736 R 6.7 0.2 116:30.51 -
10972 www-data 20 0 23268 2368 736 R 6.7 0.2 116:16.23 -
10975 www-data 20 0 23268 2312 736 R 6.7 0.2 116:16.52 -
13509 www-data 20 0 10416 188 168 R 6.7 0.0 1242:09 64
15916 www-data 20 0 23268 2344 744 R 6.7 0.2 116:21.48 -
15925 www-data 20 0 23268 2336 744 R 6.7 0.2 116:21.37 -
15928 www-data 20 0 23268 2264 744 R 6.7 0.2 116:21.44 -
17906 www-data 20 0 23268 2276 748 R 6.7 0.2 115:09.06 -
18191 www-data 20 0 10416 224 204 R 6.7 0.0 275:54.55 64
17893 www-data 20 0 23268 2288 748 R 6.3 0.2 115:09.14 -
19789 www-data 20 0 23268 1124 708 R 6.3 0.1 19:33.81 -
26644 www-data 20 0 258m 17m 7108 S 4.7 1.7 0:09.78 apache2
26754 www-data 20 0 256m 11m 4900 R 3.0 1.1 0:00.72 apache2
2832 mysql 20 0 748m 75m 3012 S 1.7 7.5 194:48.84 mysqld
17890 www-data 20 0 29440 2456 852 S 0.7 0.2 8:26.73 -
17903 www-data 20 0 29440 2452 852 S 0.7 0.2 8:27.18 -
19786 www-data 20 0 29440 2452 852 S 0.7 0.2 6:03.52 -
19773 www-data 20 0 29440 2452 852 S 0.3 0.2 6:03.28 -
19776 www-data 20 0 23268 2304 708 S 0.3 0.2 1:05.50 -
20044 www-data 20 0 23268 2364 708 S 0.3 0.2 1:02.34 -
26760 www-data 20 0 23268 2332 712 S 0.3 0.2 1520:05 -
26765 tyron 20 0 79820 1608 780 S 0.3 0.2 0:00.05 sshd
27145 www-data 20 0 23268 2368 696 S 0.3 0.2 4:00.71 -
1 root 20 0 10656 124 100 S 0.0 0.0 0:04.71 init
2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd


What are these processes that have '-' as command? How can I track down the source?
Apparently the attack comes through the http server since www-data is the user, but how? why? where? o.O










share|improve this question














So currently my debian server is generating large amount of outgoing traffic. Most likely compromised and used to attack other targets.



The top command shows this



  PID USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
15913 www-data 20 0 23268 920 696 R 7.0 0.1 525:25.24 -
10960 www-data 20 0 23268 2272 748 R 6.7 0.2 6137:34 -
10963 www-data 20 0 23268 2224 736 R 6.7 0.2 116:30.51 -
10972 www-data 20 0 23268 2368 736 R 6.7 0.2 116:16.23 -
10975 www-data 20 0 23268 2312 736 R 6.7 0.2 116:16.52 -
13509 www-data 20 0 10416 188 168 R 6.7 0.0 1242:09 64
15916 www-data 20 0 23268 2344 744 R 6.7 0.2 116:21.48 -
15925 www-data 20 0 23268 2336 744 R 6.7 0.2 116:21.37 -
15928 www-data 20 0 23268 2264 744 R 6.7 0.2 116:21.44 -
17906 www-data 20 0 23268 2276 748 R 6.7 0.2 115:09.06 -
18191 www-data 20 0 10416 224 204 R 6.7 0.0 275:54.55 64
17893 www-data 20 0 23268 2288 748 R 6.3 0.2 115:09.14 -
19789 www-data 20 0 23268 1124 708 R 6.3 0.1 19:33.81 -
26644 www-data 20 0 258m 17m 7108 S 4.7 1.7 0:09.78 apache2
26754 www-data 20 0 256m 11m 4900 R 3.0 1.1 0:00.72 apache2
2832 mysql 20 0 748m 75m 3012 S 1.7 7.5 194:48.84 mysqld
17890 www-data 20 0 29440 2456 852 S 0.7 0.2 8:26.73 -
17903 www-data 20 0 29440 2452 852 S 0.7 0.2 8:27.18 -
19786 www-data 20 0 29440 2452 852 S 0.7 0.2 6:03.52 -
19773 www-data 20 0 29440 2452 852 S 0.3 0.2 6:03.28 -
19776 www-data 20 0 23268 2304 708 S 0.3 0.2 1:05.50 -
20044 www-data 20 0 23268 2364 708 S 0.3 0.2 1:02.34 -
26760 www-data 20 0 23268 2332 712 S 0.3 0.2 1520:05 -
26765 tyron 20 0 79820 1608 780 S 0.3 0.2 0:00.05 sshd
27145 www-data 20 0 23268 2368 696 S 0.3 0.2 4:00.71 -
1 root 20 0 10656 124 100 S 0.0 0.0 0:04.71 init
2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd


What are these processes that have '-' as command? How can I track down the source?
Apparently the attack comes through the http server since www-data is the user, but how? why? where? o.O







top






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Mar 26 '16 at 18:26









TyronTyron

1033




1033













  • what does the apache logs say ?

    – PKumar
    Mar 26 '16 at 18:32











  • you can get more information from the running processes from /proc/[PID]/status, there you could see the parent process, for example, and try to get some more information from where is it coming from (my motto: procfs is your friend)

    – dave_alcarin
    Mar 26 '16 at 18:33











  • Thank you, /procc/[pid] tells me these are perl processes run from /tmp

    – Tyron
    Mar 26 '16 at 18:37











  • To build on @dave_alcarin 's comment, you can find out a lot of what the process is in /proc/[PID], such as what the running binary actually is. See tldp.org/LDP/Linux-Filesystem-Hierarchy/html/proc.html

    – Andrew Henle
    Mar 26 '16 at 18:38



















  • what does the apache logs say ?

    – PKumar
    Mar 26 '16 at 18:32











  • you can get more information from the running processes from /proc/[PID]/status, there you could see the parent process, for example, and try to get some more information from where is it coming from (my motto: procfs is your friend)

    – dave_alcarin
    Mar 26 '16 at 18:33











  • Thank you, /procc/[pid] tells me these are perl processes run from /tmp

    – Tyron
    Mar 26 '16 at 18:37











  • To build on @dave_alcarin 's comment, you can find out a lot of what the process is in /proc/[PID], such as what the running binary actually is. See tldp.org/LDP/Linux-Filesystem-Hierarchy/html/proc.html

    – Andrew Henle
    Mar 26 '16 at 18:38

















what does the apache logs say ?

– PKumar
Mar 26 '16 at 18:32





what does the apache logs say ?

– PKumar
Mar 26 '16 at 18:32













you can get more information from the running processes from /proc/[PID]/status, there you could see the parent process, for example, and try to get some more information from where is it coming from (my motto: procfs is your friend)

– dave_alcarin
Mar 26 '16 at 18:33





you can get more information from the running processes from /proc/[PID]/status, there you could see the parent process, for example, and try to get some more information from where is it coming from (my motto: procfs is your friend)

– dave_alcarin
Mar 26 '16 at 18:33













Thank you, /procc/[pid] tells me these are perl processes run from /tmp

– Tyron
Mar 26 '16 at 18:37





Thank you, /procc/[pid] tells me these are perl processes run from /tmp

– Tyron
Mar 26 '16 at 18:37













To build on @dave_alcarin 's comment, you can find out a lot of what the process is in /proc/[PID], such as what the running binary actually is. See tldp.org/LDP/Linux-Filesystem-Hierarchy/html/proc.html

– Andrew Henle
Mar 26 '16 at 18:38





To build on @dave_alcarin 's comment, you can find out a lot of what the process is in /proc/[PID], such as what the running binary actually is. See tldp.org/LDP/Linux-Filesystem-Hierarchy/html/proc.html

– Andrew Henle
Mar 26 '16 at 18:38










1 Answer
1






active

oldest

votes


















2














You can start finding the executable using below command



ls -l /proc/<PID>/exe


Then you can find who created it (the parent PID) with running below command



ps -p <PID> -o ppid=:wq


And search until you find the starting point.



You can also check the common automatic execution points, like init scripts, global and user specific cron jobs, at scripts, rc.local files..
adding 1 more thing pls check google there are lots of post on same






share|improve this answer


























  • As already commented by Andrew Henle looking into /proc helped, thank you

    – Tyron
    Mar 26 '16 at 18:43











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f272336%2fwebserver-compromised-strange-processes-running%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









2














You can start finding the executable using below command



ls -l /proc/<PID>/exe


Then you can find who created it (the parent PID) with running below command



ps -p <PID> -o ppid=:wq


And search until you find the starting point.



You can also check the common automatic execution points, like init scripts, global and user specific cron jobs, at scripts, rc.local files..
adding 1 more thing pls check google there are lots of post on same






share|improve this answer


























  • As already commented by Andrew Henle looking into /proc helped, thank you

    – Tyron
    Mar 26 '16 at 18:43
















2














You can start finding the executable using below command



ls -l /proc/<PID>/exe


Then you can find who created it (the parent PID) with running below command



ps -p <PID> -o ppid=:wq


And search until you find the starting point.



You can also check the common automatic execution points, like init scripts, global and user specific cron jobs, at scripts, rc.local files..
adding 1 more thing pls check google there are lots of post on same






share|improve this answer


























  • As already commented by Andrew Henle looking into /proc helped, thank you

    – Tyron
    Mar 26 '16 at 18:43














2












2








2







You can start finding the executable using below command



ls -l /proc/<PID>/exe


Then you can find who created it (the parent PID) with running below command



ps -p <PID> -o ppid=:wq


And search until you find the starting point.



You can also check the common automatic execution points, like init scripts, global and user specific cron jobs, at scripts, rc.local files..
adding 1 more thing pls check google there are lots of post on same






share|improve this answer















You can start finding the executable using below command



ls -l /proc/<PID>/exe


Then you can find who created it (the parent PID) with running below command



ps -p <PID> -o ppid=:wq


And search until you find the starting point.



You can also check the common automatic execution points, like init scripts, global and user specific cron jobs, at scripts, rc.local files..
adding 1 more thing pls check google there are lots of post on same







share|improve this answer














share|improve this answer



share|improve this answer








edited Feb 15 at 4:53









Sparhawk

10.1k74397




10.1k74397










answered Mar 26 '16 at 18:39









Vinood NK MaheshwariVinood NK Maheshwari

319110




319110













  • As already commented by Andrew Henle looking into /proc helped, thank you

    – Tyron
    Mar 26 '16 at 18:43



















  • As already commented by Andrew Henle looking into /proc helped, thank you

    – Tyron
    Mar 26 '16 at 18:43

















As already commented by Andrew Henle looking into /proc helped, thank you

– Tyron
Mar 26 '16 at 18:43





As already commented by Andrew Henle looking into /proc helped, thank you

– Tyron
Mar 26 '16 at 18:43


















draft saved

draft discarded




















































Thanks for contributing an answer to Unix & Linux Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f272336%2fwebserver-compromised-strange-processes-running%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

How to make a Squid Proxy server?

Is this a new Fibonacci Identity?

19世紀