Date: Tue, 25 Aug 2009 03:04:10 -0700 (PDT)
From: Colin Brace <cb@lim.nl>
To: freebsd-questions@freebsd.org
Subject: Re: what www perl script is running?
Message-ID: <25131646.post@talk.nabble.com>
In-Reply-To: <20090825091937.GA53416@cheddar.urgle.com>
References: <4A924601.3000507@lim.nl> <200908240807.n7O87o3U092052@banyan.cs.ait.ac.th> <200908241026.55693.j.mckeown@ru.ac.za> <25130058.post@talk.nabble.com> <20090825091937.GA53416@cheddar.urgle.com>

Mike Bristow wrote:
>
> On Tue, Aug 25, 2009 at 01:00:53AM -0700, Colin Brace wrote:
>> Ok, here is what lsof tells me:
>>
>> $ sudo lsof | grep perl
>> perl5.8.9 4272 www 3u IPv4 0xc33cf000 0t0 TCP
>> gw:51295->94.102.51.57:afs3-fileserver (ESTABLISHED)
>>
>> The last line would appear to be telling me something, but what?
>
> The script is talking to 94.102.51.57 on port 7000.
>
> Other useful things:
>
> ps ajxwwww
> will tell you the parent process of the script: this looks like
> it may be a (fast?)CGI script; if so then the parent would be the
> web server.
>
> It may also show the name of the script (but beware: the script
> can change that) which would be useful to know.
>
>> After 24 hours since rebooting, this perl instance is still crunching
>> away...
>
> Is it the same instance of the script, or a new copy each time?
> That is, does the PID change? If so, that points to a CGI; if not it
> points to a fastCGI - or something else.
>

I have disabled both CGI and fastCGI in lighttpd.conf, restarted the
webserver, but the script keeps popping up.

Now I notice something interesting:

$ ps aux | grep www
www 116 100.0 0.7 5864 3588 ?? R 11:53AM 8:10.33 /usr/bin/web/httpd (perl5.8.9)
www 113 0.0 0.0 0 0 ?? Z 11:53AM 0:00.18 <defunct>

This file doesn't exist on my system.

Am I correct in assuming that my system has been hacked and I am running an
IRC server or something?

Thanks.

-----
  Colin Brace
  Amsterdam
  http://lim.nl
--
View this message in context: http://www.nabble.com/what-www-perl-script-is-running--tp25112050p25131646.html
Sent from the freebsd-questions mailing list archive at Nabble.com.
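
Added example, not part of the original message or thread: FreeBSD ps(1) appends the kernel's accounting name in parentheses when the argument vector does not agree with it, which is why the row above reads "/usr/bin/web/httpd (perl5.8.9)". The sketch below scans `ps aux` text for such rows and checks whether the claimed path exists; the function names and the lighttpd sample row are constructed, and it assumes the 11-column `ps aux` layout shown in the message.

```shell
#!/bin/sh
# Triage helper: list processes whose displayed argv[0] disagrees with the
# real command name that FreeBSD ps prints in parentheses.

# Constructed sample: the two www rows quoted in the message, plus one
# invented lighttpd row for contrast.
sample_ps() {
cat <<'EOF'
USER   PID  %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME COMMAND
www    116 100.0  0.7  5864  3588  ??  R    11:53AM   8:10.33 /usr/bin/web/httpd (perl5.8.9)
www    113   0.0  0.0     0     0  ??  Z    11:53AM   0:00.18 <defunct>
www    901   0.0  0.4  4120  2100  ??  S    11:40AM   0:01.02 /usr/local/sbin/lighttpd -f /usr/local/etc/lighttpd.conf
EOF
}

# Reads `ps aux` text on stdin and prints "PID USER REAL CLAIMED STATUS".
# STATUS is "missing" when the claimed argv[0] path is not on disk.
find_masquerading() {
    awk 'NR > 1 && NF >= 12 && $NF ~ /^\(.*\)$/ {
        real = substr($NF, 2, length($NF) - 2)   # name inside the parentheses
        claimed = $11                            # argv[0] as displayed
        n = split(claimed, parts, "/")
        base = parts[n]
        sub(/^-/, "", base)   # login shells show as "-sh (sh)"
        sub(/:$/, "", base)   # setproctitle(3) titles such as "sshd: ... (sshd)"
        # "perl script.pl (perl5.8.9)" is consistent: base is a prefix of real
        if (index(real, base) != 1) print $2, $1, real, claimed
    }' | while read -r pid user real claimed; do
        if [ -e "$claimed" ]; then status=exists; else status=missing; fi
        echo "$pid $user $real $claimed $status"
    done
}

sample_ps | find_masquerading
```

On a live host the input would be `ps aux | find_masquerading`. A hit is a lead for further inspection of that PID, not a verdict, since a process may legitimately rewrite its title.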