From owner-freebsd-questions@FreeBSD.ORG Tue Aug 25 10:04:36 2009
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id C383B10656D8
	for ; Tue, 25 Aug 2009 10:04:36 +0000 (UTC)
	(envelope-from bounces@nabble.com)
Received: from kuber.nabble.com (kuber.nabble.com [216.139.236.158])
	by mx1.freebsd.org (Postfix) with ESMTP id 9BD2B8FC1C
	for ; Tue, 25 Aug 2009 10:04:36 +0000 (UTC)
Received: from isper.nabble.com ([192.168.236.156])
	by kuber.nabble.com with esmtp (Exim 4.63)
	(envelope-from ) id 1Mfst2-0007WN-FT
	for freebsd-questions@freebsd.org; Tue, 25 Aug 2009 03:04:20 -0700
Message-ID: <25131646.post@talk.nabble.com>
Date: Tue, 25 Aug 2009 03:04:10 -0700 (PDT)
From: Colin Brace
To: freebsd-questions@freebsd.org
In-Reply-To: <20090825091937.GA53416@cheddar.urgle.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Nabble-From: cb@lim.nl
References: <4A924601.3000507@lim.nl>
	<200908240807.n7O87o3U092052@banyan.cs.ait.ac.th>
	<200908241026.55693.j.mckeown@ru.ac.za>
	<25130058.post@talk.nabble.com>
	<20090825091937.GA53416@cheddar.urgle.com>
Subject: Re: what www perl script is running?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Tue, 25 Aug 2009 10:04:36 -0000

Mike Bristow wrote:
>
> On Tue, Aug 25, 2009 at 01:00:53AM -0700, Colin Brace wrote:
>> Ok, here is what lsof tells me:
>>
>> $ sudo lsof | grep perl
>> perl5.8.9 4272 www 3u IPv4 0xc33cf000 0t0 TCP
>> gw:51295->94.102.51.57:afs3-fileserver (ESTABLISHED)
>>
>> The last line would appear to be telling me something, but what?
>
> The script is talking to 94.102.51.57 on port 7000.
>
> Other useful things:
>
>     ps ajxwwww
> will tell you the parent process of the script: this looks like
> it may be a (fast?)CGI script; if so then the parent would be the
> web server.
>
> It may also show the name of the script (but beware: the script
> can change that) which would be useful to know.
>
>> After 24 hours since rebooting, this perl instance is still crunching
>> away...
>
> Is it the same instance of the script, or a new copy each time?
> That is, does the PID change? If so, that points to a CGI; if not it
> points to a fastCGI - or something else.
>

I have disabled both CGI and fastCGI in lighttpd.conf, restarted the
webserver, but the script keeps popping up. Now I notice something
interesting:

$ ps aux | grep www
www 116 100.0 0.7 5864 3588 ?? R 11:53AM 8:10.33 /usr/bin/web/httpd (perl5.8.9)
www 113 0.0 0.0 0 0 ?? Z 11:53AM 0:00.18

This file doesn't exist on my system. Am I correct in assuming that my
system has been hacked and I am running an IRC server or something?

Thanks.

-----
Colin Brace
Amsterdam
http://lim.nl
--
View this message in context: http://www.nabble.com/what-www-perl-script-is-running--tp25112050p25131646.html
Sent from the freebsd-questions mailing list archive at Nabble.com.
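
Added example, not part of the original message or thread: a triage filter for the mismatch visible in the ps output above, where the displayed argv[0] (/usr/bin/web/httpd) disagrees with the command name ps appends in parentheses (perl5.8.9). It assumes FreeBSD `ps aux` column layout; the function names `flag_renamed` and `sample_ps` are hypothetical, and every sample row except the PID 116 line is constructed.

```shell
#!/bin/sh
# flag_renamed: read `ps aux`-style rows on stdin and print, per suspect,
#   <pid> <user> <claimed argv0> <real command> <present|missing>
# A row is suspect when the basename of argv[0] does not match the
# command name that ps shows in trailing parentheses.
flag_renamed() {
    awk '
    NR == 1 && $1 == "USER" { next }        # skip the header row
    NF >= 12 && $NF ~ /^\(.*\)$/ {          # COMMAND ends in "(comm)"
        real = substr($NF, 2, length($NF) - 2)
        n = split($11, parts, "/")          # $11 is argv[0]
        base = parts[n]
        sub(/^-/, "", base)                 # login shells: "-sh (sh)"
        sub(/:$/, "", base)                 # setproctitle: "sendmail: ... (sendmail)"
        if (base == real) next
        if (index(real, base) == 1) next    # heuristic: "perl" vs "perl5.8.9"
        print $2, $1, $11, real
    }' | while read -r pid user claimed real; do
        # argv[0] naming a path that is not on disk is a second signal.
        if [ -e "$claimed" ]; then state=present; else state=missing; fi
        printf '%s %s %s %s %s\n' "$pid" "$user" "$claimed" "$real" "$state"
    done
}

# Sample input: the PID 116 row is from the message; the rest is constructed.
sample_ps() {
    cat <<'EOF'
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
www 116 100.0 0.7 5864 3588 ?? R 11:53AM 8:10.33 /usr/bin/web/httpd (perl5.8.9)
www 210 0.0 0.4 4100 2100 ?? S 11:50AM 0:00.40 /usr/local/sbin/lighttpd -f /usr/local/etc/lighttpd.conf
www 300 0.0 0.5 5200 2600 ?? S 11:51AM 0:00.10 /usr/bin/perl /usr/local/www/cgi-bin/stats.pl (perl5.8.9)
root 612 0.0 0.1 3500 1200 ?? Ss 11:50AM 0:00.05 sendmail: accepting connections (sendmail)
colin 840 0.0 0.1 3000 1500 p0 Ss 11:55AM 0:00.02 -sh (sh)
EOF
}

sample_ps | flag_renamed
```

On a live host the input would come from `ps auxww | flag_renamed`; a flagged PID can then be checked against its parent with `ps ajxwwww` and its sockets with `lsof -p`.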