[personal profile] prog
Goatfuckers have compromised jmac.org somehow, and I can't do much about it because houseguests. Am trying to hold server together until I can block out six contiguous hours to rebuild everything.

Tell me why this happens, o sages of the internet:

top tells me that I have a perl process that is taking up 98% of CPU. But when I ps that PID, I am told that it's httpd. Er.

What's the correct way to find out what exactly is being perl'd? (I kill -9'd all those processes for now, but trust they'll be running again presently, because they've been doing that.)

Date: 2010-07-17 02:47 pm (UTC)
From: [identity profile] radtea.livejournal.com
pstree might tell you more, as it should say something about what process is spawning which.

"top -c" should give you the full command line for each process, which may help identify the offending Perl script.

Also, try nicing the httpd process rather than killing it:

nice +15

or something like that. That'll keep it from hogging CPU, but since it's still running it won't get restarted. Might be a useful stopgap.
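As an added example that is not part of the thread, here is a small POSIX shell script that pulls the separate names the kernel keeps for one PID out of /proc, which is what makes the top-versus-ps disagreement above understandable. top's default COMMAND column is /proc/PID/comm, set from the executable's filename when it is exec'd; plain ps prints /proc/PID/cmdline, i.e. argv, which a running program is free to overwrite (Perl does so with an assignment to $0, which is how a Perl process ends up labelled httpd); /proc/PID/exe is a symlink to the binary actually executing and is the one to trust. PPid from /proc/PID/status gives the parent that pstree would show. The script assumes a Linux /proc; the function names are my own. A comm/argv[0] disagreement is also produced innocently by scripts started through a #!/usr/bin/perl line (comm becomes the script's filename), so read a hit as a pointer to look at exe and cwd, not as a verdict. For a process that is already running, renice(1) rather than nice(1) is the command that changes its priority.

```shell
#!/bin/sh
# Added example, not from the original post. Shows why top and ps can disagree
# about a process: top's default COMMAND column is /proc/PID/comm (set when the
# binary is exec'd), ps shows /proc/PID/cmdline (argv, rewritable by the process),
# and /proc/PID/exe points at the binary that is really running.
# Assumes a Linux /proc; helper names are my own.

# Print every name the kernel has for one PID, plus parent and working directory.
proc_names() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
    cname=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')
    ppid=$(sed -n 's/^PPid:[[:space:]]*//p' "/proc/$pid/status" 2>/dev/null)
    cmdline=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
    printf 'pid=%s ppid=%s\n  comm=%s\n  exe=%s\n  cwd=%s\n  cmdline=%s\n' \
        "$pid" "$ppid" "$cname" "$exe" "$cwd" "$cmdline"
}

# Succeed (exit 0) when comm disagrees with the basename of argv[0], which is the
# top-says-perl / ps-says-httpd situation from the post. Kernel threads have an
# empty cmdline and are skipped.
name_mismatch() {
    pid=$1
    cname=$(cat "/proc/$pid/comm" 2>/dev/null) || return 1
    argv0=$(tr '\0' '\n' < "/proc/$pid/cmdline" 2>/dev/null | head -n 1)
    [ -n "$argv0" ] || return 1
    argv0=${argv0##*/}          # basename of argv[0]
    argv0=${argv0#-}            # login shells prefix argv[0] with '-'
    # comm is truncated to 15 characters by the kernel (TASK_COMM_LEN), so compare
    # against the same prefix of argv[0].
    [ "$cname" != "$(printf '%s' "$argv0" | cut -c1-15)" ]
}

# Walk all processes and dump the details of every mismatch.
scan_mismatches() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        if name_mismatch "$pid"; then proc_names "$pid"; fi
    done
}

# Usage: sh procnames.sh <pid>...   or   sh procnames.sh --scan
case "${1:-}" in
    --scan) scan_mismatches ;;
    '')     ;;
    *)      for p in "$@"; do proc_names "$p"; done ;;
esac
```

Run it with the PID top reported (`sh procnames.sh 1234`) and compare the exe and cwd lines with the comm and cmdline lines; `--scan` walks the whole table and prints only processes whose two names disagree.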

Date: 2010-07-17 03:58 pm (UTC)
From: [identity profile] radiotelescope.livejournal.com
I don't know exactly why top and ps would disagree about the name of a process, but it's probably that an Apache thread has execed perl. (Not mod_perl, but /usr/bin/perl.)

Date: 2010-07-17 08:59 pm (UTC)
From: [identity profile] keimel.livejournal.com
/me has looked. killed mars. things are looking clean, unless they used new kit. *sigh*

Date: 2010-07-18 02:46 am (UTC)
From: [identity profile] jtroutman.livejournal.com
The ps binary may be trojaned. Or they could have installed a kernel module that hides processes.

chkrootkit.org is your friend, but that is not foolproof.

You really ought to run "denyhosts" as well. But likely, I bet they got on via exploiting your webserver in some fashion, instead of ssh brute force.
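As an added example that is mine rather than the thread's, here is a bare-bones version of the hidden-process check that chkrootkit performs, for anyone who wants to see what the tool is actually doing when it looks for the kind of process-hiding module mentioned above. It takes two independent views of the process table, the /proc directory listing expanded by the shell itself and the output of ps, and reports PIDs present in /proc but not in ps. It does this twice and keeps only PIDs flagged both times, so processes that merely started or exited between the two snapshots drop out. A kernel module that filters what ps reads, or a trojaned ps, shows up as a persistent disagreement; a module that also hides the /proc entry defeats it, which is the sort of gap behind the "not foolproof" remark. Assumes Linux, procps ps and GNU coreutils (comm, sort, mktemp); function names are my own.

```shell
#!/bin/sh
# Added example, not from the original thread: a bare-bones hidden-process
# check of the kind chkrootkit runs. Compares the /proc directory listing with
# what ps reports; a process-hiding kernel module or a trojaned ps shows up as
# a PID that is in /proc but never in ps. Assumes Linux, procps ps and GNU
# coreutils; function names are my own.

# One round: PIDs present in /proc but absent from ps.
proc_minus_ps() {
    ps_list=$(mktemp) || return 1
    proc_list=$(mktemp) || return 1
    # View 1, taken first: ps. -e is every process, "pid=" drops the header.
    # The pipeline's own helper processes can only end up on this side, where
    # comm -23 ignores them.
    ps -e -o pid= | tr -d ' ' | LC_ALL=C sort > "$ps_list"
    # View 2: the /proc listing, expanded by this shell without forking anything.
    : > "$proc_list"
    for d in /proc/[0-9]*; do
        echo "${d#/proc/}" >> "$proc_list"
    done
    LC_ALL=C sort -o "$proc_list" "$proc_list"
    comm -23 "$proc_list" "$ps_list"     # lines only in the first file
    rm -f "$ps_list" "$proc_list"
}

# Two rounds a second apart; report only PIDs flagged in both, so processes that
# merely started or exited between the two snapshots are not reported.
hidden_pids() {
    command -v ps >/dev/null 2>&1 || { echo "ps not installed" >&2; return 2; }
    first=$(proc_minus_ps) || return 1
    [ -n "$first" ] || return 0          # nothing suspicious the first time
    sleep 1
    second=$(proc_minus_ps) || return 1
    for p in $first; do
        if printf '%s\n' "$second" | grep -qx "$p"; then
            echo "$p"
        fi
    done
}

# Usage: sh hidden.sh scan
case "${1:-}" in
    scan)
        found=$(hidden_pids) || exit $?
        if [ -n "$found" ]; then
            echo "PIDs visible in /proc but not in ps:"
            echo "$found"
        else
            echo "no hidden processes found by this check"
        fi ;;
esac
```

Any PID it prints deserves a look at /proc/PID/exe and /proc/PID/cwd, since a process that ps will not show you is exactly the one you cannot inspect with the usual tools. Run it from a copy of ps you trust if the local binary is in doubt.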

