Question: I have an apache process every 10 minutes

mr-wolf

I have an Apache process running every 10 minutes.
It calls itself qmail and it is reaching out to an English IP over http.

I ran lsof -p on the process and it turned out to be a perl script.
I don't know who's initiating it.
The website is not responding, so I can't get any data with tcpdump to see what it is doing...

Now I just want to find out who's calling it....
Anyone with clues on how to better troubleshoot this?

66.143.14.60 is my own IP (well, not really) and 5.101.142.81 is the real IP it is targeting.

The owner is apache
There is no file called qmail anywhere in /var/www/vhosts/


Code:
2933 19:50 00:00:00 qmail
Code:
COMMAND  PID   USER   FD   TYPE    DEVICE SIZE/OFF      NODE NAME
qmail   2933 apache  cwd    DIR     253,0     4096         2 /
qmail   2933 apache  rtd    DIR     253,0     4096         2 /
qmail   2933 apache  txt    REG     253,0  1511826  33927562 /usr/local/bin/perl
qmail   2933 apache  mem    REG     253,0   144776  12812547 /lib64/ld-2.5.so
qmail   2933 apache  mem    REG     253,0  1726296  12812609 /lib64/libc-2.5.so
qmail   2933 apache  mem    REG     253,0    23360  12812615 /lib64/libdl-2.5.so
qmail   2933 apache  mem    REG     253,0   149968  12812610 /lib64/libpthread-2.5.so
qmail   2933 apache  mem    REG     253,0    18152  12812629 /lib64/libutil-2.5.so
qmail   2933 apache  mem    REG     253,0   614992  12812613 /lib64/libm-2.5.so
qmail   2933 apache  mem    REG     253,0    48600  12812625 /lib64/libcrypt-2.5.so
qmail   2933 apache  mem    REG     253,0   114352  12812642 /lib64/libnsl-2.5.so
qmail   2933 apache  mem    REG     253,0    21273  34899352 /usr/local/lib/perl5/5.14.2/x86_64-linux-thread-multi/auto/Fcntl/Fcntl.so
qmail   2933 apache  mem    REG     253,0   116787  34899399 /usr/local/lib/perl5/5.14.2/x86_64-linux-thread-multi/auto/POSIX/POSIX.so
qmail   2933 apache  mem    REG     253,0    19959  34899653 /usr/local/lib/perl5/5.14.2/x86_64-linux-thread-multi/auto/IO/IO.so
qmail   2933 apache  mem    REG     253,0    46086  36077988 /usr/local/lib/perl5/site_perl/5.14.2/x86_64-linux-thread-multi/auto/Socket/Socket.so
qmail   2933 apache    0r   CHR       1,3      0t0      1026 /dev/null
qmail   2933 apache    1w   CHR       1,3      0t0      1026 /dev/null
qmail   2933 apache    2w   CHR       1,3      0t0      1026 /dev/null
qmail   2933 apache    3u  IPv4 103078551      0t0       TCP 66.143.14.60:55132->5.101.142.81:http (SYN_SENT)
qmail   2933 apache    4w  FIFO       0,6      0t0 103077634 pipe
qmail   2933 apache    5r  FIFO       0,6      0t0 103077635 pipe
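The lsof output above shows the symptom a defender should check for mechanically: the process name is `qmail`, but the executable (`txt`) is `/usr/local/bin/perl`, so the name belongs to a script and not to the program. The following script, added here as an example and not code from the thread, walks a `/proc` tree and reports every process whose `/proc/PID/comm` differs from the basename of `/proc/PID/exe`, together with the parent PID (which points at who started it, e.g. crond) and the full command line. The proc root argument, the interpreter list and the output format are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the thread: report processes whose visible name
# (/proc/PID/comm, what ps prints) does not match the binary they actually run
# (/proc/PID/exe). In the thread the process shows up as "qmail" while its exe
# is /usr/local/bin/perl, so the name is only the script's name and the real
# program is the interpreter.
#
# Usage: sh proc_name_check.sh /proc
# The proc root is a parameter so the check can also run over a copied or
# constructed /proc tree. Each reported line reads:
#   PID COMM EXE PPID [interpreter] CMDLINE
# PPID is included because the parent (e.g. crond) tells you who started it.

# Interpreters that commonly execute renamed scripts (constructed list; extend as needed).
INTERPRETERS=' perl python python2 python3 php ruby sh bash dash '

# Returns 0 if at least one mismatch was printed, 1 otherwise.
find_spoofed_names() {
    root=$1
    found=1
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d##*/}
        comm=$(cat "$d/comm" 2>/dev/null) || continue
        # Kernel threads and already-exited processes have no readable exe link.
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        [ -n "$exe" ] || continue
        exe_base=${exe##*/}
        exe_base=${exe_base%" (deleted)"}   # binary unlinked after start: still report it
        # comm is truncated to 15 characters, so compare against the same prefix.
        if [ "$comm" = "$(printf '%.15s' "$exe_base")" ]; then
            continue
        fi
        ppid=$(awk '/^PPid:/ { print $2 }' "$d/status" 2>/dev/null || true)
        cmdline=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null || true)
        tag=
        case $INTERPRETERS in
            *" $exe_base "*) tag='[interpreter] ' ;;
        esac
        printf '%s %s %s %s %s%s\n' "$pid" "$comm" "$exe" "${ppid:-?}" "$tag" "$cmdline"
        found=0
    done
    return $found
}

if [ "$#" -gt 0 ]; then
    find_spoofed_names "$1"
fi
```

Legitimate scripts started via a shebang also show their own name in `comm`, so the list is a triage aid rather than a verdict; the `[interpreter]` tag and the command line are what let you tell a cron maintenance script from something like the case above, where the script sits in a directory it has no business being in.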
 
Hi mr-wolf,

Please consider using a "find" command, for example:
Code:
find /var/www/vhosts -type f -exec grep --color -Hni "no-rdns-yet.ukservers.com" {} \;
find /var/www/vhosts -type f -exec grep --color -Hni "ukservers.com" {} \;
find /var/www/vhosts -type f -exec grep --color -Hni "no-rdns-yet" {} \;
find /var/www/vhosts -type f -exec grep --color -Hni "5.101.142.81" {} \;
... in order to find the malware on your server (mostly an additional WordPress/Drupal plugin/extension) ;)
 
Thanks, but I already tried that and was unsuccessful.
It turned out to be an apache scheduled job.
I already thought so, as it was always every 10 minutes...
I had never used users' cronjobs before, although I knew they existed.
Should have looked into it earlier...
I spent too much time looking into user files in /var/www/vhosts/

Code:
crontab -u apache -l
*/10 * * * * /var/tmp/pHygue >/dev/null 2>&1

Show all crontabs
Code:
# list every account's crontab; "no crontab for ..." errors are suppressed
for user in $(cut -f1 -d: /etc/passwd); do echo "$user"; crontab -u "$user" -l 2>/dev/null; done

The file was created last April 10th
Now I need to find out where and how it's created.

To be continued some other day.
I saved the script to another place and have to find out where it's created.

This is an old server that I want to re-install as it is still running CentOS 5.11 which reached EOL last month.

Does anyone have a mysql command to list all the Plesk scheduled jobs?

[EDIT]
Yes, it's in the database psa in table ScheduledTasks

This is in the system-wide scheduled tasks and that's very worrisome.
But if the hacker had root access, why would they use /var/tmp and only the Apache user?
It seems it still had restricted access, although too much anyhow...
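The find in this post is the pattern to check for everywhere: a per-user crontab running a binary out of `/var/tmp`. The script below, added as an example and not code from the thread or from Plesk, reads crontab text in the format `crontab -l` prints and flags entries whose command runs from a world-writable temp directory (`/tmp`, `/var/tmp`, `/dev/shm`) or from a hidden dot directory, then wraps that in a sweep over every account as the one-liner above does. The two flag categories, the `--all` and `--stdin` switches and the sample crontab lines are this example's own constructions.

```shell
#!/bin/sh
# Added example, not code from the thread: audit crontab entries for the
# pattern found in the thread (a job in the apache user's crontab running a
# binary from /var/tmp).
#
# flag_cron_entries reads crontab text on stdin in the per-user format that
# `crontab -l` prints (no user field); /etc/crontab and /etc/cron.d files carry
# an extra user column and are not handled here. It prints
# "FLAGGED (reason): <original line>" and returns 0 if anything was flagged,
# 1 otherwise.
flag_cron_entries() {
    flagged=1
    while IFS= read -r line; do
        case $line in
            ''|'#'*|[A-Za-z_]*=*) continue ;;   # blank, comment, or MAILTO=/PATH= assignment
        esac
        # @reboot/@daily entries have one schedule field, regular entries five.
        nfields=5
        case $line in @*) nfields=1 ;; esac
        cmd=$(printf '%s\n' "$line" |
              awk -v n="$nfields" '{ for (i = 1; i <= n; i++) $i = ""; sub(/^[ \t]+/, ""); print }')
        reason=
        if printf '%s\n' "$cmd" | grep -qE '(^|[[:space:]=;|&(])/(tmp|var/tmp|dev/shm)/'; then
            reason='runs from a world-writable temp directory'
        elif printf '%s\n' "$cmd" | grep -qE '/\.[^./[:space:]][^/[:space:]]*/'; then
            reason='path contains a hidden (dot) directory'
        fi
        if [ -n "$reason" ]; then
            printf 'FLAGGED (%s): %s\n' "$reason" "$line"
            flagged=0
        fi
    done
    return $flagged
}

# Run the check over every account's crontab (needs root) and prefix each
# finding with the account name so the owner is obvious.
audit_all_crontabs() {
    cut -d: -f1 /etc/passwd | while IFS= read -r user; do
        crontab -u "$user" -l 2>/dev/null | flag_cron_entries | sed "s/^/[$user] /"
    done
}

case ${1:-} in
    --all)   audit_all_crontabs ;;
    --stdin) flag_cron_entries ;;
esac
```

`crontab -u apache -l | sh audit_cron.sh --stdin` checks one account; `sh audit_cron.sh --all` as root walks `/etc/passwd`. For the Plesk-managed jobs asked about later in the thread, the rows can be listed on a Plesk host with `mysql -uadmin -p"$(cat /etc/psa/.psa.shadow)" psa -e 'SELECT * FROM ScheduledTasks'`; the column layout differs between Plesk versions, which is why the query does not name columns.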
 
I'm not getting much wiser from that entry in the psa database....
Is it in some way coupled to an account?
I can't see any link to some subscription in that row....

There's a hash, though....
Does that refer to some subscription???
 