
Question: I have an Apache process every 10 minutes

mr-wolf

Silver Pleskian
Plesk Guru
I have an Apache process running every 10 minutes.
It calls itself qmail and it is reaching out to an English IP over HTTP.

I ran lsof -p on the process and it turned out to be a perl script.
I don't know who's initiating it.
The website is not responding, so I can't get any data with tcpdump to see what it is doing...

Now I just want to find out who's calling it....
Does anyone have clues on how to better troubleshoot this?

66.143.14.60 is my own IP (well, not really) and 5.101.142.81 is the real IP it is targeting.

The owner is apache
There is no file called qmail anywhere in /var/www/vhosts/


Code:
2933 19:50 00:00:00 qmail
Code:
COMMAND  PID   USER   FD   TYPE    DEVICE SIZE/OFF      NODE NAME
qmail   2933 apache  cwd    DIR     253,0     4096         2 /
qmail   2933 apache  rtd    DIR     253,0     4096         2 /
qmail   2933 apache  txt    REG     253,0  1511826  33927562 /usr/local/bin/perl
qmail   2933 apache  mem    REG     253,0   144776  12812547 /lib64/ld-2.5.so
qmail   2933 apache  mem    REG     253,0  1726296  12812609 /lib64/libc-2.5.so
qmail   2933 apache  mem    REG     253,0    23360  12812615 /lib64/libdl-2.5.so
qmail   2933 apache  mem    REG     253,0   149968  12812610 /lib64/libpthread-2.5.so
qmail   2933 apache  mem    REG     253,0    18152  12812629 /lib64/libutil-2.5.so
qmail   2933 apache  mem    REG     253,0   614992  12812613 /lib64/libm-2.5.so
qmail   2933 apache  mem    REG     253,0    48600  12812625 /lib64/libcrypt-2.5.so
qmail   2933 apache  mem    REG     253,0   114352  12812642 /lib64/libnsl-2.5.so
qmail   2933 apache  mem    REG     253,0    21273  34899352 /usr/local/lib/perl5/5.14.2/x86_64-linux-thread-multi/auto/Fcntl/Fcntl.so
qmail   2933 apache  mem    REG     253,0   116787  34899399 /usr/local/lib/perl5/5.14.2/x86_64-linux-thread-multi/auto/POSIX/POSIX.so
qmail   2933 apache  mem    REG     253,0    19959  34899653 /usr/local/lib/perl5/5.14.2/x86_64-linux-thread-multi/auto/IO/IO.so
qmail   2933 apache  mem    REG     253,0    46086  36077988 /usr/local/lib/perl5/site_perl/5.14.2/x86_64-linux-thread-multi/auto/Socket/Socket.so
qmail   2933 apache    0r   CHR       1,3      0t0      1026 /dev/null
qmail   2933 apache    1w   CHR       1,3      0t0      1026 /dev/null
qmail   2933 apache    2w   CHR       1,3      0t0      1026 /dev/null
qmail   2933 apache    3u  IPv4 103078551      0t0       TCP 66.143.14.60:55132->5.101.142.81:http (SYN_SENT)
qmail   2933 apache    4w  FIFO       0,6      0t0 103077634 pipe
qmail   2933 apache    5r  FIFO       0,6      0t0 103077635 pipe
 
Hi mr-wolf,

Please consider using a "find" command, for example:
Code:
find /var/www/vhosts -type f -exec grep --color -Hni "no-rdns-yet.ukservers.com" {} \;
find /var/www/vhosts -type f -exec grep --color -Hni "ukservers.com" {} \;
find /var/www/vhosts -type f -exec grep --color -Hni "no-rdns-yet" {} \;
find /var/www/vhosts -type f -exec grep --color -Hni "5.101.142.81" {} \;
... in order to find the malware on your server (mostly an additional WordPress/Drupal plugin/extension) ;)
 
Thanks, but I already tried that and was unsuccessful.
It turned out to be an Apache scheduled job.
I already thought so, as it was always every 10 minutes...
I had never used users' cronjobs before, although I knew they existed.
Should have looked into it earlier...
I spent too much time looking into user files in /var/www/vhosts/

Code:
crontab -u apache -l
*/10 * * * * /var/tmp/pHygue >/dev/null 2>&1

Show all crontabs
Code:
for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done

The file was created last April 10th.
Now I need to find out where and how it's created.

To be continued some other day.
I saved the script to another place and have to find out where it's created.

This is an old server that I want to re-install as it is still running CentOS 5.11 which reached EOL last month.

Does anyone have a MySQL command to list all the Plesk scheduled jobs?

[EDIT]
Yes, it's in the database psa in table ScheduledTasks

This is in the system-wide scheduled tasks and that's very worrisome.
But if the hacker had root access, why would it use /var/tmp and only the Apache user?
It seems it still had restricted access, although too much anyhow...
 
I'm not getting much wiser from that entry in the psa database....
Is it in some way coupled to an account?
I can't see any link to some subscription in that row....

There's a hash, though....
Does that refer to some subscription???