From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org)
	by finch.gentoo.org with esmtp (Exim 4.60)
	(envelope-from <gentoo-user+bounces-129403-garchives=archives.gentoo.org@lists.gentoo.org>)
	id 1RBrFW-0004vy-03
	for garchives@archives.gentoo.org; Thu, 06 Oct 2011 16:56:46 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 7930121C0F2;
	Thu,  6 Oct 2011 16:56:36 +0000 (UTC)
Received: from s1.itech7.com (s1.itech7.com [94.76.222.184])
	by pigeon.gentoo.org (Postfix) with ESMTP id 43BC821C020
	for <gentoo-user@lists.gentoo.org>; Thu,  6 Oct 2011 16:55:44 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by s1.itech7.com (Postfix) with ESMTP id 8D94E3E60
	for <gentoo-user@lists.gentoo.org>; Thu,  6 Oct 2011 22:25:35 +0530 (IST)
Message-ID: <4E8DDD8C.3080004@nileshgr.com>
Date: Thu, 06 Oct 2011 22:25:40 +0530
From: Nilesh Govindarajan <contact@nileshgr.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:6.0.2) Gecko/20110929 Thunderbird/6.0.2
Precedence: bulk
List-Post: <mailto:gentoo-user@lists.gentoo.org>
List-Help: <mailto:gentoo-user+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-user+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-user+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-user.gentoo.org>
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Rootkit?
References: <4E8DC2B6.1000105@nileshgr.com> <87hb3m5dzt.fsf@eps142.cdf.udc.es>
In-Reply-To: <87hb3m5dzt.fsf@eps142.cdf.udc.es>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Archives-Salt: 
X-Archives-Hash: 23e60a1c22ba578269cbeeb49c3910f7

On Thu 06 Oct 2011 09:06:06 PM IST, Alberto Luaces wrote:
> Nilesh Govindarajan writes:
>
>> One of the servers I manage has a strange problem.
>>
>> Every 24h, someone starts a process that shows up as perl in the list, but
>> launching command is /usr/sbin/httpd.
>> It shows just one process, but when I run something like this:
>>
>> ps -C perl -o cmd,pid
>>
>> I get some 5-6 processes, alternately with cmd as /usr/sbin/httpd or
>> /usr/bin/perl.
>>
>> The even more interesting thing is, /usr/sbin/httpd does not exist.
>> I suspect a rootkit, but chkrootkit & rkhunter reported nothing.
>>
>> Also, I found a mysterious file: /tmp/ips.txt with following content:
>> xxx.xxx.xxx.xxx
>> 127.0.0.1
>> addr:xxx.xxx.xxx.xxx
>> addr:
>> addr:127.0.0.1
>> addr:
>>
>> Is anybody aware of a malware/rootkit which creates such files?
>
> I had some of that recently. The attacker used an instance of phpmyadmin
> to inject into its URL a wget command to download a perl script from
> another site. Look for `wget' in the apache logs.
>

@all
Apache was never installed & I don't see any reason to install it 
because nginx satisfies my needs. I grepped for the string wget in all 
logs and php files, found some, but they were for libssh2 in wordpress 
code.
@Michael,
I thought of doing that, but before I discovered the file, I'd already 
killed the processes. Will check when the process is relaunched 
sometime later.

-- 
Nilesh Govindarajan
http://nileshgr.com
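Added example, not code from this thread or from the poster's server: a POSIX shell script that tells a process disguised through argv[0] apart from a genuine one. `ps` takes its cmd column from /proc/PID/cmdline, which the process itself can overwrite (in perl, assigning to $0 is enough), which is why a perl process can show up as /usr/sbin/httpd. `ps -C perl` on the other hand selects on /proc/PID/comm, which is how the poster still caught them. The /proc/PID/exe link is maintained by the kernel and points at the binary actually executed, and a claimed path that does not exist on disk is never legitimate; those two are the strong signals. comm can also be changed (prctl PR_SET_NAME), so it is only a hint here. The finding names, the --scan flag and the sample values in the comments are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Flag processes whose ps "cmd" (argv[0])
# disagrees with what the kernel says is running.

# starts_with STR PREFIX : true when STR begins with PREFIX
starts_with() { case $1 in "$2"*) return 0 ;; esac; return 1; }

# classify CLAIMED EXE COMM ONDISK
#   CLAIMED : argv[0] as ps prints it (first NUL-separated field of /proc/PID/cmdline)
#   EXE     : target of /proc/PID/exe, e.g. "/usr/bin/perl" or "/tmp/x (deleted)"
#   COMM    : contents of /proc/PID/comm (executable name, truncated to 15 chars)
#   ONDISK  : y/n, whether the path in CLAIMED exists (caller checks it; keeps this pure)
# Prints "ok" or a space-separated list of findings. Always returns 0.
classify() {
  claimed=$1 exe=$2 comm=$3 ondisk=$4
  findings=""
  # argv[0] names an absolute path that is not on disk: nothing legitimate starts that way
  case $claimed in /*) [ "$ondisk" = y ] || findings="$findings missing-binary" ;; esac
  # the real executable was unlinked after exec, a common way to hide a dropped file
  case $exe in *" (deleted)") findings="$findings exe-deleted"; exe=${exe%" (deleted)"} ;; esac
  # compare basenames only: login shells prefix argv[0] with "-", interpreters carry
  # version suffixes (python3 vs python3.11), so accept a prefix match either way
  cb=${claimed##*/}; cb=${cb#-}
  eb=${exe##*/}
  starts_with "$eb" "$cb" || starts_with "$cb" "$eb" || findings="$findings exe-mismatch($eb)"
  # comm normally follows the real binary; a mismatch is a weaker hint (prctl can set it)
  starts_with "$cb" "$comm" || starts_with "$comm" "$cb" || findings="$findings comm-mismatch($comm)"
  if [ -n "$findings" ]; then echo "${findings# }"; else echo ok; fi
}

# Walk /proc and print one line per process that classify() does not call ok.
# Without root, /proc/PID/exe of other users' processes is unreadable and skipped,
# so run as root to cover a web server's worker processes.
scan_proc() {
  for d in /proc/[0-9]*; do
    pid=${d#/proc/}
    exe=$(readlink "$d/exe" 2>/dev/null) || continue   # kernel thread or permission denied
    [ -n "$exe" ] || continue
    claimed=$(tr '\0' '\n' < "$d/cmdline" 2>/dev/null | head -n 1)
    [ -n "$claimed" ] || continue
    comm=$(cat "$d/comm" 2>/dev/null)
    ondisk=y
    case $claimed in /*) [ -e "$claimed" ] || ondisk=n ;; esac
    verdict=$(classify "$claimed" "$exe" "$comm" "$ondisk")
    [ "$verdict" = ok ] && continue
    # cwd is the next thing worth looking at (along with /proc/PID/fd) before killing it
    printf '%s\t%s\t%s\tcwd=%s\t%s\n' "$pid" "$claimed" "$exe" \
      "$(readlink "$d/cwd" 2>/dev/null)" "$verdict"
  done
}

# Usage: sh proc_check.sh --scan   (as root on the affected host). The process the
# thread describes would print something like (constructed illustration):
#   1234  /usr/sbin/httpd  /usr/bin/perl  cwd=/tmp  missing-binary exe-mismatch(perl) comm-mismatch(perl)
if [ "${1:-}" = --scan ]; then scan_proc; fi
```

Expect some noise from symlinked interpreters (/bin/sh pointing at dash, for instance), which only ever trip exe-mismatch; missing-binary and exe-deleted are the findings to act on first. Do it before killing anything, since /proc/PID/cwd, /proc/PID/fd and /proc/PID/exe are the quickest way to recover the dropped script once the process is gone.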