[LinuxUsers] funnyness with check.cgi
David Kaiser
dkaiser at cdk.com
Tue Nov 25 21:18:31 UTC 2008
Well, it is possible that some process was able to change its process
info to read "/usr/bin/perl -w./check.cgi" when there was no check.cgi
file anywhere. Just a decoy trick from a bad process.
(Just thinking out loud...) could the 'check.cgi' file live inside a
loopback filesystem, which was somehow unmounted after the process
started? Do you see any funny entries in the 'mount' output? See any
funny files in global-writable areas, like /tmp ?
What do you get from (if the pids are still valid):
"ls -l /proc/28720/cwd"
"ls -l /proc/28720/exe"
"cat /proc/28720/environ"
"cat /proc/28720/mountinfo"
"cat /proc/28720/maps"
"cat /proc/28720/cmdline"
Jeff Lasman wrote:
> I'm seeing something funny with a file named check.cgi.
>
> Top says it's running:
>
> 28720 apache 25 0 6184 6184 1448 R 25.4 0.6 20:12 1
> check.cgi
> 2897 apache 25 0 5968 5968 1500 S 0.7 0.5 18:07 1
> check.cgi
>
> ps says it's being run by perl:
>
> # ps waux | grep check.cgi
> apache 28720 17.8 0.6 11124 6180 ? S 10:22
> 20:13 /usr/bin/perl -w./check.cgi
> apache 2897 25.8 0.5 10880 5968 ? S 11:05
> 18:07 /usr/bin/perl -w./check.cgi
> #
>
> find doesn't find any file by that name
>
> # find / -name check.cgi
> #
>
> and grepping all the apache logs doesn't show it being called from
> anywhere.
>
> I care because we're being attacked by a spammer who appears to be on
> our box sending mail via smtp through localhost, and this might be the
> problem (I'm not sure yet).
>
> Any ideas?
>
> Jeff
>
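The /proc checks David lists, wrapped up as a script so they can be run against every suspect pid in one go. This is an added example and not code from the thread; it relies on two kernel behaviours: /proc/<pid>/cmdline is NUL-separated (so it shows the real argv split that ps collapses into "-w./check.cgi"), and readlink on /proc/<pid>/exe or cwd gets the suffix " (deleted)" when the target was unlinked, which is the classic reason find(1) comes up empty while the process keeps running. The PROC_ROOT variable is an assumption of this script, not a system feature: it lets the same logic run against a copied or constructed /proc tree for testing.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a pid's /proc entries for
# the things find(1) cannot see. PROC_ROOT is this script's own knob so the
# functions can be pointed at a constructed fixture tree instead of /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Real argv of the process. cmdline is NUL-separated, so ps output such as
# "-w./check.cgi" says nothing about how the arguments were actually split.
proc_cmdline() {
    tr '\0' ' ' < "$PROC_ROOT/$1/cmdline" 2>/dev/null | sed 's/ *$//'
}

# Where /proc/<pid>/exe, cwd or root points. The kernel appends " (deleted)"
# when the link target has been unlinked; such a file still runs fine but
# no longer has a name on disk for find(1) to hit.
# Prints one of: ok:<path> | deleted:<path> | unreadable
proc_link_state() {
    target=$(readlink "$PROC_ROOT/$1/$2" 2>/dev/null) || target=""
    if [ -z "$target" ]; then
        echo "unreadable"
        return 0
    fi
    case "$target" in
        *" (deleted)") echo "deleted:${target% (deleted)}" ;;
        *)             echo "ok:$target" ;;
    esac
}

# Number of mapped files (binary, libraries) that no longer exist on disk.
proc_deleted_maps() {
    n=$(grep -c '(deleted)$' "$PROC_ROOT/$1/maps" 2>/dev/null || true)
    echo "${n:-0}"
}

# One-word verdict: "suspicious" if exe or cwd is gone or any mapping is
# deleted, "unreadable" if we lack permission (re-run as root), else "clean".
proc_verdict() {
    exe=$(proc_link_state "$1" exe)
    cwd=$(proc_link_state "$1" cwd)
    maps=$(proc_deleted_maps "$1")
    case "$exe $cwd" in
        *deleted:*)   echo "suspicious"; return 0 ;;
        *unreadable*) echo "unreadable"; return 0 ;;
    esac
    if [ "$maps" -gt 0 ]; then echo "suspicious"; else echo "clean"; fi
}

# Human-readable summary for one pid, plus the longer files left to eyeball:
# environ (NUL-separated) and mountinfo, for the unmounted-loopback theory,
# and the fd directory, which also carries " (deleted)" markers.
proc_report() {
    pid=$1
    echo "pid:              $pid"
    echo "cmdline:          $(proc_cmdline "$pid")"
    echo "exe:              $(proc_link_state "$pid" exe)"
    echo "cwd:              $(proc_link_state "$pid" cwd)"
    echo "root:             $(proc_link_state "$pid" root)"
    echo "deleted mappings: $(proc_deleted_maps "$pid")"
    echo "verdict:          $(proc_verdict "$pid")"
    printf '%s\n' "next: tr '\\0' '\\n' < $PROC_ROOT/$pid/environ"
    printf '%s\n' "      cat $PROC_ROOT/$pid/mountinfo; ls -l $PROC_ROOT/$pid/fd"
}

# Usage: sh proc_inspect.sh 28720 2897
if [ $# -gt 0 ]; then
    for p in "$@"; do
        proc_report "$p"
        echo
    done
fi
```

Run it as root, since /proc/<pid>/exe, cwd and maps of another user's process are only readable by that user or root; an "unreadable" verdict from an unprivileged shell means nothing. A "deleted:" exe or a non-zero deleted-mapping count is the strongest signal here: it means the running code has no path on disk, so the next step is to copy it out via /proc/<pid>/exe before the process exits and takes the only copy with it.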