DaMightyWhightyMan Tux's lil' helper
Joined: 16 Feb 2004 Posts: 116
Posted: Mon May 23, 2005 6:35 am Post subject: nano using 99 percent CPU power? hacked?
Yeah, public server, it's got all types of server software running: apache, plesk (sucks), proftpd, etc. etc. Due to Plesk's bad upgradability, some of the software is stale (not too bad though). Anyways, I logged in today and found that nano was running under the ROOT user and taking up all the CPU power, and it had been running for a great many hours. I killed the process hoping maybe it was just a runaway process, but about 15 minutes later it started up again. So I began to check the logs for unauthorized users, but no one but me is logged on, and the auth logs don't indicate that anyone was able to log in as root lately. I have root login via ssh disabled anyway. So my questions are: how the hell do I tell who is logged into my box and using nano, what are they doing with it, and of course, how'd they do it... As a current crappy workaround, I uninstalled nano.
Thanks
EDIT: if it's under the root user, the only proggies running under root are plesk, so am I to assume a plesk vulnerability?? (I'm using 7.5.3)
adaptr Watchman
Joined: 06 Oct 2002 Posts: 6730 Location: Rotterdam, Netherlands
Posted: Mon May 23, 2005 9:56 am Post subject:
chkrootkit, for one.
If nano is started up "by itself" then check all crontabs - that's where that happens.
If someone has compromised a system crontab then your box is 0wned.
And I assume you have contacted plesk's support, no?
If you paid for it, that is.

Quote: the only proggies running under root is plesk

Bullshit.
At least half the processes are running with root privileges - if you don't think so then run

Code: ps faux | grep root

There is no way to run the parent services of apache, ftp, dns etc. as a normal user - they have to bind to privileged ports.

>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen
rex123 Apprentice
Joined: 21 Apr 2004 Posts: 272
Posted: Mon May 23, 2005 2:44 pm Post subject:
Has uninstalling nano fixed the symptoms? I would have thought that the real nano would only be used interactively, and rarely by root. I wouldn't be surprised if there's another file called nano somewhere, and that's the one that's running. If it was the normal nano binary, it's a very weird thing to be using 100% CPU in a non-interactive situation.
If you want to know who's (currently or recently) logged in, normally you use w, who, or lastlog. But these might be unreliable if you have an unwanted visitor with root privileges...
kashani Advocate
Joined: 02 Sep 2002 Posts: 2032 Location: San Francisco
Posted: Mon May 23, 2005 3:23 pm Post subject:
You may also try installing lsof (list open files), which might allow you to backtrack to what is actually calling nano or what it might be doing.
kashani

Will personally fix your server in exchange for motorcycle related shop tools in good shape.
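Following up on rex123's point that the running "nano" may not be the real nano binary and kashani's suggestion of tracing what is actually calling it, here is an added example (not written by anyone in this thread) that reads /proc directly: for every process whose name matches, it reports the binary the kernel actually mapped (/proc/<pid>/exe, which a process cannot change by renaming itself) and the parent chain back to PID 1, so a cron- or daemon-spawned copy shows up as such. The expected path /usr/bin/nano and the fake-/proc builder are assumptions for offline use; on a live box you would call inspect_name("/proc", "nano", "/usr/bin/nano") as root, with rex123's caveat that a kernel-level rootkit can lie about /proc too.

```python
import os
import tempfile
from pathlib import Path

def _read(proc_root, pid, name):
    # Contents of /proc/<pid>/<name>, or "" if the process vanished / is unreadable.
    try:
        return Path(proc_root, str(pid), name).read_text()
    except OSError:
        return ""

def real_exe(proc_root, pid):
    # /proc/<pid>/exe is a kernel-kept link to the binary actually mapped, so a
    # process that merely names itself "nano" still reveals its true file here.
    try:
        return os.readlink(os.path.join(proc_root, str(pid), "exe"))
    except OSError:
        return None

def ancestry(proc_root, pid):
    # Walk PPid links up to PID 1: the parent shows who keeps starting the process.
    chain = []
    while pid > 0 and len(chain) < 64:
        chain.append((pid, _read(proc_root, pid, "comm").strip() or "?"))
        ppid = [l for l in _read(proc_root, pid, "status").splitlines() if l.startswith("PPid:")]
        pid = int(ppid[0].split(":", 1)[1]) if ppid else 0
    return chain

def inspect_name(proc_root, name, expected_exe):
    # Every process whose comm is `name`, with its real binary and lineage.
    findings = []
    for entry in sorted(os.listdir(proc_root)):
        if entry.isdigit() and _read(proc_root, entry, "comm").strip() == name:
            exe = real_exe(proc_root, entry)
            findings.append({"pid": int(entry), "exe": exe, "exe_ok": exe == expected_exe,
                             "ancestry": ancestry(proc_root, int(entry))})
    return findings

def build_fake_proc(table):
    # Constructed stand-in for /proc, for offline testing: {pid: (comm, ppid, exe)}.
    root = tempfile.mkdtemp()
    for pid, (comm, ppid, exe) in table.items():
        d = Path(root, str(pid))
        d.mkdir()
        (d / "comm").write_text(comm + "\n")
        (d / "status").write_text(f"Name:\t{comm}\nPPid:\t{ppid}\n")
        os.symlink(exe, d / "exe")
    return root
```

A finding whose exe is not the packaged nano, or whose ancestry ends in cron rather than an sshd login shell, is the thing to chase next; a kernel-level compromise could still hide entries from /proc entirely.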
DaMightyWhightyMan Tux's lil' helper
Joined: 16 Feb 2004 Posts: 116
Posted: Mon May 23, 2005 6:32 pm Post subject:
Uninstalling nano did fix the problem, and there's only 1 file named nano on the system, I've searched all the hard drives. nano is also not in a cronjob. No rootkits found. Yeahh.. if someone did hack the machine, wouldn't it be bizarre that they were running nano? Any other ideas to check to see if the box was compromised?
Jeffrey0 n00b
Joined: 31 Dec 2004 Posts: 68
Posted: Mon May 23, 2005 7:38 pm Post subject:
DaMightyWhightyMan wrote: Yeahh.. if someone did hack the machine, wouldn't it be bizarre that they were running nano?

Isn't this just a common cracker strategy? 'nano' isn't as suspicious as 'somerandomproc' or '/sbin/rootkitpro'.
Some shell script might've started $EDITOR for some reason, which is set to nano by default. I remember nano having problems being started without a pty.
DaMightyWhightyMan Tux's lil' helper
Joined: 16 Feb 2004 Posts: 116
Posted: Tue May 24, 2005 12:25 am Post subject:
Jeffrey0 wrote: Isn't this just a common cracker strategy? 'nano' isn't as suspicious as 'somerandomproc' or '/sbin/rootkitpro'. Some shell script might've started $EDITOR for some reason, which is set to nano by default. I remember nano having problems being started without a pty.

Hrmm.. so you're saying some other shell script might have been able to mask its process name under nano's?
adaptr Watchman
Joined: 06 Oct 2002 Posts: 6730 Location: Rotterdam, Netherlands
Posted: Tue May 24, 2005 9:32 am Post subject:
Not a shell script, no.
Why would you think that?
Rad Guru
Joined: 11 Feb 2004 Posts: 401 Location: Bern, Switzerland
Posted: Tue May 24, 2005 9:46 am Post subject:
And the 100% CPU stuff happened to me, too... though that was long ago.
Bug here. I didn't file it, but the problem went away quickly with a newer version of nano.
Though nano restarting itself after being killed sounds pretty suspicious, yes. Maybe you've just found out that somebody else knows your root password, by having a bugged nano installed which doesn't terminate cleanly...
jedi master james n00b
Joined: 23 May 2005 Posts: 4 Location: In the middle of no where
Posted: Tue May 24, 2005 2:07 pm Post subject:
Could you isolate it, then run a search of it? That way, if you are being hacked, you could put a stop to it without their knowledge.

Why not? If you say it can't be done, it shall. If you say it can, it can't be done. For I am the one, the only master of disaster. Oh god no, my science teacher got out... the hockey stick.
DaMightyWhightyMan Tux's lil' helper
Joined: 16 Feb 2004 Posts: 116
Posted: Tue May 24, 2005 7:40 pm Post subject:
Rad wrote: And the 100% CPU stuff happened to me, too... though that was long ago. Bug here. I didn't file it, but the problem went away quickly with a newer version of nano. Though nano restarting itself after being killed sounds pretty suspicious, yes. Maybe you've just found out that somebody else knows your root password, by having a bugged nano installed which doesn't terminate cleanly...

Even if someone did know my root password, they wouldn't be able to log in. Root over sshd is disabled. It was an old version of nano, so I'll just upgrade, thanks.
AlterEgo Veteran
Joined: 25 Apr 2002 Posts: 1619
Posted: Fri May 27, 2005 12:46 pm Post subject:
Reproducibly:
Open a console window and su to root; run nano (1.3.4), then close the console window.
Then see nano take up 100% of CPU cycles. Always. But you can kill the process easily.
Why this happens, I don't know.
[edit]
Oops, I just noticed: exactly like the bug report posted above me... sorry.
Sadako Advocate
Joined: 05 Aug 2004 Posts: 3792 Location: sleeping in the bathtub
Posted: Fri May 27, 2005 1:16 pm Post subject:
I experience the same thing with any ncurses-based program, such as alsamixer and mc. So it's probably an ncurses problem, and not a bug in nano.
The good news is that nano has an ncurses USE flag, so disabling that and re-emerging nano could help if this is still a recurring problem. I don't know how this would affect functionality, though.

"You have to invite me in"