Killing perl processes

Unfortunately, it sometimes happens that attackers break into a website on our hosting service and manage to run scripts, which are usually written in Perl. These scripts eat the server's memory and CPU resources while they try to crack passwords and accounts. What can we do when this happens?

If you are lucky, you can still reach the server and kill all the malicious scripts. Because we run all of our services in a virtualized environment, the server is easy to reach under any conditions. After I logged in, I looked for the user who had started the Perl scripts, using the top or ps x commands. He is relatively easy to spot, because he runs many scripts that use most of the CPU in top.

The first thing to try is

killall -u username

This doesn't work in all cases, because clever scripts are immediately restarted by another one that killall didn't find. (I'm investigating this.) The solution is lsof, which can list all open files together with the process ID and owner.

lsof | grep username | grep perl | awk '{print $2}' | sort -u | xargs kill -9

I filtered the output of lsof with grep for the username and for perl. Then I took the process ID column (the second field) with awk, removed duplicates with sort -u, and passed the list of process IDs to kill.

All Perl processes are now killed. You should tell the owner of the site to fix the problem and close the backdoor.
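
For the restart problem described above, one way to stop scripts from respawning each other is to freeze every process of the account first and only then kill them. This is an added example, not part of the original post; it assumes Linux with procps ps, root privileges, and that the restarting process runs under the same account. The function names and the log path are made up for illustration.

```shell
#!/bin/sh
# Added example: freeze, record, then kill every process of one account.
# Run as root. Linux only (reads /proc).

# Print PIDs whose UID column equals $1, from `ps -eo pid=,uid=,comm=` text on
# stdin. Exact match on the numeric UID column, so other accounts whose paths
# or arguments merely contain the name are never selected.
pids_of_uid() {
    awk -v u="$1" '$2 == u { print $1 }'
}

# contain_user USER [LOGFILE]   (USER is the compromised hosting account)
contain_user() {
    user=$1
    log=${2:-/root/contain-$user.log}      # log location is an assumption
    uid=$(id -u "$user") || return 1
    # Refuse to freeze our own session or root.
    if [ "$uid" = "$(id -u)" ] || [ "$uid" = 0 ]; then
        echo "refusing to contain uid $uid" >&2
        return 1
    fi
    # Pass 1: SIGSTOP cannot be caught or ignored, so a stopped watchdog
    # cannot restart anything. Rescan until no unseen PID shows up.
    seen=""
    while :; do
        new=""
        for p in $(ps -eo pid=,uid=,comm= | pids_of_uid "$uid"); do
            case " $seen " in *" $p "*) ;; *) new="$new $p" ;; esac
        done
        [ -z "$new" ] && break
        kill -STOP $new 2>/dev/null
        seen="$seen $new"
    done
    # Pass 2: record the real binary and working directory of each frozen
    # process; the working directory usually points at the uploaded files.
    for p in $seen; do
        printf '%s exe=%s cwd=%s\n' "$p" \
            "$(readlink "/proc/$p/exe")" "$(readlink "/proc/$p/cwd")"
    done >> "$log"
    # Pass 3: nothing is running any more, so nothing can respawn.
    if [ -n "$seen" ]; then kill -KILL $seen 2>/dev/null; fi
    return 0
}
```

Call it as contain_user username. The log then gives the site owner a starting point for finding and closing the backdoor.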
