Unfortunately it sometimes happens that attackers break into a website on our hosting service and manage to run scripts, usually written in Perl. These scripts eat the server's memory and CPU while trying to crack passwords and accounts. What can we do when it happens?
If you are lucky you can reach the server and kill all the malicious scripts. Because we run all of our services in a virtualized environment it is easy to reach it under any conditions. When I logged in I looked for the user who started the perl script with the top or ps x commands. He is relatively easy to spot because he runs many scripts that use most of the CPU in top.
The first thing to try should be
killall -u username
This does not work in all cases, because clever scripts are immediately restarted by another one that killall did not find. (I'm investigating this.) The solution is lsof, which lists every open file together with the process id and its owner:
lsof | grep username | grep perl | awk '{print $2}' | uniq | xargs kill -9
I filtered the output of lsof with grep for the username and for perl, then cut out the process id column, deduplicated the list with the uniq command and passed the process ids to kill.
With all the perl processes killed, you should now tell the owner of the site to fix the problem and close the backdoor.
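An added example, not part of the original post, that does the same clean-up without grepping lsof columns and also handles the respawn problem described above: it lists the perl processes owned by one user from ps output, freezes all of them with SIGSTOP first, and only then sends SIGKILL, so a stopped watchdog cannot restart its siblings in between. The user name webuser and the ps sample are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumes a POSIX shell, awk and procps-style ps (ps -eo user=,pid=,comm=).

# perl_pids_for_user USER PS_OUTPUT
# PS_OUTPUT is the text produced by `ps -eo user=,pid=,comm=`
# (three whitespace-separated columns: user, pid, command name).
# Prints one PID per line for processes owned by USER whose command
# name starts with "perl" (covers names such as perl5.30 as well).
perl_pids_for_user() {
    printf '%s\n' "$2" | awk -v u="$1" '$1 == u && $3 ~ /^perl/ { print $2 }'
}

# stop_user_perl USER [dry]
# Collects the live perl PIDs of USER, stops them all in one kill call
# (a stopped process cannot spawn or restart anything), then kills them.
# With a second argument "dry" it only prints what it would kill.
stop_user_perl() {
    pids=$(perl_pids_for_user "$1" "$(ps -eo user=,pid=,comm=)")
    if [ -z "$pids" ]; then
        echo "no perl processes owned by $1"
        return 0
    fi
    if [ "$2" = "dry" ]; then
        echo "would kill:" $pids
        return 0
    fi
    # Word splitting of $pids is intended: one argument per PID.
    kill -STOP $pids 2>/dev/null
    kill -KILL $pids 2>/dev/null
}

# Constructed sample of `ps -eo user=,pid=,comm=` output (hypothetical PIDs).
SAMPLE_PS='root       1 init
webuser 2314 perl
webuser 2315 perl5.30
webuser 2400 bash
other   2500 perl'
```

Note that some ps versions shorten long user names to seven characters plus a trailing "+" in the user column, so compare against what ps actually prints for that account.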