How to find the perl process that occupies my CPU


nieuwhier
08-06-2006, 12:05 PM
Hi,

On one of my servers sometimes one or more perl processes are using up all my CPU capacity.

I don't know what website started this process. The only thing I see is a perl process started by apache.

Does anyone have a tip?

regards,
Michel.

decafranky
08-07-2006, 05:56 PM
I have the same problem on a machine...

nieuwhier
08-09-2006, 03:31 PM
There must be someone who has the 'simple' answer for us.

X-Hosted
08-10-2006, 03:31 AM
1st thing to do: back up all your clients.

When there is a process called perl eating CPU, 99% of the time you're about to be hacked... sorry to tell you that, it's not a simple thing.

log in as root
--------------------
1st type:
cd /tmp

then type:
ls

do you see any .txt / .pl files there?

If so: you found the problem. Someone hosted an insecure (most of the time Joomla or Mambo) script and someone exploited that so he can use your server as an IRC bot, or even worse to gain root access and hack it.

I had it on a server yesterday. The only thing to do about it is move your clients to a temporary server, format your server and let a managing company secure/harden your server (if you don't know how to do that yourself). If that's done you can place your clients back.

If you don't find anything in /tmp, post it here and we will look further into it.
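
For the original question (which site spawned the perl process), the /tmp check above can be combined with a look at the process itself. The script below is an added example, not part of X-Hosted's post or of any tool mentioned in the thread. It assumes a Linux host with /proc mounted, is run as root, and relies on Apache passing the CGI environment (SERVER_NAME, DOCUMENT_ROOT, SCRIPT_FILENAME) to the children it spawns; the function names are my own.

```shell
#!/bin/bash
# Added triage helper (not from the thread). Assumes a Linux host with /proc
# mounted and is run as root; it only reads, it kills nothing.
# Usage: for p in $(find_perl_pids); do describe_pid "$p"; done; scan_tmp /tmp

# Print the PID of every process whose executable name is "perl".
find_perl_pids() {
    local p
    for p in /proc/[0-9]*; do
        [ "$(cat "$p/comm" 2>/dev/null)" = "perl" ] && echo "${p#/proc/}"
    done
    return 0
}

# Show who owns a process, what spawned it, where it runs and what it runs.
# Apache hands the request's vhost to CGI children through the environment,
# so SERVER_NAME / DOCUMENT_ROOT (when present) name the offending site; a
# shell started another way may lack them, then cwd and cmdline must do.
describe_pid() {
    local pid="$1" ppid
    [ -r "/proc/$pid/status" ] || return 1
    ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
    printf 'pid=%s uid=%s ppid=%s\n' "$pid" \
        "$(awk '/^Uid:/ {print $2}' "/proc/$pid/status")" "$ppid"
    printf '  parent : %s\n' "$(tr '\0' ' ' 2>/dev/null < "/proc/$ppid/cmdline")"
    printf '  cwd    : %s\n' "$(readlink "/proc/$pid/cwd" 2>/dev/null)"
    printf '  cmd    : %s\n' "$(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline")"
    printf '  vhost  : %s\n' "$(tr '\0' '\n' 2>/dev/null < "/proc/$pid/environ" \
        | grep -E '^(SERVER_NAME|DOCUMENT_ROOT|SCRIPT_FILENAME)=' | tr '\n' ' ')"
    printf '  sockets: %s\n' "$(ls -l "/proc/$pid/fd" 2>/dev/null | grep -c 'socket:')"
}

# List loose .pl / .txt files in a scratch directory (the /tmp check above).
scan_tmp() {
    find "${1:-/tmp}" -maxdepth 1 -type f \( -name '*.pl' -o -name '*.txt' \) 2>/dev/null
    return 0
}
```

The cwd and cmdline usually point at the vhost's cgi-bin or at /tmp; a non-zero socket count on a CGI process that should only be writing HTML is the thing to note before doing anything else.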

nieuwhier
08-10-2006, 04:30 AM
I did find two .txt files in the /tmp directory with some .pl code in them (IRAN HACKERS SABOTAGE Connect Back Shell).

This morning I also disabled a website on this server that was hacked and had the same .txt files in their root directory and a directory with lots of files under it. A link to that directory was included in a spam mail.

I checked all sites on that server but did not find anything else, so why exactly move all customers and re-install the server?

X-Hosted
08-10-2006, 05:26 AM
Because you never know what else the hackers installed.

The name says it all:
IRAN HACKERS SABOTAGE Connect Back Shell

Connect Back Shell: this means they let your server connect to them so they have shell access.

It is best to format your server and re-install it; that's the only way to be sure you are 100% clean.
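
Since a connect-back shell shows up as an outbound, established connection from the web server's own user, a defender can check for that directly. The script below is an added example and not something posted in this thread. It assumes a Linux host and decodes /proc/net/tcp itself rather than trusting netstat or lsof on a box that may already be compromised; uid 33 and the addresses in the sample table are constructed values, and the function names are my own.

```shell
#!/bin/bash
# Added example, not from the thread. Lists ESTABLISHED TCP sockets owned by
# a given uid (the web server's user) by decoding /proc/net/tcp directly,
# which still works when the usual tools on a compromised box cannot be
# trusted. Linux only.

# /proc/net/tcp stores IPv4 as 8 hex digits in host byte order (little-endian
# on x86) plus a hex port: "0100007F:1F90" is 127.0.0.1:8080.
decode_addr() {
    local hex="${1%%:*}" port="${1##*:}"
    printf '%d.%d.%d.%d:%d\n' \
        "0x$(echo "$hex" | cut -c7-8)" "0x$(echo "$hex" | cut -c5-6)" \
        "0x$(echo "$hex" | cut -c3-4)" "0x$(echo "$hex" | cut -c1-2)" "0x$port"
}

# Print "local -> remote" for every ESTABLISHED (st == 01) socket owned by UID.
# Data-line layout: sl local rem st txq:rxq tr:when retrnsmt uid timeout inode
established_for_uid() {
    local uid="$1" table="${2:-/proc/net/tcp}"
    [ -r "$table" ] || return 0
    awk -v uid="$uid" 'NR > 1 && $4 == "01" && $8 == uid { print $2, $3 }' "$table" |
    while read -r laddr raddr; do
        printf '%s -> %s\n' "$(decode_addr "$laddr")" "$(decode_addr "$raddr")"
    done
    return 0
}

# Constructed sample of /proc/net/tcp (not real data): a listener on port 80
# owned by root, and an established connection by uid 33 to a remote IRC port.
SAMPLE_TCP=$(cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:B3E2 0200A8C0:1A0B 01 00000000:00000000 00:00000000 00000000    33        0 23456 1 0000000000000000 20 4 30 10 -1
EOF
)

# Demo on the sample table. On a live server run instead:
#   established_for_uid "$(id -u www-data)"   # substitute your web server's user
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_TCP" > "$demo_file"
established_for_uid 33 "$demo_file"
rm -f "$demo_file"
```

Run against the sample it prints one line, 10.0.0.10:46050 -> 192.168.0.2:6667; on a real server any line whose remote side is not a database or mail host the site legitimately talks to deserves a look, and the owning process can then be found through the inode column and /proc/PID/fd.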