command go


outpernet
07-12-2004, 12:07 PM
Anyone know what the command 'go' is? (from user apache)

It is consuming nearly 100% of CPU:

199 processes: 189 sleeping, 6 running, 1 zombie, 3 stopped
CPU states: cpu user nice system irq softirq iowait idle
total 33.7% 0.0% 53.8% 0.0% 12.3% 0.0% 0.0%
PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
10882 apache 25 0 480 480 408 R 79.8 0.0 3:32 0 go

outpernet
07-12-2004, 12:11 PM
And sometimes the command 'x' appears:

PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
12439 apache 25 0 628 628 544 R 89.7 0.0 1:07 0 x

thuskey
07-12-2004, 01:15 PM
Apache is the username that the webserver itself runs as. I would seriously check your access logs and error logs, because it sounds like someone has a poorly written CGI script on that server which is allowing intruders to attempt commands against the server.

Feel free to contact me if you need assistance.

DirectAdmin Support
07-13-2004, 12:37 PM
Hello,

Check /tmp for any suspicious files. It's normally where an intruder would put his programs.

John

outpernet
07-13-2004, 12:55 PM
Yep, it was that. The other day I firewalled some IPs and that stopped the problem, but yes, I have strange files in my /tmp (generally port scanners).

How can we limit writing in the /tmp folder to particular files? So, for example, to set it so that only PHP sessions, dumps and a limited few more can be written there. Is it possible?

jlasman
07-13-2004, 02:53 PM
Lots of programs write to /tmp, and for Linux and Unix to run properly, /tmp needs to be writable by everyone.

Jeff

Wunk
08-10-2004, 04:12 AM
It doesn't need to be executable, though. If it's on a separate partition, edit /etc/fstab, remove the 'defaults' from the /tmp entry and add rw,noexec,nosuid there, then issue 'mount -o remount /tmp' as root.

Anything that runs as apache that is not httpd (and sometimes even a script that calls itself a httpd process) shouldn't be running...

If it is, go by your access and error_logs. The usual bad guys are poorly programmed PHP scripts, and they can be filtered by the cmd= part in requests for .php scripts (saves a lot of log searching).

I've written a few nice pointers at http://www.fedora-linux.org/content/view/26/33/ if you're interested.

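A small helper for the /etc/fstab change described in the post above, added here as an example and not taken from the post or from DirectAdmin: harden_tmp_fstab rewrites the options of the /tmp entry, and tmp_is_noexec checks whether the live mount (read from /proc/mounts, or from a file you pass in) already carries noexec and nosuid. Function names are my own.

```shell
#!/bin/sh
# Added example: apply and verify the noexec,nosuid /tmp mount.
# The fstab line is rewritten; the remount itself is still
#   mount -o remount /tmp
# run as root, as in the post.

# harden_tmp_fstab FILE: print FILE with the /tmp entry's mount options
# rewritten so 'defaults' is dropped and rw,noexec,nosuid is present.
# Other options on that entry (e.g. quota settings) are kept.
harden_tmp_fstab() {
    awk '$2 == "/tmp" {
            n = split($4, o, ",")
            s = "rw,noexec,nosuid"
            for (i = 1; i <= n; i++)
                if (o[i] != "defaults" && o[i] != "rw" &&
                    o[i] != "noexec" && o[i] != "nosuid")
                    s = s "," o[i]
            $4 = s
         }
         { print }' "$1"
}

# tmp_mount_opts [MOUNTS_FILE]: print the options of the live /tmp mount.
# Defaults to /proc/mounts; a constructed file can be passed for testing.
tmp_mount_opts() {
    awk '$2 == "/tmp" { print $4 }' "${1:-/proc/mounts}"
}

# tmp_is_noexec [MOUNTS_FILE]: exit 0 only when /tmp is mounted with
# both noexec and nosuid, 1 otherwise (including when /tmp is not
# a separate mount at all).
tmp_is_noexec() {
    opts=$(tmp_mount_opts "$1")
    case ",$opts," in
        *,noexec,*) case ",$opts," in *,nosuid,*) return 0 ;; esac ;;
    esac
    return 1
}

# When run directly on a Linux box, report the state of the live /tmp.
if [ -r /proc/mounts ]; then
    if tmp_is_noexec; then
        echo "/tmp is mounted noexec,nosuid"
    else
        echo "/tmp is not mounted noexec,nosuid (or is not a separate mount)"
    fi
fi
```

Pipe the output of harden_tmp_fstab into a new file and compare it with the original before copying it over /etc/fstab, so the only changed line is the /tmp entry.
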
outpernet
08-10-2004, 07:05 AM
Thank you!