Using lsof to find trojan processes on Linux.

In my previous post I described how to check for programs using the network on Linux with the lsof tool.
Here I have a “live” example of such a backdoor, found on one of our servers.

I’ve received a complaint that somebody was under attack originating from our server. Here is what I’ve caught using lsof:

This definitely looks like a backdoor process controlled over IRC (port 6667). Now we need to find out from where this process was started.
The easiest way to do so is to examine the process environment for the known pid.

We are interested in the PWD env variable, which points us to the directory from which this process was started.
Yes, insecure_user had chmod 777 on his ~/public_html/content, so hackers could upload anything they wanted. After killing the processes and fixing the permissions on ~/insecure_user/public_html/content these attacks stopped.
The next step should be to find out how they were able to upload malicious content into the world-writable directory.
An excellent source of additional info on lsof usage can be found here.
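The triage described above, automated as an added example that is not part of the original post: lsof lists the pids with an established connection on the IRC port, and for each pid the script reads PWD from /proc/<pid>/environ together with cwd, exe and the full argv, which reveals the script name even when lsof only shows "perl". It assumes Linux /proc, GNU tr and stat, and an lsof that supports `-F` field output; the function names and the constructed environ file in the test are mine, and the port defaults to the 6667 seen in the post.

```shell
#!/bin/sh
# Added example, not code from the original post: automate the triage above.
# Step 1: lsof lists processes with an established connection to the IRC port.
# Step 2: for each pid, read PWD from /proc/<pid>/environ, plus cwd, exe and
#         the command line, which together reveal the script and its upload dir.
# Assumes Linux /proc, GNU coreutils and an lsof that supports -F (field output).

# Print the value of variable NAME from a NUL-separated environ file.
# Usage: env_var FILE NAME   (FILE is normally /proc/<pid>/environ)
env_var() {
    tr '\000' '\n' < "$1" | sed -n "s/^$2=//p" | head -n 1
}

# Pids with an ESTABLISHED TCP connection on PORT (default 6667, as in the post).
# -F p makes lsof print only "p<pid>" lines, one per matching process.
irc_pids() {
    port=${1:-6667}
    lsof -nP -iTCP:"$port" -sTCP:ESTABLISHED -F p 2>/dev/null | sed -n 's/^p//p' | sort -u
}

# Show where a pid came from: PWD at start, current dir, binary, full argv.
# Reading another user's /proc entries requires root.
pid_origin() {
    pid=$1
    printf 'pid:  %s\n' "$pid"
    printf 'PWD:  %s\n' "$(env_var "/proc/$pid/environ" PWD)"
    printf 'cwd:  %s\n' "$(readlink "/proc/$pid/cwd")"
    printf 'exe:  %s\n' "$(readlink "/proc/$pid/exe")"
    # argv is NUL-separated; for "perl ./x.pl" this exposes the script name
    # even though lsof only shows "perl" as the command.
    printf 'argv: '; tr '\000' ' ' < "/proc/$pid/cmdline"; echo
}

# Tie it together; a world-writable PWD (e.g. mode 777 under public_html)
# is the upload point to lock down after killing the process.
find_trojans() {
    for p in $(irc_pids "$1"); do
        pid_origin "$p"
        dir=$(env_var "/proc/$p/environ" PWD)
        if [ -n "$dir" ]; then
            printf 'perms: %s\n' "$(stat -c '%a %U' "$dir" 2>/dev/null)"
        fi
        echo
    done
}

# Run only when executed directly as a script saved under this name.
if [ "${0##*/}" = "find_trojans.sh" ]; then
    find_trojans "$@"
fi
```

Save it as find_trojans.sh and run it as root; pass another port as the first argument to look at a different control channel. Because PWD comes from the process's own environment it can be forged by the attacker, so cwd, exe and argv from /proc are read alongside it as a cross-check.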

  1. Hi,

    Nice article…
    I had the same problem, but I caught that hacker via the logs. He was uploading some files through FTP.

    Thanks for this nice article…

  2. What will you do if the perl processes were started from the /tmp directory?
    I believe you can't do much, as you now have only perl processes running.

    • If you read the post carefully you will see how to find the script name from the environment. Also, a good practice is to mount /tmp as nosuid,nodev,noexec.

      • Sorry, I forgot to post a reply here then, on 09-02.
        Yes, I read your post; it's just that I want to say that in some cases it won't be enough to find the script and the user.
        Let's say on a server with 100 domains you find the script path is /tmp/badscript.pl, but the user is apache.
        Deleting the script will be useless, as the next day it will be uploaded again, since it is /tmp.
        Also, I believe you already know this, but mounting /tmp as nosuid,nodev,noexec is useless for perl scripts, as they can still be executed from /tmp, since a perl script is a text file.
        One sane solution is to enable the perl module only for trusted users.
