# Postfix



## akshin (Aug 3, 2020)

Hi!
Please help me.
I have not installed postfix.
I have not installed perl.
Then why HTOP shows me these lines?

```
PID USER      PRI  NI  VIRT   RES S CPU% MEM%   TIME+  Command
5500 www       102   0 17500  3360 R 100.  0.0 79h53:27 /usr/libexec/postfix/master
12236 www        22   0 17484  3576 S  4.0  0.0  3h54:18 /usr/libexec/postfix/master
2464 www        22   0 17484  3532 S  4.0  0.0  5h18:31 /usr/libexec/postfix/master
3322 www        22   0 17484  3556 S  4.0  0.0  4h15:45 /usr/libexec/postfix/master
8545 www        22   0 17508  3448 S  4.0  0.0 23h40:06 /usr/libexec/postfix/master
9754 www        22   0 17484  3508 S  4.0  0.0 44h05:49 /usr/libexec/postfix/master
15909 www        21   0 17484  3560 S  4.0  0.0  3h45:55 /usr/libexec/postfix/master
4155 www        22   0 17484  3556 S  4.0  0.0  4h13:43 /usr/libexec/postfix/master
```
I have installed nginx, mysql, php, memcached, apache, clamav, python27, python36, python37, letsencrypt.


----------



## sidetone (Aug 3, 2020)

Try:
```
pkg info | grep perl
pkg info | grep postfix
```
to see if either comes up. Maybe they installed as a dependency of another program.

Perl is a common dependency.


----------



## akshin (Aug 3, 2020)

```
root@haf1:/usr/local/etc/rc.d# pkg info | grep perl
perl5-5.26.2                   Practical Extraction and Report Language
perl5.28-5.28.3                Practical Extraction and Report Language
root@haf1:/usr/local/etc/rc.d# pkg info | grep postfix
root@haf1:/usr/local/etc/rc.d#
```
How to stop postfix?


----------



## sidetone (Aug 3, 2020)

`pkill postfix`
or
`kill [then PID number]`

Use:
`ps ax | grep postfix` to find the PID.

Otherwise, you'll have to find out what starts it, and work your way to it. You may have to try it from root. These kill commands don't always work.

Try:
```
cd /usr/libexec/postfix
pkg which master
```

It could be in the base system, but the files and directories you showed don't show on my computer.


----------



## akshin (Aug 3, 2020)

```
root@haf1:/usr/local/etc/rc.d# cd /usr/libexec/postfix
/usr/libexec/postfix: No such file or directory.
root@haf1:/usr/local/etc/rc.d#
```


```
root@haf1:/usr/local/etc/rc.d# pkg info | grep postfix
root@haf1:/usr/local/etc/rc.d#
```


----------



## sidetone (Aug 3, 2020)

```
5500 www       102   0 17500  3360 R 100.  0.0 79h53:27 /usr/libexec/postfix/master
```
Is that directory correct? Go to this postfix directory and do `pkg which` on a file from there.


----------



## akshin (Aug 3, 2020)

There is no postfix files or directory. Only perl5 pkg installed.


----------



## sidetone (Aug 3, 2020)

Your `htop` output shows a directory, `/usr/libexec/postfix/master` displayed above, multiple times.


----------



## akshin (Aug 3, 2020)




----------



## akshin (Aug 3, 2020)

Yes multiple times.

```
PID USER      PRI  NI  VIRT   RES S CPU% MEM%   TIME+  Command
5500 www       102   0 17500  3360 R 100.  0.0 79h53:27 /usr/libexec/postfix/master
12236 www        22   0 17484  3576 S  4.0  0.0  3h54:18 /usr/libexec/postfix/master
2464 www        22   0 17484  3532 S  4.0  0.0  5h18:31 /usr/libexec/postfix/master
3322 www        22   0 17484  3556 S  4.0  0.0  4h15:45 /usr/libexec/postfix/master
8545 www        22   0 17508  3448 S  4.0  0.0 23h40:06 /usr/libexec/postfix/master
9754 www        22   0 17484  3508 S  4.0  0.0 44h05:49 /usr/libexec/postfix/master
15909 www        21   0 17484  3560 S  4.0  0.0  3h45:55 /usr/libexec/postfix/master
4155 www        22   0 17484  3556 S  4.0  0.0  4h13:43 /usr/libexec/postfix/master
```


----------



## sidetone (Aug 3, 2020)

Are you sure it isn't `/usr/local/libexec/postfix/master`? Or maybe it's softlinked, to show that output from an aliased directory. Maybe yours installed it into that directory by a custom setting in /etc/make.conf. Sometimes /var/db/pkg gets deleted, and packages don't show by `pkg which`.

Maybe your installation is configured differently by custom settings, or from within a jail. Postfix is likely from a package or from ports. Postfix's license is likely incompatible to be in FreeBSD's base.


----------



## akshin (Aug 3, 2020)




----------



## sidetone (Aug 3, 2020)

That's an odd install. Perhaps a custom install. I don't know why `pkg which` doesn't show it, and why it's in that directory.

`kill` it with PID, or `pkill` it from root after doing some investigating.

This may be far fetched, but try installing and running security/rkhunter, and seeing if there's a rootkit on your computer that doesn't belong.

Or maybe it's in a jail.

Maybe postfix got installed through a custom buildworld? You should be able to find the directory that contains the subdirectory, libexec/postfix. Search for it in different places, including jails or other places.


----------



## suntzu00 (Aug 3, 2020)

Don't you find it odd that the postfix process is run by www?
Your process is running from `/usr/libexec/postfix/`, which more than likely tells you that postfix was installed from source and not from packages/ports.
The one coming from packages/ports goes into `/usr/local/libexec/postfix/`.


----------



## akshin (Aug 3, 2020)




----------



## akshin (Aug 3, 2020)

There is no postfix files or directory.


----------



## sidetone (Aug 3, 2020)

Try looking for these subdirectories and files in a www directory. I believe /usr/home/www/, then somewhere for libexec/postfix/. It could be on a network filesystem.


----------



## suntzu00 (Aug 3, 2020)

what's the output of?
`ps axuww | grep postfix`


----------



## suntzu00 (Aug 4, 2020)

how about `freebsd-version -urk` and `fstat | grep 5500`


----------



## suntzu00 (Aug 4, 2020)

what can you tell us about this machine? is it a VM/a baremetal server/cloud?


----------



## akshin (Aug 4, 2020)

Any ideas?


----------



## jmos (Aug 4, 2020)

Your screenshot in #15 shows us the /usr/local/… directory - where userland stuff (like postfix) should be. But your other posts point to one level above that: the /usr dir directly. So that indicates it doesn't come from a port - it is installed in the base system (where it shouldn't be): You don't get this by using a FreeBSD image to install FreeBSD and only packages or ports afterwards. (BTW, there's no "letsencrypt" package available - only "py-certbot"; But I assume that's just a speako…)

So the basic question in my opinion is: What's the origin of your installation? suntzu00 questions are pointing in that direction, too…


----------



## SirDice (Aug 4, 2020)

Call me paranoid but there are a couple of malware bots on the internet that _appear_ to look like regular processes. As this is a common service on Linux machines I'm somewhat suspicious we're dealing with malware here. Especially because these appear to be running on the www account and the indicated file doesn't actually exist. 

You may want to comb through your apache logs looking for weirdness.


----------



## Mjölnir (Aug 4, 2020)

Maybe postfix is written so well (platform-independent & inter-operable) that its source tarball installs on FreeBSD without any hassle.  To me it looks like an innocent newbie clicked a button on a website, which installed _postfix_ by some dependency.  akshin Please tell us your level of experience with UNIX & FreeBSD.  Is this the 1st machine you installed FreeBSD on?  Please do the following: `file /usr/libexec/postfix` and tell us the output.

EDIT (Sorry I did not read the whole thread attentively enough) Did you install any Linux compatibility packages for FreeBSD? Do you have a directory /compat/linux? What does `pkg info | grep linux` tell?


----------



## SirDice (Aug 4, 2020)

It's already been determined that the /usr/libexec/postfix directory doesn't even exist. So this rules out any source installs.

There's a common bot written in perl that uses IRC for its C&C. It also changes its $0 to show commonly used services instead of the actual process name in the process list. This is configurable in the code. They typically assume it's a Linux machine that's being infected so they "mimic" common Linux services. 

As the OP has PHP running I'm assuming he got bitten by some code-injection, which caused the bot-script to download and get executed.

You can try looking for odd files in /tmp but if they did it properly the bot gets downloaded to /tmp/, executed and the file in /tmp is then removed. Setting /tmp to `noexec` does not help (it's not executed directly, it's executed as a perl script).
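A defender's first check for the symptom SirDice describes (a process whose displayed command names a binary that is not on disk), added here as an example and not part of the thread or of any FreeBSD tool: a POSIX sh function that reads `ps`-style lines and prints every process whose argv[0] is an absolute path that does not exist. The sample lines and the `/nonexistent/...` path are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample in the shape of `ps -axo pid,user,command` output.
# The /nonexistent path stands in for the thread's /usr/libexec/postfix/master.
SAMPLE_PS='  PID USER     COMMAND
 5500 www      /nonexistent/libexec/postfix/master
12236 www      /nonexistent/libexec/postfix/master
  801 root     /bin/sh /etc/rc
47201 www      /bin/sh -c sleep 1'

# Read ps-style lines on stdin and print "PID USER PATH" for each process
# whose first command word is an absolute path that does not exist on disk.
# A spoofed $0 that points at a missing file is caught here; a spoofed $0
# that reuses a real path is not (see the note below the block).
flag_missing_exe() {
    while read -r pid user cmd rest; do
        case "$pid" in
            PID|'') continue ;;          # skip the header and blank lines
        esac
        case "$cmd" in
            /*) [ -e "$cmd" ] || printf '%s %s %s\n' "$pid" "$user" "$cmd" ;;
        esac
    done
}

# Run the check against the constructed sample (returns the flagged lines).
check_sample() {
    printf '%s\n' "$SAMPLE_PS" | flag_missing_exe
}

# Live use on FreeBSD: ps -axo pid,user,command | flag_missing_exe
```

The check is deliberately narrow: a bot that sets `$0` to a path that really exists on the box (say the real postfix master on a host that has postfix) passes it, so treat a hit as a reason to look at the process with `procstat -b <pid>`, which reports the binary the kernel actually executed rather than the name the process chose to display.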


----------



## Mjölnir (Aug 4, 2020)

Thx.  How to get the executable file from the PID?  With fstat(1) or lsof(8)?
EDIT `fstat -p <pid>` and then there's a _text_ item, I'd say it's the executable?  Then from the _inode number_ we can find the path of the executable.  How?


----------



## SirDice (Aug 4, 2020)

I'd just look at tcpdump(1) traffic for anything besides the normal port 80/443 traffic. The IRC C&C connection is bound to show up (server and port is configurable, so no use looking for specific ports or servers). It's not a complex bot, it's fairly rudimentary. Still, it's able to scan for holes in other machines and inject itself there too. There's also a function to send traffic to a certain address, controlled from the IRC C&C, used for DDoS. It has a number of other features too, but as this is just perl code it's quite easy to extend and include more attacks. Because this is just plain-text code that's easily modified I'm highly doubtful any of the AV scanners will be able to pick it up.


----------



## Mjölnir (Aug 4, 2020)

`procstat -b <pid>`
EDIT IRC is also _International Rescue Committee (IRC)_.  Would make sense here, too, if the OP has been hacked...  No smiley, because then this is not funny.


----------



## usdmatt (Aug 4, 2020)

> Call me paranoid but there are a couple of malware bots on the internet that _appear_ to look like regular processes.



Would have been my first suggestion. A process running as www and appearing to be a postfix executable that doesn't even exist is incredibly suspicious (hell, even if postfix _was_ installed, these processes running as www would be suspicious). It smacks of a compromised server that is running something dodgy, and the running scripts are trying to disguise themselves as a process that might be running anyway in the hope they will be ignored.


----------



## sidetone (Aug 4, 2020)

Install and run security/rkhunter. See if it catches malware/rootkits that don't belong.


I haven't tried security/revealrk, but its description says it looks for processes that don't belong.


----------



## akshin (Aug 4, 2020)

Do I first have to delete Perl5, or not?


----------



## Mjölnir (Aug 4, 2020)

Maybe just rename the perl binary (`mv /usr/local/bin/perl /usr/local/bin/perl.orig`).  If the malware is not sophisticated enough to check that, it's enough to stop it.


----------



## akshin (Aug 4, 2020)

I have checked with clamav and rkhunter. No viruses and rootkits. I will try revealrk.


----------



## akshin (Aug 4, 2020)

mjollnir said:


> Maybe just rename the perl binary...



Ok I will try rename the perl binary


----------



## akshin (Aug 4, 2020)

```
===>  revealrk-1.2.2 is marked as broken on FreeBSD 12.1: fails to compile:
```


----------



## akshin (Aug 5, 2020)

I have found viruses in the /tmp/scn folder.

Clamscan found this:
```
/tmp/scn/brute: Unix.Malware.Agent-6628158-0 FOUND
/tmp/scn/masscan: Unix.Malware.Agent-6640864-0 FOUND
/tmp/scn/aha.tgz: Unix.Malware.Agent-6754186-0 FOUND
```
Do you know what these viruses are?
How do I remove the effects of this virus's work?
I moved these viruses from /tmp to another (my user) folder.


----------



## SirDice (Aug 5, 2020)

Yeah, that doesn't surprise me. It was already clear you had malware, even without the scans. Backup your data, and only your data, and wipe the machine. Do a complete reinstall, that's the only way to be sure. And take a really close look at your web application, that's how they got in in the first place.


----------



## akshin (Aug 5, 2020)

I cannot reinstall the web server. This is a working government web server. How can I clean the server from viruses?


----------



## Mjölnir (Aug 5, 2020)

Evaluate if you can switch the vulnerable software tool: PHP.  E.g. the CMS Plone and its underlying framework (Zope) claim to have a good security record.


----------



## SirDice (Aug 5, 2020)

akshin said:


> This is a working government web server.


Take it offline a.s.a.p.!



> How can I clean the server from viruses?


By wiping the whole system. Seriously. There's no telling what they modified or changed. Even those root-kit scanners you used didn't find anything even though the machine is clearly infected. Take it offline. Wipe it. Start over. Plug the holes before putting it back online.


----------



## VladiBG (Aug 5, 2020)

Turn off the server and contact your data protection officer.


----------



## sidetone (Aug 5, 2020)

Install your system on a new harddrive. Back up your files.
Keep the old one to investigate how they got in, only mounted from a live media OS as read-only.


----------



## akshin (Aug 5, 2020)

Thank you very much, but I cannot reinstall the system until I find the virus itself. FreeBSD and Linux do not have good antivirus software to find this virus. I'm desperate and don't know what to do, because I don't know where the virus is. In this respect, I am beginning to like Windows. Kaspersky and Bitdefender are very good antiviruses. How can I reinstall the system if I don't know where the virus is?


----------



## Mjölnir (Aug 5, 2020)

akshin said:


> Thank you very much, but I cannot reinstall the system until I find the virus itself. FreeBSD and Linux do not have good antivirus software to find this virus. I'm desperate and don't know what to do, because I don't know where the virus is. In this respect, I am beginning to like Windows. Kaspersky and Bitdefender are very good antiviruses. How can I reinstall the system if I don't know where the virus is?


But you gave the list above: /tmp/scn/...? So there seems to be a leak in some software along the stack, which allowed writing the virus into these files. You have to fix this hole. And seriously consider how to get rid of PHP... it's evil, just like Adobe Flash.  My hair rolled backwards when I witnessed the spread of PHP; nowadays that's not possible anymore, but the facts about PHP remain true: it's just _badly designed software, mixing application logic & UI appearance_.  Brrr.


----------



## akshin (Aug 5, 2020)

The problem is that it is visually impossible to find the leak in some software along the stack, which allowed writing the virus into these files. Antiviruses are needed here.


----------



## sidetone (Aug 5, 2020)

Get a new harddrive for the OS and important files. Perhaps another harddrive for important files. If data is on its own disk, you can switch between operating systems, while saving that data. Back data up on CD or DVD as well, but optical disks are easily damaged by heat. That's how you start new.

Save the infected harddrive, then you can investigate it offline mounted as read-only, from a disk/usb operating system. They're saying to format the infected harddisk, you can do that too, unless you want to investigate that harddisk.

It's too complex to find every thing that virus did, but you can find a lot of what it did.


----------



## akshin (Aug 5, 2020)

I am sorry.
I need to find the virus itself, rather than what he did or what files are deleted.


----------



## akshin (Aug 5, 2020)

Not a problem if the virus is in the system files. But if the virus is in the files of the site itself, this is the problem. Inside the server there are about 30 sites, big and small


----------



## sidetone (Aug 5, 2020)

akshin said:


> I need to find the virus itself, rather than what he did or what files are deleted.



You can find the virus and the damage, while that infected harddisk is mounted as read-only, from something like System Rescue CD. Perhaps that OS isn't advanced enough, but you get the idea.

Or you can format that harddisk, and reinstall an operating system.

Either way, you have to install FreeBSD or another operating system from a formatted or new harddrive.

That virus is there to cause problems, and it has to be gotten rid of. Formatting the harddrive is the only way to get rid of it. If you want to investigate that harddrive, get a new harddrive, and save the old one to investigate it as read-only.


----------



## akshin (Aug 5, 2020)

sidetone said:


> ... Formatting the harddrive is the only way to get rid of it.


If the virus is in the files of the sites, then this virus will appear again after formatting. What, then, is the meaning of formatting?


----------



## sidetone (Aug 5, 2020)

The data of important files to be saved can be scanned for viruses.

It's the operating system files that have to be wiped clean.

Unless it's a problem of a server with many computers, then it's like athlete's foot. Perhaps if there are many computers, take them all offline, then put up one newly installed operating system at a time, modularly. Someone else will have to give you advice on that. You may need to check that infected harddisk mounted as read-only to get an idea of where it came from, to prevent it better.

Also, if you know which port it came in through, use the firewall pf, ipfw and/or ipf to block network activity on that port if it's not needed for the future.

IPFW can be turned on by setting this in rc.conf:

```
firewall_enable="YES"
firewall_type="workstation"
# "server", "client" or other settings can also be used here.
# Only if these custom firewalls allow the traffic that you need
```

Then you can have an additional firewall of PF or IPF, to lock down more on it.


----------



## akshin (Aug 5, 2020)

It is not possible to create these websites from scratch.


----------



## sidetone (Aug 5, 2020)

akshin said:


> It is not possible to create these websites from scratch.


Those are some of the important files you need to save and backup then.

Definitely save those infected harddrives, and get new ones. You'll need those old hard-drives mounted as read-only in case anything was missed that needed to be saved, as for important files, configuration files and website data to use.

SSD drives are cheap ($20), and they can be used for partitions that (only or mostly) contain the operating system. Then have important files in partitions on another hard-disk that's reliable; then you can virus-scan that, and put it up to be used with a new or reinstalled operating system. It's modular to have the OS on one drive, then other files on another drive.

But important files need to be backed up, before messing with formatting, switching out harddrives and reinstalling. The old infected harddrive can serve as another backup for anything missed, and for investigating. Perhaps label it on top with a marker.


----------



## akshin (Aug 5, 2020)

Firewall IPFW installed and configured.


----------



## akshin (Aug 5, 2020)

You advise me to create 30 virtual servers for each site separately to determine which site contains the virus.


----------



## sidetone (Aug 5, 2020)

I don't think so.

But the problem looks difficult, that you'll need someone else to help you better, or you'll figure out what steps to do, that you'll save important configuration files, server data, website configurations and other important files. Sometimes you'll come back to a problem, and be able to solve it better.

The Operating System is mostly what needs to be started from new. Then website data, virtual server configurations, all configurations, all website data, etc needs to be virus-scanned, and important files saved.

That virus intended to mess with something difficult as I see by reading this, but you will figure it out, perhaps with additional help.


----------



## akshin (Aug 5, 2020)

sidetone said:


> ... Then website data, virtual server configurations, all configurations, all website data, etc needs to be virus-scanned...


But how? This is the problem. There is no antivirus for unix and linux.


----------



## akshin (Aug 5, 2020)

I checked ClamAV and rkhunter. There are no more viruses.


----------



## sidetone (Aug 5, 2020)

How did you use Clamscan?

You can use many operating systems to mount that harddrive as read-only. Save/backup the files that weren't infected. Save that old hard-drive with its data, because you'll likely need to extract information and data later.

On a new install, perhaps have the OS on a separate harddisk than the non-OS files. Careful as Windows sometimes wants to delete filesystems, if it doesn't understand the existing FreeBSD or Linux filesystem.
Then, you can mount that harddrive in the future as needed from many OS's. Also that OS harddrive can be wiped clean each time that's needed, so long as you take precaution to identify the harddrive with the OS and one with important data, and back up that data as well.

I would say, only new 2 harddisks are needed for this, plus save the old one(s). Maybe a 20 or 40G SSD SATA drive for the OS, and then a traditional SATA drive that has as many giga/terabytes as needed.

I read that old infected harddisks can be taken in for forensics to find out who did what, but you'll also need it for important files, which may be missed, or to look into corrupted files that you needed.

Buy a refurbished basic motherboard if needed for a new computer, as it costs less.


----------



## akshin (Aug 5, 2020)

```
clamscan -r -i -l /usr/home/user/clamav_virus --exclude-dir="^/sys" /
```


----------



## msplsh (Aug 5, 2020)

akshin said:


> I checked ClamAV and rkhunter. There are no more viruses.



That's great, now migrate the entire system to a new install like others have mentioned here.  Get a completely new computer if you can't take this one down, do it on the weekend, something... sheesh.


----------



## akshin (Aug 5, 2020)

msplsh said:


> That's great, now migrate the entire system to a new install like others have mentioned here ...


This means that the ClamAV could not find viruses and these viruses are there at the moment. I don't want to migrate these viruses to a new server.


----------



## sidetone (Aug 5, 2020)

Mount that harddrive as readonly, from an operating system that has a good virus scanner.

Windows or Linux may get it, but it may not understand the filesystem and try to delete it. There should be another way to get it mounted and scanned from FreeBSD or Linux.

The problem looked mostly to be in Operating System and port's processes. It's a set of executable (and perhaps other) files working together. The problem is from files running, that are hidden that act like what you found in htop, not likely from something like ".mp3", unless that's used to hide something, and that wouldn't be made obvious as suspicious by that being in a bin/ directory. It's like something from a bin/ directory or rootkit. There's some distinction from operating system, ports and executable files than important non-executable files.

Needed files (text files, configuration files, sound files, picture files) don't usually run. Viruses/malware can come hidden as mp3, txt or jpg files. You can also set certain partitions to be as non-executable, where most important files belong anyways. Non-executable is supposed to block files within its partition from running.

You may have to do some reading on the subject.


----------



## msplsh (Aug 5, 2020)

If the viruses and/or backdoors are in your _content_, then you've got a security hole in your applications and the whole thing should be shut down and audited.  If you're not going to do that then....

If the viruses are in your OS, then migrating the sites to a clean install & known secure configuration with new keys, passwords, etc, will solve the problem.


----------



## mark_j (Aug 5, 2020)

akshin said:


> It is not possible to create these websites from scratch.


I'm sorry but this has to be nonsense.
I don't know your government but I do lots of work for our federal government & if our company let this go we'd be blackballed from future tenders. Period.

You need to do as all the others are advising you to do. If you don't have the authority to do it, advise someone who does.

Anti-virus software is a security placebo. You need to secure your systems. You need to find the source of access and stop it. You need to backup your data. You need to completely audit your software. No sense rebuilding the server & putting the same, insecure software on it.

Obtain another server or instance and export only your data. Change all database passwords. Audit your data. Install the cleaned/audited software, monitoring software etc.

I'm telling you nothing new, as all the other posters have told you. I'm just adding to the chorus urging you to take drastic action now, because if you don't, imagine when your server's totally controlled by someone and they lock you out: what will you do then?


----------



## sidetone (Aug 5, 2020)

Whatever it took to make those websites, back that up, and put it back in, so that it's not from scratch.


----------



## mark_j (Aug 6, 2020)

sidetone said:


> Whatever it took to make those websites, back that up, and put it back in, so that it's not from scratch.


It may be a language thing, but it's hard to get a clue on what's running on this server. Maybe I missed something? Is it custom PHP or some package or port?
It's not immediately certain whether the problem is the OP is just out of their league with this. (No shame in that, I might add).


----------



## sidetone (Aug 6, 2020)

akshin just said websites. Whatever it is, that's data that can be backed up, whether html, php, http configurations, or anything else.

akshin may have to call someone they know for help and to offer a job to.


----------



## Mjölnir (Aug 6, 2020)

akshin said:


> But how? This is problem. There is no antivirus for unix and linux.


`make -C /usr/ports search key=virus | egrep '^(Port|Info):' | less` tells us there are two freely available virus scanners, security/f-prot & security/clamav, and a bunch of ports to integrate these into mail etc.  You told us before and after this post that you used _clamscan_ to detect infected files...


mark_j said:


> You need to do as all the others are advising you to do. If you don't have the authority to do it, advise someone who does. [...] Anti-virus software is a security placebo. You need to secure your systems. You need to find the source of access and stop it. You need to backup your data. You need to completely audit your software. No sense rebuilding the server & putting the same, insecure software on it. Obtain another server or instance and export only your data. Change all database passwords. Audit your data. Install the cleaned/audited software, monitoring software etc.


Nothing to add to that.  Except two topics:

you may want to call your government's CERT team to help you, they can provide you a recipe of actions to follow. 
Please be aware that loosely speaking of ipfw(4) (or pf(4) & ipf(4)) as a _firewall_ is not strictly correct, these are _packet filters_ and are vital _parts_ of a firewall.  You (your team) may need to review your firewall setup, and foremost your web application design.  Obviously someone broke in and put the virus on your site.  You need to fix that hole before going online again.


----------



## SirDice (Aug 6, 2020)

Trying to remove these viruses is an exercise in futility. This is highly customizable code, scanners will not be able to detect them. Besides that, this machine has been compromised, everything you run on it is tainted and cannot be trusted.

Note that these bots likely came in through a code-injection in some bad PHP code. Packet filters aren't going to protect you against this type of attack.


----------



## jmos (Aug 6, 2020)

Having a positive break-in on such a webserver means: Use the source of your PHP webpage - and never ever copies of the files from the compromised machine (they could have been modified!). If it's a PHP driven website, then there has to be someone who has an equivalent development machine from which this rebuild can be done. If that "master computer" doesn't exist: Huge fail and dead loss; But even a backup can only be used if you're sure it has been taken before the break-in.

And before the server is getting up & running again you've got to find out how the break-in happened: It needn't have been PHP, it could also be a weak SSH account etc. But if it was PHP: The programmers should do some homework before (and never ever set up a PHP site and forget it or just expand it - continuous security checks of the code are non-optional, dynamic websites mean work every single month). To get a clue of this "how" take a deep look in all of the logfiles (but if "they" were good you won't find anything). Otherwise it won't take long till this happens again.

On a server there's nothing to "clean up and reboot" - this installation has to be canceled. Really.

And despite all the bad and upcoming work - if setting up the server cannot be done: No server is so important that life wouldn't go on without it, so: shut it down, learn your lessons, go deeply over your concept, find a short-term solution and start a better project.


----------



## Mjölnir (Aug 6, 2020)

In the long run, get rid of PHP.


----------



## sidetone (Aug 6, 2020)

This is messed up.

Code bloat surely only makes potential for malware worse.


----------



## mark_j (Aug 7, 2020)

mjollnir said:


> In the long run, get rid of PHP.


That's a bit silly. It's not the language that's at fault, but the programming of it. Sure PHP has had a history of exploitation but, boy oh boy, have some programmers just got no idea! The copy/paste programmers just hope for the best. 

And replace it with what? Perl? Python (good until their mighty overlord decides to break everything... AGAIN).
PHP is fine, just hope the programmer has a clue.


----------



## Mjölnir (Aug 7, 2020)

mark_j said:


> That's a bit silly. It's not the language that's at fault, but the programming of it. Sure PHP has had a history of exploitation but, boy oh boy, have some programmers just got no idea! The copy/paste programmers just hope for the best.
> 
> And replace it with what? Perl? Python (good until their mighty overlord decides to break everything... AGAIN).
> PHP is fine, just hope the programmer has a clue.


PHP is a bad choice for a principal reason: a commonly accepted guideline in software engineering states: do not mix application logic & UI appearance logic.  PHP violates this -- by design, i.e. this flaw is inherent in PHP.  This way of programming appeals to hackers (in the sense of _quick & dirty_ hack, not: break into a system), i.e. it misleads one into doing _"dirty"_ programming.  Yes, you can mess up your software in every language.  It's just much easier in PHP.  Compare the impressive list of security alerts of PHP to e.g. Plone (framework Zope, language Python).


----------



## msplsh (Aug 7, 2020)

Yet every programming language for the web seems to be unable to not stuff HTML into strings.

Just because it's easy for inexperienced programmers to make mistakes like this doesn't mean you can't avoid problems as an experienced one.  Facebook is basically a PHP app.


----------



## akshin (Aug 8, 2020)

pid 47201

```
root@haf1:/tmp# lsof -p 47201
lsof: WARNING: compiled for FreeBSD release 12.1-RELEASE-p6; this is 12.1-RELEASE.
COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF     NODE NAME
perl    47201  www  cwd   VDIR               0,62   292352 12038400 /tmp
perl    47201  www  rtd   VDIR               0,62     1024        2 /
perl    47201  www    0u  unix 0xfffff82003822000      0t0          /var/run/php5-fpm.sock
perl    47201  www    1u  PIPE 0xfffff8032faa3168        0          ->0xfffff8502f5a3000
perl    47201  www    2u  VCHR               0,51      0t0       31 /dev/null
perl    47201  www    4u  unix 0xfffff800486a8000      0t0          /var/run/php5-fpm.sock
perl    47201  www    5u  unix 0xfhfff8007h4f8000      0t0          ->(none)
perl    47201  www    6r  VCHR                0,7    0t608        6 /dev/random
```
How to stop perl?
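An added example (not from the thread and not a FreeBSD tool) of turning `lsof -p` output like the above into a yes/no indicator: a POSIX sh function wrapping awk that reads `lsof` lines and reports every PID whose working directory is under /tmp or /var/tmp and which also holds an outbound TCP connection. The sample lines, the PIDs and the addresses are constructed; the real output in the post above shows unix sockets rather than a TCP peer, so the network half of the check would need `lsof -i` or `sockstat -4 -6` output on a live box.

```shell
#!/bin/sh
# Constructed sample in the shape of `lsof -p <pid>` output (not the thread's
# real listing). PID 47201 mimics an interpreter started out of /tmp that
# talks to a remote peer; PID 2201 is an ordinary listening web server.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
perl    47201  www  cwd   VDIR   0,62   292352 12038400 /tmp
perl    47201  www  rtd   VDIR   0,62     1024        2 /
perl    47201  www    5u  IPv4 0xdeadbeef      0t0 TCP 10.0.0.5:51234->203.0.113.7:6667 (ESTABLISHED)
httpd   2201   www  cwd   VDIR   0,62     1024        2 /
httpd   2201   www    3u  IPv4 0xdeadbeef      0t0 TCP *:80 (LISTEN)'

# Read lsof lines on stdin; print one line per PID that both has its cwd in a
# world-writable temp directory and has an outbound (->) TCP/IP connection.
flag_tmp_with_net() {
    awk '
        $1 == "COMMAND" { next }                         # skip the header
        { cmd[$2] = $1; user[$2] = $3 }
        # cwd rows: last field is the directory
        $4 == "cwd" && $NF ~ /^\/(var\/)?tmp(\/|$)/ { tmpcwd[$2] = $NF }
        # socket rows with a "local->remote" pair are outbound connections
        $5 ~ /^IPv[46]$/ && $0 ~ /->/ {
            outbound[$2] = (outbound[$2] == "" ? "" : outbound[$2] ",") $(NF-1)
        }
        END {
            for (p in tmpcwd)
                if (p in outbound)
                    printf "%s %s %s cwd=%s conn=%s\n",
                           p, user[p], cmd[p], tmpcwd[p], outbound[p]
        }'
}

# Run the check against the constructed sample (returns the flagged lines).
check_lsof_sample() {
    printf '%s\n' "$SAMPLE_LSOF" | flag_tmp_with_net
}

# Live use on FreeBSD, one process: lsof -p <pid> | flag_tmp_with_net
```

Neither condition is conclusive on its own (plenty of legitimate jobs run from /tmp, and a web server opens outbound connections), but the combination on a process owned by the web-server account is the pattern SirDice describes, and the output is a PID you can hand straight to `procstat -b` and `kill`.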


----------



## mark_j (Aug 8, 2020)

akshin said:


> pid 47201
> 
> ```
> root@haf1:/tmp# lsof -p 47201
> ...


`kill -9 47201`


----------



## mark_j (Aug 8, 2020)

mjollnir said:


> PHP is a bad choice for a principal reason: a commonly accepted guideline in software engineering states: do not mix application logic & UI appearance logic.  PHP violates this -- by design, i.e. this flaw is inherent in PHP.  This way of programming appeals to hackers (in the sense of _quick & dirty_ hack, not: break into a system), i.e. it misleads one into doing _"dirty"_ programming.  Yes, you can mess up your software in every language.  It's just much easier in PHP.  Compare the impressive list of security alerts of PHP to e.g. Plone (framework Zope, language Python).


Very little textbook theory should ever make it into practice, imo. I think you also confuse the php language and your theoretical desire for separation of powers, so to speak. It's infeasible in all but the largest of projects to take that approach. I also disagree that this is the sole problem with php; most are extensions that have vulnerabilities, and that is the direct result of modular languages, not the language itself.
Python is fine until the lord-of-all-things-python decides to break backward compatibility.


----------



## sidetone (Aug 8, 2020)

I get akshin's frustration. People have things to do, instead of being tied down by stuff like this.

Every single person has to become an expert because of this, and most people are really good at a few things.


----------



## sidetone (Aug 8, 2020)

Regardless who it's on. 30 websites is a high target. No one wants to deal with stuff like this, but we have to see the truth that that system has to be started over on a new harddrive.

People have to learn how to be experts in computer security, as well as unrelated subjects they're good at. It's ridiculous.

He doesn't want to start over on it, because it's difficult or it was a lot. That's messed up from the ones who create problems.


----------



## sidetone (Aug 8, 2020)

akshin said:


> ```
> root@haf1:/tmp# lsof -p 47201
> lsof: WARNING: compiled for FreeBSD release 12.1-RELEASE-p6; this is 12.1-RELEASE.
> COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF     NODE NAME
> ...


That "Perl" is probably not even Perl, like that other running service disguised as Postfix.

Normally it's good to be determined to keep something going. In this case, you have to start over, save that old harddisk, and learn along the way.


----------

