Koozali.org: home of the SME Server

server hacker/intrusion detection

ber
server hacker/intrusion detection
« on: February 13, 2012, 03:23:34 AM »
Hi. SME 7.5 with all updates installed, server/gateway mode. DansGuardian installed and running.

Over the last week I noticed that our internet was running slow and sluggish. Did more investigation and noticed that the CPU average had increased by 40%; usually it's about 7-8%. The CPU chassis light was flickering more than it normally does.
I have sme7admin installed and checked the CPU/load/service/RAM resources and
ran the top command...

login as: root
root@192.168.0.254's password:
Last login: Mon Feb 13 14:08:53 2012
[root@server ~]# top
top - 14:40:58 up  1:48,  2 users,  load average: 2.34, 2.95, 5.24
Tasks: 274 total,   1 running, 273 sleeping,   0 stopped,   0 zombie
Cpu(s): 15.2% us,  4.0% sy,  0.0% ni,  0.0% id, 80.8% wa,  0.0% hi,  0.0% si
Mem:    905368k total,   895836k used,     9532k free,     2840k buffers
Swap:  1835000k total,   962444k used,   872556k free,    16392k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 5673 clamav    16   0 18572 5252  932 S  8.3  0.6   0:01.48 dansguardian
 8650 root      16   0 1214m 647m 1596 D  5.3 73.3   1:07.23 sme7admind
 4735 squid     15   0 21372 5504 1536 S  2.7  0.6   0:17.54 squid
 4787 clamav    15   0 18572 6428  932 S  0.7  0.7   0:03.62 dansguardian
10705 root      16   0  3168  980  680 S  0.7  0.1   0:07.03 top
   54 root      15   0     0    0    0 S  0.3  0.0   0:27.63 kswapd0
 4783 clamav    15   0 18516 7320  948 S  0.3  0.8   0:01.16 dansguardian
 4790 clamav    15   0 18588 5900  912 S  0.3  0.7   0:01.59 dansguardian
 5670 clamav    15   0 18556 4336  928 S  0.3  0.5   0:01.96 dansguardian
11503 root      17   0  3532 1000  688 R  0.3  0.1   0:03.70 top
    1 root      16   0  3244  336  316 S  0.0  0.0   0:00.46 init
    2 root      34  19     0    0    0 S  0.0  0.0   0:00.01 ksoftirqd/0
    3 root       5 -10     0    0    0 S  0.0  0.0   0:00.04 events/0
    4 root       5 -10     0    0    0 S  0.0  0.0   0:00.01 khelper
    5 root       5 -10     0    0    0 S  0.0  0.0   0:00.00 kthread
    6 root      15 -10     0    0    0 S  0.0  0.0   0:00.00 kacpid
   34 root       5 -10     0    0    0 S  0.0  0.0   0:00.00 kblockd/0
[root@server ~]#

I noticed an unusual user logged in using the smtpd service and suspected that there may be a user/hacker that's broken into the system. I have no user registered under that name?

What procedures can I follow to find out:

1. If there is an unknown and unauthorized user.
2. How to block/remove him if possible.
3. Do I need more security options (IPCop)?
4. How to find out why the CPU usage is so high?

Thanks, regards, John

CharlieBrady
Re: server hacker/intrusion detection
« Reply #1 on: February 13, 2012, 02:21:29 PM »
Quote: I have sme7admin installed ...

I'd suggest you remove it, or at least stop it and disable it. It looks to me that it has a memory leak.

Swap:  1835000k total,   962444k used,   872556k free,    16392k cached
...
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
...
 8650 root      16   0 1214m 647m 1596 D  5.3 73.3   1:07.23 sme7admind

You should report this problem with this contrib via the bug tracker.

ber
Re: server hacker/intrusion detection
« Reply #2 on: February 13, 2012, 09:21:41 PM »
Hi Charlie, can you clarify why you think sme7admin is the cause of the memory leak?
I use sme7admin a lot to monitor the server. I have had it installed on the server since new (2 years) without any problems.
It does show a high usage of swap since approximately a week ago, when the internet and server access became sluggish.

I have other contribs installed as well: awstats/gallery2/ZABBIX (hardly used)/DAR2.

Also, can you clarify in layman's terms what a memory leak is (noobie)?

CharlieBrady
Re: server hacker/intrusion detection
« Reply #3 on: February 13, 2012, 11:56:04 PM »
Quote: Hi Charlie, can you clarify why you think sme7admin is the cause of the memory leak?

It's using 73% of the system memory, which is already 200% committed (via use of swap). The reason your system is so slow is because it is using so much swap, and the reason it is swapping is because sme7admind is using so much memory.
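
Charlie's memory-commitment arithmetic (RAM used plus swap used against total RAM) and ber's earlier question about spotting an unknown account can both be checked with a small script run over a saved `top -b -n 1` snapshot and the password file. The following is an added example, not code from this thread or from SME Server: its sample lines are constructed from the top output posted above, the /etc/passwd excerpt (including the "extraroot" account) is made up, and the allowlist of expected service accounts is an assumption to adjust for the server in question.

```sh
#!/bin/sh
# Added example (not from the thread or SME Server): triage a saved `top -b -n 1`
# snapshot and the password file the way the replies above reason about them.
# Sample lines below are constructed from the top output posted in this thread.
SAMPLE_TOP='Mem:    905368k total,   895836k used,     9532k free,     2840k buffers
Swap:  1835000k total,   962444k used,   872556k free,    16392k cached
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 5673 clamav    16   0 18572 5252  932 S  8.3  0.6   0:01.48 dansguardian
 8650 root      16   0 1214m 647m 1596 D  5.3 73.3   1:07.23 sme7admind
 4735 squid     15   0 21372 5504 1536 S  2.7  0.6   0:17.54 squid'

# Constructed /etc/passwd excerpt; "extraroot" is a made-up second UID-0 account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
qmaild:x:400:400::/var/qmail:/sbin/nologin
extraroot:x:0:0::/tmp:/bin/sh'

# Memory commitment in percent: (RAM used + swap used) / RAM total, as in reply #3.
commit_pct() {
  printf '%s\n' "$1" | awk '
    /^Mem:/  { mem_total = $2 + 0; mem_used = $4 + 0 }   # "905368k" -> 905368
    /^Swap:/ { swap_used = $4 + 0 }
    END { printf "%d\n", (mem_used + swap_used) * 100 / mem_total }'
}

# Command of the process with the largest %MEM column (field 10 of a top line).
mem_hog() {
  printf '%s\n' "$1" | awk '
    BEGIN { max = -1 }
    $1 ~ /^[0-9]+$/ && ($10 + 0) > max { max = $10 + 0; cmd = $12 }
    END { print cmd }'
}

# Process owners not in a space-separated allowlist of expected service accounts.
unexpected_users() {
  printf '%s\n' "$1" | awk -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^[0-9]+$/ && !($2 in ok) && !seen[$2]++ { print $2 }'
}

# Accounts other than root that have UID 0, a classic sign of an added admin account.
uid0_accounts() {
  printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

echo "memory committed: $(commit_pct "$SAMPLE_TOP")%"                    # 205%
echo "largest %MEM: $(mem_hog "$SAMPLE_TOP")"                             # sme7admind
# clamav is deliberately left out of the allowlist here to show a hit.
echo "unexpected owners: $(unexpected_users "$SAMPLE_TOP" "root squid")"  # clamav
echo "extra UID-0 accounts: $(uid0_accounts "$SAMPLE_PASSWD")"            # extraroot
```

On a live box, replace the constructed samples with `"$(top -b -n 1)"` and `"$(cat /etc/passwd)"`; a commitment figure well over 100% with one process holding most of %MEM points at that process rather than at an intruder, which is exactly the distinction drawn in this thread.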

CharlieBrady
Re: server hacker/intrusion detection
« Reply #4 on: February 13, 2012, 11:58:55 PM »
Quote: Also, can you clarify in layman's terms what a memory leak is (noobie)?

Seriously?

http://bit.ly/x9Js6f

ber
Re: server hacker/intrusion detection
« Reply #5 on: February 14, 2012, 12:14:17 AM »
Thank you Charlie :-P. Seriously, I'm that much of a noobie. I have googled memory leak, but I like your explanation as it relates to my problem specifically; in most explanations there's always the disclaimer of "it may not necessarily be the software that is causing the problem..." Anyway, thanks for the link.
Update: I have removed the contrib sme7admin and the puppy has settled; internet and server access is much quicker.

Here is the latest top output (no swap usage):

login as: root
root@192.168.0.254's password:
Last login: Tue Feb 14 08:55:54 2012 from 192.168.0.230
[root@server ~]# top
top - 12:09:32 up 45 min,  1 user,  load average: 0.22, 0.07, 0.06
Tasks: 210 total,   1 running, 209 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.0% us,  0.3% sy,  0.0% ni, 99.3% id,  0.3% wa,  0.0% hi,  0.0% si
Mem:    905368k total,   850464k used,    54904k free,    38108k buffers
Swap:  1835000k total,        0k used,  1835000k free,   300908k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 7454 root      16   0  2992 1084  780 R  0.3  0.1   0:00.35 top
    1 root      16   0  3332  620  532 S  0.0  0.1   0:00.45 init
    2 root      34  19     0    0    0 S  0.0  0.0   0:00.00 ksoftirqd/0
    3 root       5 -10     0    0    0 S  0.0  0.0   0:00.04 events/0
    4 root       5 -10     0    0    0 S  0.0  0.0   0:00.01 khelper
    5 root       5 -10     0    0    0 S  0.0  0.0   0:00.00 kthread
    6 root      15 -10     0    0    0 S  0.0  0.0   0:00.00 kacpid
   34 root       5 -10     0    0    0 S  0.0  0.0   0:00.00 kblockd/0
   35 root      15   0     0    0    0 S  0.0  0.0   0:00.00 khubd
   52 root      20   0     0    0    0 S  0.0  0.0   0:00.00 pdflush
   53 root      15   0     0    0    0 S  0.0  0.0   0:00.05 pdflush
   54 root      25   0     0    0    0 S  0.0  0.0   0:00.00 kswapd0
   55 root      11 -10     0    0    0 S  0.0  0.0   0:00.00 aio/0
  199 root      25   0     0    0    0 S  0.0  0.0   0:00.00 kseriod
  430 root       5 -10     0    0    0 S  0.0  0.0   0:00.00 ata/0
  431 root       6 -10     0    0    0 S  0.0  0.0   0:00.00 ata_aux
  433 root      15   0     0    0    0 S  0.0  0.0   0:00.00 scsi_eh_0


I will attempt to post a bug on this and see what the cause/solution is. Thanks again Charlie.  :)


janet
Re: server hacker/intrusion detection
« Reply #6 on: February 14, 2012, 01:28:40 AM »
ber

Quote: I will attempt to post a bug on this and see what the cause/solution is.

I think this is a commonly known issue with sme7admin. Search the forums & bugzilla back 2, 3 or 4 years, when the sme7admin contrib came out or was first being used on SME Server.
IIRC a user can be too zealous with settings in sme7admin (e.g. scan & report frequency or something like that; I don't use it) and create problems like those you have experienced. If it gets bad enough it can even cause your whole server to lock up.

Here are two examples of forum search result answers, but please search and read for yourself (search for sme7admin) as there are many many more:
http://forums.contribs.org/index.php/topic,37013.msg165290.html#msg165290
http://forums.contribs.org/index.php/topic,44388.msg213497.html#msg213497
« Last Edit: February 14, 2012, 01:38:39 AM by mary »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

CharlieBrady
Re: server hacker/intrusion detection
« Reply #7 on: February 14, 2012, 04:05:06 AM »
Quote: I think this is a commonly known issue with sme7admin.

So where is the bug report? And the investigation trying to identify and fix the problem?

BTW, ber, please edit the subject of this thread - there is no evidence that your system has been hacked.

CharlieBrady
Re: server hacker/intrusion detection
« Reply #8 on: February 14, 2012, 04:11:13 AM »
There are 14 bug reports against that contrib, none of them reporting a memory leak:

http://bugs.contribs.org/buglist.cgi?list_id=6088&resolution=---&query_format=advanced&component=smeserver-sme7admin&product=SME%20Contribs

Unfortunately, there is no sign that the contrib author is investigating and fixing the problems. Perhaps this contrib should be considered abandonware, and somebody else should take over its maintenance.

ber
Re: server hacker/intrusion detection
« Reply #9 on: February 14, 2012, 10:59:44 AM »
Thank you Charlie. I found this contrib very useful; it's a pity it's not being maintained. I've installed system monitor, which is an adequate replacement but doesn't provide the full service and PIC/Connections graphics. Thanks.