----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[email protected]>; <[email protected]>
Sent: Tuesday, November 16, 2004 11:37 PM
Subject: How do I find what web scripts are calling PERL.EXE?



Sorry to spam this out to the ActiveState, Web, and Admin groups, but I
wasn't sure exactly where a question like this would go.

I am in the position of hosting a number of sites for which,
unfortunately, I do not have total control.  Nor can I shut the system
down whenever I like.

SOMETHING (I don't know what) is calling the perl.exe process, which is
running under the IUSR_MACHINE account.  It's using up an inordinate
amount of CPU time.  I can't figure out what is doing it.  I can't even
run stats on my http logfiles because they seem to be slowing down. And we
have a lot of Perl files.

Windows 2000 Task Manager is of no help, aside from letting me see that
IUSR_MACHINE is using the 5.8 perl.exe file.  I can't tell what path it is
to be absolutely sure, but it seems likely that this is a web script
someone has loaded that has gone amok, although other possibilities exist,
such as some trojan that is using my server as a DDoS box.

Sorry if my recommendations will not be perfect, because I have a Linux server as a production web server and IIS on WinXP-Pro as a testing server.

1) Find perl.exe on your disk(s) and be sure that only Administrator and IUSR_MACHINE have privileges to run it.

2) Find the incident time in the NTFS log and compare it with the IIS log. But be careful - the IIS log commonly uses GMT time and the NTFS log uses local time.

3) In the IIS log, in the appropriate time segment, you will see something like
   ... GET /domain/index.cgi 200 1745 HTTP/1.1
or
   ... GET /domain/index.pl 200 1745 HTTP/1.1
Files with .pl or .cgi extensions are Perl scripts that are executable by IIS. The next field (200 in this sample) is the IIS status code. Use Google to find "HTTP status codes".
The next field (1745 here) is the amount of transferred bytes.

Now you must look into the pl or cgi files and read the code to know what the script is doing. If you don't know the Perl language, hand the scripts over to some Perl programmer ;-)

Petr Vileta, Czech republic
(My server rejects all messages from Yahoo and Hotmail. Send me your mail from another non-spammer site please.)
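
Steps 2 and 3 of the reply above, as an added example that is not part of the original e-mail: it converts a local incident time to GMT and lists the .pl/.cgi requests that an IIS log recorded around that moment. It assumes the W3C extended log format with a `#Fields:` header; the log lines, the function name `perl_requests` and the UTC-5 offset are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample (not from the thread), IIS W3C extended format, times in GMT.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes cs-version
2004-11-16 21:58:02 192.0.2.10 GET /siteA/index.html 200 5120 HTTP/1.1
2004-11-16 22:01:15 192.0.2.11 GET /siteB/search.pl 200 1745 HTTP/1.1
2004-11-16 22:01:40 192.0.2.11 GET /siteB/search.pl 200 1745 HTTP/1.1
2004-11-16 22:03:09 192.0.2.12 POST /siteC/form.cgi 500 310 HTTP/1.0
2004-11-16 22:04:55 192.0.2.13 GET /siteA/logo.gif 304 0 HTTP/1.1
2004-11-16 23:30:00 192.0.2.14 GET /siteD/stats.pl 200 900 HTTP/1.1
"""

SCRIPT_EXTS = (".pl", ".cgi")  # extensions the reply names as Perl scripts


def perl_requests(log_text, incident_local, utc_offset_hours, window_minutes=5):
    """Count (script, status) pairs requested within the window around the incident."""
    # The incident time is local; the IIS log is GMT, so convert before comparing.
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    center = incident_local.replace(tzinfo=local_tz).astimezone(timezone.utc)
    span = timedelta(minutes=window_minutes)
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the column layout can change mid-file
            continue
        parts = line.split()
        if line.startswith("#") or not fields or len(parts) != len(fields):
            continue  # other directives, blank or truncated rows
        row = dict(zip(fields, parts))
        try:
            stamp = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            uri, status = row["cs-uri-stem"], row["sc-status"]
        except (KeyError, ValueError):
            continue  # needed column not logged, or unparsable timestamp
        stamp = stamp.replace(tzinfo=timezone.utc)
        if abs(stamp - center) <= span and uri.lower().endswith(SCRIPT_EXTS):
            hits[(uri, status)] += 1
    return hits


if __name__ == "__main__":
    # Constructed incident: 17:02 local time at UTC-5, i.e. 22:02 GMT.
    found = perl_requests(SAMPLE_LOG, datetime(2004, 11, 16, 17, 2), -5)
    for (uri, status), count in found.most_common():
        print(count, status, uri)
```

Forgetting the offset (passing 0 here) moves the window to 17:02 GMT and returns no hits, which is the mistake the GMT warning in step 2 is about.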



_______________________________________________
ActivePerl mailing list