OT. Have I been hacked? IRCD?
mark at onnow.net
Mon Dec 13 23:00:28 UTC 2004
Sorry for the OT question but I need some assistance ASAP.
I have been experiencing high load, 3.00 (.5 is normal), for 3 days. This is
being used as a web server. When I run top I see:
17513 apache 25 0 2504 872 672 R 96.7 0.1 3591m 1 perl
4883 apache 25 0 2528 896 676 R 71.3 0.1 3575m 0 perl
So there are two perl processes that are maxing the CPUs.
When I run: lsof -i |grep perl
I get:
perl 4883 apache 3u IPv4 2624 TCP *:http (LISTEN)
perl 4883 apache 4u IPv4 2626 TCP *:https (LISTEN)
perl 4883 apache 124u IPv4 193039277 TCP onofmydomains.com:56272->ftp.pqa.com:ircd (ESTABLISHED)
perl 17513 apache 3u IPv4 2624 TCP *:http (LISTEN)
perl 17513 apache 4u IPv4 2626 TCP *:https (LISTEN)
perl 17513 apache 124u IPv4 65252685 TCP oneofmydomains.com:60371->chobits.ircrev.com:ircd (ESTABLISHED)
So I have a connection to an irc daemon.
I have grepped the web content directory for ircd and not found anything.
ps -ef |grep ircd gets nothing.
I also can't seem to locate a perl script that is causing this.
So can anyone offer some help here? How can I check this further? I want to
nail down the user ( web user I hope ) that is running this.
Thank you
Mark
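
Added example (not part of the original post): a Python triage check over `lsof -i` output like the listing above. It flags processes that hold the web server's listening sockets, which a child forked by the server inherits, while also keeping an established connection to an IRC port. The port list and function names are assumptions, and the sample is built from the post's lines plus one constructed normal httpd worker.

```python
from collections import defaultdict

# Constructed sample: lsof rows from the post (one still mail-wrapped)
# plus an ordinary httpd worker for contrast.
SAMPLE = """\
perl 4883 apache 3u IPv4 2624 TCP *:http (LISTEN)
perl 4883 apache 4u IPv4 2626 TCP *:https (LISTEN)
perl 4883 apache 124u IPv4 193039277 TCP
onofmydomains.com:56272->ftp.pqa.com:ircd (ESTABLISHED)
httpd 2101 apache 3u IPv4 2624 TCP *:http (LISTEN)
httpd 2101 apache 4u IPv4 2626 TCP *:https (LISTEN)
"""

# Assumption: service names/ports commonly used by IRC; extend for your site.
IRC_PORTS = {"ircd", "ircs-u", "6667", "6697", "7000"}
WEB_PORTS = {"http", "https", "80", "443"}

def parse_lsof(text):
    """Yield (command, pid, user, name, state) for each TCP row of `lsof -i`."""
    joined = []
    for line in text.splitlines():
        # Re-join rows that were wrapped right after the NODE column.
        if joined and joined[-1].rstrip().endswith(" TCP"):
            joined[-1] = joined[-1].rstrip() + " " + line.strip()
        else:
            joined.append(line)
    for row in joined:
        f = row.split()
        if "TCP" not in f or f.index("TCP") + 1 >= len(f):
            continue  # header, non-TCP row, or truncated row
        i = f.index("TCP")
        state = f[i + 2].strip("()") if i + 2 < len(f) else ""
        yield f[0], int(f[1]), f[2], f[i + 1], state

def suspicious_children(text):
    """Map PID -> (command, user, remote) for web-socket holders talking to IRC."""
    listens, irc = defaultdict(set), {}
    for cmd, pid, user, name, state in parse_lsof(text):
        port = name.rsplit(":", 1)[-1]
        if state == "LISTEN" and port in WEB_PORTS:
            listens[pid].add(port)
        elif state == "ESTABLISHED" and "->" in name and port in IRC_PORTS:
            irc[pid] = (cmd, user, name.split("->", 1)[1])
    return {pid: hit for pid, hit in irc.items() if listens[pid]}

if __name__ == "__main__":
    print(suspicious_children(SAMPLE))
```

For each flagged PID, `ls -l /proc/<pid>/cwd /proc/<pid>/exe` and the contents of `/proc/<pid>/cmdline` show where the process was started from, which a grep of the web content directory will miss if the script lives elsewhere or has been deleted.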