TOP show httpd as exe

Franco primo at ischianet.com
Thu Oct 7 15:25:50 UTC 2004


Hi, after I applied iptables to restrict access to the classic
web server port, and after blocking 210.169.91.66, which
seems to be the IP from which someone was using my server, it has
been 2 days that I have not seen exe in top.

The sockstat file tells me this:
sockets: used 113
TCP: inuse 59 orphan 1 tw 63 alloc 65 mem 155
UDP: inuse 14
RAW: inuse 0
FRAG: inuse 0 memory 0

As for strings, I don't know how it works. I know that when I see this
exe in top and I run lsof -p processnumber, it shows some
lib files in use and one file in /tmp marked as deleted.





Dan Trainor - hostinthebox.net wrote:
> Franco -
> 
> You can try to find it in /proc.  You can also use sockstat to check for 
> unusual socket connections.
> 
> Once I locate the actual binary, I run 'strings' against it and look for 
> anything unusual.  Look for dirs named '...' and '....' in /var/tmp and 
> /tmp, as this is more than often a "starting point".
> 
> Please respond and share your findings with the group.
> 
> Thanks!
> -dant
> 
> 
> Franco wrote:
> 
>> Hi, I have an old Red Hat 9.0 updated to the last release of RH;
>> in some cases in top I see httpd shown as exe.
>> I have read that it can be a virus or trojan, but how can I
>> know this, and if so, how can I delete it?
>> I ran chkrootkit and rkhunter on the server, and it seems that
>> chkrootkit sometimes tells me that I have hidden processes, but
>> not always, and rkhunter says that all is OK.
>> Any suggestions?
>>
> 
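
Added example, not part of the original messages: a shell version of the checks suggested in the reply above (find the real binary through /proc, then look for dot-only directories in /tmp and /var/tmp). The function names and the `proc_root` argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and the proc_root
# argument are hypothetical; on a live host proc_root is /proc.

# Print "PID<TAB>reason<TAB>exe target" for every process whose executable
# has been unlinked or was started from /tmp or /var/tmp.
suspicious_procs() {
    proc_root=${1:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        # readlink fails for kernel threads and for processes we cannot inspect
        target=$(readlink "$dir/exe" 2>/dev/null) || continue
        pid=${dir##*/}
        case $target in
            *" (deleted)")      reason=deleted ;;   # binary removed after start
            /tmp/*|/var/tmp/*)  reason=tempdir ;;
            *)                  continue ;;
        esac
        # While the process is alive, the unlinked binary can still be read
        # from "$dir/exe" (for example: cp it aside, then run strings on it).
        printf '%s\t%s\t%s\n' "$pid" "$reason" "$target"
    done
}

# Print directories whose name consists only of dots (three or more), such
# as the '...' and '....' directories mentioned in the reply.
dot_dirs() {
    for base in "$@"; do
        [ -d "$base" ] || continue
        find "$base" -xdev -type d -name '...*' 2>/dev/null |
            while IFS= read -r d; do
                name=${d##*/}
                case $name in
                    *[!.]*) ;;                  # has a non-dot character
                    *) printf '%s\n' "$d" ;;
                esac
            done
    done
}
```

Run it as root so every process's exe link is readable, for example `suspicious_procs /proc; dot_dirs /tmp /var/tmp`.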




More information about the fedora-list mailing list