Re: TOP show httpd as exe

Hi, after I applied iptables rules to restrict access to the classic
web server port, and after blocking what
seems to be the IP from which someone was using my server, it has been 2 days
that I haven't seen exe in top.

The sockstat file tells me this:
sockets: used 113
TCP: inuse 59 orphan 1 tw 63 alloc 65 mem 155
UDP: inuse 14
RAW: inuse 0
FRAG: inuse 0 memory 0

As for strings, I don't know how it works. I know that when I see this
exe in top and I run lsof -p processnumber, it shows some
lib files in use and one file in /tmp marked as deleted.

Dan Trainor - hostinthebox.net wrote:
Franco -

You can try to find it in /proc. You can also use sockstat to check for unusual socket connections.

Once I locate the actual binary, I run 'strings' against it and look for anything unusual. Look for dirs named '...' and '....' in /var/tmp and /tmp, as this is more often than not a "starting point".

Please respond and share your findings with the group.


Franco wrote:

Hi, I have an old Red Hat 9.0 updated to the last release of RH;
in some cases in top I see httpd shown as exe.
I have read that it can be a virus or trojan, but how can I
find this out and, if so, how can I delete it?
I ran chkrootkit and rkhunter on the server, and it seems that
chkrootkit sometimes tells me that I have hidden processes, but
not always, and rkhunter says that all is OK.
Any suggestions?
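
The /proc check suggested in the thread, written out as an added example that is not part of any of the messages above. The function name scan_proc and the reason labels are assumptions made for illustration; it reads only the exe link and the Name field of each process.

```shell
#!/bin/sh
# Added example (not from the thread): list processes whose binary was
# deleted, runs from a temp directory, sits under a "..." or "...." directory,
# or whose kernel-reported name differs from the binary's file name.
# Output columns (tab separated): PID, Name (what top shows), exe path, reasons.

scan_proc() (
    root="${1:-/proc}"
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        # No readable exe link: kernel thread, or not enough privilege.
        exe="$(readlink "$dir/exe" 2>/dev/null)" || continue
        [ -n "$exe" ] || continue
        # "Name:" in status is the short process name that top displays.
        name="$(sed -n 's/^Name:[[:space:]]*//p' "$dir/status" 2>/dev/null)" || name="?"
        reasons=""
        # The kernel appends " (deleted)" once the file has been unlinked.
        case "$exe" in
            *" (deleted)") reasons="deleted-binary"; exe="${exe% (deleted)}" ;;
        esac
        case "$exe" in
            /tmp/*|/var/tmp/*) reasons="${reasons:+$reasons,}temp-path" ;;
        esac
        case "$exe" in
            */.../*|*/..../*) reasons="${reasons:+$reasons,}dot-dir" ;;
        esac
        # Name is truncated to 15 characters, so compare like with like.
        # Interpreters and symlinked binaries also differ here: review, not proof.
        short="$(printf '%.15s' "${exe##*/}")"
        [ "$name" = "$short" ] || reasons="${reasons:+$reasons,}name-mismatch"
        if [ -n "$reasons" ]; then
            printf '%s\t%s\t%s\t%s\n' "${dir##*/}" "$name" "$exe" "$reasons"
        fi
    done
    exit 0
)

# Scan the live system by default; pass another root to scan a copy.
scan_proc "${1:-/proc}"
```

Run it as root so that the exe link of every process is readable; processes owned by other users are skipped otherwise.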

