
Re: TOP show httpd as exe



On Thu, 07 Oct 2004 17:25:50 +0200, Franco <primo ischianet com> wrote:
> Hi, after I applied iptables to restrict access to the classic
> web server port, and after blocking 210.169.91.66, which
> seems to be the IP from which someone was using my server, it has
> been 2 days that I don't see exe in top.
> 
> Sockstat file tell me this:
> sockets: used 113
> TCP: inuse 59 orphan 1 tw 63 alloc 65 mem 155
> UDP: inuse 14
> RAW: inuse 0
> FRAG: inuse 0 memory 0
> 
> Strings: I don't know how it works. I know that when I see this
> exe in top and I do lsof -p processnumber, it shows some
> lib files in use and one file in /tmp marked as deleted.
> 
> Dan Trainor - hostinthebox.net wrote:
> 
> 
> > Franco -
> >
> > You can try to find it in /proc.  You can also use sockstat to check for
> > unusual socket connections.
> >
> > Once I locate the actual binary, I run 'strings' against it and look for
> > anything unusual.  Look for dirs named '...' and '....' in /var/tmp and
> > /tmp, as this is more than often a "starting point".
> >
> > Please respond and share your findings with the group.
> >
> > Thanks!
> > -dant
> >
> >
> > Franco wrote:
> >
> >> Hi, I have an old Red Hat 9.0 updated to the last release of RH;
> >> in some cases in top I see httpd shown as exe.
> >> I have read that it can be a virus or trojan, but how can I
> >> find this out, and if so, how can I delete it?
> >> I ran chkrootkit and rkhunter on the server, and it seems that
> >> chkrootkit sometimes tells me that I have hidden processes, but
> >> not always, and rkhunter tells me that all is OK.
> >> Any suggestions?
> >>
> >
> 
> --
> fedora-list mailing list
> fedora-list redhat com
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
> 
Wow, time to format the drive and rebuild, unless you want to hang on
to it and find out how you got hacked. Unplug the network cable while
you are doing it.

It looks like the httpd.exe file was in /tmp and was deleted after it was
executed, so you can't see it even if you do a find.

Yang
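The thread describes the telltale signs (an exe whose binary under /tmp shows as "(deleted)" in lsof, and '...' directories in temp dirs) but not how to sweep for them. The script below is an added example, not part of the thread or the tools it mentions: it walks /proc/PID/exe links and flags unlinked or temp-directory executables, then looks for the odd directory names. The `proc_root` and `dir` parameters are my own additions so the functions can be pointed at a constructed tree for offline testing.

```shell
#!/bin/sh
# List processes whose executable was unlinked (the "(deleted)" case seen
# with lsof -p) or that run out of /tmp or /var/tmp. Read-only: nothing is
# killed or removed. proc_root is a hypothetical parameter; pass /proc on a
# live host.
find_suspect_exes() {
    proc_root="${1:-/proc}"
    for exe in "$proc_root"/[0-9]*/exe; do
        [ -L "$exe" ] || continue              # kernel threads have no exe link
        pid="${exe%/exe}"; pid="${pid##*/}"
        target="$(readlink "$exe" 2>/dev/null)" || continue
        case "$target" in
            *" (deleted)"|/tmp/*|/var/tmp/*)
                printf '%s\t%s\n' "$pid" "$target" ;;
        esac
    done
}

# Directories named '...' or '....' below a temp dir, as mentioned in the thread.
find_dot_dirs() {
    dir="${1:-/tmp}"
    find "$dir" -mindepth 1 -maxdepth 2 -type d \
        \( -name '...' -o -name '....' \) 2>/dev/null
}

# Constructed /proc-like tree so the output format can be seen offline.
demo() {
    root="$(mktemp -d)"
    mkdir -p "$root/proc/123" "$root/proc/456" "$root/tmp/..."
    ln -s "/tmp/httpd (deleted)" "$root/proc/123/exe"   # constructed suspect
    ln -s "/usr/sbin/httpd"      "$root/proc/456/exe"   # constructed benign
    echo "== suspect exe links (pid, target) =="
    find_suspect_exes "$root/proc"
    echo "== odd directory names under tmp =="
    find_dot_dirs "$root/tmp"
    rm -rf "$root"
}

case "${1:-}" in --demo) demo ;; esac
```

Run with `--demo` to see the constructed case; on a real host call `find_suspect_exes /proc` and `find_dot_dirs /var/tmp` as root so every process's exe link is readable.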

