possibly hacked
David Hollis
dhollis at davehollis.com
Thu Nov 16 16:56:04 UTC 2006
On Thu, 2006-11-16 at 10:26 -0600, olga at urbantimes.net wrote:
> Hi,
>
> I wrote about kernel errors which somebody pointed out was because the
> server was running out of memory.
>
> Now I found the following which makes me think that that server may have
> been compromised.
>
> Here's what I get when I issued: netstat -nap
>
> tcp 0 0 131.x.x.x:38423 72.x.x.x:80 ESTABLISHED 5226/ps x
> tcp 0 0 131.x.x.x:38420 72.x.x.x:80 ESTABLISHED 5365/ps x
>
> About a hundred instances of that program 'ps x' running.
>
> Also here's what ps -ef produced:
>
> apache 6323 1 0 10:30 ? 00:00:00 ps x
> apache 6324 1 0 10:30 ? 00:00:00 ps x
> apache 6326 1 0 10:30 ? 00:00:00 ps x
> apache 6328 1 0 10:30 ? 00:00:00 ps x
> apache 6330 1 0 10:30 ? 00:00:00 ps x
What does ls -l /proc/6323/exe say? That would be a symlink to the
executable for that process. Normal ps lives in /bin so the link should
point at /bin/ps. If it is connecting out to a remote host, it's likely
not the normal ps, just something that's masking itself to make it less
likely to get picked up.
--
David Hollis <dhollis at davehollis.com>
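An added example, not part of the original thread: a POSIX shell script that applies the /proc/PID/exe check from the reply above to every process whose command line begins with `ps`, and flags those whose executable does not resolve to /bin/ps. The PROC_ROOT parameter, the function names and the fake /proc tree it builds for itself are assumptions made for this example; on a live system you would pass /proc (as root, since other users' exe links are unreadable otherwise).

```shell
#!/bin/sh
# Added example: verify that processes showing up as "ps" in ps/netstat output
# really are /bin/ps, by reading the /proc/<pid>/exe symlink.
# PROC_ROOT is parameterised so the logic can be exercised against a
# constructed fake tree; on a real system use /proc.

# resolve_exe PROC_ROOT PID
# Prints the target of PROC_ROOT/PID/exe, or "(unreadable)" when the link
# cannot be read (process gone, or insufficient privilege).
resolve_exe() {
    target=$(readlink "$1/$2/exe" 2>/dev/null) || target="(unreadable)"
    printf '%s\n' "$target"
}

# argv0_of PROC_ROOT PID
# Prints the first NUL-separated word of PROC_ROOT/PID/cmdline, i.e. the
# name the process chose to show in ps output (which it can fake).
argv0_of() {
    tr '\000' '\n' < "$1/$2/cmdline" 2>/dev/null | head -n 1
}

# audit_named PROC_ROOT NAME EXPECTED_EXE
# For every process whose argv[0] is NAME, compare its exe link to
# EXPECTED_EXE. Prints one SUSPICIOUS line per mismatch.
# Returns 0 when every such process is genuine, 1 when any mismatch exists.
audit_named() {
    root=$1; name=$2; expected=$3; found=0
    for cmdline in "$root"/[0-9]*/cmdline; do
        [ -f "$cmdline" ] || continue
        dir=${cmdline%/cmdline}; pid=${dir##*/}
        [ "$(argv0_of "$root" "$pid")" = "$name" ] || continue
        exe=$(resolve_exe "$root" "$pid")
        if [ "$exe" != "$expected" ]; then
            printf 'SUSPICIOUS pid=%s argv0=%s exe=%s\n' "$pid" "$name" "$exe"
            found=1
        fi
    done
    return $found
}

# make_fake_proc DIR
# Builds a constructed /proc look-alike: one genuine ps, one impostor whose
# argv[0] is "ps" but whose binary lives elsewhere, and one whose binary was
# deleted after exec (the kernel appends " (deleted)" to such links).
# All paths and PIDs here are invented sample data.
make_fake_proc() {
    root=$1
    mkdir -p "$root/100" "$root/6323" "$root/6324"
    printf 'ps\000x\000' > "$root/100/cmdline";  ln -sf /bin/ps "$root/100/exe"
    printf 'ps\000x\000' > "$root/6323/cmdline"; ln -sf /tmp/.x/httpd "$root/6323/exe"
    printf 'ps\000x\000' > "$root/6324/cmdline"; ln -sf "/tmp/.x/httpd (deleted)" "$root/6324/exe"
}

# Stand-alone demo: ./audit.sh --demo   (or pass a real root: ./audit.sh /proc)
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d); make_fake_proc "$demo"
    audit_named "$demo" ps /bin/ps; rm -rf "$demo"
elif [ -n "${1:-}" ]; then
    audit_named "$1" ps /bin/ps
fi
```

Matching on argv[0] rather than /proc/PID/comm is deliberate: the `ps -ef` listing in the question shows the command line, which a process controls, whereas the exe link is maintained by the kernel and points at whatever file was actually executed.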