possibly hacked

[David Hollis]

On Thu, 2006-11-16 at 10:26 -0600, olga at urbantimes.net wrote:
> Hi,
> 
>  I wrote about kernel errors which somebody pointed out was because the
> server was running out of memory.
> 
> Now I found the following which makes me think that that server may have
> been compromized.
> 
> Here's what I get when I issued: netstat -nap
> 
> tcp    0      0 131.x.x.x:38423       72.x.x.x:80      ESTABLISHED 5226/ps x
> tcp    0      0 131.x.x.x:38420       72.x.x.x:80      ESTABLISHED 5365/ps x
> 
> About a hundred instances of that program 'ps x' running.
> 
> Also here's what ps -ef produced:
> 
> apache    6323     1  0 10:30 ?        00:00:00 ps x
> apache    6324     1  0 10:30 ?        00:00:00 ps x
> apache    6326     1  0 10:30 ?        00:00:00 ps x
> apache    6328     1  0 10:30 ?        00:00:00 ps x
> apache    6330     1  0 10:30 ?        00:00:00 ps x

What does ls -l /proc/6323/exe say?  That would be a symlink to the
executable for that process.  Normal ps lives in /bin so the link should
point at /bin/ps.  If it is connecting out to a remote host, it's likely
not the normal ps, just something that's masking itself to make it less
likely to get picked up.

-- 
David Hollis <dhollis at davehollis.com>