On Thu, 16 Nov 2006 olga(a)urbantimes.net wrote:
> Here's what I get when I issued: netstat -nap
>
> tcp 0 0 131.x.x.x:38423 72.x.x.x:80 ESTABLISHED
> 5226/ps x
> tcp 0 0 131.x.x.x:38420 72.x.x.x:80 ESTABLISHED
> 5365/ps x
>
> About a hundred instances of that program 'ps x' running.
>
> Also here's what ps -ef produced:
>
> apache 6323 1 0 10:30 ? 00:00:00 ps x
> apache 6324 1 0 10:30 ? 00:00:00 ps x
> apache 6326 1 0 10:30 ? 00:00:00 ps x
> apache 6328 1 0 10:30 ? 00:00:00 ps x
> apache 6330 1 0 10:30 ? 00:00:00 ps x
The processes are owned by apache, so the chances are that there is a
security hole in the version of apache/httpd that you are using, or
perhaps more likely there are exploitable web pages somewhere on your
server (maybe a bulletin board like phpbb, or phpmyadmin).
I see that these things are talking to port 80, i.e. probably a web server
on the remote site, so it could be getting commands from there or
attempting to spread further.
Your web logs may be able to tell you more.
Michael Young
--
fedora-list mailing list
fedora-list(a)redhat.com
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-list
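A triage check for the situation Michael describes, added here as an example and not part of the thread: it walks a /proc tree and lists processes whose reported command name does not match the binary behind /proc/PID/exe, the mismatch that the later `ls -l /proc/1801/exe` exposed (a process calling itself `httpd` that was really /usr/bin/perl). The optional tree-root argument is an assumption so the check can also be run over a copied /proc.

```shell
#!/bin/sh
# Added example, not from the thread. Lists processes whose argv[0]
# (what ps shows) differs from the binary /proc/PID/exe points at.
# A mismatch is a lead, not proof: interpreters reached through a
# symlink (e.g. /bin/sh -> dash) show up too and need a look by hand.
disguised_procs() {
    root="${1:-/proc}"          # assumed parameter: defaults to live /proc
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid="${d##*/}"
        # cmdline is NUL-separated; the first field is argv[0] as the
        # process itself reports it (a perl script can rewrite this).
        argv0="$(tr '\0' '\n' < "$d/cmdline" 2>/dev/null | head -n 1)"
        [ -n "$argv0" ] || continue          # kernel thread or already exited
        # exe is a symlink to the binary actually executing; reading it
        # needs privilege for other users' processes, so skip on failure.
        exe="$(readlink "$d/exe" 2>/dev/null)" || continue
        uid="$(awk '/^Uid:/ {print $2}' "$d/status" 2>/dev/null)"
        # Compare basenames only: "ps x" claims ps, exe says perl.
        claimed="${argv0##*/}"; claimed="${claimed%% *}"
        actual="${exe##*/}";   actual="${actual% (deleted)}"
        if [ "$claimed" != "$actual" ]; then
            printf '%s uid=%s argv0=%s exe=%s\n' "$pid" "$uid" "$argv0" "$exe"
        fi
    done
}
```

Run as root (`disguised_procs`) so every process's exe link is readable; uid 48 is the apache user on Fedora of that era, so lines with `uid=48` are the ones to follow up in the web logs.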
Did ps -ef again. Here's what I got:
apache 1799 1 0 15:05 ? 00:00:00 httpd
apache 1801 1 0 15:05 ? 00:00:00 httpd
A LOT of these.
and when I did ls -l /proc/1801/exe:
lrwxrwxrwx 1 apache apache 0 Nov 16 15:05 /proc/1801/exe -> /usr/bin/perl
It looks like some kind of script is running.
Ok I ran the command: