On Thu, 2006-11-16 at 10:26 -0600, olga(a)urbantimes.net wrote:
> Hi,
> I wrote about kernel errors which somebody pointed out was because the
> server was running out of memory.
> Now I found the following which makes me think that that server may have
> been compromised.
> Here's what I get when I issued: netstat -nap
> tcp 0 0 131.x.x.x:38423 72.x.x.x:80 ESTABLISHED 5226/ps x
> tcp 0 0 131.x.x.x:38420 72.x.x.x:80 ESTABLISHED 5365/ps x
> About a hundred instances of that program 'ps x' running.
> Also here's what ps -ef produced:
> apache 6323 1 0 10:30 ? 00:00:00 ps x
> apache 6324 1 0 10:30 ? 00:00:00 ps x
> apache 6326 1 0 10:30 ? 00:00:00 ps x
> apache 6328 1 0 10:30 ? 00:00:00 ps x
> apache 6330 1 0 10:30 ? 00:00:00 ps x
What does ls -l /proc/6323/exe say? That would be a symlink to the
executable for that process. Normal ps lives in /bin so the link should
point at /bin/ps. If it is connecting out to a remote host, it's likely
not the normal ps, just something that's masking itself to make it less
likely to get picked up.
--
David Hollis <dhollis(a)davehollis.com>
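The /proc/<pid>/exe check David describes, scripted for a whole host; this is an added example, not code from the thread. It walks /proc, compares each process's advertised command name with the binary its exe link resolves to, and reports the ones that disagree; the EXPECTED_PATHS table is an assumption for this example.

```python
import os

# A process can set argv[0] to anything, so ps and netstat -p show whatever
# name it chose ("ps x" in the thread). /proc/<pid>/exe is a kernel-maintained
# symlink to the binary actually mapped, so the two can be compared.

# Where the genuine binary for a command name is expected to live.
# Constructed for this example; extend for the distribution in use.
EXPECTED_PATHS = {
    "ps": ("/bin/ps", "/usr/bin/ps"),
    "netstat": ("/bin/netstat", "/usr/bin/netstat"),
}

def command_name(cmdline):
    """Bare command name from a /proc/<pid>/cmdline string ("ps x" -> "ps")."""
    # /proc cmdline is NUL-separated; a faked argv[0] may also carry spaces.
    first = cmdline.split("\0")[0].split(" ")[0]
    return os.path.basename(first)

def classify(cmdline, exe_target):
    """Verdicts: "ok" exe is where that command lives; "deleted" binary was
    unlinked after start (typical of a dropped payload); "mismatch" known name
    but exe elsewhere; "unknown" name not in EXPECTED_PATHS."""
    if exe_target.endswith(" (deleted)"):
        return "deleted"
    expected = EXPECTED_PATHS.get(command_name(cmdline))
    if expected is None:
        return "unknown"
    return "ok" if exe_target in expected else "mismatch"

def scan_proc(proc_root="/proc"):
    """Yield (pid, cmdline, exe, verdict) for every process that looks suspect."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc_root}/{entry}/cmdline", "rb") as f:
                cmdline = f.read().decode(errors="replace")
            exe = os.readlink(f"{proc_root}/{entry}/exe")
        except OSError:
            continue  # process exited, or not root (other users' exe links)
        verdict = classify(cmdline, exe)
        if verdict in ("mismatch", "deleted"):
            yield int(entry), cmdline, exe, verdict

if __name__ == "__main__":
    for pid, cmdline, exe, verdict in scan_proc():
        print(f"{verdict:8} pid={pid} cmdline={cmdline!r} exe={exe}")
```

Run it as root so every process's exe link is readable. A link that does point at /bin/ps only rules out name masquerading; verify that binary itself against the package database (rpm -V or debsums), since a rootkit can replace it.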