TOP show httpd as exe
Dan Trainor - hostinthebox.net
info at hostinthebox.net
Thu Oct 7 10:57:29 UTC 2004

Franco -

You can try to find it in /proc. You can also use sockstat to check for
unusual socket connections.

Once I locate the actual binary, I run 'strings' against it and look for
anything unusual. Look for dirs named '...' and '....' in /var/tmp and
/tmp, as this is more than often a "starting point".

Please respond and share your findings with the group.

Thanks!
-dant

Franco wrote:
> Hi, I have an old Red Hat 9.0 updated to the last release of RH;
> in some cases in TOP I see httpd shown as exe.
> I have read that it can be a virus or trojan, but what can I do
> to know this, and if so, how can I delete it?
> I started chkrootkit and rkhunter on the server, and it seems that
> chkrootkit sometimes tells me that I have hidden processes, but
> not even, and rkhunter tells me that all is OK.
> Any suggestions?
>
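
The two checks from the reply above (resolving each process's binary through /proc, and looking for '...' and '....' directories under /tmp and /var/tmp), written as an added shell example that is not part of the original thread. The function names and the `--live` switch are hypothetical, and the roots are parameters so the same checks can be pointed at a mounted disk image.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Roots are parameters so the checks can run against a live system, a mounted
# disk image, or a constructed fixture.

# Print directories whose name is three or more dots and nothing else
# ('...', '....') under the given roots, e.g. /tmp and /var/tmp.
find_dot_dirs() {
    find "$@" -xdev -type d -name '...*' 2>/dev/null |
    while IFS= read -r d; do
        case "${d##*/}" in
            *[!.]*) ;;                      # has a non-dot character: skip
            *) printf '%s\n' "$d" ;;
        esac
    done
}

# For each PID under the proc root (default /proc), read the exe symlink and
# print "PID<TAB>reasons<TAB>path" when the binary was unlinked after start,
# runs from /tmp or /var/tmp, or sits below a dot-only directory.
# "deleted" alone is common after a package update replaced the file on disk;
# treat it as a prompt to inspect, not as proof.
suspicious_procs() {
    proc_root=${1:-/proc}
    for p in "$proc_root"/[0-9]*; do
        # Kernel threads and processes we may not inspect have no readable exe.
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        reason=
        case "$exe" in *' (deleted)') reason=deleted ;; esac
        case "$exe" in /tmp/*|/var/tmp/*) reason="${reason:+$reason,}tmp-path" ;; esac
        case "$exe" in */.../*|*/..../*) reason="${reason:+$reason,}dot-dir" ;; esac
        [ -n "$reason" ] && printf '%s\t%s\t%s\n' "${p##*/}" "$reason" "$exe"
    done
    return 0
}

# Run against the live system only when asked to: sh triage.sh --live (as root).
if [ "${1:-}" = "--live" ]; then
    find_dot_dirs /tmp /var/tmp
    suspicious_procs /proc
fi
```

Any path this reports is the file to run 'strings' against; if the binary shows as deleted, the running image can still be copied out through the process's exe link in /proc before the process is stopped.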