possibly hacked

olga at urbantimes.net olga at urbantimes.net
Thu Nov 16 21:15:30 UTC 2006


> On Thu, 16 Nov 2006 olga at urbantimes.net wrote:
>
>> Here's what I get when I issued: netstat -nap
>>
>> tcp    0      0 131.x.x.x:38423       72.x.x.x:80      ESTABLISHED
>> 5226/ps x
>> tcp    0      0 131.x.x.x:38420       72.x.x.x:80      ESTABLISHED
>> 5365/ps x
>>
>> About a hundred instances of that program 'ps x' running.
>>
>> Also here's what ps -ef produced:
>>
>> apache    6323     1  0 10:30 ?        00:00:00 ps x
>> apache    6324     1  0 10:30 ?        00:00:00 ps x
>> apache    6326     1  0 10:30 ?        00:00:00 ps x
>> apache    6328     1  0 10:30 ?        00:00:00 ps x
>> apache    6330     1  0 10:30 ?        00:00:00 ps x
>
> The processes are owned by apache, so the chances are that there is a
> security hole in the version of apache/httpd that you are using, or
> perhaps more likely there are exploitable web pages somewhere on your
> server (maybe a bulletin board like phpbb, or phpmyadmin).
> I see that these things are talking to port 80, ie. probably a web server
> on the remote site, so it could be getting commands from there or
> attempting to spread further.
> Your web logs may be able to tell you more.
>
> 	Michael Young
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>
>

Did ps -ef again. Here's what I got:
apache  1799   1  0  15:05 ? 00:00:00 httpd
apache  1801   1  0  15:05 ? 00:00:00 httpd

A LOT of these.

and when I did ls -l /proc/1801/exe:

lrwxrwxrwx   1 apache apache  0 Nov 16 15:05 /proc/1801/exe -> /usr/bin/perl

It looks like some kind of script is running.


Ok I ran the command:








More information about the users mailing list