possibly hacked
olga at urbantimes.net
olga at urbantimes.net
Thu Nov 16 21:15:30 UTC 2006
> On Thu, 16 Nov 2006 olga at urbantimes.net wrote:
>
>> Here's what I get when I issued: netstat -nap
>>
>> tcp 0 0 131.x.x.x:38423 72.x.x.x:80 ESTABLISHED
>> 5226/ps x
>> tcp 0 0 131.x.x.x:38420 72.x.x.x:80 ESTABLISHED
>> 5365/ps x
>>
>> About a hundred instances of that program 'ps x' running.
>>
>> Also here's what ps -ef produced:
>>
>> apache 6323 1 0 10:30 ? 00:00:00 ps x
>> apache 6324 1 0 10:30 ? 00:00:00 ps x
>> apache 6326 1 0 10:30 ? 00:00:00 ps x
>> apache 6328 1 0 10:30 ? 00:00:00 ps x
>> apache 6330 1 0 10:30 ? 00:00:00 ps x
>
> The processes are owned by apache, so the chances are that there is a
> security hole in the version of apache/httpd that you are using, or
> perhaps more likely there are exploitable web pages somewhere on your
> server (maybe a bulletin board like phpbb, or phpmyadmin).
> I see that these things are talking to port 80, ie. probably a web server
> on the remote site, so it could be getting commands from there or
> attempting to spread further.
> Your web logs may be able to tell you more.
>
> Michael Young
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>
>
Did ps -ef again. Here's what I got:
apache 1799 1 0 15:05 ? 00:00:00 httpd
apache 1801 1 0 15:05 ? 00:00:00 httpd
A LOT of these.
and when I did ls -l /proc/1801/exe:
lrwxrwxrwx 1 apache apache 0 Nov 16 15:05 /proc/1801/exe -> /usr/bin/perl
It looks like some kind of script is running.
Ok I ran the command:
More information about the users
mailing list