possibly hacked - HELP
olga at urbantimes.net
Thu Nov 16 21:56:56 UTC 2006
> On Thu, 2006-11-16 at 10:26 -0600, olga at urbantimes.net wrote:
>> Hi,
>>
>> I wrote about kernel errors which somebody pointed out was because the
>> server was running out of memory.
>>
>> Now I found the following which makes me think that that server may have
>> been compromised.
>>
>> Here's what I get when I issued: netstat -nap
>>
>> tcp 0 0 131.x.x.x:38423 72.x.x.x:80 ESTABLISHED 5226/ps x
>> tcp 0 0 131.x.x.x:38420 72.x.x.x:80 ESTABLISHED 5365/ps x
>>
>> About a hundred instances of that program 'ps x' running.
>>
>> Also here's what ps -ef produced:
>>
>> apache 6323 1 0 10:30 ? 00:00:00 ps x
>> apache 6324 1 0 10:30 ? 00:00:00 ps x
>> apache 6326 1 0 10:30 ? 00:00:00 ps x
>> apache 6328 1 0 10:30 ? 00:00:00 ps x
>> apache 6330 1 0 10:30 ? 00:00:00 ps x
>
> What does ls -l /proc/6323/exe say? That would be a symlink to the
> executable for that process. Normal ps lives in /bin so the link should
> point at /bin/ps. If it is connecting out to a remote host, it's likely
> not the normal ps, just something that's masking itself to make it less
> likely to get picked up.
>
> --
> David Hollis <dhollis at davehollis.com>
>
apache 3102 1 0 15:53 ? 00:00:00 httpd
apache 3104 1 0 15:53 ? 00:00:00 httpd
apache 3106 1 0 15:53 ? 00:00:00 httpd
apache 3108 1 0 15:53 ? 00:00:00 httpd
apache 3110 1 0 15:53 ? 00:00:00 httpd
apache 3112 1 0 15:53 ? 00:00:00 httpd
apache 3114 1 0 15:53 ? 00:00:00 httpd
apache 3116 1 0 15:53 ? 00:00:00 httpd
apache 3118 1 0 15:53 ? 00:00:00 httpd
apache 3120 1 0 15:53 ? 00:00:00 httpd
apache 3122 1 0 15:53 ? 00:00:00 httpd
apache 3125 1 0 15:54 ? 00:00:00 httpd
apache 3127 1 0 15:54 ? 00:00:00 httpd
apache 3129 1 0 15:54 ? 00:00:00 httpd
apache 3131 1 0 15:54 ? 00:00:00 httpd
apache 3133 1 0 15:54 ? 00:00:00 httpd
apache 3135 1 0 15:54 ? 00:00:00 httpd
apache 3137 1 0 15:54 ? 00:00:00 httpd
apache 3139 1 0 15:54 ? 00:00:00 httpd
apache 3141 1 0 15:54 ? 00:00:00 httpd
apache 3143 1 0 15:54 ? 00:00:00 httpd
apache 3145 1 0 15:54 ? 00:00:00 httpd
apache 3639 1 0 15:57 ? 00:00:00 ps x
apache 3642 1 0 15:57 ? 00:00:00 ps x
apache 3645 1 0 15:58 ? 00:00:00 ps x
apache 3647 1 0 15:58 ? 00:00:00 ps x
I am getting a ton of these...
Here's what ls -l /proc/3147/exe says
lrwxrwxrwx 1 apache apache 0 Nov 16 15:56 /proc/3147/exe -> /usr/bin/perl
When I do netstat -nap I get:
tcp 0 0 131.x.x.x:44160 72.14.x.x:80 ESTABLISHED -
tcp 0 0 131.x.x.x:44161 72.14.x.x:80 ESTABLISHED -
tcp 0 0 131.x.x.x:44162 72.14.x.x:80 ESTABLISHED -
The ip points to google...
And these appeared in the /tmp folder:
drwxrwxrwt 8 root root 4096 Nov 16 16:00 .
drwxr-xr-x 23 root root 4096 Nov 16 14:35 ..
srwx------ 1 root nobody 0 Nov 16 14:36 .fam_socket
drwxrwxrwt 2 xfs xfs 4096 Nov 16 14:35 .font-unix
srw-rw-rw- 1 root root 0 Nov 16 14:36 .gdm_socket
-rw-r--r-- 1 apache apache 0 Nov 15 15:20 .httpd
drwxrwxrwt 2 root root 4096 Nov 16 14:36 .ICE-unix
drwx------ 2 root root 4096 Nov 16 14:59 mc-root
drwx------ 2 root root 12288 Nov 16 15:16 orbit-root
-rw-r--r-- 1 apache apache 0 Nov 16 15:58 sess_azx3a4wq3x1f2aad4a34sxx1w2o52a45
-rw-r--r-- 1 apache apache 11669 Nov 16 15:43 sess_rdav631df3a1ddfaa34s1x1wwo521459
-r--r--r-- 1 root root 11 Nov 16 14:36 .X0-lock
drwxrwxrwt 2 root root 4096 Nov 16 14:36 .X11-unix
What is going on?
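The check David suggests (compare what a process calls itself with what /proc/PID/exe actually points at) can be run across every process at once. The script below is an added example, not code from the thread: find_masked_procs walks a /proc tree and lists processes whose argv[0] disagrees with the mapped executable, and build_demo_tree constructs a fake /proc with one genuine httpd worker and one perl process posing as "ps x" so it can be tried offline. The PROC_ROOT argument and both function names are this example's own.

```shell
#!/bin/sh
# A process can rewrite its own argv[0] (seen by ps and netstat), but it
# cannot change /proc/PID/exe, which the kernel derives from the binary it
# mapped. Listing the mismatches surfaces "ps x" entries that really run perl.

find_masked_procs() {
    proc_root=${1:-/proc}            # hypothetical parameter; defaults to /proc
    for d in "$proc_root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d##*/}
        # exe is only readable for your own processes unless you are root
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        # argv[0] is the first NUL-terminated field of cmdline
        argv0=$(tr '\0' '\n' < "$d/cmdline" 2>/dev/null | head -n 1)
        [ -n "$argv0" ] || continue
        claimed=${argv0##*/}
        actual=${exe##*/}
        # the kernel appends " (deleted)" when the binary was unlinked after exec
        actual=${actual%" (deleted)"}
        if [ "$claimed" != "$actual" ]; then
            printf '%s claims "%s" but runs %s\n' "$pid" "$argv0" "$exe"
        fi
    done
}

build_demo_tree() {
    root=$(mktemp -d)
    # constructed sample: pid 3102 is a real httpd worker, pid 3147 mimics
    # the thread's "ps x" process whose exe resolves to /usr/bin/perl
    mkdir -p "$root/3102" "$root/3147"
    printf '/usr/sbin/httpd\0' > "$root/3102/cmdline"
    ln -s /usr/sbin/httpd "$root/3102/exe"
    printf 'ps\0x\0' > "$root/3147/cmdline"
    ln -s /usr/bin/perl "$root/3147/exe"
    printf '%s\n' "$root"
}

# Offline demo: prints '3147 claims "ps" but runs /usr/bin/perl'
# find_masked_procs "$(build_demo_tree)"
# Live system (as root so every exe link is readable): find_masked_procs
```

Expect a few benign hits on a real box, such as login shells reporting "-bash" or /bin/sh being a symlink to bash; the entries worth attention are the ones like the thread's, where a process claiming to be a system utility runs from an interpreter or from /tmp.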