Re: possibly hacked

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 16 Nov 2006 olga@xxxxxxxxxxxxxx wrote:

> Here's what I get when I issued: netstat -nap
>
> tcp    0      0 131.x.x.x:38423       72.x.x.x:80      ESTABLISHED 5226/ps x
> tcp    0      0 131.x.x.x:38420       72.x.x.x:80      ESTABLISHED 5365/ps x
>
> About a hundred instances of that program 'ps x' running.
>
> Also here's what ps -ef produced:
>
> apache    6323     1  0 10:30 ?        00:00:00 ps x
> apache    6324     1  0 10:30 ?        00:00:00 ps x
> apache    6326     1  0 10:30 ?        00:00:00 ps x
> apache    6328     1  0 10:30 ?        00:00:00 ps x
> apache    6330     1  0 10:30 ?        00:00:00 ps x

The processes are owned by apache, so the chances are that there is a
security hole in the version of apache/httpd that you are using, or
perhaps more likely there are exploitable web pages somewhere on your
server (maybe a bulletin board like phpbb, or phpmyadmin).
I see that these things are talking to port 80, ie. probably a web server
on the remote site, so it could be getting commands from there or
attempting to spread further.
Your web logs may be able to tell you more.

	Michael Young


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux