Hi, after I applied iptables to restrict access to the classic web server port, and after having blocked 210.169.91.66, which seems to be the IP from which someone was using my server, it has been 2 days that I don't see the exe in top.
The sockstat file tells me this: sockets: used 113 TCP: inuse 59 orphan 1 tw 63 alloc 65 mem 155 UDP: inuse 14 RAW: inuse 0 FRAG: inuse 0 memory 0
Strings: I don't know how it works. I know that when I see this exe in top and I do lsof -p processnumber, it shows some lib files in use and one file in /tmp marked as deleted.
Dan Trainor - hostinthebox.net wrote:
Franco -
You can try to find it in /proc. You can also use sockstat to check for unusual socket connections.
Once I locate the actual binary, I run 'strings' against it and look for anything unusual. Look for dirs named '...' and '....' in /var/tmp and /tmp, as this is more often than not a "starting point".
Please respond and share your findings with the group.
Thanks! -dant
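The /proc-based triage Dan describes, as an added example that is not part of the original thread: given the PID top shows next to the suspicious "exe", read the real executable path from /proc/<pid>/exe, list file-backed mappings that have been deleted from disk (the "(deleted)" entry lsof -p shows), list TCP ports in LISTEN state from /proc/net/tcp, and look for dot-only directories under /tmp and /var/tmp. The helpers take file paths so they can run offline; the sample_maps and sample_tcp data are constructed in /proc format, not captured from a real host, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: shell helpers for the /proc-based
# triage (real binary, deleted /tmp file, unusual listeners, '...' hiding dirs).
# Assumes Linux with /proc mounted. The sample_* functions emit constructed data
# in /proc format so the helpers can be exercised offline; on a live box pass
# the real /proc paths (see triage_pid).
LC_ALL=C
export LC_ALL

# On-disk path of a running process's executable; a binary that unlinked
# itself after starting shows up here as "/tmp/xxx (deleted)".
proc_exe_path() {
    readlink "/proc/$1/exe" 2>/dev/null || echo "(unavailable)"
}

# Distinct file-backed mappings deleted from disk, read from a /proc/<pid>/maps
# style file. Fields: addr perms offset dev inode path [(deleted)]
deleted_mappings() {
    awk '$NF == "(deleted)" {
        p = $6
        for (i = 7; i < NF; i++) p = p " " $i   # keep paths containing spaces
        print p
    }' "$1" | sort -u
}

# TCP ports in LISTEN state (st == 0A) from a /proc/net/tcp style file; the
# port is the hex half of local_address, converted without gawk extensions.
listening_ports() {
    awk 'NR > 1 && $4 == "0A" {
        split($2, a, ":"); h = a[2]; port = 0
        for (i = 1; i <= length(h); i++)
            port = port * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
        print port
    }' "$1" | sort -n -u
}

# Directories named only with dots ("...", "....", ...) under the given roots.
# "." and ".." are normal entries; anything longer is a classic hiding spot.
find_dot_dirs() {
    for root in "$@"; do
        find "$root" -type d 2>/dev/null | grep -E '/\.{3,}$' || true
    done
}

# Constructed sample in /proc/<pid>/maps format (not from a real host).
sample_maps() {
    cat <<'EOF'
08048000-080b0000 r-xp 00000000 03:05 123456     /tmp/httpd (deleted)
080b0000-080b5000 rw-p 00067000 03:05 123456     /tmp/httpd (deleted)
40000000-40013000 r-xp 00000000 03:05 654321     /lib/ld-2.3.2.so
bfffe000-c0000000 rwxp ffffffff 00:00 0
EOF
}

# Constructed sample in /proc/net/tcp format: 22 and 80 listening, one
# established connection on 3128, and an unexpected listener on 6601 (0x19C9).
sample_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235
   2: 0100007F:0C38 0100007F:8E12 01 00000000:00000000 00:00000000 00000000    48        0 1236
   3: 00000000:19C9 00000000:0000 0A 00000000:00000000 00:00000000 00000000    48        0 1237
EOF
}

# Live triage of one PID (the number top shows beside the suspicious "exe").
triage_pid() {
    pid="$1"
    echo "exe:      $(proc_exe_path "$pid")"
    echo "deleted mappings:"; deleted_mappings "/proc/$pid/maps" | sed 's/^/  /'
    echo "listening ports:";  listening_ports /proc/net/tcp | sed 's/^/  /'
    echo "dot dirs:";         find_dot_dirs /tmp /var/tmp | sed 's/^/  /'
}

# Offline demo on the constructed samples.
demo() {
    m=$(mktemp); t=$(mktemp)
    sample_maps > "$m"; sample_tcp > "$t"
    echo "deleted mappings:"; deleted_mappings "$m"
    echo "listening ports:";  listening_ports "$t"
    rm -f "$m" "$t"
}

# `sh triage.sh demo` runs the offline demo; otherwise source the file and
# call triage_pid <pid> on the live host.
if [ "${1:-}" = "demo" ]; then demo; fi
```

Once the deleted path and the odd listener are known, the file is gone from disk but its contents are still mapped, so `strings` can be run against /proc/<pid>/exe before the process is killed; killing it first loses the only copy of the binary.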
Franco wrote:
Hi, I have an old Red Hat 9.0 updated to the last release of RH; in some cases in top I see httpd shown as exe. I have read that it can be a virus or trojan, but how can I find this out, and if so, how can I delete it? I ran chkrootkit and rkhunter on the server, and it seems that chkrootkit sometimes tells me that I have hidden processes, but not always, and rkhunter tells me that all is OK. Any suggestions?