I found d0s3.txt in my /tmp dir. Not sure how it got there. Found this too: Here is the log file from error_log.1 --19:21:21-- http://@#!@#!@#!@#!yeah.freesuperhost.com/d0s3.txt => `d0s3.txt' Resolving @#!@#!@#!@#!yeah.freesuperhost.com... done. Connecting to @#!@#!@#!@#!yeah.freesuperhost.com[70.84.229.131]:80... connected. HTTP request sent, awaiting response... 200 OK Length: 20,419 [text/plain] 0K .......... ......... 100% 74.68 KB/s 19:21:23 (74.68 KB/s) - `d0s3.txt' saved [20419/20419] Not quite sure how this happened Mark Quoting Alexander Dalloz <ad+lists@xxxxxxxxx>: > Am Di, den 14.12.2004 schrieb mark@xxxxxxxxx um 0:00: > > > When I run: lsof -i |grep perl > > I get: > > > perl 4883 apache 124u IPv4 193039277 TCP > > onofmydomains.com:56272->ftp.pqa.com:ircd (ESTABLISHED) > > > perl 17513 apache 124u IPv4 65252685 TCP > > oneofmydomains.com:60371->chobits.ircrev.com:ircd (ESTABLISHED) > > > > So I have a connection to an irc daemon. > > You have two of them. Whether they are really irc connections can't be > said from that. The "ircd" comes from /etc/services and so port 6667 is > translated this way. But it is: > > Trying 12.5.48.98... > Connected to ftp.pqa.com. > Escape character is '^]'. > :Metallica.USA.GigaChat.net NOTICE AUTH :*** Looking up your hostname... > :Metallica.USA.GigaChat.net NOTICE AUTH :*** Found your hostname > (cached) > > > I have grepped the web content directory for ircd and not found anything. > > ps -ef |grep ircd gets nothing. > > I can imagine that this does not show something useful. I guess there > are cgi::irc webchat interfaces running. So check the content of cgi-bin > directories. These webchat things can consume large amounts of > resources. > > > I also cant seem to locate a perl script that is causing this. > > So can anyone offer some help here? How can I check this further. I want > to > > nail down the user ( web user I hope ) that is running this. > > So you have users allowed to run things on Apache? > > locate irc.cgi > > Maybe that shows you quickly the locations where the "bad" things are. > > > Mark > > Alexander > > > -- > Alexander Dalloz | Enger, Germany | new address - new key: 0xB366A773 > legal statement: http://www.uni-x.org/legal.html > Fedora GNU/Linux Core 2 (Tettnang) on Athlon kernel 2.6.9-1.6_FC2smp > Serendipity 00:46:57 up 3 days, 19:27, load average: 0.48, 0.59, 0.73 > ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program.
