On Thu, 2006-11-16 at 10:26 -0600, olga@xxxxxxxxxxxxxx wrote:
> Hi,
>
> I wrote about kernel errors which somebody pointed out was because the
> server was running out of memory.
>
> Now I found the following which makes me think that that server may have
> been compromised.
>
> Here's what I get when I issued: netstat -nap
>
> tcp 0 0 131.x.x.x:38423 72.x.x.x:80 ESTABLISHED 5226/ps x
> tcp 0 0 131.x.x.x:38420 72.x.x.x:80 ESTABLISHED 5365/ps x
>
> About a hundred instances of that program 'ps x' running.
>
> Also here's what ps -ef produced:
>
> apache 6323 1 0 10:30 ? 00:00:00 ps x
> apache 6324 1 0 10:30 ? 00:00:00 ps x
> apache 6326 1 0 10:30 ? 00:00:00 ps x
> apache 6328 1 0 10:30 ? 00:00:00 ps x
> apache 6330 1 0 10:30 ? 00:00:00 ps x

What does ls -l /proc/6323/exe say? That would be a symlink to the
executable for that process. Normal ps lives in /bin so the link should
point at /bin/ps. If it is connecting out to a remote host, it's likely
not the normal ps, just something that's masking itself to make it less
likely to get picked up.

--
David Hollis <dhollis@xxxxxxxxxxxxxx>
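
The check suggested in the reply, generalized to every process, as an added example that is not part of the original thread: it compares each process's argv[0] with the target of /proc/PID/exe and also flags binaries that have been deleted from disk. The function name `find_masquerading` and the `PROC_ROOT` override are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Flags processes whose claimed name
# (argv[0]) differs from the binary behind /proc/PID/exe.
# PROC_ROOT is an assumed override for scanning a copied or constructed tree.

find_masquerading() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/cmdline" ] || continue
        # exe cannot be read for kernel threads or other users' processes.
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        [ -n "$exe" ] || continue

        # argv[0] is the text before the first NUL; a process can rewrite it.
        argv0=$(tr '\000' '\n' 2>/dev/null < "$dir/cmdline" | head -n 1)
        [ -n "$argv0" ] || continue
        claimed=${argv0%% *}     # "ps x" stuffed into argv[0] -> "ps"
        claimed=${claimed#-}     # login shells appear as "-bash"
        claimed=${claimed%:}     # daemons retitle themselves as "sshd: user"
        claimed=${claimed##*/}   # drop any directory part

        reason=
        case $exe in
            *" (deleted)")
                # The kernel appends this when the file was unlinked after exec.
                reason=deleted-binary
                exe=${exe%" (deleted)"}
                ;;
        esac
        if [ "$claimed" != "${exe##*/}" ]; then
            reason=${reason:+$reason,}name-mismatch
        fi
        if [ -n "$reason" ]; then
            # Columns: PID, claimed name, real executable path, reason(s)
            printf '%s\t%s\t%s\t%s\n' "${dir##*/}" "$claimed" "$exe" "$reason"
        fi
    done
    return 0
}

find_masquerading "${PROC_ROOT:-/proc}"
```

Run it as root so the exe links of other users' processes (such as the apache-owned ones above) are readable. A mismatch is a triage lead, not proof: multi-call binaries such as busybox and version-suffixed interpreters (python3 resolving to python3.11) also show up.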