On Thu, 16 Nov 2006 olga@xxxxxxxxxxxxxx wrote:
> Here's what I get when I issued: netstat -nap
>
> tcp 0 0 131.x.x.x:38423 72.x.x.x:80 ESTABLISHED 5226/ps x
> tcp 0 0 131.x.x.x:38420 72.x.x.x:80 ESTABLISHED 5365/ps x
>
> About a hundred instances of that program 'ps x' running.
>
> Also here's what ps -ef produced:
>
> apache 6323 1 0 10:30 ? 00:00:00 ps x
> apache 6324 1 0 10:30 ? 00:00:00 ps x
> apache 6326 1 0 10:30 ? 00:00:00 ps x
> apache 6328 1 0 10:30 ? 00:00:00 ps x
> apache 6330 1 0 10:30 ? 00:00:00 ps x

The processes are owned by apache, so the chances are that there is a security hole in the version of apache/httpd that you are using, or perhaps more likely there are exploitable web pages somewhere on your server (maybe a bulletin board like phpbb, or phpmyadmin).

I see that these things are talking to port 80, i.e. probably a web server on the remote site, so it could be getting commands from there or attempting to spread further. Your web logs may be able to tell you more.

Michael Young
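The correlation made in the reply above (processes owned by apache that are the client side of a connection to remote port 80) can be scripted when there are a hundred such lines to sift. This is an added example, not part of the original message: the sample output is constructed with documentation addresses, and the function names and the `web_user`/`web_ports` parameters are hypothetical.

```python
from collections import Counter

# Constructed sample output (documentation addresses, not data from the thread).
NETSTAT = """\
tcp   0  0 0.0.0.0:80          0.0.0.0:*            LISTEN      2101/httpd
tcp   0  0 192.0.2.10:80       203.0.113.5:51514    ESTABLISHED 2140/httpd
tcp   0  0 192.0.2.10:38423    198.51.100.7:80      ESTABLISHED 6323/ps x
tcp   0  0 192.0.2.10:38420    198.51.100.7:80      ESTABLISHED 6324/ps x
tcp   0  0 192.0.2.10:22       203.0.113.9:40022    ESTABLISHED 1800/sshd
"""
PS_EF = """\
root      1800     1  0 09:00 ?        00:00:00 sshd
root      2101     1  0 09:00 ?        00:00:01 httpd
apache    2140  2101  0 09:01 ?        00:00:00 httpd
apache    6323     1  0 10:30 ?        00:00:00 ps x
apache    6324     1  0 10:30 ?        00:00:00 ps x
"""

def parse_ps(text):
    """Map pid -> (user, ppid, cmd) from `ps -ef` lines."""
    procs = {}
    for line in text.splitlines():
        f = line.split(None, 7)  # CMD is the last field and may contain spaces
        if len(f) == 8 and f[1].isdigit():
            procs[int(f[1])] = (f[0], int(f[2]), f[7])
    return procs

def suspicious_clients(netstat, ps, web_user="apache", web_ports=(80,)):
    """Established connections made *by* web_user to a remote web port."""
    procs, hits = parse_ps(ps), []
    for line in netstat.splitlines():
        f = line.split(None, 6)  # "PID/Program name" may contain spaces
        if len(f) < 7 or f[5] != "ESTABLISHED" or "/" not in f[6]:
            continue
        lport = int(f[3].rsplit(":", 1)[1])
        raddr, rport = f[4].rsplit(":", 1)
        pid = int(f[6].split("/", 1)[0])
        user, ppid, cmd = procs.get(pid, ("?", -1, "?"))
        # The server side of a connection has the web port locally; skip those.
        if user == web_user and int(rport) in web_ports and lport not in web_ports:
            hits.append((pid, ppid, cmd, raddr))
    return hits

def summarize(hits):
    """Count hits per (command, remote address) to show the scale."""
    return Counter((cmd, raddr) for _, _, cmd, raddr in hits)
```

Each hit carries the parent PID as well, so processes that were reparented to PID 1 (as in the quoted ps -ef output) stand out from ordinary httpd children.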