> On Thu, 16 Nov 2006 olga@xxxxxxxxxxxxxx wrote:
>
>> Here's what I get when I issued: netstat -nap
>>
>> tcp 0 0 131.x.x.x:38423 72.x.x.x:80 ESTABLISHED 5226/ps x
>> tcp 0 0 131.x.x.x:38420 72.x.x.x:80 ESTABLISHED 5365/ps x
>>
>> About a hundred instances of that program 'ps x' running.
>>
>> Also here's what ps -ef produced:
>>
>> apache 6323 1 0 10:30 ? 00:00:00 ps x
>> apache 6324 1 0 10:30 ? 00:00:00 ps x
>> apache 6326 1 0 10:30 ? 00:00:00 ps x
>> apache 6328 1 0 10:30 ? 00:00:00 ps x
>> apache 6330 1 0 10:30 ? 00:00:00 ps x
>
> The processes are owned by apache, so the chances are that there is a
> security hole in the version of apache/httpd that you are using, or
> perhaps more likely there are exploitable web pages somewhere on your
> server (maybe a bulletin board like phpbb, or phpmyadmin).
> I see that these things are talking to port 80, i.e. probably a web server
> on the remote site, so it could be getting commands from there or
> attempting to spread further.
> Your web logs may be able to tell you more.
>
> Michael Young

Did ps -ef again. Here's what I got:

apache 1799 1 0 15:05 ? 00:00:00 httpd
apache 1801 1 0 15:05 ? 00:00:00 httpd

A LOT of these.

and when I did ls -l /proc/1801/exe:

lrwxrwxrwx 1 apache apache 0 Nov 16 15:05 /proc/1801/exe -> /usr/bin/perl

It looks like some kind of script is running.

Ok I ran the command:
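
Added example, not part of the original thread: the check made in the message above (ls -l /proc/1801/exe showing /usr/bin/perl behind a process listed as httpd) applied to every process. The function name find_masquerading and its optional proc-root argument are assumptions of this example; the name comparison is a heuristic, so daemons that legitimately retitle themselves will also be listed.

```shell
#!/bin/sh
# Added example (not from the thread): list processes whose displayed name
# (argv[0]) differs from the binary that /proc/<pid>/exe points to.
# Linux only. Run as root to see processes owned by other users.
# Usage: find_masquerading            # scan the live /proc
#        find_masquerading /some/dir  # scan a copied or test tree (assumption)

find_masquerading() {
    proc_root=${1:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid=${dir##*/}
        # exe is a symlink to the running binary. It is unreadable for
        # kernel threads and for other users' processes when not root.
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        [ -n "$exe" ] || continue
        # A binary removed from disk after start shows as "/path (deleted)".
        exe=${exe% (deleted)}
        # cmdline is NUL-separated; the first field is argv[0].
        argv0=$(tr '\000' '\n' 2>/dev/null < "$dir/cmdline" | head -n 1)
        [ -n "$argv0" ] || continue
        claimed=${argv0%% *}      # "ps x"  -> "ps"
        claimed=${claimed##*/}    # strip any directory part
        claimed=${claimed#-}      # login shells: "-bash" -> "bash"
        claimed=${claimed%:}      # titles such as "sshd: user" -> "sshd"
        actual=${exe##*/}
        if [ "$claimed" != "$actual" ]; then
            # pid, displayed name, real binary (tab-separated)
            printf '%s\t%s\t%s\n' "$pid" "$argv0" "$exe"
        fi
    done
}
```

Each output line gives the PID, the name the process displays, and the binary it is really running; a web-server user running an interpreter under another program's name, as in the listings above, is the pattern to look for.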