On Thu, 16 Nov 2006 10:26:20 -0600, olga wrote:
> Hi,
>
> I wrote about kernel errors which somebody pointed out was because the
> server was running out of memory.
>
> Now I found the following which makes me think that that server may have
> been compromised.
>
> Here's what I get when I issued: netstat -nap
>
> tcp 0 0 131.x.x.x:38423 72.x.x.x:80 ESTABLISHED 5226/ps x
> tcp 0 0 131.x.x.x:38420 72.x.x.x:80 ESTABLISHED 5365/ps x
>
> About a hundred instances of that program 'ps x' running.
>

It's strange that your ps is talking over the network with a web server. That ain't no ordinary ps. And their web server (on port 80) ain't no ordinary web server. So yeah, it's possible that "you've been had" as they say.

It may be that they are scanning other networks for vulnerabilities, trying to break in, and they replaced the clean netstat with something that simply reports what you posted. It did happen to me once.

If you want to know what your ps and the remote machine are talking about, you can run wireshark (formerly known as ethereal) and look at the packets. Of course, you should do so on a machine known not to be compromised. On the machine you suspect has been hacked, you cannot trust any program.

And often if you do a portscan on the suspected attacker (e.g. with nmap, or xnmap), or even if you simply open the web page at that address, you may find out what's going on.

If you can, unplug the network wire (though if they know what they are doing, your hard drive might be wiped when their scripts detect that the network is down. It's your call.).

Run rpm -V from a rescue cd (not the one in /usr/bin) on procps, net-tools, and the other essential system utilities (including rpm itself). Then you'll know for sure.
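The triage step the reply describes, spotting a utility such as ps that holds many ESTABLISHED connections to one remote web server, can be automated over saved `netstat -nap` output. The following is an added example, not code from the thread; it parses a constructed sample modelled on the quoted lines (addresses are placeholders, not the original host's), flags established connections owned by programs that have no business on the network, and counts them per program and remote host so the "about a hundred instances" pattern stands out. The set of "non-network tools" is an assumption chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample of `netstat -nap` output; placeholder addresses, not the
# thread's real hosts. The two 'ps x' lines mirror what olga posted.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 131.0.0.10:38423        72.0.0.5:80             ESTABLISHED 5226/ps x
tcp        0      0 131.0.0.10:38420        72.0.0.5:80             ESTABLISHED 5365/ps x
tcp        0      0 131.0.0.10:22           10.0.0.7:51022          ESTABLISHED 812/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           -
"""

# One netstat row: proto, queues, local, foreign, optional state, PID/program.
# The program field may contain spaces (the thread shows '5226/ps x').
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"\s+(?P<state>[A-Z_]+)?\s*(?P<pid>\d+|-)(?:/(?P<prog>.*?))?\s*$"
)

# Assumed list of utilities that should never own a TCP socket on a sane host.
NON_NETWORK_TOOLS = {"ps", "ls", "cat", "grep", "sed", "awk", "top"}


def parse_netstat(text):
    """Return one dict per data row of netstat -nap output; headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def suspicious_connections(rows):
    """ESTABLISHED connections owned by a program from NON_NETWORK_TOOLS."""
    found = []
    for r in rows:
        if r["state"] != "ESTABLISHED" or not r["prog"]:
            continue
        # 'ps x' -> 'ps'; '/usr/bin/ps' -> 'ps'
        base = r["prog"].split()[0].rsplit("/", 1)[-1]
        if base in NON_NETWORK_TOOLS:
            found.append(r)
    return found


def summarize(rows):
    """Count suspicious connections per (program, remote host)."""
    counts = Counter()
    for r in suspicious_connections(rows):
        host = r["foreign"].rsplit(":", 1)[0]
        counts[(r["prog"], host)] += 1
    return counts


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE_NETSTAT)
    for (prog, host), n in summarize(parsed).items():
        print(f"{n} established connection(s) from '{prog}' to {host}")
```

As the reply points out, netstat and ps on the suspect host may themselves be replaced, so feed this script output captured from a rescue-CD boot or a packet capture taken from another machine, and treat a clean result from the live system as no evidence at all.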