Are you using PHP on that server? If yes, grep the root for "eval", it could be a UDP flood backdoor.
Here is the ps aufx result... (a bit long....)
Nico
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 2 0.0 0.0 0 0 ? S 2013 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 2013 0:07 \_ [migration/0]
root 4 0.0 0.0 0 0 ? S 2013 0:24 \_ [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S 2013 0:00 \_ [watchdog/0]
root 6 0.0 0.0 0 0 ? S 2013 0:07 \_ [migration/1]
root 7 0.0 0.0 0 0 ? S 2013 0:05 \_ [ksoftirqd/1]
root 8 0.0 0.0 0 0 ? S 2013 0:00 \_ [watchdog/1]
root 9 0.0 0.0 0 0 ? S 2013 0:13 \_ [migration/2]
root 10 0.0 0.0 0 0 ? S 2013 0:03 \_ [ksoftirqd/2]
root 11 0.0 0.0 0 0 ? S 2013 0:00 \_ [watchdog/2]
root 12 0.0 0.0 0 0 ? S 2013 0:14 \_ [migration/3]
root 13 0.0 0.0 0 0 ? S 2013 0:02 \_ [ksoftirqd/3]
root 14 0.0 0.0 0 0 ? S 2013 0:00 \_ [watchdog/3]
root 15 0.0 0.0 0 0 ? S 2013 5:08 \_ [events/0]
root 16 0.0 0.0 0 0 ? S 2013 0:29 \_ [events/1]
root 17 0.0 0.0 0 0 ? S 2013 0:24 \_ [events/2]
root 18 0.0 0.0 0 0 ? S 2013 0:27 \_ [events/3]
root 19 0.0 0.0 0 0 ? S 2013 0:00 \_ [cpuset]
root 20 0.0 0.0 0 0 ? S 2013 0:00 \_ [khelper]
root 21 0.0 0.0 0 0 ? S 2013 0:00 \_ [netns]
root 22 0.0 0.0 0 0 ? S 2013 0:00 \_ [async/mgr]
root 23 0.0 0.0 0 0 ? S 2013 0:00 \_ [pm]
root 24 0.0 0.0 0 0 ? S 2013 0:04 \_ [sync_supers]
root 25 0.0 0.0 0 0 ? S 2013 0:05 \_ [bdi-default]
root 26 0.0 0.0 0 0 ? S 2013 0:00 \_ [kintegrityd/0]
root 27 0.0 0.0 0 0 ? S 2013 0:00 \_ [kintegrityd/1]
root 28 0.0 0.0 0 0 ? S 2013 0:00 \_ [kintegrityd/2]
root 29 0.0 0.0 0 0 ? S 2013 0:00 \_ [kintegrityd/3]
root 30 0.0 0.0 0 0 ? S 2013 2:36 \_ [kblockd/0]
root 31 0.0 0.0 0 0 ? S 2013 0:03 \_ [kblockd/1]
root 32 0.0 0.0 0 0 ? S 2013 0:03 \_ [kblockd/2]
root 33 0.0 0.0 0 0 ? S 2013 0:02 \_ [kblockd/3]
root 34 0.0 0.0 0 0 ? S 2013 0:00 \_ [kacpid]
root 35 0.0 0.0 0 0 ? S 2013 0:00 \_ [kacpi_notify]
root 36 0.0 0.0 0 0 ? S 2013 0:00 \_ [kacpi_hotplug]
root 37 0.0 0.0 0 0 ? S 2013 0:00 \_ [kseriod]
root 42 0.0 0.0 0 0 ? S 2013 0:00 \_ [kondemand/0]
root 43 0.0 0.0 0 0 ? S 2013 0:00 \_ [kondemand/1]
root 44 0.0 0.0 0 0 ? S 2013 0:00 \_ [kondemand/2]
root 45 0.0 0.0 0 0 ? S 2013 0:00 \_ [kondemand/3]
root 46 0.0 0.0 0 0 ? S 2013 0:02 \_ [khungtaskd]
root 47 0.0 0.0 0 0 ? S 2013 13:20 \_ [kswapd0]
root 48 0.0 0.0 0 0 ? SN 2013 0:00 \_ [ksmd]
root 49 0.0 0.0 0 0 ? S 2013 0:00 \_ [aio/0]
root 50 0.0 0.0 0 0 ? S 2013 0:00 \_ [aio/1]
root 51 0.0 0.0 0 0 ? S 2013 0:00 \_ [aio/2]
root 52 0.0 0.0 0 0 ? S 2013 0:00 \_ [aio/3]
root 53 0.0 0.0 0 0 ? S 2013 0:00 \_ [crypto/0]
root 54 0.0 0.0 0 0 ? S 2013 0:00 \_ [crypto/1]
root 55 0.0 0.0 0 0 ? S 2013 0:00 \_ [crypto/2]
root 56 0.0 0.0 0 0 ? S 2013 0:00 \_ [crypto/3]
root 229 0.0 0.0 0 0 ? S 2013 0:00 \_ [ksuspend_usbd]
root 231 0.0 0.0 0 0 ? S 2013 0:00 \_ [khubd]
root 291 0.0 0.0 0 0 ? S 2013 0:00 \_ [ata/0]
root 292 0.0 0.0 0 0 ? S 2013 0:00 \_ [ata/1]
root 293 0.0 0.0 0 0 ? S 2013 0:00 \_ [ata/2]
root 294 0.0 0.0 0 0 ? S 2013 0:00 \_ [ata/3]
root 295 0.0 0.0 0 0 ? S 2013 0:00 \_ [ata_aux]
root 296 0.0 0.0 0 0 ? S 2013 0:00 \_ [scsi_eh_0]
root 297 0.0 0.0 0 0 ? S 2013 0:00 \_ [scsi_eh_1]
root 298 0.0 0.0 0 0 ? S 2013 0:00 \_ [scsi_eh_2]
root 301 0.0 0.0 0 0 ? S 2013 0:00 \_ [scsi_eh_3]
root 302 0.0 0.0 0 0 ? S 2013 0:00 \_ [scsi_eh_4]
root 321 0.0 0.0 0 0 ? S 2013 0:00 \_ [usbhid_resumer]
root 378 0.0 0.0 0 0 ? S 2013 22:56 \_ [kjournald]
root 820 0.0 0.0 0 0 ? S 2013 14:31 \_ [flush-8:0]
root 822 0.0 0.0 0 0 ? S 2013 0:28 \_ [flush-8:16]
root 1057 0.0 0.0 0 0 ? S 2013 2:43 \_ [kjournald]
root 1058 0.0 0.0 0 0 ? S 2013 0:20 \_ [kjournald]
root 1059 0.0 0.0 0 0 ? S 2013 1:23 \_ [kjournald]
root 11015 0.0 0.0 0 0 ? S 2013 0:00 \_ [rpciod/0]
root 11017 0.0 0.0 0 0 ? S 2013 0:00 \_ [rpciod/1]
root 11018 0.0 0.0 0 0 ? S 2013 0:00 \_ [rpciod/2]
root 11019 0.0 0.0 0 0 ? S 2013 0:00 \_ [rpciod/3]
root 11022 0.0 0.0 0 0 ? S< 2013 0:00 \_ [kslowd000]
root 11023 0.0 0.0 0 0 ? S< 2013 0:00 \_ [kslowd001]
root 11024 0.0 0.0 0 0 ? S 2013 0:00 \_ [nfsiod]
root 1 0.0 0.0 8352 620 ? Ss 2013 0:25 init [2]
daemon 1396 0.0 0.0 18708 276 ? Ss 2013 0:00 /usr/sbin/atd
root 1734 0.0 0.0 3952 436 ? S 2013 0:00 /bin/sh /usr/bin/mysqld_safe
mysql 7054 0.0 1.4 403444 57200 ? Sl 2013 42:41 \_ /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
root 7055 0.0 0.0 3852 532 ? S 2013 0:00 \_ logger -t mysqld -p daemon.error
postgrey 1926 0.0 0.0 58256 1308 ? Ss 2013 0:00 /usr/sbin/postgrey --pidfile=/var/run/postgrey.pid --daemonize --inet=60000
root 2217 0.0 0.0 5928 488 tty2 Ss+ 2013 0:00 /sbin/getty 38400 tty2
root 2218 0.0 0.0 5928 488 tty3 Ss+ 2013 0:00 /sbin/getty 38400 tty3
root 2219 0.0 0.0 5928 488 tty4 Ss+ 2013 0:00 /sbin/getty 38400 tty4
root 2220 0.0 0.0 5928 488 tty5 Ss+ 2013 0:00 /sbin/getty 38400 tty5
root 2221 0.0 0.0 5928 488 tty6 Ss+ 2013 0:00 /sbin/getty 38400 tty6
root 3177 0.0 0.0 5928 488 tty1 Ss+ 2013 0:00 /sbin/getty 38400 tty1
root 8777 0.0 0.0 70456 2932 ? Ss 11:47 0:00 sshd: root@pts/0
root 8779 0.0 0.0 19404 2064 pts/0 Ss 11:47 0:00 \_ -bash
root 19895 0.0 0.0 42536 3428 pts/0 S+ 14:35 0:00 \_ mc
root 19898 0.0 0.0 19288 1960 pts/2 Ss+ 14:35 0:00 \_ bash -rcfile .bashrc
root 11242 0.0 0.0 70488 3028 ? Ss 12:38 0:00 sshd: root@pts/1
root 11290 0.0 0.0 19292 1956 pts/1 Ss 12:38 0:00 \_ -bash
root 2565 0.0 0.0 16444 1160 pts/1 R+ 15:15 0:00 \_ ps auxf
root 2566 0.0 0.0 128 4 pts/1 D+ 15:15 0:00 \_ [more]
root 11619 0.0 0.0 49072 1444 ? Ss 12:39 0:00 /usr/sbin/sshd
root 12501 0.0 0.0 22420 1000 ? Ss 12:41 0:00 /usr/sbin/cron
root 12774 0.0 0.0 37168 2392 ? Ss 12:41 0:04 /usr/lib/postfix/master
postfix 12795 0.0 0.0 39488 2700 ? S 12:41 0:01 \_ qmgr -l -t fifo -u -c
postfix 12796 0.0 0.0 39356 2520 ? S 12:41 0:03 \_ trivial-rewrite -n rewrite -t unix -u -c
postfix 12811 0.0 0.0 39364 2520 ? S 12:41 0:00 \_ anvil -l -t unix -u -c
postfix 15272 0.0 0.0 52680 3424 ? S 12:44 0:03 \_ proxymap -t unix -u
postfix 14550 0.0 0.0 39232 2324 ? S 14:21 0:00 \_ pickup -l -t fifo -u -c
postfix 26350 0.0 0.0 52560 3372 ? S 14:52 0:00 \_ virtual -t unix
postfix 26352 0.0 0.0 52560 3376 ? S 14:52 0:00 \_ virtual -t unix
postfix 26353 0.0 0.0 52560 3376 ? S 14:52 0:00 \_ virtual -t unix
postfix 27059 0.0 0.0 46020 3500 ? S 14:54 0:00 \_ smtpd -n smtp -t inet -u -c -o stress=
postfix 27060 0.0 0.0 46020 3508 ? S 14:54 0:00 \_ smtpd -n smtp -t inet -u -c -o stress=
postfix 27084 0.0 0.0 46020 3504 ? S 14:54 0:00 \_ smtpd -n smtp -t inet -u -c -o stress=
postfix 27555 0.0 0.0 46020 3508 ? S 14:55 0:00 \_ smtpd -n smtp -t inet -u -c -o stress=
postfix 27559 0.0 0.0 46020 3496 ? S 14:55 0:00 \_ smtpd -n smtp -t inet -u -c -o stress=
postfix 27875 0.0 0.0 52560 3376 ? S 14:56 0:00 \_ virtual -t unix
postfix 27893 0.0 0.0 52560 3376 ? S 14:56 0:00 \_ virtual -t unix
postfix 29988 0.0 0.0 52560 3372 ? S 15:02 0:00 \_ virtual -t unix
nobody 31402 0.0 0.0 52560 3368 ? S 15:06 0:00 \_ virtual -t unix
postfix 31405 0.0 0.0 39264 2404 ? S 15:06 0:00 \_ bounce -z -n defer -t unix -u -c
postfix 31406 0.0 0.0 52560 3368 ? S 15:06 0:00 \_ virtual -t unix
postfix 329 0.1 0.0 43640 2700 ? S 15:09 0:00 \_ cleanup -z -t unix -u -c
postfix 1080 0.0 0.0 43520 2732 ? S 15:11 0:00 \_ smtp -t unix -u -c
postfix 1275 0.0 0.0 52560 3364 ? S 15:12 0:00 \_ virtual -t unix
postfix 1277 0.0 0.0 52560 3368 ? S 15:12 0:00 \_ virtual -t unix
nobody 1278 0.0 0.0 52560 3368 ? S 15:12 0:00 \_ virtual -t unix
postfix 1281 0.0 0.0 52560 3368 ? S 15:12 0:00 \_ virtual -t unix
postfix 1283 0.0 0.0 52560 3368 ? S 15:12 0:00 \_ virtual -t unix
postfix 1293 0.0 0.0 52560 3364 ? S 15:12 0:00 \_ virtual -t unix
postfix 1653 0.0 0.0 52652 3352 ? S 15:13 0:00 \_ proxymap -t unix -u
postfix 2270 0.0 0.0 43640 2692 ? S 15:15 0:00 \_ cleanup -z -t unix -u -c
postfix 2354 0.0 0.0 39244 2404 ? S 15:15 0:00 \_ trivial-rewrite -n rewrite -t unix -u -c
postfix 2364 0.0 0.0 39236 2420 ? S 15:15 0:00 \_ pipe -n yaa -t unix user=nobody argv=/home/yaa-0.3/bin/yaa.pl -c /home/yaa-0.3/conf/yaa.conf
postfix 2530 0.0 0.0 39264 2444 ? S 15:15 0:00 \_ bounce -z -t unix -u -c
root 12951 0.2 0.0 39408 1256 ? Ss 12:41 0:20 /usr/sbin/dovecot -c /etc/dovecot/dovecot.conf
root 12953 0.0 0.0 75360 3596 ? S 12:41 0:06 \_ dovecot-auth
root 12970 0.0 0.0 75036 3424 ? S 12:41 0:04 \_ dovecot-auth -w
root 13008 0.0 0.0 75036 3428 ? S 12:41 0:00 \_ dovecot-auth -w
nobody 13113 0.0 0.0 34716 2276 ? S 12:41 0:01 \_ imap
dovecot 13722 0.0 0.0 36924 2860 ? S 12:42 0:00 \_ imap-login
nobody 13724 0.0 0.0 31628 2076 ? S 12:42 0:00 \_ imap
dovecot 13730 0.0 0.0 36924 2860 ? S 12:42 0:00 \_ imap-login
nobody 13736 0.0 0.0 31600 2012 ? S 12:42 0:00 \_ imap
nobody 14409 0.0 0.0 32000 1964 ? S 12:43 0:00 \_ imap
dovecot 14560 0.0 0.0 36924 2860 ? S 12:43 0:00 \_ imap-login
nobody 14568 0.0 0.0 31452 1724 ? S 12:43 0:00 \_ imap
nobody 15212 0.0 0.0 31548 1872 ? S 12:44 0:00 \_ imap
nobody 15213 0.0 0.0 31748 1928 ? S 12:44 0:00 \_ imap
nobody 15214 0.0 0.0 31548 1872 ? S 12:44 0:00 \_ imap
nobody 15234 0.0 0.0 31452 1872 ? S 12:44 0:00 \_ imap
nobody 15235 0.0 0.0 31652 1744 ? S 12:44 0:00 \_ imap
nobody 15236 0.0 0.0 31748 1960 ? S 12:44 0:00 \_ imap
nobody 15237 0.0 0.0 31460 1764 ? S 12:44 0:00 \_ imap
nobody 15239 0.0 0.0 31552 1904 ? S 12:44 0:00 \_ imap
nobody 15255 0.0 0.0 31552 1872 ? S 12:44 0:00 \_ imap
nobody 15262 0.0 0.0 31548 1872 ? S 12:44 0:00 \_ imap
nobody 15301 0.0 0.0 32132 2136 ? S 12:44 0:00 \_ imap
dovecot 17060 0.0 0.0 36924 2872 ? S 12:48 0:00 \_ imap-login
nobody 17229 0.0 0.0 31576 1796 ? S 12:49 0:00 \_ imap
dovecot 17405 0.0 0.0 36924 2872 ? S 12:49 0:00 \_ imap-login
nobody 17430 0.0 0.0 31464 1768 ? S 12:49 0:00 \_ imap
dovecot 17433 0.0 0.0 36924 2868 ? S 12:49 0:00 \_ imap-login
nobody 17470 0.0 0.0 32892 2160 ? S 12:49 0:00 \_ imap
dovecot 17942 0.0 0.0 36924 2860 ? S 12:50 0:00 \_ imap-login
dovecot 18162 0.0 0.0 36924 2864 ? S 12:51 0:00 \_ imap-login
nobody 18221 0.0 0.0 31436 1708 ? S 12:51 0:00 \_ imap
nobody 18230 0.0 0.0 31436 1712 ? S 12:51 0:00 \_ imap
nobody 21297 0.0 0.0 31448 1764 ? S 13:00 0:00 \_ imap
nobody 4975 0.0 0.0 31436 1772 ? S 13:39 0:00 \_ imap
nobody 6722 0.0 0.0 31552 1808 ? S 13:44 0:00 \_ imap
dovecot 8972 0.0 0.0 36924 2872 ? S 13:50 0:00 \_ imap-login
nobody 9071 0.0 0.0 31576 1800 ? S 13:50 0:00 \_ imap
dovecot 12712 0.0 0.0 36924 2868 ? S 13:56 0:00 \_ imap-login
nobody 12773 0.0 0.0 31628 2100 ? S 13:56 0:00 \_ imap
dovecot 12837 0.0 0.0 36924 2868 ? S 13:57 0:00 \_ imap-login
nobody 12846 0.0 0.0 31528 1772 ? S 13:57 0:00 \_ imap
dovecot 13628 0.0 0.0 36924 2872 ? S 13:58 0:00 \_ imap-login
nobody 13870 0.0 0.0 31588 1908 ? S 13:59 0:00 \_ imap
nobody 14038 0.0 0.0 31628 1912 ? S 13:59 0:00 \_ imap
nobody 10488 0.0 0.0 31560 1788 ? S 14:11 0:00 \_ imap
nobody 10489 0.0 0.0 31436 1772 ? S 14:11 0:00 \_ imap
dovecot 11595 0.0 0.0 36924 2868 ? S 14:14 0:00 \_ imap-login
nobody 11685 0.0 0.0 31688 2100 ? S 14:14 0:00 \_ imap
nobody 13123 0.0 0.0 31444 1732 ? S 14:18 0:00 \_ imap
nobody 13124 0.0 0.0 31436 1504 ? S 14:18 0:00 \_ imap
nobody 13132 0.0 0.0 31436 1496 ? S 14:18 0:00 \_ imap
dovecot 15806 0.0 0.0 36924 2872 ? S 14:24 0:00 \_ imap-login
dovecot 15900 0.0 0.0 36924 2868 ? S 14:25 0:00 \_ imap-login
dovecot 16115 0.0 0.0 36924 2872 ? S 14:25 0:00 \_ imap-login
nobody 16131 0.0 0.0 32080 2300 ? S 14:25 0:00 \_ imap
nobody 16132 0.0 0.0 31780 2116 ? S 14:25 0:00 \_ imap
nobody 16133 0.0 0.0 31840 2028 ? S 14:25 0:00 \_ imap
dovecot 16135 0.0 0.0 36924 2868 ? S 14:25 0:00 \_ imap-login
nobody 16140 0.0 0.0 31804 2096 ? S 14:25 0:00 \_ imap
dovecot 16237 0.0 0.0 36924 2868 ? S 14:26 0:00 \_ imap-login
nobody 16300 0.0 0.0 31568 1796 ? S 14:26 0:00 \_ imap
dovecot 16493 0.0 0.0 36924 2872 ? S 14:26 0:00 \_ imap-login
nobody 16515 0.0 0.0 32240 2568 ? S 14:26 0:00 \_ imap
nobody 16571 0.0 0.0 31436 1732 ? S 14:27 0:00 \_ imap
dovecot 19937 0.0 0.0 36924 2872 ? S 14:35 0:00 \_ imap-login
dovecot 19938 0.0 0.0 36924 2872 ? S 14:35 0:00 \_ imap-login
nobody 19978 0.0 0.0 31568 1852 ? S 14:35 0:00 \_ imap
nobody 19979 0.0 0.0 31636 2020 ? S 14:35 0:00 \_ imap
dovecot 20409 0.0 0.0 36924 2872 ? S 14:37 0:00 \_ imap-login
nobody 20496 0.0 0.0 31540 1856 ? S 14:37 0:00 \_ imap
nobody 21115 0.0 0.0 31464 1892 ? S 14:38 0:00 \_ imap
nobody 22457 0.0 0.0 31444 1732 ? S 14:42 0:00 \_ imap
dovecot 22902 0.0 0.0 36924 2872 ? S 14:43 0:00 \_ imap-login
dovecot 23137 0.0 0.0 36924 2868 ? S 14:43 0:00 \_ imap-login
nobody 23187 0.0 0.0 31540 1772 ? S 14:43 0:00 \_ imap
nobody 23203 0.0 0.0 32056 2020 ? S 14:43 0:00 \_ imap
dovecot 23235 0.0 0.0 36924 2868 ? S 14:44 0:00 \_ imap-login
nobody 23246 0.0 0.0 31780 1964 ? S 14:44 0:00 \_ imap
nobody 23851 0.0 0.0 31656 1772 ? S 14:45 0:00 \_ imap
nobody 23852 0.0 0.0 31796 2032 ? S 14:45 0:00 \_ imap
nobody 24008 0.0 0.0 31800 2092 ? S 14:46 0:00 \_ imap
nobody 24182 0.0 0.0 31804 1948 ? S 14:46 0:00 \_ imap
dovecot 24569 0.0 0.0 36924 2872 ? S 14:47 0:00 \_ imap-login
nobody 24571 0.0 0.0 32176 2048 ? S 14:47 0:00 \_ imap
nobody 25066 0.0 0.0 31608 1904 ? S 14:48 0:00 \_ imap
dovecot 25117 0.0 0.0 36924 2864 ? S 14:48 0:00 \_ imap-login
nobody 25161 0.0 0.0 33656 2116 ? S 14:48 0:00 \_ imap
nobody 25399 0.0 0.0 31456 1780 ? S 14:49 0:00 \_ imap
nobody 25440 0.0 0.0 31640 1768 ? S 14:49 0:00 \_ imap
dovecot 25553 0.0 0.0 36924 2860 ? S 14:49 0:00 \_ imap-login
nobody 25565 0.0 0.0 33672 2168 ? S 14:49 0:00 \_ imap
nobody 27198 0.0 0.0 31620 1952 ? S 14:54 0:00 \_ imap
nobody 28153 0.0 0.0 31464 1792 ? S 14:57 0:00 \_ imap
nobody 28255 0.0 0.0 32300 2028 ? S 14:57 0:00 \_ imap
dovecot 29387 0.0 0.0 36924 2864 ? S 15:00 0:00 \_ imap-login
dovecot 29432 0.0 0.0 36924 2860 ? S 15:00 0:00 \_ imap-login
nobody 29468 0.0 0.0 31460 1764 ? S 15:00 0:00 \_ imap
nobody 29519 0.0 0.0 31436 1684 ? S 15:00 0:00 \_ imap
dovecot 29528 0.0 0.0 36924 2860 ? S 15:00 0:00 \_ imap-login
nobody 29586 0.0 0.0 31436 1500 ? S 15:00 0:00 \_ imap
nobody 29680 0.0 0.0 31588 1880 ? S 15:01 0:00 \_ imap
nobody 29704 0.0 0.0 31736 2144 ? S 15:01 0:00 \_ imap
nobody 29843 0.0 0.0 31448 1796 ? S 15:01 0:00 \_ imap
nobody 29876 0.0 0.0 31456 1808 ? S 15:01 0:00 \_ imap
nobody 30077 0.0 0.0 32720 2084 ? S 15:02 0:00 \_ imap
nobody 30153 0.0 0.0 31616 1924 ? S 15:02 0:00 \_ imap
nobody 30652 0.0 0.0 31640 1768 ? S 15:04 0:00 \_ imap
nobody 30660 0.0 0.0 31656 1784 ? S 15:04 0:00 \_ imap
dovecot 30851 0.0 0.0 36924 2872 ? S 15:04 0:00 \_ imap-login
dovecot 30978 0.0 0.0 36924 2868 ? S 15:05 0:00 \_ imap-login
dovecot 30991 0.0 0.0 36924 2868 ? S 15:05 0:00 \_ imap-login
nobody 31011 0.0 0.0 31436 1756 ? S 15:05 0:00 \_ imap
nobody 31035 0.0 0.0 31436 1716 ? S 15:05 0:00 \_ imap
dovecot 31438 0.0 0.0 36912 2840 ? S 15:06 0:00 \_ pop3-login
nobody 31466 0.0 0.0 31408 1708 ? S 15:06 0:00 \_ pop3
dovecot 31638 0.0 0.0 36924 2860 ? S 15:07 0:00 \_ imap-login
nobody 31658 0.0 0.0 31436 1448 ? S 15:07 0:00 \_ imap
nobody 31721 0.0 0.0 31640 2092 ? S 15:07 0:00 \_ imap
nobody 31723 0.0 0.0 31716 2032 ? S 15:07 0:00 \_ pop3
nobody 31820 0.0 0.0 31560 1960 ? S 15:07 0:00 \_ pop3
dovecot 31872 0.0 0.0 36924 2872 ? S 15:07 0:00 \_ imap-login
nobody 31873 0.0 0.0 31708 1928 ? S 15:07 0:00 \_ imap
nobody 31879 0.0 0.0 32780 2072 ? S 15:07 0:00 \_ imap
nobody 32462 0.0 0.0 32276 2436 ? S 15:08 0:00 \_ pop3
nobody 32463 0.0 0.0 32304 2036 ? S 15:08 0:00 \_ imap
nobody 32464 0.0 0.0 31464 1792 ? S 15:08 0:00 \_ imap
nobody 32711 0.0 0.0 31460 1796 ? S 15:09 0:00 \_ imap
nobody 32712 0.0 0.0 31568 1824 ? S 15:09 0:00 \_ imap
nobody 32713 0.0 0.0 31444 1796 ? S 15:09 0:00 \_ imap
nobody 1031 0.0 0.0 31420 1720 ? S 15:11 0:00 \_ pop3
nobody 1088 0.0 0.0 31744 1928 ? S 15:11 0:00 \_ imap
nobody 1162 0.0 0.0 31436 1760 ? S 15:11 0:00 \_ imap
nobody 1224 0.0 0.0 31436 1784 ? S 15:11 0:00 \_ imap
nobody 1226 0.0 0.0 31436 1784 ? S 15:11 0:00 \_ imap
nobody 1340 0.0 0.0 31556 1824 ? S 15:12 0:00 \_ pop3
nobody 1370 0.0 0.0 31384 1656 ? S 15:12 0:00 \_ pop3
nobody 1801 0.0 0.0 31444 1756 ? S 15:13 0:00 \_ imap
nobody 1802 0.0 0.0 32556 2772 ? S 15:13 0:00 \_ pop3
dovecot 1806 0.0 0.0 36924 2568 ? S 15:13 0:00 \_ imap-login
dovecot 2133 0.0 0.0 36924 2868 ? S 15:14 0:00 \_ imap-login
nobody 2204 0.0 0.0 31372 1652 ? S 15:14 0:00 \_ pop3
nobody 2214 0.0 0.0 31600 1844 ? S 15:14 0:00 \_ imap
nobody 2225 0.0 0.0 31428 1712 ? S 15:14 0:00 \_ pop3
nobody 2244 0.0 0.0 31416 1696 ? S 15:14 0:00 \_ pop3
nobody 2282 0.0 0.0 31424 1724 ? S 15:15 0:00 \_ pop3
nobody 2345 0.2 0.0 31416 1808 ? S 15:15 0:00 \_ pop3
dovecot 2519 0.0 0.0 36924 2564 ? S 15:15 0:00 \_ imap-login
nobody 2524 0.0 0.0 31436 1500 ? S 15:15 0:00 \_ imap
nobody 2542 0.2 0.0 32556 2776 ? S 15:15 0:00 \_ pop3
dovecot 2546 0.0 0.0 36912 2564 ? S 15:15 0:00 \_ pop3-login
dovecot 2548 0.0 0.0 36912 2568 ? S 15:15 0:00 \_ pop3-login
dovecot 2549 0.0 0.0 36912 2600 ? S 15:15 0:00 \_ pop3-login
dovecot 2551 0.0 0.0 36912 2652 ? S 15:15 0:00 \_ pop3-login
dovecot 2553 0.0 0.0 36912 2568 ? S 15:15 0:00 \_ pop3-login
dovecot 2555 0.0 0.0 36912 2564 ? S 15:15 0:00 \_ pop3-login
dovecot 2556 0.0 0.0 36912 2568 ? S 15:15 0:00 \_ pop3-login
dovecot 2557 0.0 0.0 36912 2564 ? S 15:15 0:00 \_ pop3-login
dovecot 2560 0.0 0.0 36924 2564 ? S 15:15 0:00 \_ imap-login
dovecot 2564 0.0 0.0 36912 2568 ? S 15:15 0:00 \_ pop3-login
root 13183 0.0 0.2 238780 9316 ? Ss 12:42 0:00 /usr/sbin/apache2 -k start
www-data 14473 0.0 0.5 254336 21652 ? S 14:00 0:04 \_ /usr/sbin/apache2 -k start
www-data 22993 0.0 0.4 251980 20064 ? S 14:43 0:01 \_ /usr/sbin/apache2 -k start
www-data 24198 0.0 0.5 253308 21176 ? S 14:46 0:01 \_ /usr/sbin/apache2 -k start
www-data 24206 0.0 0.5 254892 20964 ? S 14:46 0:01 \_ /usr/sbin/apache2 -k start
www-data 24668 0.0 0.4 254056 20084 ? S 14:47 0:00 \_ /usr/sbin/apache2 -k start
www-data 24694 0.0 0.4 250952 19156 ? S 14:47 0:00 \_ /usr/sbin/apache2 -k start
www-data 24695 0.0 0.4 252016 19872 ? S 14:47 0:00 \_ /usr/sbin/apache2 -k start
www-data 32068 0.1 0.5 254012 23752 ? S 15:07 0:00 \_ /usr/sbin/apache2 -k start
www-data 32446 0.0 0.4 250940 19028 ? S 15:08 0:00 \_ /usr/sbin/apache2 -k start
www-data 427 0.0 0.4 249908 19128 ? S 15:09 0:00 \_ /usr/sbin/apache2 -k start
root 13277 0.0 0.0 3916 572 ? Ss 12:42 0:00 /usr/sbin/acpid
clamav 14012 0.0 6.1 313124 249112 ? Ssl 12:42 0:07 /usr/sbin/clamd
clamav 14346 0.0 0.0 38484 1356 ? Ss 12:43 0:00 /usr/bin/freshclam -d --quiet
root 14729 0.0 0.0 17072 1068 ? S<s 12:44 0:00 udevd --daemon
root 14955 0.0 0.0 17128 1008 ? S< 12:44 0:00 \_ udevd --daemon
root 14957 0.0 0.0 17128 936 ? S< 12:44 0:00 \_ udevd --daemon
root 15402 0.1 0.0 118024 1708 ? Sl 12:45 0:10 /usr/sbin/rsyslogd -c5
root 15966 0.1 0.1 67284 7580 ? Sl 12:46 0:13 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock
root 25592 3.9 0.1 93136 6004 ? Ss 13:06 5:07 /usr/bin/perl -w /usr/sbin/mailgraph -l /var/log/mail.log -d --daemon_rrd=/var/lib/mailgraph
root 29114 0.0 0.0 18736 812 ? Ss 13:16 0:00 /sbin/rpcbind -w
-----Original Message-----
From: Matias Mucciolo
Sent: Wednesday, January 22, 2014 3:00 PM
To: debian-security@lists.debian.org
Cc: Nico Angenon ; lesley.binks@gmail.com
Subject: Re: finding a process that binds a specific port
Can you paste a ps auxf output?
Maybe someone sees some strange process.
--
Matias
On Wednesday, January 22, 2014 10:57:14 AM Nico Angenon wrote:
Hello,
I’ve put a firewall rule on this before the box, so there is no connection left on this port... but there was a lot of traffic on this port before the rule...
Nico
From: Lesley Binks
Sent: Wednesday, January 22, 2014 2:46 PM
To: Nico Angenon
Cc: debian-security@lists.debian.org
Subject: Re: finding a process that binds a specific port
Sorry for top posting. I'm on my phone.
You can always check for data on the interface using tcpdump.
Worth using it to verify what's happening.
Lesley
On 22 Jan 2014 13:33, "Nico Angenon" <nico@creaweb.fr> wrote:
no output....
Thanks for all...
Nico
-----Original Message-----
From: johan A. van Zanten
Sent: Wednesday, January 22, 2014 1:56 PM
To: nico@creaweb.fr
Cc: debian-security@lists.debian.org
Subject: Re: finding a process that binds a specific port
"Nico Angenon" <nico@creaweb.fr> wrote:
nope... never used this service...
Still looking for an explanation, try chkrootkit and rkhunter right
now....
Try fuser:
fuser -n udp 10001
-johan
--
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20140122.125650.367853660900983582.johan@brandwatch.com
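
Added example, not part of the original thread: when "fuser -n udp 10001" prints nothing, the kernel's socket table in /proc/net/udp still shows whether a socket is bound to the port, and /proc/<pid>/fd shows which process, if any, holds it. The sample table, its uid and inode values and the function names are constructed for illustration; on a live host run it as root so every process's fd directory is readable.

```python
import os
import re
import socket
import struct

# Constructed sample in /proc/net/udp layout (not data from the host in this thread).
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  12: 00000000:006F 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4242 2 0000000000000000 0
  97: 00000000:2711 00000000:0000 07 00000000:00000000 00:00000000 00000000    33        0 55555 2 0000000000000000 0
"""

def parse_udp_table(text):
    """Return one dict per socket row: local addr, port, owning uid, socket inode."""
    rows = []
    for line in text.splitlines()[1:]:           # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        hex_addr, hex_port = f[1].split(":")
        # The kernel prints the IPv4 address as a native-endian 32-bit hex word.
        addr = socket.inet_ntoa(struct.pack("=I", int(hex_addr, 16)))
        rows.append({"addr": addr, "port": int(hex_port, 16),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows

def inode_owners(inodes, proc_root="/proc"):
    """Map socket inode -> [(pid, comm)] by reading every <proc_root>/<pid>/fd link."""
    owners = {i: [] for i in inodes}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            links = {os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)}
        except OSError:                          # process exited, or fd dir not readable
            continue
        for link in links:
            m = re.fullmatch(r"socket:\[(\d+)\]", link)
            if m and int(m.group(1)) in owners:
                try:
                    with open(os.path.join(proc_root, pid, "comm")) as fh:
                        comm = fh.read().strip()
                except OSError:
                    comm = "?"
                owners[int(m.group(1))].append((int(pid), comm))
    return owners

def who_binds(port, udp_text, proc_root="/proc"):
    """List every UDP socket bound to `port` with the processes holding it."""
    socks = [r for r in parse_udp_table(udp_text) if r["port"] == port]
    owners = inode_owners({r["inode"] for r in socks}, proc_root)
    return [dict(r, owners=owners[r["inode"]]) for r in socks]

if __name__ == "__main__":
    with open("/proc/net/udp") as fh:            # IPv4 only; /proc/net/udp6 uses 128-bit addresses
        for s in who_binds(10001, fh.read()):
            # Empty owners: the socket exists but no visible process holds it,
            # which is the case where fuser prints nothing.
            print(s["addr"], "uid", s["uid"], "inode", s["inode"], s["owners"] or "no owner")
```

A row with an empty owner list means the port is bound but no readable process fd references the socket; the uid column still records which account created it.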