Re: apache / exe process taking 99 % cpu

To: debian-security@lists.debian.org
Subject: Re: apache / exe process taking 99 % cpu
From: Marcin Owsiany <porridge@debian.org>
Date: Mon, 30 Aug 2004 21:06:31 +0200
Message-id: <[🔎] 20040830190631.GA9853@melina.ds14.agh.edu.pl>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 200408301550.35675.tv@rz-zw.fh-kl.de>
References: <[🔎] 200408301550.35675.tv@rz-zw.fh-kl.de>

On Mon, Aug 30, 2004 at 03:50:35PM +0200, Timo Veith wrote:
> My question is, have I been hacked?

Probably. Do you run PHP? Buggy PHP scripts are a common attack vector
these days.

> Could that be a CGI program gone wild? 

Yes, if the "pid changes" you noted are just independent processes. Less
likely, if these are intentional fork()/exit() tricks done by one
process (of course unless you don't trust your users).

> Of course I could stop apache, but that's not what I want. I'd like to 
> figure out where this comes from.

try "ls -l /proc/PID" and "ls -l /proc/PID/fd", these may reveal some
useful information. Also run chkrootkit.

Marcin
-- 
Marcin Owsiany <porridge@debian.org>             http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216

Reply to:

Follow-Ups:
- Re: apache / exe process taking 99 % cpu
  - From: Timo Veith <tv@rz-zw.fh-kl.de>

References:
- apache / exe process taking 99 % cpu
  - From: Timo Veith <tv@rz-zw.fh-kl.de>

Prev by Date: Dr. Daniel Berning ist außer Haus.
Next by Date: Aleksander Sobol : nie ma mnie w pracy.
Previous by thread: apache / exe process taking 99 % cpu
Next by thread: Re: apache / exe process taking 99 % cpu
Index(es):
- Date
- Thread