[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: apache / exe process taking 99 % cpu

On Mon, Aug 30, 2004 at 03:50:35PM +0200, Timo Veith wrote:
> My question is, have I been hacked?

Probably. Do you run PHP? Buggy PHP scripts are a common attack vector
these days.

> Could that be a CGI program gone wild? 

Yes, if the "pid changes" you noted are just independent processes. Less
likely, if these are intentional fork()/exit() tricks done by one
process (of course unless you don't trust your users).

> Of course I could stop apache, but that's not what I want. I'd like to 
> figure out where this comes from.

try "ls -l /proc/PID" and "ls -l /proc/PID/fd", these may reveal some
useful information. Also run chkrootkit.

Marcin Owsiany <porridge@debian.org>             http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216

Reply to: