
Re: doing an ssh into a compromised host



> Meanwhile, the only thing I have is looking at some offline backups and
> working remotely in the (compromised) environment. Right now I'm looking at
> the lsof output there, a curious entry from Apache shown by lsof:
>
> apache 3170     root  mem    DEL        0,5                   0 /SYSV0000000
>
> Does it ring the bell for anyone? (The box runs apache 1.3.26-0woody5).

Belay that. This looks like the apache scoreboard. A sane apache2 machine has
similar entries as well:

apache2    1318  apache  mem    DEL        0,6                    0 /SYSV0c0deb00
apache2    1926  apache  mem    DEL        0,6                    0 /SYSV0c0deb00
apache2    2432  apache  mem    DEL        0,6                    0 /SYSV0c0deb00
apache2    2502  apache  mem    DEL        0,6                    0 /SYSV0c0deb00
apache2    8538    root  mem    DEL        0,6                    0 /SYSV0c0deb00
apache2    8798  apache  mem    DEL        0,6                    0 /SYSV0c0deb00
apache2   27796  apache  mem    DEL        0,6                    0 /SYSV0c0deb00
apache2   27797  apache  mem    DEL        0,6                    0 /SYSV0c0deb00
apache2   28306  apache  mem    DEL        0,6                    0 /SYSV0c0deb00

Grrrr.... I'll try to nessus the machine remotely, and see if something boils
up from it...
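As an added example (not code from this thread), the triage step described above can be turned into a small Python helper that parses lsof output and groups the `DEL`-typed `/SYSV...` mappings by segment. The eight hex digits after `/SYSV` are the System V IPC key of the shared memory segment (`00000000` is `IPC_PRIVATE`), and `DEL` means the segment was marked for removal while still mapped, which is what a server that attaches its scoreboard and then immediately calls `shmctl(IPC_RMID)` looks like. The heuristic (every attached process is an httpd-family command and exactly one of them runs as root, i.e. the parent) and the process name `shmprobe` in the sample are assumptions for illustration; the sample lsof text is constructed, modelled on the lines quoted above.

```python
"""Group SysV shared memory mappings from lsof output and flag unexpected sharers.

Example code for incident triage; not part of the original mailing list post.
"""
from collections import defaultdict

# Constructed sample lsof output (not real data), modelled on the thread's entries.
# The "shmprobe" process is a hypothetical placeholder name for illustration.
SAMPLE_LSOF = """\
COMMAND     PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
apache2    1318  apache  mem    DEL        0,6                    0 /SYSV0c0deb00
apache2    8538    root  mem    DEL        0,6                    0 /SYSV0c0deb00
apache2   27796  apache  mem    DEL        0,6                    0 /SYSV0c0deb00
sshd       2211    root  txt    REG        8,1   123456 4567 /usr/sbin/sshd
apache     3170    root  mem    DEL        0,5                    0 /SYSV00000000
shmprobe   4099  nobody  mem    DEL        0,6                    0 /SYSV0c0deb00
"""

# Command names under which an Apache parent/children normally appear (assumption).
HTTPD_COMMANDS = frozenset({"apache", "apache2", "httpd"})


def parse_sysv_segments(lsof_text):
    """Return {segment_name: [(command, pid, user), ...]} for DEL-mapped SysV segments.

    lsof columns are whitespace separated and SIZE/OFF may be blank, so the
    first five fields and the last field are taken rather than fixed offsets.
    """
    segments = defaultdict(list)
    for line in lsof_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "COMMAND":
            continue  # header or malformed line
        command, pid, user, _fd, ftype = fields[:5]
        name = fields[-1]
        if ftype == "DEL" and name.startswith("/SYSV"):
            segments[name].append((command, int(pid), user))
    return dict(segments)


def ipc_key(segment_name):
    """Decode the SysV IPC key encoded in the /SYSVxxxxxxxx name (0 == IPC_PRIVATE)."""
    return int(segment_name[len("/SYSV"):], 16)


def classify_segments(segments, expected_commands=HTTPD_COMMANDS):
    """Label each segment 'scoreboard' if it matches the normal Apache shape, else 'review'.

    Normal shape (assumed heuristic): every attached process is an httpd-family
    command and exactly one of them (the parent) runs as root.
    """
    report = {}
    for name, attached in segments.items():
        commands = sorted({cmd for cmd, _, _ in attached})
        root_pids = [pid for _, pid, user in attached if user == "root"]
        if set(commands) <= set(expected_commands) and len(root_pids) == 1:
            status = "scoreboard"
        else:
            status = "review"
        report[name] = {
            "status": status,
            "key": ipc_key(name),
            "commands": commands,
            "pids": sorted(pid for _, pid, _ in attached),
        }
    return report


if __name__ == "__main__":
    for seg, info in sorted(classify_segments(parse_sysv_segments(SAMPLE_LSOF)).items()):
        print(f"{seg} key=0x{info['key']:08x} {info['status']:10s} "
              f"commands={info['commands']} pids={info['pids']}")
```

On a live box the input would be `lsof -n` output piped into the script; the point of the grouping is that a scoreboard segment attached only by the web server's own parent and children is expected, while a segment that a process with a different command name has attached to is the one worth a closer look.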
