Re: doing an ssh into a compromised host
> Meanwhile, the only thing I have is looking at some offline backups and
> working remotely in the (compromised) environment. Right now I'm looking at
> the lsof output there, a curious entry from Apache shown by lsof:
>
> apache 3170 root mem DEL 0,5 0 /SYSV0000000
>
> Does it ring the bell for anyone? (The box runs apache 1.3.26-0woody5).
Belay that. This looks like the Apache scoreboard. A sane apache2 machine has
similar entries as well:
apache2 1318 apache mem DEL 0,6 0 /SYSV0c0deb00
apache2 1926 apache mem DEL 0,6 0 /SYSV0c0deb00
apache2 2432 apache mem DEL 0,6 0 /SYSV0c0deb00
apache2 2502 apache mem DEL 0,6 0 /SYSV0c0deb00
apache2 8538 root mem DEL 0,6 0 /SYSV0c0deb00
apache2 8798 apache mem DEL 0,6 0 /SYSV0c0deb00
apache2 27796 apache mem DEL 0,6 0 /SYSV0c0deb00
apache2 27797 apache mem DEL 0,6 0 /SYSV0c0deb00
apache2 28306 apache mem DEL 0,6 0 /SYSV0c0deb00
Grrrr.... I'll try to nessus the machine remotely, and see if something boils
up from it...
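The comparison done by hand above (grouping the /SYSV entries from lsof by key and seeing which processes share them) is easy to script for the next compromised box. The following is an added example, not code from the thread; the lsof lines it parses are constructed after the ones in the post, with one hypothetical non-Apache process (a bash with pid 4242) added to show what gets flagged. Treating "a scoreboard segment attached by an unrelated command" as worth a second look is a triage heuristic assumed here, not a claim from the post.

```shell
#!/bin/sh
# Constructed sample of `lsof -n` output, modelled on the lines in the post.
# The bash line is made up to show a segment shared with a foreign process.
LSOF_SAMPLE='apache2 1318 apache mem DEL 0,6 0 /SYSV0c0deb00
apache2 8538 root mem DEL 0,6 0 /SYSV0c0deb00
apache2 27796 apache mem DEL 0,6 0 /SYSV0c0deb00
bash 4242 root mem DEL 0,6 0 /SYSV0c0deb00'

# Constructed sample of a clean host: only apache2 attached to the segment.
LSOF_CLEAN='apache2 1318 apache mem DEL 0,6 0 /SYSV0c0deb00
apache2 8538 root mem DEL 0,6 0 /SYSV0c0deb00'

# sysv_summary: read lsof output on stdin and print one line per SysV
# shared-memory key:  <0x-key> <attached-process-count> <comma-separated commands>
# The key is emitted as 0x<hex> so it can be matched against the KEY column
# of `ipcs -m` on the same host (or on a known-good reference host).
sysv_summary() {
  awk '
    $NF ~ /^\/SYSV[0-9a-fA-F]+$/ {
      key = "0x" substr($NF, 6)          # strip the leading "/SYSV"
      n[key]++
      # record each distinct command name once per key
      if (index("," cmds[key] ",", "," $1 ",") == 0)
        cmds[key] = (cmds[key] == "" ? $1 : cmds[key] "," $1)
    }
    END { for (k in n) print k, n[k], cmds[k] }
  ' | sort
}

# foreign_attach: keep only keys that more than one distinct command is
# attached to. An Apache scoreboard should be mapped by httpd processes only;
# anything else attached to it deserves a look (heuristic, see lead-in).
foreign_attach() {
  sysv_summary | awk '$3 ~ /,/'
}

# Stand-alone demo on the constructed samples.
printf '%s\n' "$LSOF_SAMPLE" | sysv_summary
printf '%s\n' "$LSOF_SAMPLE" | foreign_attach
```

On a live host the input is simply `lsof -n | sysv_summary`; the 0x-prefixed key in the first column is what `ipcs -m` lists, so the owner, permissions and attach count of the segment can be pulled from there and compared with the output from a machine known to be clean, which is exactly the comparison made in the post.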