a compromised machine


I think one of my servers has been compromised. Since I don't have a lot of experience with these things, I beg you for your help.

The information I have gathered so far is the following. The server is running the latest Debian stable, sarge.

There was heavy traffic on the server and ps aux reported several processes:

    www-data 2459 0.0 0.1 1616 608 ? S 01:31 0:00 /tmp/dlciiqlno x

After killing them they slowly started again, but not many of them. Of course I looked into /tmp, but found no dlciiqlno there. What I found there was something that looked like Gallery (web photo gallery) log files:


I don't know if there is a connection, but Gallery log files definitely shouldn't be there. And there is that remoteHost IP which is quite suspicious.

I ran netstat and I got this:

tcp        0      0 my_ip:37561      ESTABLISHED

Which was weird, so I ran nmap localhost, but only ordinary ports were open.

I don't know what to do now. It would be great, if you had any ideas.

Thank you for your help!
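A small triage helper for the symptom described in the post (a www-data process whose command path is under /tmp while no such file exists in /tmp). This is an added example, not code from the poster; it assumes a Linux /proc filesystem and GNU coreutils, and the ps line it checks is the one quoted above.

```shell
#!/bin/sh
# Added triage helper (example code, not from the original post).
# Two checks: (1) does a `ps aux` line show a command launched from a
# world-writable staging directory, and (2) for a live PID, does its
# executable live in such a directory or has it been unlinked from disk
# (the kernel keeps /proc/PID/exe resolvable and appends " (deleted)").

# Given one line of `ps aux` output, exit 0 if the command path (field 11)
# sits under /tmp, /var/tmp or /dev/shm, else exit 1.
ps_line_from_tmpdir() {
    cmd=$(printf '%s\n' "$1" | awk '{print $11}')
    case "$cmd" in
        /tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
    esac
    return 1
}

# Given a PID, print why it is suspicious and exit 0, or stay silent and exit 1.
suspicious_pid() {
    pid=$1
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || return 1
    case "$exe" in
        /tmp/*|/var/tmp/*|/dev/shm/*)
            printf '%s: runs from temp dir: %s\n' "$pid" "$exe"; return 0 ;;
        *' (deleted)')
            printf '%s: binary unlinked from disk: %s\n' "$pid" "$exe"; return 0 ;;
    esac
    return 1
}

# Walk /proc and, for every hit, print owner, command line and reason, then
# the socket inodes the process holds so an ESTABLISHED connection seen in
# netstat can be matched to a PID (compare against `netstat -tnpe`).
scan_running() {
    for d in /proc/[0-9]*; do
        p=${d#/proc/}
        reason=$(suspicious_pid "$p") || continue
        owner=$(stat -c %U "$d" 2>/dev/null)
        cmdline=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null)
        printf 'user=%s cmd=%s %s\n' "$owner" "$cmdline" "$reason"
        ls -l "$d/fd" 2>/dev/null | grep -o 'socket:\[[0-9]*\]' | sed "s/^/  pid $p holds /"
    done
}

# Run the full scan only when invoked as `sh triage.sh --scan` (run as root).
if [ "${1:-}" = "--scan" ]; then
    scan_running
fi
```

Copy the output to a safe place before rebooting, since a process whose binary was already unlinked is gone once it dies.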


