a compromised machine
I think one of my servers has been compromised. Since i don't have a lot
of experiencei with these things, i beg you for your help.
Information i have gathered together till now are the following. Server
is runnin latest debian stable, sarge.
There was heavy traffic on the server and ps aux reported several
www-data 2459 0.0 0.1 1616 608 ? S 01:31 0:00
after killing them they slowly started again, but not many of them. If
course i looked into /tmp, but found no dlciiqlno there. What i found
there were something, that looked like gallery (web photo gallery) log
I dont know if there is a connection, but definetly gallery logfiles
shouldn't be there. And there is that remoteHost IP which is quite
I ran netstat and i got that
tcp 0 0 my_ip:37561 18.104.22.168:5454 ESTABLISHED
Which was wierd, so i run nmap localhost but only ordinary ports were
I don't know what to do now. It would be great, if you had any ideas.
Thank you for your help!