a compromised machine
Hi!
I think one of my servers has been compromised. Since I don't have a lot
of experience with these things, I beg you for your help.
The information I have gathered so far is the following. The server
is running the latest Debian stable, sarge.
There was heavy traffic on the server and ps aux reported several processes:
www-data 2459 0.0 0.1 1616 608 ? S 01:31 0:00 /tmp/dlciiqlno x
After killing them they slowly started again, but not many of them. Of
course I looked into /tmp, but found no dlciiqlno there. What I found
there was something that looked like gallery (web photo gallery) log
files:
gallery_session_04fa70fb11bc00591370a70bc0398e24|O:14:"gallerysession":6:{s:7:"version";s:11:"1.5-debian1";s:12:"sessionStart";i:1122183146;s:10:"remoteHost";s:14:"68.142.249.160";s:9:"albumName";s:7:"album04";s:13:"offlineAlbums";a:0:{}s:8:"language";b:0;}
I don't know if there is a connection, but definitely gallery log files
shouldn't be there. And there is that remoteHost IP, which is quite
suspicious.
I ran netstat and got this:
tcp 0 0 my_ip:37561 210.169.91.66:5454 ESTABLISHED
which was weird, so I ran nmap localhost, but only ordinary ports were
open.
I don't know what to do now. It would be great, if you had any ideas.
Thank you for your help!
Nejc
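As an added example, not part of the original post or of Debian/Gallery: a Python script that checks the three artifacts quoted above offline, the way a first triage pass would. It flags `ps aux` entries whose executable lives in a world-writable scratch directory, flags ESTABLISHED TCP connections that the server itself initiated (local port is not one of its service ports), and decodes the Gallery session record, which is PHP `serialize()` output in the `name|data` session-file format, to pull out fields such as remoteHost. All sample input is constructed here to mirror the post; the server's own address 192.0.2.10, the second client 198.51.100.7 and the set of expected service ports are assumptions.

```python
"""Offline triage of the artifacts quoted above: a `ps aux` listing, a
`netstat` listing and a PHP-serialized Gallery session record (example code)."""

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # world-writable directories
SERVICE_PORTS = {22, 80, 443}  # ports this server is meant to serve (assumption)

# Constructed `ps aux` excerpt; the www-data lines mirror the one in the post.
PS_SAMPLE = """USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  1568  520 ?        S    01:30   0:00 init [2]
www-data  2459  0.0  0.1  1616  608 ?        S    01:31   0:00 /tmp/dlciiqlno x
www-data  2460  0.0  0.1  1616  608 ?        S    01:31   0:00 /tmp/dlciiqlno x
"""

# Constructed `netstat -ant` excerpt; 192.0.2.10 stands in for the server's IP.
NETSTAT_SAMPLE = """Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:37561        210.169.91.66:5454      ESTABLISHED
"""

# The record from the post, in PHP's "name|serialize()" session-file format.
SESSION_SAMPLE = (
    'gallery_session_04fa70fb11bc00591370a70bc0398e24|O:14:"gallerysession":6:'
    '{s:7:"version";s:11:"1.5-debian1";s:12:"sessionStart";i:1122183146;'
    's:10:"remoteHost";s:14:"68.142.249.160";s:9:"albumName";s:7:"album04";'
    's:13:"offlineAlbums";a:0:{}s:8:"language";b:0;}')


def suspicious_processes(ps_output):
    """(user, pid, command) for every process whose executable path starts
    in a world-writable scratch directory. Expects `ps aux` column layout."""
    hits = []
    for line in ps_output.splitlines()[1:]:
        parts = line.split(None, 10)  # the 11th field is the full command line
        if len(parts) == 11 and parts[10].startswith(SCRATCH_DIRS):
            hits.append((parts[0], int(parts[1]), parts[10]))
    return hits


def outbound_connections(netstat_output):
    """(local_port, remote_host, remote_port) for ESTABLISHED TCP connections
    whose local port is not a service port, i.e. ones this host initiated."""
    hits = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6") or parts[5] != "ESTABLISHED":
            continue
        local_port = int(parts[3].rsplit(":", 1)[1])
        remote_host, remote_port = parts[4].rsplit(":", 1)
        if local_port not in SERVICE_PORTS:
            hits.append((local_port, remote_host, int(remote_port)))
    return hits


def php_unserialize(data, pos=0):
    """Minimal decoder for PHP serialize() output (N, i, b, s, a, O).
    Returns (value, next_pos); objects become dicts with a '__class__' key."""
    t = data[pos]
    if t == "N":
        return None, pos + 2
    if t in "ib":  # i:<int>;  b:<0|1>;
        end = data.index(";", pos)
        n = int(data[pos + 2:end])
        return (bool(n) if t == "b" else n), end + 1
    if t == "s":  # s:<len>:"<bytes>";  (input here is ASCII, so chars == bytes)
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2
        return data[start:start + length], start + length + 2
    if t in "aO":  # a:<n>:{k;v;...}   O:<len>:"<class>":<n>:{k;v;...}
        p, obj = pos + 2, {}
        if t == "O":
            colon = data.index(":", p)
            name_len = int(data[p:colon])
            obj["__class__"] = data[colon + 2:colon + 2 + name_len]
            p = colon + 2 + name_len + 2
        colon = data.index(":", p)
        count, p = int(data[p:colon]), colon + 2
        for _ in range(count):
            key, p = php_unserialize(data, p)
            val, p = php_unserialize(data, p)
            obj[key] = val
        return obj, p + 1  # skip the closing '}'
    raise ValueError("unsupported PHP type %r at offset %d" % (t, pos))


def parse_php_session(record):
    """Decode a PHP session-file record: name|serialized[name|serialized...]."""
    result, pos = {}, 0
    while pos < len(record):
        bar = record.index("|", pos)
        name = record[pos:bar]
        result[name], pos = php_unserialize(record, bar + 1)
    return result


if __name__ == "__main__":
    for user, pid, cmd in suspicious_processes(PS_SAMPLE):
        print("scratch-dir process: %s pid %d: %s" % (user, pid, cmd))
    for lport, rhost, rport in outbound_connections(NETSTAT_SAMPLE):
        print("outbound connection: local port %d -> %s:%d" % (lport, rhost, rport))
    for name, obj in parse_php_session(SESSION_SAMPLE).items():
        print("%s: class %s, remoteHost %s" % (name, obj["__class__"], obj["remoteHost"]))
```

On the live machine the same checks map onto standard tools: a process whose file is gone from /tmp but still running is the usual sign of a binary unlinked after exec, and `ls -l /proc/<pid>/exe` on Linux shows the original path suffixed with "(deleted)" (the image can still be copied from that link for analysis), while `netstat -antp` as root names the PID that owns the 210.169.91.66:5454 connection, tying the two observations together.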