[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: a compromised machine

i checked crontabs and i haven't found anything. but new processess started

www-data 6705 0.0 0.1 1616 600 ? S 21:31 0:00 /tmp/dlciiqlno x www-data 6762 0.0 0.0 0 0 ? Z 22:10 0:00 [sh] <defunct>
www-data  6770  0.0  0.1  1624  608 ?        S    22:10   0:00 [bdflu

and new connections were opened

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State

Once again, /tmp/dcliiqlno doesn't exist... where is this exec file, because i would really like to know what exactly it does.. and what is bdflu?

I still haven't managed to find out how exactly this happened. And probably reinstall will be needed? What do you think?


Ulf Harnhammar wrote:

On Sun, Jul 24, 2005 at 07:40:21PM +0200, Nejc Novak wrote:
that means, that the process was started at 17:31 today. So i checked

I killed the process and webserver and at 19:31 the process again started with the same lines in syslog.

Check your crontabs (in various locations) and atq. It sounds as if the
attackers have added something there.

// Ulf

Reply to: