Re: a compromised machine
I checked crontabs and I haven't found anything. But new processes started
www-data 6705 0.0 0.1 1616 600 ? S 21:31 0:00
www-data 6762 0.0 0.0 0 0 ? Z 22:10 0:00 [sh]
www-data 6770 0.0 0.1 1624 608 ? S 22:10 0:00 [bdflu
and new connections were opened
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 18.104.22.168:33276 22.214.171.124:5454
tcp 0 0 126.96.36.199:33281 188.8.131.52:6667
Once again, /tmp/dcliiqlno doesn't exist... where is this exec file,
because I would really like to know what exactly it does.. and what is
I still haven't managed to find out how exactly this happened. And
probably a reinstall will be needed? What do you think?
Ulf Harnhammar wrote:
> On Sun, Jul 24, 2005 at 07:40:21PM +0200, Nejc Novak wrote:
>> that means, that the process was started at 17:31 today. So I checked
>> I killed the process and webserver and at 19:31 the process again
>> started with the same lines in syslog.
>
> Check your crontabs (in various locations) and atq. It sounds as if the
> attackers have added something there.
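
An added example, not part of the original messages: on Linux a running process keeps its executable open after the file has been unlinked, so /proc/<pid>/exe reads as the old path with a " (deleted)" suffix and can still be copied out for analysis. The function names and the evidence directory are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example; function names and the evidence directory are assumptions.

# list_deleted_exes [PROCROOT]
# Print "pid owner target" for every process whose executable has been
# unlinked from disk while the process is still running.
list_deleted_exes() {
    procroot=${1:-/proc}
    for dir in "$procroot"/[0-9]*; do
        [ -d "$dir" ] || continue
        # Kernel threads and processes we may not inspect have no readable link.
        target=$(readlink "$dir/exe" 2>/dev/null) || continue
        case $target in
            *" (deleted)")
                owner=$(ls -ld "$dir" | awk '{print $3}')
                printf '%s %s %s\n' "${dir##*/}" "$owner" "$target"
                ;;
        esac
    done
}

# recover_exe PID DESTDIR [PROCROOT]
# Copy the still-open binary out through the exe link and record its hash.
recover_exe() {
    pid=$1 dest=$2 procroot=${3:-/proc}
    mkdir -p "$dest" || return 1
    out="$dest/pid-$pid.bin"
    cp "$procroot/$pid/exe" "$out" || return 1
    chmod 0400 "$out"              # evidence copy: read-only, never executable
    sha256sum "$out" > "$out.sha256" || return 1
    printf '%s\n' "$out"
}

# Stand-alone run: report only. Recovery is a separate, deliberate step, e.g.
#   recover_exe 6770 /root/evidence
list_deleted_exes /proc
```

Run it as root so every process's exe link is readable, and copy the binary before killing the process: once the last process using it exits, the unlinked file is gone.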