Re: a compromised machine
On the 12989th day after Epoch,
Nejc Novak wrote:
> I checked crontabs and I haven't found anything. But new processes started
> www-data 6705 0.0 0.1 1616 600 ? S 21:31 0:00
> /tmp/dlciiqlno x
> www-data 6762 0.0 0.0 0 0 ? Z 22:10 0:00 [sh]
> www-data 6770 0.0 0.1 1624 608 ? S 22:10 0:00 [bdflu
> and new connections were opened
> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 18.104.22.168:33276 22.214.171.124:5454
> tcp 0 0 126.96.36.199:33281 188.8.131.52:6667
> Once again, /tmp/dcliiqlno doesn't exist... where is this exec file,
> because I would really like to know what exactly it does.. and what is
Easy to do. The exec prog removes itself.
Try "lsof -p <hackprocessid>" and you will probably see a "deleted" file.
The process probably restarted because of a corrupted command. For
example, ls or ps are corrupted, so they create /tmp/xxxx, run it and
> I still haven't managed to find out how exactly this happened. And
> probably reinstall will be needed? What do you think?
First of all, you must unplug the machine. Second, reinstall it.
If you have important data, just back it up, but *only* data!
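As an added example (not from the thread), here is the same "deleted executable" check done with /proc on Linux instead of lsof, plus a helper that copies the unlinked binary out of /proc/<pid>/exe so it can still be analysed after the box is unplugged. It assumes a Linux /proc filesystem and the coreutils readlink, cp and sha256sum; the pid 6705 in the usage comment is the one from the quoted ps output.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list message.
# A process whose on-disk executable was removed still shows the original
# path in /proc/<pid>/exe, with " (deleted)" appended by the kernel; this is
# what "lsof -p <pid>" reports as a deleted file.

# Print "pid original_path" when the pid's executable has been unlinked.
# Returns 0 if deleted, 1 otherwise (or when /proc/<pid>/exe is unreadable,
# e.g. another user's process without root).
exe_deleted() {
    _pid="$1"
    _target=$(readlink "/proc/$_pid/exe" 2>/dev/null) || return 1
    case "$_target" in
        *" (deleted)")
            printf '%s %s\n' "$_pid" "${_target% (deleted)}"
            return 0 ;;
    esac
    return 1
}

# Walk every pid visible in /proc; returns 0 when at least one was found.
scan_deleted_exes() {
    _found=1
    for _d in /proc/[0-9]*; do
        exe_deleted "${_d#/proc/}" && _found=0
    done
    return $_found
}

# Preserve the unlinked binary: reading /proc/<pid>/exe returns the file
# content even though the path no longer exists on disk. Writes
# <outdir>/<pid>.exe and prints its sha256 for the incident record.
preserve_exe() {
    _pid="$1"; _outdir="$2"
    mkdir -p "$_outdir" || return 1
    cp "/proc/$_pid/exe" "$_outdir/$_pid.exe" || return 1
    sha256sum "$_outdir/$_pid.exe"
}

# Usage (run as root to see all processes):
#   scan_deleted_exes             # e.g. "6705 /tmp/dlciiqlno"
#   preserve_exe 6705 /root/ir    # copy the binary before pulling the plug
```

Do the copy before unplugging: once the process is gone, the unlinked file's data is gone with it.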