
Re: a compromised machine



I checked crontabs and I haven't found anything. But new processes started:

www-data  6705  0.0  0.1  1616  600 ?        S    21:31   0:00 /tmp/dlciiqlno x
www-data  6762  0.0  0.0     0    0 ?        Z    22:10   0:00 [sh] <defunct>
www-data  6770  0.0  0.1  1624  608 ?        S    22:10   0:00 [bdflu

and new connections were opened:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 193.77.81.144:33276     210.169.91.66:5454      ESTABLISHED
tcp        0      0 193.77.81.144:33281     193.201.53.88:6667      ESTABLISHED

Once again, /tmp/dlciiqlno doesn't exist... Where is this exec file? I would really like to know what exactly it does.. And what is bdflu?

I still haven't managed to find out how exactly this happened. And a reinstall will probably be needed? What do you think?

Thanks..

Ulf Harnhammar wrote:

On Sun, Jul 24, 2005 at 07:40:21PM +0200, Nejc Novak wrote:
That means that the process was started at 17:31 today. So I checked

I killed the process and webserver and at 19:31 the process again started with the same lines in syslog.

Check your crontabs (in various locations) and atq. It sounds as if the
attackers have added something there.

// Ulf
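The two open questions in the mail above (where the /tmp binary went, and what a bracketed name like [bdflu under www-data means) can both be answered from the evidence already posted plus /proc. The script below is an added example written for this page, not code from the thread or from Debian: it re-parses the ps and netstat lines quoted above (embedded as constructed samples), flags the three things a responder would pull out of them, and shows how to copy a still-running binary out of /proc/<pid>/exe even after its file in /tmp has been unlinked. The lists of world-writable directories and IRC ports are the example's own assumptions, and the bracketed-name check rests on the fact that genuine kernel threads are owned by root, so a bracketed name under a service account is a process that rewrote its own argv.

```python
"""Triage helpers for ps/netstat output from a suspected compromise (added example)."""
import os
import re
import shutil
from dataclasses import dataclass

# Constructed sample input: the ps and netstat lines quoted in the mail, re-aligned.
PS_SAMPLE = """\
www-data  6705  0.0  0.1  1616  600 ?        S    21:31   0:00 /tmp/dlciiqlno x
www-data  6762  0.0  0.0     0    0 ?        Z    22:10   0:00 [sh] <defunct>
www-data  6770  0.0  0.1  1624  608 ?        S    22:10   0:00 [bdflu
"""
NETSTAT_SAMPLE = """\
tcp        0      0 193.77.81.144:33276     210.169.91.66:5454      ESTABLISHED
tcp        0      0 193.77.81.144:33281     193.201.53.88:6667      ESTABLISHED
"""

# Assumption: directories every local user can write to. A service account's
# executable living there was almost certainly dropped, not installed.
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Assumption: IRC ports; bots of this era typically took orders from an IRC channel.
IRC_PORTS = {6667, 6668, 6669, 6697}

NETSTAT_LINE = re.compile(
    r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S*)"
)


@dataclass
class Finding:
    pid: int
    reason: str


def parse_ps_aux(text):
    """Yield (user, pid, stat, command) from `ps aux`-style lines; skip the header."""
    for line in text.splitlines():
        fields = line.split(None, 10)
        if len(fields) < 11 or not fields[1].isdigit():
            continue
        yield fields[0], int(fields[1]), fields[7], fields[10]


def triage_ps(text):
    """Flag processes running from world-writable dirs, zombies, and fake kernel-thread names."""
    findings = []
    for user, pid, stat, command in parse_ps_aux(text):
        exe = command.split()[0]
        if exe.startswith(WORLD_WRITABLE_DIRS):
            findings.append(Finding(pid, f"executable in world-writable dir: {exe}"))
        if "Z" in stat:
            # ps shows a zombie's name in brackets because its argv is gone, so
            # the bracket check below is skipped for it.
            findings.append(Finding(pid, "zombie: exited but not reaped by its parent"))
        elif exe.startswith("[") and user != "root":
            findings.append(Finding(pid, f"kernel-thread style name {exe!r} but owner is {user}"))
    return findings


def triage_netstat(text):
    """Flag established connections whose remote port is an IRC port."""
    findings = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        _proto, laddr, lport, faddr, fport, state = m.groups()
        if fport.isdigit() and int(fport) in IRC_PORTS:
            findings.append(f"{laddr}:{lport} -> {faddr}:{fport} ({state}): IRC port, typical bot control channel")
    return findings


def recover_running_binary(pid, dest_dir):
    """Copy a running process's executable out of /proc (Linux only).

    Works even when the file has been unlinked from /tmp: the kernel keeps the
    inode alive while the process runs, and /proc/<pid>/exe still opens it.
    Needs root or the same uid as the process. Returns None if /proc is not readable.
    """
    exe_link = f"/proc/{pid}/exe"
    try:
        target = os.readlink(exe_link)  # e.g. '/tmp/dlciiqlno (deleted)'
    except OSError:
        return None
    os.makedirs(dest_dir, exist_ok=True)
    dest = os.path.join(dest_dir, f"pid{pid}.bin")
    shutil.copyfile(exe_link, dest)  # reads through the magic link to the inode
    return {"pid": pid, "original_path": target, "copy": dest}


if __name__ == "__main__":
    for f in triage_ps(PS_SAMPLE):
        print(f"pid {f.pid}: {f.reason}")
    for line in triage_netstat(NETSTAT_SAMPLE):
        print(line)
```

On the compromised box one would run `recover_running_binary(6705, "/root/evidence")` before killing anything, then `strings` or `file` the copy; `/proc/6705/cwd` and `/proc/6705/fd` are worth listing for the same reason, since they survive the unlink too.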
