
possible server compromise



Hi!

I have an urgent situation. On one of my servers, all apache "error.log"
and "access.log" files disappeared, as well as other files containing
"logo" or "login". I found some unknown processes.

# ps -el
...
1 S  5000  1008     1  0  75   0 -   572 -      ?        00:00:16 iroffer
0 S  5000  7574     1  0  76   0 -  1390 -      ?        00:02:28 sifler.pl
...

# ps -elf
...
1 S siteman   1008     1  0  75   0 -   572 -      Aug20 ?        00:00:16 /usr/sbin/apache2                             -b php
...
0 S siteman   7574     1  0  76   0 -  1390 -      00:50 ?        00:02:28 /usr/local/apache/bin/httpd
...

# netstat -tp
...
tcp        0      0 myserver:51087        89.163.188.1.stati:ircd ESTABLISHED7574/httpd
...
tcp        0      0 myserver:48680        216.75.30.87:ircd       ESTABLISHED1008/apache2
...

In /usr/local there is no directory "apache", and my regular http server
is not running now. User "siteman" (UID 5000) is a user I assigned to the
regular apache2 and proftpd server. My system is Debian testing. So far I
haven't found any trace of where the possible intruder found a way into my
server.

Thank you for any advice.

David
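The cross-check David did by hand above (the kernel's process name from `ps -el` versus the path the process claims in `ps -elf`, whether that path exists, and where `netstat -tp` says it is connected) can be scripted; the following is an added example of my own, not code from the post or from any tool it mentions. The `ps`/`netstat` text is constructed to mirror the post (the sshd line, the 192.0.2.10 peer, the `IRC_PORTS` set and the `path_exists` hook are my additions).

```python
import os
import re

# Constructed sample output modelled on the post (not a real capture); sshd is a clean negative case.
PS_EL = """\
1 S  5000  1008     1  0  75   0 -   572 -      ?        00:00:16 iroffer
0 S  5000  7574     1  0  76   0 -  1390 -      ?        00:02:28 sifler.pl
5 S     0   900     1  0  75   0 -   800 -      ?        00:00:01 sshd
"""
PS_ELF = """\
1 S siteman   1008     1  0  75   0 -   572 -      Aug20 ?        00:00:16 /usr/sbin/apache2 -b php
0 S siteman   7574     1  0  76   0 -  1390 -      00:50 ?        00:02:28 /usr/local/apache/bin/httpd
5 S root       900     1  0  75   0 -   800 -      Aug20 ?        00:00:01 /usr/sbin/sshd -D
"""
NETSTAT = """\
tcp        0      0 myserver:51087        89.163.188.1.stati:ircd ESTABLISHED7574/httpd
tcp        0      0 myserver:48680        216.75.30.87:ircd       ESTABLISHED1008/apache2
tcp        0      0 myserver:ssh          192.0.2.10:40001        ESTABLISHED900/sshd
"""
IRC_PORTS = {"ircd", "6667"}  # netstat prints the service name when /etc/services knows it

def parse_ps_el(text):  # pid -> comm, the kernel's name for the process (rewriting argv[0] does not change it)
    return {f[3]: f[-1] for f in (l.split() for l in text.splitlines()) if f}

def parse_ps_elf(text):  # pid -> argv[0], what the process claims to be
    return {f[3]: f[14] for f in (l.split() for l in text.splitlines()) if len(f) > 14}

def parse_netstat(text):  # pid -> set of foreign ports/service names (STATE and PID/Program are often fused)
    out = {}
    for f in (l.split() for l in text.splitlines()):
        m = re.search(r"(\d+)/\S+$", f[5]) if len(f) > 5 else None
        if m:
            out.setdefault(m.group(1), set()).add(f[4].rsplit(":", 1)[-1])
    return out

def find_suspicious(ps_el, ps_elf, netstat, path_exists=os.path.exists):
    """Return {pid: [reasons]}. Each check is a signal, not proof: a script shows its interpreter as comm."""
    comm, argv0, conns = parse_ps_el(ps_el), parse_ps_elf(ps_elf), parse_netstat(netstat)
    findings = {}
    for pid, name in comm.items():
        claimed, reasons = argv0.get(pid, ""), []
        if os.path.basename(claimed) != name:
            reasons.append(f"argv[0] is {claimed!r} but the kernel calls it {name!r}")
        if claimed.startswith("/") and not path_exists(claimed):
            reasons.append(f"claimed binary {claimed!r} does not exist on disk")
        if conns.get(pid, set()) & IRC_PORTS:
            reasons.append("established connection to an IRC port")
        if reasons:
            findings[pid] = reasons
    return findings
```

On a live box, feed it the real `ps -el`, `ps -elf` and `netstat -tp` output and leave `path_exists` at its default; for PIDs it flags, `/proc/<pid>/exe` and `/proc/<pid>/cwd` tell you where the binary really lives before the process is killed.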