possible server compromise
Hi!
I have an urgent situation. On one of my servers, all Apache
"error.log" and "access.log" files disappeared, as did other files containing "logo" or
"login" in their names. I found some unknown processes.
# ps -el
...
1 S 5000 1008 1 0 75 0 - 572 - ? 00:00:16 iroffer
0 S 5000 7574 1 0 76 0 - 1390 - ? 00:02:28 sifler.pl
...
# ps -elf
...
1 S siteman 1008 1 0 75 0 - 572 - Aug20 ? 00:00:16 /usr/sbin/apache2 -b php
...
0 S siteman 7574 1 0 76 0 - 1390 - 00:50 ? 00:02:28 /usr/local/apache/bin/httpd
...
# netstat -tp
...
tcp 0 0 myserver:51087 89.163.188.1.stati:ircd ESTABLISHED7574/httpd
...
tcp 0 0 myserver:48680 216.75.30.87:ircd ESTABLISHED1008/apache2
...
In /usr/local there is no directory "apache", and no regular (my) HTTP
server is running now. User "siteman" (UID 5000) is a user I assigned to
the regular apache2 and proftpd servers. My system is Debian testing. So
far I have not found any trace of how the possible intruder found a way
into my server.
Thank you for any advice.
David
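The two symptoms in the post, a process whose kernel name (the CMD column of `ps -el`, i.e. /proc/PID/comm) disagrees with the command line it presents (the CMD column of `ps -elf`, i.e. /proc/PID/cmdline), and that process holding a connection to an IRC port, can be checked mechanically. The script below is an added example, not code from the original post or from any of the tools mentioned in it. The ps and netstat output embedded in it is constructed to mirror the post (the first two rows of each block echo the posted lines, the rest are made-up benign processes); KNOWN_PATHS is a stand-in for the filesystem so the example runs offline, and IRC_PORTS is an assumption about which ports an IRC bot would use.

```python
"""Triage helper for the symptoms in the post: processes whose kernel name
(ps -el CMD, i.e. /proc/PID/comm) disagrees with the command line they show
(ps -elf CMD, i.e. /proc/PID/cmdline), command lines pointing at binaries that
do not exist, and connections to IRC ports. Sample output is constructed to
mirror the post; it is not a real capture."""
import os
import re

TASK_COMM_LEN = 15  # the kernel keeps at most 15 characters of comm

# Constructed sample output (procps column layout); the first two rows of each
# block echo the post, the remaining rows are made-up benign processes.
PS_EL = """\
F S   UID   PID  PPID  C PRI  NI ADDR    SZ WCHAN  TTY          TIME CMD
1 S  5000  1008     1  0  75   0 -      572 -      ?        00:00:16 iroffer
0 S  5000  7574     1  0  76   0 -     1390 -      ?        00:02:28 sifler.pl
5 S     0   812     1  0  75   0 -     1312 -      ?        00:00:01 sshd
4 S  5000  2210   812  0  76   0 -     1520 -      ?        00:00:03 backup.pl
"""

PS_ELF = """\
F S UID     PID  PPID  C PRI  NI ADDR    SZ WCHAN  STIME TTY          TIME CMD
1 S siteman 1008     1  0  75   0 -      572 -      Aug20 ?        00:00:16 /usr/sbin/apache2 -b php
0 S siteman 7574     1  0  76   0 -     1390 -      00:50 ?        00:02:28 /usr/local/apache/bin/httpd
5 S root     812     1  0  75   0 -     1312 -      Aug20 ?        00:00:01 /usr/sbin/sshd
4 S siteman 2210   812  0  76   0 -     1520 -      Aug20 ?        00:00:03 /usr/bin/perl /home/siteman/bin/backup.pl
"""

NETSTAT_TP = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 myserver:51087          89.163.188.1.stati:ircd ESTABLISHED7574/httpd
tcp        0      0 myserver:48680          216.75.30.87:ircd       ESTABLISHED1008/apache2
tcp        0      0 myserver:ssh            203.0.113.9:53122       ESTABLISHED 812/sshd
"""

# Constructed stand-in for the filesystem so the example runs offline;
# on a live system pass os.path.exists instead.
KNOWN_PATHS = {"/usr/sbin/apache2", "/usr/sbin/sshd", "/usr/bin/perl",
               "/home/siteman/bin/backup.pl"}

# Assumption: service name / ports an IRC bot is likely to connect to.
IRC_PORTS = {"ircd", "6667", "6697"}

# Handles netstat running State and PID together ("ESTABLISHED7574/httpd").
NETSTAT_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+([A-Z_]+)\s*(\d+)/(\S+)")


def parse_ps(text, cmd_index):
    """Map PID -> CMD column. CMD starts at field 13 for ps -el, 14 for ps -elf."""
    procs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) > cmd_index and f[3].isdigit():
            procs[int(f[3])] = " ".join(f[cmd_index:])
    return procs


def parse_netstat(text):
    """Yield (pid, foreign_address, program) for each TCP connection line."""
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            _local, foreign, _state, pid, prog = m.groups()
            yield int(pid), foreign, prog


def comm_matches_argv(comm, argv):
    """True if comm equals the (15-char truncated) basename of any argv token.
    Every token is checked, not only argv[0], so shebang scripts stay quiet:
    for './backup.pl' the kernel sets comm to 'backup.pl' while argv[0] is
    the interpreter the kernel prepended."""
    return any(os.path.basename(tok)[:TASK_COMM_LEN] == comm[:TASK_COMM_LEN]
               for tok in argv)


def analyse(ps_el, ps_elf, netstat, path_exists=os.path.exists):
    """Return {pid: [reason, ...]} for every process that trips a check."""
    comms = parse_ps(ps_el, 13)
    cmdlines = parse_ps(ps_elf, 14)
    findings = {}

    def flag(pid, reason):
        findings.setdefault(pid, []).append(reason)

    for pid, comm in comms.items():
        argv = cmdlines.get(pid, "").split()
        if not argv:
            continue
        if not comm_matches_argv(comm, argv):
            flag(pid, f"comm {comm!r} does not match command line {cmdlines[pid]!r}")
        if argv[0].startswith("/") and not path_exists(argv[0]):
            flag(pid, f"argv[0] {argv[0]!r} does not exist on disk")

    for pid, foreign, prog in parse_netstat(netstat):
        if foreign.rsplit(":", 1)[-1] in IRC_PORTS:
            flag(pid, f"{prog} connected to IRC port: {foreign}")
    return findings


if __name__ == "__main__":
    result = analyse(PS_EL, PS_ELF, NETSTAT_TP,
                     path_exists=KNOWN_PATHS.__contains__)
    for pid, reasons in sorted(result.items()):
        print(f"PID {pid}:")
        for r in reasons:
            print("   ", r)
```

Run against the constructed data, only PIDs 1008 and 7574 are reported; sshd and the perl script pass because their comm matches a basename in their command line. Treat this as triage, not proof: a program can rewrite its own argv (Perl's `$0 = ...`) and can change comm with `prctl(PR_SET_NAME)`, so both columns are attacker-controlled. The authoritative check on a live box is `ls -l /proc/PID/exe` and `/proc/PID/cwd` as root, which resolve to the real binary even when the file has since been unlinked (the link then ends in "(deleted)").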