security problem
David A. Bandel
david.bandel at gmail.com
Sun Jun 29 16:47:41 PDT 2008
Folks (Matt maybe?),
Hoping someone can help me out here. I found this running on a client's server:
    25454 ? Z 0:00 [perl] <defunct>
    25455 ? S 7481:51 /hsphere/shared/apache/bin/httpd -DSSL
I included 25454 because apparently, perl spawned the activity (which
was in turn spawned by the web server). Running as user www-data (web
server).
Apparently been running since about 24 Jun. Netstat -pan has this to say:
    tcp 0 1 192.168.8.2:55323 194.68.45.50:6667 SYN_SENT 25455/httpd -DSSL
I've blocked port 6667 outgoing. It keeps trying various IPs. Not
sure what it is, but doubt it's benign. Searches on port 6667 turn up
some things, but nothing substantial (i.e., lots of Windoze bots, but
nothing I can identify as Linux).
Any ideas?
TIA,
David A. Bandel
--
Focus on the dream, not the competition.
- Nemesis Air Racing Team motto
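
Added example (not part of the original message): a small triage script that reads `netstat -pan` TCP lines and groups outbound connections to IRC ports by owning PID, so a process that "keeps trying various IPs" on 6667 stands out whatever name it shows. Only port 6667 and the first sample line come from the post; the wider port set, the function name and the other sample lines are assumptions made for this example.

```python
from collections import defaultdict

# 6667 is the port seen in the post; the rest of the usual IRC range
# (6660-6669, 6697) is an assumption added for this example.
IRC_PORTS = set(range(6660, 6670)) | {6697}

# Constructed sample in `netstat -pan` TCP layout. The first line is the one
# quoted in the post; the others are made up (documentation address ranges).
SAMPLE = """\
tcp 0 1 192.168.8.2:55323 194.68.45.50:6667 SYN_SENT 25455/httpd -DSSL
tcp 0 1 192.168.8.2:55324 203.0.113.7:6667 SYN_SENT 25455/httpd -DSSL
tcp 0 0 192.168.8.2:443 198.51.100.9:40112 ESTABLISHED 1201/httpd -DSSL
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 812/sshd
"""


def outbound_irc(netstat_text, ports=IRC_PORTS):
    """Return {(pid, program): sorted remote IPs} for TCP sockets whose
    remote port is an IRC port, whatever the process calls itself."""
    hits = defaultdict(set)
    for line in netstat_text.splitlines():
        # Columns: proto recv-q send-q local foreign state pid/program
        fields = line.split(None, 6)
        if len(fields) < 7 or not fields[0].startswith("tcp"):
            continue
        _proto, _recvq, _sendq, _local, foreign, state, owner = fields
        if state == "LISTEN":
            continue  # listening sockets have no remote peer
        host, _, port = foreign.rpartition(":")
        if not port.isdigit() or int(port) not in ports:
            continue
        # The program part may contain spaces ("httpd -DSSL"); keep it whole.
        pid, _, program = owner.partition("/")
        hits[(pid, program.strip())].add(host)
    return {key: sorted(peers) for key, peers in hits.items()}


if __name__ == "__main__":
    for (pid, program), remotes in outbound_irc(SAMPLE).items():
        print(f"PID {pid} ({program}): IRC-port peers {', '.join(remotes)}")
```

The program column that netstat prints is taken from the process's own command line, which the process can overwrite, so compare it with `/proc/<pid>/exe` before trusting the name.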