security problem
Bill Campbell
linux-sxs at celestial.com
Sun Jun 29 22:59:44 PDT 2008
On Sun, Jun 29, 2008, David A. Bandel wrote:
>Folks (Matt maybe?),
>
>Hoping someone can help me out here. I found this running on a client's server:
>25454 ? Z 0:00 [perl] <defunct>
>25455 ? S 7481:51 /hsphere/shared/apache/bin/httpd -DSSL
>
>I included 25454 because apparently, perl spawned the activity (which
>as in turn spawned by the web server). Running as user www-data (web
>server).
>
>Apparently been running since about 24 Jun. Netstat -pan has this to say:
>tcp 0 1 192.168.8.2:55323 194.68.45.50:6667
>SYN_SENT 25455/httpd -DSSL
>
>I've blocked port 6667 outgoing. It keeps trying various IPs. Not
>sure what it is, but doubt it's benign. Searches on port 6667 turn up
>some things, but nothing substantial (i.e., lots of Windoze bots, but
>nothing I can identify as Linux).
I find ``lsof -p pid'' very useful in cases like this to identify
the programs that are running, which often are in obscured
directories (e.g. multiple ``.''s, spaces, etc.). Look for
executable programs under /tmp, /dev, and /var/tmp.
This looks like an IRC connection of some kind. These are often
running under some normal user with a weak password.
Bill
--
INTERNET: bill at celestial.com Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676 Mercer Island, WA 98040-0820
Fax: (206) 232-9186
It's time to feed the hogs
-- Unintended Consequences
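The triage Bill describes (check what the PID is really running, then sweep /tmp, /dev and /var/tmp for executables hidden behind odd names), written out as a shell script. This is an added example and not part of the original thread; it reads /proc directly instead of calling lsof, so it assumes a Linux host with /proc mounted. The function names, the obscured-name heuristics and the default directory list are choices made for this example, not anything the list discussed.

```shell
#!/bin/sh
# Added example, not from the thread: triage helpers for a process like the
# httpd/perl pair David found. Assumes Linux with /proc mounted for
# proc_summary; the directory sweep only needs POSIX sh and find.

# /proc-based equivalent of "lsof -p PID": the real executable (still shown
# if the binary was unlinked after start, a common trick), the working
# directory, the full command line and every open file descriptor/socket.
proc_summary() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    printf 'exe : %s\n' "$(readlink "/proc/$pid/exe" || echo '(unreadable)')"
    printf 'cwd : %s\n' "$(readlink "/proc/$pid/cwd" || echo '(unreadable)')"
    printf 'cmd : '
    tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null || printf '(unreadable)'
    echo
    echo 'fds :'
    for fd in "/proc/$pid/fd"/*; do
        [ -L "$fd" ] || continue
        printf '  %s -> %s\n' "${fd##*/}" "$(readlink "$fd")"
    done
}

# Return 0 if any path component uses the naming tricks Bill mentions:
# hidden (leading dot), runs of dots, or embedded whitespace.
odd_path() {
    (
        IFS=/
        for part in $1; do
            case "$part" in
                '') ;;
                *[[:space:]]*|*..*|.*) exit 0 ;;
            esac
        done
        exit 1
    )
}

# List executable regular files under the usual drop locations and flag the
# ones whose path looks obscured. Defaults to the directories Bill names.
scan_scratch_dirs() {
    [ $# -gt 0 ] || set -- /tmp /dev /var/tmp
    find "$@" -type f -perm -100 2>/dev/null | while IFS= read -r f; do
        if odd_path "$f"; then
            printf 'SUSPECT %s\n' "$f"
        else
            printf 'exec    %s\n' "$f"
        fi
    done
}

# Usage: sh triage.sh PID [DIR...]   (e.g. sh triage.sh 25455)
if [ -n "${1:-}" ]; then
    proc_summary "$1"
    shift
    scan_scratch_dirs "$@"
fi
```

Run it as root against the PID from the ps line; compare the `exe` target with the command name ps shows, since a `[perl]` that resolves to a file under /tmp or a "(deleted)" path is exactly the kind of mismatch Bill is pointing at. The SUSPECT lines are a review list, not a verdict: legitimate software occasionally uses dotted names under /tmp, so check ownership, timestamps and contents before acting.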