security problem
Gilles Germon
ggermon at soubabere.fr
Mon Jun 30 01:14:16 PDT 2008
See the remarks section here:
http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=194.68.45.50&do_search=Search
Gilles
-----Original Message-----
From: linux-users-bounces at linux-sxs.org
[mailto:linux-users-bounces at linux-sxs.org] On behalf of David A. Bandel
Sent: Monday, June 30, 2008 00:48
To: Linux tips and tricks
Subject: security problem
Folks (Matt maybe?),
Hoping someone can help me out here. I found this running on a client's
server:
25454 ? Z 0:00 [perl] <defunct>
25455 ? S 7481:51 /hsphere/shared/apache/bin/httpd -DSSL
I included 25454 because apparently, perl spawned the activity (which
was in turn spawned by the web server). Running as user www-data (web
server).
Apparently been running since about 24 Jun. Netstat -pan has this to say:
tcp 0 1 192.168.8.2:55323 194.68.45.50:6667 SYN_SENT 25455/httpd -DSSL
I've blocked port 6667 outgoing. It keeps trying various IPs. Not
sure what it is, but doubt it's benign. Searches on port 6667 turn up
some things, but nothing substantial (i.e., lots of Windoze bots, but
nothing I can identify as Linux).
Any ideas?
TIA,
David A. Bandel
--
Focus on the dream, not the competition.
- Nemesis Air Racing Team motto
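Added example, not part of the original post or of either poster's tooling: a triage script that reads `netstat -pant` output and reports connections a web server process initiated itself, which is the pattern described above. The program names in WEB_SERVERS and every sample row except the 194.68.45.50 one are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in `netstat -pant` layout; only the 194.68.45.50 row is from the post.
SAMPLE = """\
tcp   0  0 0.0.0.0:80         0.0.0.0:*           LISTEN      25001/httpd -DSSL
tcp   0  0 0.0.0.0:443        0.0.0.0:*           LISTEN      25001/httpd -DSSL
tcp   0  0 192.168.8.2:443    203.0.113.7:51234   ESTABLISHED 25310/httpd -DSSL
tcp   0  1 192.168.8.2:55323  194.68.45.50:6667   SYN_SENT    25455/httpd -DSSL
tcp   0  0 192.168.8.2:22     198.51.100.9:40022  ESTABLISHED 1302/sshd: admin
"""

WEB_SERVERS = {"httpd", "apache2", "nginx"}  # assumed program names
IRC_PORTS = {6667}                           # the port reported in the post

def parse(text):
    """Yield (local_port, remote_ip, remote_port, state, pid, prog) per TCP row."""
    for line in text.splitlines():
        f = line.split(None, 6)  # the PID/Program column may contain spaces
        if len(f) < 7 or not f[0].startswith("tcp"):
            continue
        m = re.match(r"(\d+)/(\S+)", f[6])
        if not m:
            continue  # column is "-" when netstat ran without root
        rip, _, rport = f[4].rpartition(":")
        lport = int(f[3].rpartition(":")[2])
        yield lport, rip, rport, f[5], int(m.group(1)), m.group(2).rstrip(":")

def outbound_from_web_server(text):
    """Return web-server connections whose local port is not one it listens on."""
    rows = list(parse(text))
    listen = defaultdict(set)
    # Key listening ports by program name: workers have other PIDs than the parent.
    for lport, _, _, state, _, prog in rows:
        if state == "LISTEN":
            listen[prog].add(lport)
    findings = []
    for lport, rip, rport, state, pid, prog in rows:
        if prog not in WEB_SERVERS or state == "LISTEN" or lport in listen[prog]:
            continue  # not a web server, or an inbound client on 80/443
        findings.append({"pid": pid, "prog": prog, "remote": f"{rip}:{rport}",
                         "state": state, "irc": int(rport) in IRC_PORTS})
    return findings

if __name__ == "__main__":
    for hit in outbound_from_web_server(SAMPLE):
        print(hit)
```

A server that legitimately opens outbound connections (reverse proxy, database backend) will also be listed, so compare the remote addresses against known backends before drawing conclusions.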