Hello Marcin, thank you for your reply.

On Monday 30 August 2004 21:06, Marcin Owsiany wrote:
> On Mon, Aug 30, 2004 at 03:50:35PM +0200, Timo Veith wrote:
> > My question is, have I been hacked?
>
> Probably. Do you run PHP? Buggy PHP scripts are a common attack vector
> these days.

Yes, we do run PHP scripts a lot.

> > Could that be a CGI program gone wild?
>
> Yes, if the "pid changes" you noted are just independent processes. Less
> likely, if these are intentional fork()/exit() tricks done by one
> process (of course unless you don't trust your users).

Well, there are too many of them, so I cannot really trust all of them. I know, this doesn't make it any better. :(

> > Of course I could stop apache, but that's not what I want. I'd like to
> > figure out where this comes from.
>
> try "ls -l /proc/PID" and "ls -l /proc/PID/fd", these may reveal some
> useful information. Also run chkrootkit.

Thanks for this advice, it found the PWD of the command in the environ file under /proc/<pid>.

Let me tell you another strange thing. netstat -avp showed me that an apache process had an established connection from my box (source port was some high port) to a box in .jp (dest port 113). This made me curious. I added an iptables rule to the OUTPUT chain dropping all tcp packets to that box:port and guess what? My server was back idle again. No more 99 % cpu usage and the process now sits there (sleeping). It doesn't change the pid any more and I also can do an strace:

[EMAIL PROTECTED] [/proc/18305] strace -p 18305
connect(8, {sin_family=AF_INET, sin_port=htons(113), sin_addr=inet_addr("ip.of.remote.box")}, 16) = -1 ETIMEDOUT (Connection timed out)
close(8)                                = 0
dup(2)                                  = 8
fcntl64(8, F_GETFL)                     = 0x2 (flags O_RDWR)
fstat64(8, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 3), ...}) = 0
ioctl(8, SNDCTL_TMR_TIMEBASE, 0xbffff5d8) = -1 ENOTTY (Inappropriate ioctl for device)
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000
_llseek(8, 0, [0], SEEK_CUR)            = 0
write(8, "connect: Connection timed out\n", 30) = 30
close(8)                                = 0
munmap(0x40014000, 4096)                = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({30, 0}, {30, 0})             = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 8

And then it starts again connecting. I think this process tries to talk back to someone? Well, I am only guessing ...

I downloaded the ISO image from the F.I.R.E. Linux distribution to have some static binaries which I can trust. I burned the image to a cd which I then mounted and tried to execute some of them but I only get "su -: Permission denied":

[EMAIL PROTECTED] [/proc/18305] /mnt/cdrom/statbins/linux2.2_x86/who
su: /mnt/cdrom/statbins/linux2.2_x86/who: Permission denied
[EMAIL PROTECTED] [/proc/18305] uname -r
2.4.27

Is it maybe because binaries for linux 2.2 cannot be run on a 2.4 kernel?

Many thanks in advance
Timo

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
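The triage Timo did by hand (netstat to spot the apache child dialling out, /proc/PID/environ to recover its PWD, an OUTPUT-chain drop to starve the callback), collected into a few POSIX sh/awk helpers. This is an added example, not code from the thread or from Marcin's advice. It assumes the column layout of "netstat -antp" (Proto, Recv-Q, Send-Q, Local, Foreign, State, PID/Program); the netstat lines, pids and addresses below are constructed for the demo, using documentation address ranges rather than the real hosts.

```shell
#!/bin/sh
# Added example, not code from the thread above. Helpers for the triage the
# poster did by hand: find web-server children holding outbound connections
# (here to port 113), pull PWD out of /proc/PID/environ, and build the OUTPUT
# rule that cut the callback off. Assumes the column layout of "netstat -antp".
# The sample below is constructed; addresses are documentation ranges.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/apache
tcp        0      0 192.0.2.10:80           198.51.100.7:40212      ESTABLISHED 18305/apache
tcp        0      0 192.0.2.10:43311        203.0.113.5:113         SYN_SENT    18305/apache
tcp        0      0 192.0.2.10:43312        203.0.113.9:6667        ESTABLISHED 18310/apache
tcp        0      0 192.0.2.10:22           198.51.100.3:51022      ESTABLISHED 987/sshd'

# outbound_for_program PROG   (netstat -antp output on stdin)
# Prints "pid prog local foreign state" for every connection owned by PROG whose
# local port is not one PROG listens on, i.e. connections PROG itself opened.
# A web server has no reason to dial out, so anything printed deserves a look.
outbound_for_program() {
    awk -v prog="$1" '
        $1 != "tcp" && $1 != "tcp6" { next }       # headers, udp, unix sockets
        {
            split($7, pp, "/"); pid = pp[1]; name = pp[2]
            if (name != prog) next
            n = split($4, la, ":"); lport = la[n]  # last field: works for IPv6 too
            if ($6 == "LISTEN") { listening[lport] = 1; next }
            conns[++c] = pid " " name " " $4 " " $5 " " $6
            cport[c] = lport
        }
        END {
            for (i = 1; i <= c; i++)
                if (!(cport[i] in listening)) print conns[i]
        }'
}

# environ_var KEY   (raw, NUL-separated /proc/PID/environ on stdin)
# On a live box:  environ_var PWD < /proc/18305/environ
environ_var() {
    tr '\0' '\n' | awk -v key="$1" -F= '$1 == key { sub(/^[^=]*=/, ""); print; exit }'
}

# callback_block_rules HOST PORT
# Emits the poster's OUTPUT-chain drop, preceded by a LOG rule so each retry
# (the strace shows one every 30 s) leaves a syslog line. Pipe into sh as root.
callback_block_rules() {
    printf 'iptables -I OUTPUT 1 -p tcp -d %s --dport %s -j LOG --log-prefix "callback: "\n' "$1" "$2"
    printf 'iptables -I OUTPUT 2 -p tcp -d %s --dport %s -j DROP\n' "$1" "$2"
}

# proc_snapshot PID: what "ls -l /proc/PID" and friends give, in one go.
# Needs root for another user's process; not exercised by the demo below.
proc_snapshot() {
    p=/proc/$1
    printf 'exe: %s\ncwd: %s\n' "$(readlink "$p/exe")" "$(readlink "$p/cwd")"
    echo "--- open files (sockets and '(deleted)' binaries are the interesting ones)"
    ls -l "$p/fd"
    echo "--- environment"
    tr '\0' '\n' < "$p/environ"
}

if [ "${1-}" = demo ]; then
    printf '%s\n' "$SAMPLE_NETSTAT" | outbound_for_program apache
    callback_block_rules 203.0.113.5 113
fi
```

Saved as a script and run with the argument "demo", it flags the two apache children with self-initiated connections (the port 113 and port 6667 ones) and skips the ordinary inbound port 80 and sshd sessions, then prints the LOG and DROP rules in that order. Logging before dropping keeps the 30-second retry visible in syslog, which is useful evidence once the process itself has been killed.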