Hi list, I have a apache process which takes 99 % cpu. Its not common that a apache proc takes that much cpu on this system. I noticed it on my rrd load and cpu usage graph. It's on since yesterday about 22:00.
top also lists the process with a name of "exe". Running under the user id of www-data. I couldn't find it with ps auwwx until I tried some other params of ps. It looks to me like if it the process is somehow camouflaged. Could that be? [EMAIL PROTECTED] [~] ps -l -C exe F S UID PID PPID C PRI NI ADDR SZ WCHAN TTY TIME CMD 040 R 33 6358 1 89 77 0 - 370 - ? 00:00:04 exe [EMAIL PROTECTED] [~] ps -lf -C exe F S UID PID PPID C PRI NI ADDR SZ WCHAN STIME TTY TIME CMD 040 R www-data 6360 1 95 79 0 - 370 - 15:47 ? 00:00:04 /usr/sbin/apache I tried to strace the process, but I have to be fast. The pid changes every 15 seconds, according to top. [EMAIL PROTECTED] [~] ps -l -C exe F S UID PID PPID C PRI NI ADDR SZ WCHAN TTY TIME CMD 040 R 33 6398 1 99 77 0 - 370 - ? 00:00:03 exe [EMAIL PROTECTED] [~] strace -p 6398 --- SIGALRM (Alarm clock) --- As you can see, the process seems do die with SIGALARM. My question is, have I been hacked? Could that be a CGI program gone wild? Of course I could stop apache, but that's not what I want. I'd like to figure out where this comes from. TIA Timo