On Mon, Aug 30, 2004 at 03:50:35PM +0200, Timo Veith wrote: > My question is, have I been hacked?
Probably. Do you run PHP? Buggy PHP scripts are a common attack vector these days. > Could that be a CGI program gone wild? Yes, if the "pid changes" you noted are just independent processes. Less likely, if these are intentional fork()/exit() tricks done by one process (of course unless you don't trust your users). > Of course I could stop apache, but that's not what I want. I'd like to > figure out where this comes from. try "ls -l /proc/PID" and "ls -l /proc/PID/fd", these may reveal some useful information. Also run chkrootkit. Marcin -- Marcin Owsiany <[EMAIL PROTECTED]> http://marcin.owsiany.pl/ GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216