On Tuesday 11 July 2006 11:56, heba wrote:
> 2006/7/11, Joshua J. Kugler <[EMAIL PROTECTED]>:
> > OK, so I understand you can't kill a process in a 'D' state.  That makes
> > sense.
> >
> > But, why can't you kill a process in state 'R'?
> >
> > This is what ps aux shows:
> >
> > ftp        899 64.9  0.2  4164 2216 ?        RNs  Jun12 27137:59 proftpd: (accepting connections)
> >
> > BTW, top shows that process taking 100% CPU.
> >
> > Hmm...proftpd, oddly enough (as was the subject of the other recent
> > thread). Plain kill won't work.  Kill -9 will not kill it.  Right now, I
> > have it set at the lowest possible priority, until I get a chance to
> > reboot the machine, but is there anyway to kill an 'R' process when kill
> > -9 won't work?
> >
> > j
>
> seems a w32 or perhaps a backdoor seen the process run to ftp.

Win32?  Huh?  This is a Debian system.  Proftpd is locked (won't accept 
connections, even though it shows listening on *:ftp).

This is what top shows:

  899 ftp       39  19  4164 2216 3460 R 98.4  0.2  27190:02 proftpd

Output of lsof|grep proftpd

proftpd     899      ftp  cwd       DIR        9,1     4096          2 /
proftpd     899      ftp  rtd       DIR        9,1     4096          2 /
proftpd     899      ftp  txt       REG        9,1   568812     501112 /usr/sbin/proftpd
proftpd     899      ftp  mem       REG        9,1    90248     646521 /lib/ld-2.3.2.so
proftpd     899      ftp  mem       REG        9,1    18876     646565 /lib/tls/libcrypt-2.3.2.so
proftpd     899      ftp  mem       REG        9,1    11024     646488 /lib/libcap.so.1.10
proftpd     899      ftp  mem       REG        9,1    28880     646421 /lib/libwrap.so.0.7.6
proftpd     899      ftp  mem       REG        9,1    73304     646569 /lib/tls/libnsl-2.3.2.so
proftpd     899      ftp  mem       REG        9,1   198576     486306 /usr/lib/i686/cmov/libssl.so.0.9.7
proftpd     899      ftp  mem       REG        9,1  1029672     486305 /usr/lib/i686/cmov/libcrypto.so.0.9.7
proftpd     899      ftp  mem       REG        9,1    30360     646516 /lib/libpam.so.0.76
proftpd     899      ftp  mem       REG        9,1  1254468     646564 /lib/tls/libc-2.3.2.so
proftpd     899      ftp  mem       REG        9,1     9872     646566 /lib/tls/libdl-2.3.2.so
proftpd     899      ftp  mem       REG        9,1    34748     646572 /lib/tls/libnss_files-2.3.2.so
proftpd     899      ftp  mem       REG        9,1    28616     646570 /lib/tls/libnss_compat-2.3.2.so
proftpd     899      ftp  mem       REG        9,1    33440     646574 /lib/tls/libnss_nis-2.3.2.so
proftpd     899      ftp  mem       REG        9,1    13976     646571 /lib/tls/libnss_dns-2.3.2.so
proftpd     899      ftp  mem       REG        9,1    64924     646578 /lib/tls/libresolv-2.3.2.so
proftpd     899      ftp    0u     IPv4       2776                 TCP *:ftp (LISTEN)
proftpd     899      ftp    1uW     REG        9,2     1056     670463 /var/run/proftpd/proftpd.scoreboard
proftpd     899      ftp    4r      REG        9,1     1248     586047 /etc/group

So, if it's a back door, it's really good at opening all the right files to 
look like the real thing.

j

-- 
Joshua Kugler                           
Lead System Admin -- Senior Programmer
http://www.eeinternet.com
PGP Key: http://pgp.mit.edu/  ID 0xDB26D7CE
PO Box 80086 -- Fairbanks, AK 99708 -- Ph: 907-456-5581 Fax: 907-456-3111
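The thread above turns on what the 'R' in `ps`/`top` output means and why `kill -9` may not take effect on such a process. The following is an added example, not part of the original thread or of proftpd: a POSIX shell script that decodes a `/proc/PID/stat` line the way `ps` and `top` do, reads the state letter and the user/system CPU split, and, for a live PID, also shows the `exe` link and `wchan`. The constructed sample line, the 16-character `comm` field, and all function names are assumptions made for this example. The split matters because a runnable process whose CPU time is almost entirely system time is looping inside the kernel, and pending signals (SIGKILL included) are only acted on when the task next heads back toward user space; a task that never gets there is the classic unkillable 'R' process.

```shell
#!/bin/sh
# Added example (not from the thread): decode /proc/PID/stat the way ps/top do,
# so a process like the proftpd instance above can be characterised from a
# defender's seat: state letter, user vs system CPU time, exe link, wchan.

# Constructed sample stat line resembling the process in the thread.
# comm is the 16-char "proftpd: (accep": it contains a space AND a '(',
# which is exactly what breaks naive whitespace splitting of the line.
SAMPLE_STAT='899 (proftpd: (accep) R 1 899 899 0 -1 4194560 1200 0 3 0 150 1631250 0 0 39 19 1 0 12345 4263936 554'

# Everything after the LAST ')' in the line. Field 2 (comm) may hold spaces
# and parentheses, so the only safe split point is the final ')'.
stat_rest() {
    printf '%s\n' "${1##*\)}"
}

# Field 3: state letter (R running/runnable, S sleeping, D uninterruptible,
# T stopped, Z zombie). After stat_rest, it is positional parameter 1.
stat_state() {
    set -- $(stat_rest "$1")
    printf '%s\n' "$1"
}

# Fields 14 and 15 of stat: user and system CPU time in clock ticks.
# After stat_rest they are positional parameters 12 and 13.
stat_utime() {
    set -- $(stat_rest "$1")
    printf '%s\n' "${12}"
}
stat_stime() {
    set -- $(stat_rest "$1")
    printf '%s\n' "${13}"
}

# Human-readable meaning of a state letter.
state_meaning() {
    case "$1" in
        R)   echo 'running or runnable' ;;
        S)   echo 'interruptible sleep' ;;
        D)   echo 'uninterruptible sleep (usually I/O)' ;;
        T|t) echo 'stopped or traced' ;;
        Z)   echo 'zombie' ;;
        *)   echo 'unknown' ;;
    esac
}

# Exit 0 when system time exceeds user time: a runnable process burning CPU
# almost entirely in the kernel is spinning in kernel code, which is where a
# kill -9 on an 'R' process cannot take effect until the task leaves it.
mostly_kernel_time() {
    ut=$(stat_utime "$1")
    st=$(stat_stime "$1")
    [ "$st" -gt "$ut" ]
}

# One-line summary built purely from a stat line (testable offline).
stat_summary() {
    s=$(stat_state "$1")
    printf 'state=%s (%s) utime=%s stime=%s kernel-bound=%s\n' \
        "$s" "$(state_meaning "$s")" \
        "$(stat_utime "$1")" "$(stat_stime "$1")" \
        "$(mostly_kernel_time "$1" && echo yes || echo no)"
}

# Live version: read /proc for a real PID and add the exe link (a path ending
# in " (deleted)" or outside the expected location deserves a closer look)
# and wchan (the kernel function the task is waiting in; 0 when on-CPU).
proc_summary() {
    pid=$1
    [ -r "/proc/$pid/stat" ] || { echo "no such pid: $pid" >&2; return 1; }
    line=$(cat "/proc/$pid/stat")
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
    wchan=$(cat "/proc/$pid/wchan" 2>/dev/null || echo '?')
    printf 'pid=%s %s exe=%s wchan=%s\n' \
        "$pid" "$(stat_summary "$line")" "$exe" "$wchan"
}

# Demo: the constructed line, then any PIDs given on the command line.
stat_summary "$SAMPLE_STAT"
for pid in "$@"; do
    proc_summary "$pid"
done
```

Run it as `sh procstate.sh 899` to inspect a real PID; with no arguments it only decodes the constructed line. The one design point worth remembering for anyone writing detection logic over `/proc`: split on the last `)`, never on the first, because a process can set its own `comm` (as proftpd does with "proftpd: (accepting connections)") and a naive parser will read the wrong field.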

