Eben Goodman wrote:
I recently had an IRC exploit on my server running this eggdrop relay
thing via apache. I was able to find the offending files and remove
them and the eggdrop processes went away for a while, but now they are
back and try as I might I can't find any files that correspond to this
software. When viewing top it shows the eggdrop processes running as
apache. If I don't reboot the server for a couple days the eggdrop
apache processes start sucking up all CPU and gobbling bandwidth.
Has anyone else dealt with this?
thanks,
Eben

Eben -

If ps or top or whatnot properly displays the PID (you should not assume
this, but it's something to start with), you can:

    ls -la /proc/{pid}/

From there, if this is a poorly written trojan, you can examine 'exe'
and 'cwd', among many other useful files in that directory, to find out
where the trojan lives.
From there, you can also 'strace -p {pid}' to find out a little more
about what it's doing. Although this part is terribly vital, it will
teach you more about how these kinds of things work, what they do, where
they came from, and perhaps who is under control of it.
Hope that helps
-dant
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
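
A shell helper for the /proc check suggested in the reply above, added here as an example and not part of the original thread. It reads 'exe', 'cwd' and 'cmdline' for a PID and flags the case where Linux appends " (deleted)" to the exe link because the binary was unlinked after it started; the function names, the PROC_ROOT variable and the temp-directory heuristic are assumptions.

```shell
#!/bin/sh
# Added example: triage of /proc/{pid}/ for processes owned by one user.
# PROC_ROOT is an assumption so the functions can be pointed at a copied
# or constructed tree; on a live host leave it as /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# proc_link PID NAME -> target of /proc/PID/NAME (exe, cwd), "?" if unreadable
proc_link() {
    readlink "$PROC_ROOT/$1/$2" 2>/dev/null || echo "?"
}

# proc_cmdline PID -> argv with the NUL separators turned into spaces
proc_cmdline() {
    { tr '\0' ' ' < "$PROC_ROOT/$1/cmdline"; } 2>/dev/null | sed 's/ *$//'
}

# classify_exe PATH -> deleted | temp-dir | unreadable | ok
# "deleted": the kernel marks an unlinked binary with a " (deleted)" suffix.
# "temp-dir": heuristic (assumption) for world-writable locations.
classify_exe() {
    case "$1" in
        "?")                          echo unreadable ;;
        *" (deleted)")                echo deleted ;;
        /tmp/*|/var/tmp/*|/dev/shm/*) echo temp-dir ;;
        *)                            echo ok ;;
    esac
}

# triage_pid PID -> one tab-separated line: pid, verdict, exe, cwd, cmdline
triage_pid() {
    exe=$(proc_link "$1" exe)
    cwd=$(proc_link "$1" cwd)
    printf '%s\t%s\texe=%s\tcwd=%s\tcmd=%s\n' \
        "$1" "$(classify_exe "$exe")" "$exe" "$cwd" "$(proc_cmdline "$1")"
}

# triage_user USER -> triage every process owned by USER
triage_user() {
    for pid in $(ps -o pid= -u "$1"); do
        triage_pid "$pid"
    done
}

# Typical use, as root:  triage_user apache
```

A "deleted" verdict is consistent with processes that keep running although no matching file can be found on disk; the cmdline column is what ps and top display and is set by the process itself, so compare it against the exe column.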