Using lsof to look through weird files is useful too.

dan wrote:
> Eben Goodman wrote:
> 
>> I recently had an irc exploit on my server running this eggdrop relay
>> thing via apache.  I was able to find the offending files and remove
>> them and the eggdrop processes went away for awhile, but now they are
>> back and try as I might I can't find any files that correspond to this
>> software.  When viewing top it shows the eggdrop processes running as
>> apache.  If I don't reboot the server for a couple days the eggdrop
>> apache processes start sucking up all cpu and gobbling bandwidth.
>>
>> Has anyone else dealt with this?
>>
>> thanks,
>> Eben
>>
> 
> Eben -
> 
> If ps or top or whatnot properly displays the PID (you should not assume
> this, but it's something to start with), you can:
> 
> ls -la /proc/{pid}/
> 
> From there, if this is a poorly written trojan, you can examine 'exe'
> and 'cwd', among many other useful files in that directory, to find out
> where the trojan lives.
> 
> From there, you can also 'strace -p {pid}' to find out a little more
> about what it's doing.  Although this part is terribly vital, it will
> teach you more about how these kinds of things work, what they do, where
> they came from, and perhaps who is under control of it.
> 
> Hope that helps
> -dant
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: [EMAIL PROTECTED]
>   "   from the digest: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 
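The /proc walk dan describes, plus the lsof step mentioned at the top of this message, written up as a small triage script. This is an added example, not code from anyone in the thread: it assumes a Linux /proc, the process owner `apache` from Eben's report, and the hypothetical function names below. It also flags the situation Eben ran into, where the files were removed from disk but the processes keep running: `/proc/<pid>/exe` then reads as `path (deleted)`, and the binary can still be copied out of /proc for analysis.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Triage processes owned by
# one user by reading /proc/<pid>/exe and /proc/<pid>/cwd, as dan's reply
# suggests, and flag binaries that were unlinked while still running.
# Assumes Linux /proc; readlink on another user's /proc entries needs root.

# Classify the readlink target of /proc/<pid>/exe.
#   deleted    - executable was unlinked after start (kernel appends "(deleted)")
#   suspect    - lives under a world-writable or temporary location
#   unreadable - readlink returned nothing (no permission, or process gone)
#   ok         - anything else
classify_exe() {
    target=$1
    case "$target" in
        *" (deleted)")                  echo deleted ;;
        /tmp/*|/var/tmp/*|/dev/shm/*)   echo suspect ;;
        "")                             echo unreadable ;;
        *)                              echo ok ;;
    esac
}

# One line per process owned by $1 (default: apache):
#   <class> pid=<n> exe=<path> cwd=<path> cmd=<argv>
triage_user_procs() {
    user=${1:-apache}
    for pid in $(ps -o pid= -u "$user" 2>/dev/null); do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
        cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null)
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
        printf '%s\tpid=%s\texe=%s\tcwd=%s\tcmd=%s\n' \
            "$(classify_exe "$exe")" "$pid" "${exe:-?}" "${cwd:-?}" "$cmd"
    done
}

# Copy a deleted-but-running binary out of /proc for offline analysis:
# /proc/<pid>/exe still refers to the inode even though the path is gone.
preserve_exe() {
    pid=$1
    dest=$2
    cp "/proc/$pid/exe" "$dest" && sha256sum "$dest"
}

# Open files, sockets and deleted-but-open files of one PID (the lsof step).
list_open_files() {
    lsof -n -P -p "$1"
}

# Usage (run as root):
#   triage_user_procs apache
#   preserve_exe <pid> /root/evidence/apache-<pid>.bin
#   list_open_files <pid>
```

Run `triage_user_procs apache` first and look at any line starting with `deleted` or `suspect`; `preserve_exe` keeps a copy and hash of the running binary before you kill it, and `list_open_files` shows the IRC connections and any config files the process still holds open even if their directory was already removed.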
