Re: [users@httpd] irc eggdrop exploit woes

Eben Goodman wrote:
I recently had an irc exploit on my server running this eggdrop relay thing via apache. I was able to find the offending files and remove them and the eggdrop processes went away for a while, but now they are back and try as I might I can't find any files that correspond to this software. When viewing top it shows the eggdrop processes running as apache. If I don't reboot the server for a couple of days the eggdrop apache processes start sucking up all CPU and gobbling bandwidth.

Has anyone else dealt with this?

thanks,
Eben


Eben -

If ps or top or whatnot properly displays the PID (you should not assume this, but it's something to start with), you can:

ls -la /proc/{pid}/

From there, if this is a poorly written trojan, you can examine 'exe' and 'cwd', among many other useful files in that directory, to find out where the trojan lives.

From there, you can also 'strace -p {pid}' to find out a little more about what it's doing. Although this part is terribly vital, it will teach you more about how these kinds of things work, what they do, where they came from, and perhaps who is under control of it.

Hope that helps
-dant
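One way to collect the /proc facts dant lists for a suspicious PID (exe, cwd, cmdline, the process name top shows) and flag the two things that usually give a hidden IRC bot away: a binary unlinked after start and a working directory in a world-writable scratch area. This is an added example, not code from the thread; it assumes a Linux /proc, and the optional PROCROOT argument is a convenience of this script so the logic can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# inspect_pid PID [PROCROOT]
# Prints one key=value line per fact. Returns 0 when something suspicious was
# seen (binary deleted, or cwd under /tmp, /dev/shm, /var/tmp), 1 when nothing
# stood out, 2 when the PID does not exist. PROCROOT defaults to /proc.
inspect_pid() {
    pid="$1"
    root="${2:-/proc}"
    dir="$root/$pid"
    [ -d "$dir" ] || { echo "no such process: $pid" >&2; return 2; }

    # exe and cwd are symlinks maintained by the kernel; a process cannot lie
    # about them, which is why they beat the name shown by ps/top
    exe=$(readlink "$dir/exe" 2>/dev/null || echo "unreadable")
    cwd=$(readlink "$dir/cwd" 2>/dev/null || echo "unreadable")
    # cmdline is NUL-separated; turn the NULs into spaces for display
    cmd=$(tr '\0' ' ' < "$dir/cmdline" 2>/dev/null || true)
    # Name: in /proc/PID/status is what top prints; a program may set it freely
    name=$(awk '/^Name:/ {print $2; exit}' "$dir/status" 2>/dev/null || true)

    echo "pid=$pid"
    echo "name=$name"
    echo "exe=$exe"
    echo "cwd=$cwd"
    echo "cmdline=$cmd"

    suspicious=1
    # the kernel appends " (deleted)" when the executable was unlinked,
    # the classic way a bot hides after its files were "removed"
    case "$exe" in
        *" (deleted)") echo "flag=binary unlinked after start"; suspicious=0 ;;
    esac
    case "$cwd" in
        /tmp|/tmp/*|/dev/shm|/dev/shm/*|/var/tmp|/var/tmp/*)
            echo "flag=running from world-writable scratch dir"; suspicious=0 ;;
    esac
    return $suspicious
}

# usage: inspect.sh PID  (e.g. a PID that top reports under the apache user)
if [ "$#" -gt 0 ]; then
    inspect_pid "$@"
fi
```

Run it against every PID top reports under the apache user; a hit on either flag is the process to strace and to kill, and its exe path (minus the "(deleted)" suffix) and cwd are where to look for what re-spawns it.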

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
To unsubscribe from the digest, e-mail: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
