centos-bounces@xxxxxxxxxx <> scribbled on Wednesday, January 18, 2006 11:03 AM:

> From: centos-bounces@xxxxxxxxxx
> [mailto:centos-bounces@xxxxxxxxxx] On Behalf Of Jim Perrin
> Sent: Wednesday, January 18, 2006 5:38 AM
> To: CentOS mailing list
> Subject: Re: Process KOTFARE using 99% CPU
>
> On 1/18/06, Adriano Frare <alfrare@xxxxxxxxxxxx> wrote:
>> Dear Friends,
>>
>> I have process run in CENTOS 4.2 call kotfare that is using 99% CPU, it
>> run with owner apache.
>>
>> I kill process KOTFARE and restart apache, after some hours this process
>> return.
>>
>> I did find file with name *kotfare* and I didn't find.
>>
>> Please, help me.
>
> Well this doesn't sound in any way healthy. You're going to
> want to crawl through your apache logs and see if anything
> looks out of place.
> Odd GET or POST requests, SQL statements that don't look right etc.
> You might also want to look in /var/tmp and /tmp as well as
> in your DOCUMENT_ROOT, and remember to do an ls -la to show
> hidden directories. There are a couple of things out there
> that create a directory called ... in /var/tmp etc. You'll
> also want to look at your web software to make sure you're
> running secure versions etc. and make sure you've got all
> things updated.
>
> = = = = = =
>
> Based on this discussion
> http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=991357
> I think you have been hacked.
>
> The discussion talks about the author's clean up after his
> being hacked.
>
> Bruce

Google revealed this:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=991357

Mike
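
The file-system checks suggested in the quoted reply (hidden directories such as "..." in /tmp and /var/tmp, files left by the apache user), sketched as read-only shell functions. This is an added example, not part of the thread: the function names and the optional proc-root argument are assumptions, and proc_origin goes one step beyond the thread by reading the /proc/PID/exe and cwd links.

```shell
#!/bin/sh
# Read-only triage helpers for a suspicious process running as the web
# server user. Function names are hypothetical; the directories and the
# "apache" account come from the thread. Nothing here kills or deletes.

# Print hidden entries (names starting with a dot, including "...") under
# the given directories. A plain `ls` without -a does not show these.
find_hidden_entries() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -mindepth 1 -name '.*' 2>/dev/null
    done
}

# Print regular files under a directory that belong to the given owner
# (user name or numeric uid) and have the owner-execute bit set.
find_user_executables() {
    owner=$1; dir=$2
    [ -d "$dir" ] || return 0
    find "$dir" -type f -user "$owner" -perm -100 2>/dev/null
}

# Print where a PID's binary and working directory really are. The exe
# link still resolves after the file has been unlinked (the target then
# ends in " (deleted)"), so it can locate a binary that a search by file
# name does not. The second argument (assumed, for testing) overrides /proc.
proc_origin() {
    pid=$1; procroot=${2:-/proc}
    for link in exe cwd; do
        target=$(readlink "$procroot/$pid/$link" 2>/dev/null) || target='?'
        printf '%s=%s\n' "$link" "$target"
    done
}

# Usage: sh triage.sh PID   (run as root so other users' /proc links are readable)
if [ -n "${1:-}" ]; then
    find_hidden_entries /tmp /var/tmp
    find_user_executables apache /tmp
    find_user_executables apache /var/tmp
    proc_origin "$1"
fi
```

Run it before killing the process again: the exe and cwd links disappear with the process.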