[ale] anyone recognize this hack?
John Wells
jb at sourceillustrated.com
Wed Feb 1 13:35:46 EST 2006
My friend's box was hacked. The only way we caught it was the damned
process started soaking up 97% CPU usage and firing so many packets at
iptables that the firewall started to crawl.
The interesting thing was that one of the processes involved showed up as
"perl" in top, but if I toggled the command line display it showed as
"/usr/sbin/httpd". There is only httpd2 on this box, no httpd, so I cd'd
over into the proc directory for that process, cat'ed cmdline, and saw the same
thing. I assume that top simply reads from this file anyway.
When restarting his normal web server for a test, it said 443 was already
in use, so...see below. Is this familiar to anyone? I'm just curious if it
is a fairly common rootkit or not (or if you can even tell, which is
unlikely). I'd love to counter attack that IP, but it's probably a
compromised machine itself ;)
genesis:/var/log # lsof -iTCP:443
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sendmail: 3366 wwwrun 4u IPv6 7994 TCP *:https (LISTEN)
s 20533 wwwrun 4u IPv6 7994 TCP *:https (LISTEN)
genesis:/var/log # ps -ef | grep 20533
wwwrun 20533 1 0 Feb16 ? 00:00:00 /tmp/.tmp/public_html/s 67.15.63.112 53
wwwrun 20534 20533 0 Feb16 ? 00:00:00 [s] <defunct>
root 22778 22720 0 14:09 pts/1 00:00:00 grep 20533
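The two things that gave this one away, a task name in top ("perl") that disagrees with the command line ("/usr/sbin/httpd") and a listener launched from /tmp, can be checked across every PID on a Linux box. This is an added example, not code from the list post: it compares /proc/<pid>/comm, /proc/<pid>/cmdline and the /proc/<pid>/exe link, and the mismatch and scratch-directory rules are assumed triage heuristics (daemons that legitimately rewrite argv[0], like the "sendmail:" entry in the lsof output above, will also be listed for review).

```python
import os
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # world-writable scratch space

def check_process(comm, cmdline, exe):
    """Reasons a process looks like it is hiding what it really is, given
    comm (/proc/<pid>/comm, what top shows; <= 15 chars), cmdline (raw bytes of
    /proc/<pid>/cmdline, rewritable by the process) and exe (/proc/<pid>/exe
    link target, '' if unreadable)."""
    argv = [a.decode(errors="replace") for a in cmdline.split(b"\0") if a]
    if not argv:
        return []                        # kernel thread or zombie: nothing to compare
    findings = []
    argv0 = os.path.basename(argv[0])[:15]
    trusted = {comm, os.path.basename(exe)[:15]} - {""}
    # The post's case: comm is "perl" while argv[0] claims "/usr/sbin/httpd".
    # Heuristic: daemons that rewrite argv[0] (sendmail:, sshd:) also land here.
    if argv0 not in trusted:
        findings.append(f"argv[0] {argv[0]!r} matches neither comm {comm!r} nor exe {exe!r}")
    if exe.endswith(" (deleted)"):
        findings.append("executable was unlinked after start")
    for path in [exe] + argv:
        if path.startswith(SUSPECT_DIRS):
            findings.append(f"runs from world-writable scratch dir: {path}")
            break
    return findings

def scan_proc(proc="/proc"):
    """Run check_process over every live PID; returns {pid: [reasons]}. Run as root to read exe."""
    hits = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        base = os.path.join(proc, pid)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().rstrip("\n")
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read()
        except OSError:
            continue                      # process exited while we were reading
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = ""                      # another user's process, or already gone
        reasons = check_process(comm, cmdline, exe)
        if reasons:
            hits[pid] = reasons
    return hits

if __name__ == "__main__":
    for pid, reasons in sorted(scan_proc().items(), key=lambda kv: int(kv[0])):
        print(pid, *reasons, sep="\n  ")
```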