
Date:  Wed, 19 Jul 2006 19:57:18 +0800
From:  patricko <patricko (at mark) staff.singnet.com.sg>
Subject:  [coba-e:06055] Re: vunerable
To:  coba-e (at mark) bluequartz.org
Cc:  dennis (at mark) mixfans.org
Message-Id:  <20060719195718.18b7fd1f (at mark) localhost.localdomain>
In-Reply-To:  <44BDDB98.6030600 (at mark) mixfans.org>
References:  <27718190-A66C-4995-A501-E50CF1F0B24E (at mark) mfc.bakkers.gr.jp>	<44BD2501.7070305 (at mark) dogsbody.org>	<44BDBA65.70705 (at mark) mixfans.org>	<44BDDB98.6030600 (at mark) mixfans.org>
X-Mail-Count: 06055

hi,


   'love to catch a mouse.'

   Simple.

   chkrootkit, find hidden processes

   cd /proc

   # one line per process: its argv (cmdline is NUL-separated, so turn the NULs into spaces) followed by the PID
   for i in [0-9]*; do test -f $i/cmdline && (tr '\0' ' ' < $i/cmdline; echo $i); done

   *** find the hidden process PID and kill it ***


Cheers
patrick 
 



On Wed, 19 Jul 2006 09:13:28 +0200
Dennis <dennis (at mark) mixfans.org> wrote:

> Okay, found it... maybe this story helps and maybe some suggestions can 
> come for getting more control over the system
> 
> Somewhere back on Feb 13 a user was created and this user was sitting in 
> my site1
> this user had in its folder:
> aha.c
> bind
> cgi.php
> *.pl
> 
> How the user could be created is still unknown to me, so maybe a script 
> can be added that sends info to the admin when a user is created on the 
> system?
> 
> I found this user by checking which files were changed the last few days, 
> as I had seen weird errors on the 16th of July
> (httpd could not start as a session took over port 80)
> 
> Today I noticed the cron errors. It seems that the ghost user tried to test 
> a vulnerability from last week:
> http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=140158&affid=102
> 
> Are there any other tools which could be used / installed to monitor 
> such httpd actions?
> 
> Dennis
> 
> 
> Dennis wrote:
> > Suddenly I get this admin messages:
> >
> > chown root:root /dev/shm/nice2k && chmod 4755 /dev/shm/nice2k && rm 
> > -rf /etc/cron.d/core && kill -USR1 3286
> >
> > chown: cannot access `/dev/shm/nice2k': No such file or directory
> >
> > it seems that someone 'broke' into my system, but how to see what 
> > happened and where ..
> > dennis
> >
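Patrick's /proc walk, written out as a complete script that actually does the comparison against ps. This is an added example, not code from the original mail: it takes a ps snapshot, lists the numeric entries in /proc, and reports any PID the kernel shows that ps does not, together with its argv. It assumes a procfs-style /proc and a ps that accepts `-e -o pid=` (procps or busybox); the function names are my own.

```sh
#!/bin/sh
# Added example: find processes that /proc shows but ps does not.
# Assumes a procfs-style /proc and a ps that accepts "-e -o pid="
# (procps or busybox). Function names are my own, not from the thread.

# list_proc_pids: every numeric entry in /proc, i.e. what the kernel admits to.
list_proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] || continue          # no /proc: the glob stays literal, skip it
        printf '%s\n' "${d#/proc/}"
    done
}

# list_ps_pids: what the (possibly trojaned) ps binary admits to.
list_ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# compare_pid_lists PROC_PIDS PS_PIDS
# Both are newline-separated lists. Prints the PIDs present in the first
# list but absent from the second, one per line.
compare_pid_lists() {
    printf '%s\n' "$1" | while IFS= read -r pid; do
        [ -n "$pid" ] || continue
        printf '%s\n' "$2" | grep -qx -- "$pid" || printf '%s\n' "$pid"
    done
}

# cmdline_of PID: the process's argv with the NUL separators turned into spaces.
cmdline_of() {
    [ -r "/proc/$1/cmdline" ] && tr '\0' ' ' < "/proc/$1/cmdline"
}

# hidden_pids: print "PID argv" for each process that ps failed to report.
# The ps snapshot is taken first, so a process that exits between the two
# listings is not flagged; one that starts in between can be, which is why
# a hit should be confirmed by a second run before anything is killed.
hidden_pids() {
    ps_now=$(list_ps_pids)
    proc_now=$(list_proc_pids)
    for pid in $(compare_pid_lists "$proc_now" "$ps_now"); do
        printf '%s %s\n' "$pid" "$(cmdline_of "$pid")"
    done
}

hidden_pids
```

Run it as root so every cmdline is readable, and run it twice: a PID reported both times is the one to look at. Note what this check can and cannot see: a userland rootkit that replaces ps (or hooks readdir via LD_PRELOAD) is caught because the shell reads /proc directly, but a kernel-level rootkit that filters /proc itself will lie to this script as well, which is why chkrootkit's other tests, or a boot from clean media, are still needed.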
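For Dennis's request for something that tells the admin when an account appears, here is an added example (not from the thread and not a BlueQuartz feature): it keeps a root-owned copy of /etc/passwd as a baseline and reports every login name in the live file that is not in the baseline, flagging UID 0 accounts. The baseline path /var/lib/passwd-baseline and the function names are assumptions.

```sh
#!/bin/sh
# Added example: report accounts that exist in /etc/passwd but not in a saved
# baseline, so a cron job can alert the admin when a user is created.
# The baseline path and the function names are assumptions, not from the thread.

# new_accounts BASELINE CURRENT
# Both files are passwd(5) format. Prints "name:uid:home:shell" for every
# account in CURRENT whose login name is absent from BASELINE; a UID-0 account
# is marked, since a second root-equivalent login is the classic backdoor.
new_accounts() {
    [ -s "$1" ] || { echo "new_accounts: empty baseline $1" >&2; return 2; }
    awk -F: '
        NR == FNR { known[$1] = 1; next }          # first file: remember names
        !($1 in known) {
            flag = ($3 == 0) ? " (UID 0!)" : ""
            print $1 ":" $3 ":" $6 ":" $7 flag
        }' "$1" "$2"
}

# check_accounts [BASELINE]
# The first run stores the baseline; later runs print any additions and return
# 1, so a cron line can send mail only when something changed.
check_accounts() {
    baseline=${1:-/var/lib/passwd-baseline}   # assumed location, root-owned
    if [ ! -s "$baseline" ]; then
        cp /etc/passwd "$baseline" && chmod 600 "$baseline"
        return 0
    fi
    added=$(new_accounts "$baseline" /etc/passwd) || return 2
    [ -n "$added" ] || return 0
    printf 'New accounts on %s since baseline:\n%s\n' "$(hostname)" "$added"
    return 1
}

# Standalone use: sh check_accounts.sh --run [BASELINE]
if [ "$1" = "--run" ]; then
    shift
    check_accounts "$@"
fi
```

A cron entry along the lines of `out=$(/usr/local/sbin/check_accounts.sh --run) || echo "$out" | mail -s "new account" root` sends mail only on a hit. Once an account is legitimately added, refresh the baseline by deleting it and running the script again. The baseline must live somewhere the web-server user cannot write, otherwise an intruder who got as far as creating users can simply update it.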