httpd-users mailing list archives

From dan <i...@hostinthebox.net>
Subject Re: [users@httpd] irc eggdrop exploit woes
Date Mon, 06 Jun 2005 23:42:44 GMT
Eben Goodman wrote:
> I recently had an irc exploit on my server running this eggdrop relay 
> thing via apache.  I was able to find the offending files and remove 
> them and the eggdrop processes went away for awhile, but now they are 
> back and try as I might I can't find any files that correspond to this 
> software.  When viewing top it shows the eggdrop processes running as 
> apache.  If I don't reboot the server for a couple days the eggdrop 
> apache processes start sucking up all cpu and gobbling bandwidth.
> 
> Has anyone else dealt with this?
> 
> thanks,
> Eben
> 

Eben -

If ps or top or whatnot properly displays the PID (you should not assume 
this, but it's something to start with), you can:

ls -la /proc/{pid}/

From there, if this is a poorly written trojan, you can examine 'exe'
and 'cwd', among many other useful files in that directory, to find out 
where the trojan lives.

From there, you can also 'strace -p {pid}' to find out a little more
about what it's doing.  Although this part is terribly vital, it will 
teach you more about how these kinds of things work, what they do, where 
they came from, and perhaps who is under control of it.

Hope that helps
-dant

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
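
The /proc walk described in this reply, generalized to every process owned by one user, as an added example that is not part of the original message. The function names, the `name-mismatch` heuristic and the sample tree (PIDs and paths) are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: triage a user's processes through /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"   # overridable to point at a constructed tree

# Print exe, cwd and argv for one PID. Returns 0 if flagged, 1 if not, 2 if gone.
inspect_pid() (
    pid="$1"; dir="$PROC_ROOT/$pid"; flags=""
    [ -d "$dir" ] || return 2
    exe=$(readlink "$dir/exe" 2>/dev/null) || exe="?"
    cwd=$(readlink "$dir/cwd" 2>/dev/null) || cwd="?"
    # cmdline is NUL-separated and can be rewritten by the process: a claim, not a fact
    cmd=$( { tr '\0' ' ' < "$dir/cmdline"; } 2>/dev/null )
    cmd=${cmd% }; argv0=${cmd%% *}
    # Linux appends " (deleted)" to the exe link once the binary has been unlinked
    case "$exe" in *" (deleted)") flags="exe-deleted"; exe=${exe%" (deleted)"} ;; esac
    # Heuristic (assumption): name shown by ps/top (argv[0]) differs from the real binary
    if [ "$exe" != "?" ] && [ -n "$argv0" ] && [ "${argv0##*/}" != "${exe##*/}" ]; then
        flags="${flags:+$flags,}name-mismatch"
    fi
    printf 'pid=%s exe=%s cwd=%s argv=%s flags=%s\n' "$pid" "$exe" "$cwd" "$cmd" "${flags:-none}"
    [ -n "$flags" ]
)

# Inspect every process owned by a numeric uid (GNU or busybox stat assumed).
# Returns 0 if at least one process was flagged.
scan_uid() (
    uid="$1"; hits=0
    for d in "$PROC_ROOT"/[0-9]*; do
        [ -d "$d" ] || continue
        [ "$(stat -c %u "$d" 2>/dev/null)" = "$uid" ] || continue
        if inspect_pid "${d##*/}"; then hits=$((hits + 1)); fi
    done
    echo "flagged=$hits"
    [ "$hits" -gt 0 ]
)

# Constructed sample: a fake /proc tree with one masquerading and one normal process.
make_demo_tree() (
    t=$(mktemp -d) || return 1
    mkdir "$t/4242" "$t/4243"
    ln -s "/var/tmp/.x/eggdrop (deleted)" "$t/4242/exe"; ln -s /var/tmp/.x "$t/4242/cwd"
    ln -s /usr/sbin/httpd "$t/4243/exe"; ln -s / "$t/4243/cwd"
    printf '/usr/sbin/httpd\0-k\0start\0' | tee "$t/4242/cmdline" > "$t/4243/cmdline"
    echo "$t"
)

# Live use, as root so other users' links are readable: sh triage.sh apache
if [ "$#" -gt 0 ]; then scan_uid "$(id -u "$1")"; fi
```

On a live host, `cp /proc/<pid>/exe` still reads a binary flagged `exe-deleted` while the process is running, so a copy can be kept for analysis before the process is killed.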

