[CentOS] I appear to be attacking others
Ignacio Vazquez-Abrams
ivazquez at ivazquez.net
Sun Feb 5 08:36:20 UTC 2006
On Sun, 2006-02-05 at 03:27 -0500, James Pifer wrote:
> > Looks like someone may have guessed the password to this account. Use
> > "netstat -plan" to find out what PID 15763 is connected to.
> >
>
> The foreign address is coming from a whole bunch of different places.
Okay, we'll kill it after, but don't do it just yet.
> > > hotmail 6445 0.0 0.1 4428 856 pts/3 S Feb04 0:00 |
> > > \_ /bin/sh ./s 63.200.0.0/16
> > > hotmail 6446 0.1 0.0 308976 484 pts/3 Sl Feb04 1:25 |
> > > | \_ ./f -h 63.200.0.0 16 -u users -p pass -t 3 -c 30 -o log -d -k -C
> >
> > Also find out what these 2 executables are about. If they're binary then
> > run strings on them.
> >
>
> How do I tell where these executables are? And when I find them, how do
> I run strings on them?
Find one of the processes that's still alive and do "ls -l /proc/<pid>".
That will give you some info about it. The exe entry should be a link to
the executable itself.
--
Ignacio Vazquez-Abrams <ivazquez at ivazquez.net>
http://centos.ivazquez.net/
gpg --keyserver hkp://subkeys.pgp.net --recv-key 38028b72
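
The /proc lookup and the "strings" step described in the message above, as an added example that is not part of the original post: a small triage script that records what a suspicious PID is running and preserves a copy of its executable before the process is killed. The function names and the evidence directory layout are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: triage a suspicious process through /proc before killing it.
# Function names and the evidence directory layout are assumptions.

# Print "key=value" facts about a PID, read from /proc/<pid>.
proc_facts() {
    local pid="$1" p="/proc/$1" exe
    [ -d "$p" ] || { echo "error=no such process $pid" >&2; return 1; }
    # Reading another user's exe link needs root or the same UID.
    exe=$(readlink "$p/exe") || { echo "error=cannot read $p/exe" >&2; return 1; }
    echo "pid=$pid"
    echo "exe=$exe"
    # The kernel appends " (deleted)" when the file was unlinked after exec,
    # a common sign that someone tried to hide the binary.
    case "$exe" in
        *" (deleted)") echo "exe_deleted=yes" ;;
        *)             echo "exe_deleted=no" ;;
    esac
    # cwd usually points at the directory the tool was unpacked into.
    echo "cwd=$(readlink "$p/cwd")"
    # cmdline is NUL-separated; turn the separators into spaces.
    echo "cmdline=$(tr '\000' ' ' < "$p/cmdline" | sed 's/ $//')"
    echo "uid=$(awk '/^Uid:/ {print $2}' "$p/status")"
}

# Copy the running image out of /proc/<pid>/exe (this works even if the
# on-disk file was deleted), then record its hash and printable strings.
preserve_exe() {
    local pid="$1" out="$2"
    mkdir -p "$out" || return 1
    cp "/proc/$pid/exe" "$out/$pid.exe" || return 1
    chmod 0400 "$out/$pid.exe"
    sha256sum "$out/$pid.exe" > "$out/$pid.sha256"
    if command -v strings >/dev/null 2>&1; then
        strings -a "$out/$pid.exe" > "$out/$pid.strings"
    fi
    echo "$out/$pid.exe"
}

# Usage: sh triage.sh <pid> [evidence-dir]
if [ $# -ge 1 ]; then
    proc_facts "$1" && preserve_exe "$1" "${2:-./evidence}"
fi
```

Run it while the process is still alive, since /proc/<pid> disappears as soon as the process exits.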