[CentOS] I appear to be attacking others

Ignacio Vazquez-Abrams ivazquez at ivazquez.net
Sun Feb 5 08:36:20 UTC 2006


On Sun, 2006-02-05 at 03:27 -0500, James Pifer wrote:
> > Looks like someone may have guessed the password to this account. Use
> > "netstat -plan" to find out what PID 15763 is connected to.
> > 
> 
> The foreign address is coming from a whole bunch of different places. 

Okay, we'll kill it after, but don't do it just yet.

> > > hotmail   6445  0.0  0.1  4428  856 pts/3    S    Feb04   0:00  |
> > > \_ /bin/sh ./s 63.200.0.0/16
> > > hotmail   6446  0.1  0.0 308976 484 pts/3    Sl   Feb04   1:25  |
> > > |   \_ ./f -h 63.200.0.0 16 -u users -p pass -t 3 -c 30 -o log -d -k -C
> > 
> > Also find out what these 2 executables are about. If they're binary then
> > run strings on them.
> > 
> 
> How do I tell where these executables are? And when I find them, how do
> I runs strings on them?

Find one of the processes that's still alive and do "ls -l /proc/<pid>".
That will give you some info about it. The exe entry should be a link to
the executable itself.

-- 
Ignacio Vazquez-Abrams <ivazquez at ivazquez.net>
http://centos.ivazquez.net/

gpg --keyserver hkp://subkeys.pgp.net --recv-key 38028b72
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://lists.centos.org/pipermail/centos/attachments/20060205/d1ee055a/attachment.sig>


More information about the CentOS mailing list