On Sun, 2006-02-05 at 03:27 -0500, James Pifer wrote:
Looks like someone may have guessed the password to this account. Use "netstat -plan" to find out what PID 15763 is connected to.
The foreign address is coming from a whole bunch of different places.
Okay, we'll kill it after, but don't do it just yet.
hotmail 6445 0.0 0.1 4428 856 pts/3 S Feb04 0:00 | _ /bin/sh ./s 63.200.0.0/16
hotmail 6446 0.1 0.0 308976 484 pts/3 Sl Feb04 1:25 | | _ ./f -h 63.200.0.0 16 -u users -p pass -t 3 -c 30 -o log -d -k -C
Also find out what these 2 executables are about. If they're binary then run strings on them.
How do I tell where these executables are? And when I find them, how do I run strings on them?
Find one of the processes that's still alive and do "ls -l /proc/<pid>". That will give you some info about it. The exe entry should be a link to the executable itself.
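The /proc inspection suggested in the last reply, written out as a triage script. This is an added example, not part of the original thread; it assumes a Linux /proc filesystem and root or process-owner access, and the function names are hypothetical. For a script launched as `/bin/sh ./s`, the exe link resolves to the shell itself, so the working directory is what locates the script file.

```shell
#!/bin/sh
# Added triage sketch: inspect a live process through /proc before killing it.
# Function names are hypothetical. Linux only.

# Path the kernel recorded for the executable. If the file was unlinked
# after launch, the kernel appends " (deleted)" to the link target.
proc_exe_path() { readlink "/proc/$1/exe"; }

# Directory the process is running in; a relative path such as ./s or ./f
# on the command line is relative to this directory.
proc_cwd() { readlink "/proc/$1/cwd"; }

# Command line with its NUL separators turned into spaces.
proc_cmdline() { tr '\0' ' ' < "/proc/$1/cmdline"; }

# Copy the running image to a file for offline analysis. This works even
# when the on-disk file was deleted, because /proc/<pid>/exe still refers
# to the open inode for as long as the process is alive.
proc_save_exe() { cp "/proc/$1/exe" "$2"; }

proc_triage() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "pid $pid is not running" >&2; return 1; }
    exe=$(proc_exe_path "$pid") || { echo "cannot read exe link" >&2; return 1; }
    echo "exe:     $exe"
    echo "cwd:     $(proc_cwd "$pid")"
    echo "cmdline: $(proc_cmdline "$pid")"
    case $exe in
        *" (deleted)") echo "note: file unlinked; save a copy with proc_save_exe" ;;
    esac
    # Printable strings straight from the live image (first 40 only).
    if command -v strings >/dev/null 2>&1; then
        echo "strings:"
        strings -n 6 "/proc/$pid/exe" | head -n 40
    fi
}

# Usage: sh triage.sh <pid>
if [ $# -gt 0 ]; then
    proc_triage "$1"
fi
```

Run it while the process is still alive; once the process exits, its /proc entry and any deleted executable behind it are gone.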