[CentOS] I appear to be attacking others
Ignacio Vazquez-Abrams
ivazquez at ivazquez.net
Sun Feb 5 08:18:59 UTC 2006
On Sun, 2006-02-05 at 03:07 -0500, James Pifer wrote:
> > The first thing to do is run "ps auxfwwww" and look for anything that
> > looks out of place. Feel free to post it here if you need help.
>
> The only thing that looks out of place to me is the section of things
> being done by my hotmail account. I do have a hotmail account that I
> forward mail to using gotmail. Other than that I don't see anything
> obvious.
> root 2392 0.0 0.2 5244 1232 ? Ss 2005 0:16 /usr/sbin/sshd
> root 15763 0.0 0.3 8020 1676 ? Ss Feb03 0:00 \_ sshd: hotmail [priv]
> hotmail 15765 0.0 0.3 8184 1724 ? S Feb03 0:03 | \_ sshd: hotmail@pts/7
Looks like someone may have guessed the password to this account. Use
"netstat -plan" to find out what PID 15763 is connected to.
> hotmail 6445 0.0 0.1 4428 856 pts/3 S Feb04 0:00 | \_ /bin/sh ./s 63.200.0.0/16
> hotmail 6446 0.1 0.0 308976 484 pts/3 Sl Feb04 1:25 | | \_ ./f -h 63.200.0.0 16 -u users -p pass -t 3 -c 30 -o log -d -k -C
Also find out what these 2 executables are about. If they're binary then
run strings on them.
And most importantly, run "usermod -s /sbin/nologin hotmail".
--
Ignacio Vazquez-Abrams <ivazquez at ivazquez.net>
http://centos.ivazquez.net/
gpg --keyserver hkp://subkeys.pgp.net --recv-key 38028b72
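
The triage steps in this reply (see what runs beneath the suspicious sshd session, then ask netstat what that PID is connected to) can be scripted as below. This is an added example, not part of the original message; the sample ps and netstat text is constructed, with PIDs borrowed from the thread and the parent links and addresses (documentation ranges) assumed.

```shell
#!/bin/sh
# Sample text is constructed: PIDs echo the thread, parent links and
# addresses are assumed for illustration.
# Stand-in for: ps -eo pid,ppid,user,args
SAMPLE_PS='  PID  PPID USER     COMMAND
 2392     1 root     /usr/sbin/sshd
15763  2392 root     sshd: hotmail [priv]
15765 15763 hotmail  sshd: hotmail@pts/7
15766 15765 hotmail  -bash
 6445 15766 hotmail  /bin/sh ./s
 6446  6445 hotmail  ./f
 3101  2392 root     sshd: admin [priv]'

# Stand-in for: netstat -plan
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address    Foreign Address     State       PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*           LISTEN      2392/sshd
tcp        0     48 192.0.2.10:22    198.51.100.7:51234  ESTABLISHED 15763/sshd: hotmail
tcp        0      0 192.0.2.10:22    203.0.113.9:40022   ESTABLISHED 3101/sshd: admin
udp        0      0 0.0.0.0:68       0.0.0.0:*                       1811/dhclient'

# descendants PID: read ps text on stdin, print every PID below PID in the tree.
descendants() {
    awk -v root="$1" '
        NR > 1 { parent[$1] = $2; order[++n] = $1 }
        END {
            want[root] = 1
            # Repeat until no new child is found; PID order is not tree order.
            do {
                grew = 0
                for (i = 1; i <= n; i++) {
                    p = order[i]
                    if (!(p in want) && (parent[p] in want)) { want[p] = 1; grew = 1; print p }
                }
            } while (grew)
        }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# peers PID: read netstat text on stdin, print remote endpoints of its sockets.
# The owner column is found by pattern because UDP rows have no State field.
peers() {
    awk -v pid="$1" '
        $1 ~ /^(tcp|udp)/ {
            for (i = 6; i <= NF; i++)
                if ($i ~ ("^" pid "/")) { print $5; break }
        }'
}

echo "below 15763: $(printf '%s\n' "$SAMPLE_PS" | descendants 15763)"
echo "peer of 15763: $(printf '%s\n' "$SAMPLE_NETSTAT" | peers 15763)"
```

On a live host, pipe the real output of "ps -eo pid,ppid,user,args" and "netstat -plan" (run as root so the PID column is filled in) into the two functions instead of the sample variables.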