On Sun, 2006-02-05 at 03:07 -0500, James Pifer wrote:
> > The first thing to do is run "ps auxfwwww" and look for anything that
> > looks out of place. Feel free to post it here if you need help.
>
> The only thing that looks out of place to me is the section of things
> being done by my hotmail account. I do have a hotmail account that I
> forward mail to using gotmail. Other than that I don't see anything
> obvious.

> root 2392 0.0 0.2 5244 1232 ? Ss 2005 0:16 /usr/sbin/sshd
> root 15763 0.0 0.3 8020 1676 ? Ss Feb03 0:00 \_ sshd: hotmail [priv]
> hotmail 15765 0.0 0.3 8184 1724 ? S Feb03 0:03 | \_ sshd: hotmail at pts/7

Looks like someone may have guessed the password to this account. Use
"netstat -plan" to find out what PID 15763 is connected to.

> hotmail 6445 0.0 0.1 4428 856 pts/3 S Feb04 0:00 | \_ /bin/sh ./s 63.200.0.0/16
> hotmail 6446 0.1 0.0 308976 484 pts/3 Sl Feb04 1:25 | | \_ ./f -h 63.200.0.0 16 -u users -p pass -t 3 -c 30 -o log -d -k -C

Also find out what these 2 executables are about. If they're binary then
run strings on them.

And most importantly, run "usermod -s /sbin/nologin hotmail".

--
Ignacio Vazquez-Abrams <ivazquez at ivazquez.net>
http://centos.ivazquez.net/
gpg --keyserver hkp://subkeys.pgp.net --recv-key 38028b72
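
A triage helper for the step "find out what these 2 executables are about", added here as an example and not part of the original message. It assumes input in the format of `ps -eo user,pid,args`; the function names and the sample listing are constructed for illustration, modelled on the output quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): flag processes started from a
# relative path, the pattern that stands out in the quoted ps listing.

# Constructed sample in `ps -eo user,pid,args` format.
sample_ps() {
cat <<'EOF'
USER       PID COMMAND
root      2392 /usr/sbin/sshd
root     15763 sshd: hotmail [priv]
hotmail  15765 sshd: hotmail@pts/7
hotmail   6445 /bin/sh ./s 63.200.0.0/16
hotmail   6446 ./f -h 63.200.0.0 16 -u users -p pass -t 3 -c 30 -o log -d -k -C
EOF
}

# Read a ps listing on stdin and print "user pid program" for each process
# run from a relative path, either directly (./f) or as a script handed to
# a shell (/bin/sh ./s). System daemons are normally started by full path.
flag_relative_exec() {
    awk 'NR > 1 {
        prog = ""
        if ($3 ~ /^\.\.?\//)
            prog = $3
        else if ($3 ~ /(^|\/)(sh|bash|dash|ksh)$/ && $4 ~ /^\.\.?\//)
            prog = $4
        if (prog != "") print $1, $2, prog
    }'
}

# On the live host, record what a flagged PID really is before it exits:
# /proc/PID/exe points at the binary (still readable if the file was
# deleted) and /proc/PID/cwd is the directory the relative path refers to.
inspect_pid() {
    pid=$1
    ls -l "/proc/$pid/exe" "/proc/$pid/cwd" 2>/dev/null
    cat "/proc/$pid/cmdline" 2>/dev/null | tr '\0' ' '
    echo
}

# Demo on the constructed sample; on a real host use:
#   ps -eo user,pid,args | flag_relative_exec
sample_ps | flag_relative_exec
```

Run `inspect_pid` as root for each flagged PID before killing the process, since the `/proc` entries disappear when it exits.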