On Sun, 2006-02-05 at 03:27 -0500, James Pifer wrote:
> > Looks like someone may have guessed the password to this account. Use
> > "netstat -plan" to find out what PID 15763 is connected to.
> >
>
> The foreign address is coming from a whole bunch of different places.

Okay, we'll kill it after, but don't do it just yet.

> > > hotmail 6445 0.0 0.1 4428 856 pts/3 S Feb04 0:00 |
> > > \_ /bin/sh ./s 63.200.0.0/16
> > > hotmail 6446 0.1 0.0 308976 484 pts/3 Sl Feb04 1:25 |
> > > | \_ ./f -h 63.200.0.0 16 -u users -p pass -t 3 -c 30 -o log -d -k -C
> >
> > Also find out what these 2 executables are about. If they're binary then
> > run strings on them.
> >
>
> How do I tell where these executables are? And when I find them, how do
> I run strings on them?

Find one of the processes that's still alive and do "ls -l /proc/<pid>".
That will give you some info about it. The exe entry should be a link to
the executable itself.

-- 
Ignacio Vazquez-Abrams <ivazquez at ivazquez.net>
http://centos.ivazquez.net/

gpg --keyserver hkp://subkeys.pgp.net --recv-key 38028b72
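
The /proc lookup described in the reply above, as an added example that is not part of the original thread: it resolves the exe and cwd links for a live PID, then copies the binary out through /proc/<pid>/exe and runs strings on the copy. The function names and the output directory layout are assumptions of this example.

```shell
#!/bin/sh
# Added example: triage a still-running process through /proc before it is
# killed. Function names and output file names are this example's own.

# proc_exe PID -> path of the running binary. The kernel appends " (deleted)"
# when the file was unlinked after the process started.
proc_exe() {
    readlink "/proc/$1/exe"
}

# proc_cmdline PID -> argv, with the NUL separators turned into spaces.
proc_cmdline() {
    tr '\0' ' ' < "/proc/$1/cmdline" | sed 's/ $//'
}

# proc_triage PID [OUTDIR] -> print exe, cwd and argv, then save a copy of the
# binary, its SHA-256, its printable strings and its open file descriptors.
# Reading /proc/PID/exe works even if the on-disk file has been deleted, as
# long as the process is still alive. Run as root or as the owning user.
proc_triage() {
    t_pid=$1
    t_out=${2:-./triage-$t_pid}
    [ -d "/proc/$t_pid" ] || { echo "no such process: $t_pid" >&2; return 1; }
    mkdir -p "$t_out" || return 1
    echo "exe:     $(proc_exe "$t_pid")"
    echo "cwd:     $(readlink "/proc/$t_pid/cwd")"
    echo "cmdline: $(proc_cmdline "$t_pid")"
    cp "/proc/$t_pid/exe" "$t_out/exe.bin" || return 1
    sha256sum "$t_out/exe.bin" > "$t_out/exe.sha256"
    # strings comes from binutils; skip quietly if it is not installed.
    if command -v strings >/dev/null 2>&1; then
        strings -a "$t_out/exe.bin" > "$t_out/exe.strings"
    fi
    # Open descriptors show log files and sockets the process is holding.
    ls -l "/proc/$t_pid/fd" > "$t_out/fds.txt" 2>/dev/null || true
    return 0
}

# Example call (PID taken from the ps listing quoted in the thread):
#   proc_triage 6446 /root/triage-6446
```

The cwd link usually points at the directory the tools were unpacked into, which is where relative names such as ./s, users, pass and log from the quoted command line would be found.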