[CentOS] Process KOTFARE using 99% CPU

Wed Jan 18 17:03:12 UTC 2006
Bruce McPeek <brucem at vidiator.com>

From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Jim Perrin
Sent: Wednesday, January 18, 2006 5:38 AM
To: CentOS mailing list
Subject: Re: [CentOS] Process KOTFARE using 99% CPU

On 1/18/06, Adriano Frare <alfrare at e-alinux.com> wrote:
> Dear Friends,
>
> I have process run in CENTOS 4.2 call kotfare that is using 99% CPU, it
> run with owner apache.
>
> I kill process KOTFARE and restart apache, after some hours this process
> return.
>
> I did find file with name *kotfare* and I didn't find.
>
> Please, help me.

Well this doesn't sound in any way healthy. You're going to want to
crawl through your apache logs and see if anything looks out of place.
Odd GET or POST requests, SQL statements that don't look right etc.
You might also want to look in /var/tmp and /tmp as well as in your
DOCUMENT_ROOT, and remember to do an ls -la to show hidden
directories. There are a couple of things out there that create a
directory called ... in /var/tmp etc. You'll also want to look at your
web software to make sure you're running secure versions etc. and make
sure you've got all things updated.

= = = = = =

Based on this discussion
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=991357
I think you have been hacked.

The discussion talks about the author's clean up after his being hacked.

Bruce
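
Added example, not part of the original thread or written by either poster: a read-only shell script for the checks Jim Perrin describes (hidden directories under /tmp, /var/tmp and the document root), plus a /proc lookup that shows where a process such as kotfare was started from when no file of that name is found on disk. The function names `hidden_dirs` and `proc_by_name` are made up for this example, and `/var/www/html` is assumed as the document root when `DOCUMENT_ROOT` is not set.

```shell
#!/bin/sh
# Added triage example. Read-only: nothing is killed, moved or deleted.

# hidden_dirs DIR...: print directories whose name starts with a dot, which a
# plain "ls" does not show. This includes names such as "..." mentioned above.
hidden_dirs() {
    for top in "$@"; do
        [ -d "$top" ] || continue
        find "$top" -mindepth 1 -type d -name '.*' 2>/dev/null
    done
}

# proc_by_name NAME [PROCROOT]: for each process whose name (the "Name:" line
# in /proc/<pid>/status, the name top shows) equals NAME, print
# "pid<TAB>exe<TAB>cwd". An exe ending in " (deleted)" means the binary was
# unlinked after it started, so searching the disk for the name finds nothing.
proc_by_name() {
    name=$1
    root=${2:-/proc}
    for d in "$root"/[0-9]*; do
        [ -r "$d/status" ] || continue
        pname=$(sed -n 's/^Name:[[:space:]]*//p' "$d/status" | head -n 1)
        [ "$pname" = "$name" ] || continue
        # readlink fails if the process exited or we lack permission (run as root)
        exe=$(readlink "$d/exe" 2>/dev/null) || exe='?'
        cwd=$(readlink "$d/cwd" 2>/dev/null) || cwd='?'
        printf '%s\t%s\t%s\n' "${d##*/}" "$exe" "$cwd"
    done
}

# Usage: sh triage.sh kotfare
if [ -n "${1:-}" ]; then
    proc_by_name "$1"
    hidden_dirs /tmp /var/tmp "${DOCUMENT_ROOT:-/var/www/html}"
fi
```

Run it as root while the process is still alive, before killing it, so the exe and cwd links can still be read.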