[CentOS] Process KOTFARE using 99% CPU

Wed Jan 18 17:12:51 UTC 2006
Mike Kercher <mike at CamaroSS.net>

centos-bounces at centos.org <> scribbled on Wednesday, January 18, 2006 11:03 AM:

> From: centos-bounces at centos.org
> [mailto:centos-bounces at centos.org] On Behalf Of Jim Perrin
> Sent: Wednesday, January 18, 2006 5:38 AM
> To: CentOS mailing list
> Subject: Re: [CentOS] Process KOTFARE using 99% CPU
> 
> On 1/18/06, Adriano Frare <alfrare at e-alinux.com> wrote:
>> Dear Friends,
>> 
>> I have a process running on CentOS 4.2 called kotfare that is using
>> 99% CPU; it runs with owner apache.
>> 
>> I killed the KOTFARE process and restarted apache; after some hours
>> this process returns.
>> 
>> I did a find for a file with name *kotfare* and I didn't find it.
>> 
>> Please, help me.
> 
> Well this doesn't sound in any way healthy. You're going to
> want to crawl through your apache logs and see if anything
> looks out of place.
> Odd GET or POST requests, SQL statements that don't look right etc.
> You might also want to look in /var/tmp and /tmp as well as
> in your DOCUMENT_ROOT, and remember to do an ls -la to show
> hidden directories. There are a couple of things out there
> that create a directory called ... in /var/tmp etc. You'll
> also want to look at your web software to make sure you're
> running secure versions etc. and make sure you've got all
> things updated.
> 
> = = = = = =
> 
> Based on this discussion
> http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=991357
> I think you have been hacked.
> 
> The discussion talks about the author's clean up after his
> being hacked.
> 
> Bruce

Google revealed this:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=991357

Mike
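
The checks suggested in the quoted reply (odd GET or POST requests in the Apache logs, and directories such as ... under /tmp, /var/tmp and DOCUMENT_ROOT), as an added example that is not part of the original thread. The function names, the request patterns and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added triage example; patterns, paths and log lines are assumptions.

# Print directories whose names start with a dot and contain only dots and
# spaces (for example "..."), which blend in with "." and ".." in ls -la.
# Usage: find_dot_dirs /tmp /var/tmp "$DOCUMENT_ROOT"
find_dot_dirs() {
    find "$@" -xdev -type d -name '.*' 2>/dev/null |
    while IFS= read -r dir; do
        base=${dir##*/}
        case $base in ''|.|..) continue ;; esac
        rest=$(printf '%s' "$base" | tr -d '. ')
        [ -n "$rest" ] || printf '%s\n' "$dir"
    done
}

# Print access-log lines whose request carries a URL in a parameter, a
# "union select", a wget/curl call or a /tmp/ path. Illustrative patterns,
# not a complete signature set; expect to tune them for the site.
# Usage: odd_requests /var/log/httpd/access_log   (CentOS default location)
odd_requests() {
    grep -Ei '"(GET|POST) [^"]*(=(https?|ftp)(:|%3a)//|union([+ ]|%20)+select|(wget|curl)([+ ]|%20)|/tmp/)' "$@"
}

# Constructed sample log lines (documentation addresses, not real traffic).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [18/Jan/2006:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [18/Jan/2006:09:15:40 +0000] "GET /page.php?inc=http://example.invalid/a.txt HTTP/1.0" 200 312
192.0.2.10 - - [18/Jan/2006:09:16:11 +0000] "POST /contact.php HTTP/1.1" 200 870
198.51.100.7 - - [18/Jan/2006:09:17:25 +0000] "GET /item.php?id=1%20union%20select%201,2 HTTP/1.0" 200 98
EOF
}

# Demonstration on the constructed sample: prints the two flagged requests.
sample_log | odd_requests
```

A hit from either function is a lead to follow up by hand, since legitimate applications can also pass URLs in parameters or keep dot-directories.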