[CentOS] mystery process "unit"
sbeam at onsetcorps.net
Tue Aug 12 14:02:43 UTC 2008
On Tuesday 12 August 2008 09:08, Mr Shunz wrote:
> maybe you should check with "lsof -p 3041" and see which files/pipes it
> uses to have a clue.
of course! <slap>
it's a perl w0rm that was uploaded last night, now killed. Now to determine
how it got in.
I found some output in the main apache error log that looks like wget was used
to download a shellbot. But I can't figure out how wget was called, may be
some PHP exec() call that is unchecked.
But I can't find it on the system yet or the data files it uses.
chkrootkit says all is clear.
mod_security is now being installed, belatedly. This server has only been up 1
PS here is the link to the shellbot that was used, in case anyone is curious.
I break up the URL to protect the innocent:
have searched it and don't find anything special on the main security sites.
Is it new?
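An added example, not part of the original message: one way to narrow down which web request led to the wget run. Output from a child process of Apache lands in the error log without Apache's own `[timestamp] [level]` prefix, so the sketch below flags such wget-style lines, takes the last Apache timestamp before them as an anchor, and lists access-log requests close to that time. The log formats (Apache 2.2-style error log, common/combined access log, same timezone in both), the function names and all sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Apache 2.2-style error-log prefix, e.g. "[Tue Aug 12 03:14:07 2008] [error] ..."
APACHE_TS = re.compile(r"^\[(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\]")
# Typical wget progress lines, written to stderr without any Apache prefix.
TOOL_OUTPUT = re.compile(
    r"^(--[\d: -]+--\s+\S+|\s+=> |Saving to:|Resolving \S+\.\.\."
    r"|Connecting to \S+\.\.\.|HTTP request sent, awaiting response)")
# Common/combined access-log line: client, timestamp, request line.
ACCESS = re.compile(r'^(\S+) \S+ \S+ \[([^\] ]+) [^\]]*\] "([^"]*)"')

def find_tool_output(error_lines):
    """Return (last Apache timestamp seen, line) for each unprefixed wget-like line."""
    hits, last_ts = [], None
    for line in error_lines:
        m = APACHE_TS.match(line)
        if m:
            last_ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        elif TOOL_OUTPUT.match(line):
            hits.append((last_ts, line.strip()))
    return hits

def requests_near(access_lines, when, window_s=60):
    """Return (client, request) pairs logged within window_s seconds of `when`."""
    out = []
    for line in access_lines:
        m = ACCESS.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")  # zone offset ignored
        if abs((ts - when).total_seconds()) <= window_s:
            out.append((m.group(1), m.group(3)))
    return out

# Constructed sample data: documentation address ranges, placeholder request.
ERROR_LOG = [
    "[Tue Aug 12 03:14:07 2008] [error] [client 192.0.2.44] File does not exist: /var/www/html/favicon.ico",
    "--03:14:09--  http://files.example.invalid/bot.txt",
    "           => `/tmp/bot.txt'",
    "Resolving files.example.invalid... 198.51.100.7",
    "Connecting to files.example.invalid|198.51.100.7|:80... connected.",
    "HTTP request sent, awaiting response... 200 OK",
    "[Tue Aug 12 03:20:00 2008] [notice] caught SIGTERM, shutting down",
]
ACCESS_LOG = [
    '203.0.113.9 - - [12/Aug/2008:02:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '192.0.2.44 - - [12/Aug/2008:03:14:08 +0000] "GET /app/page.php?id=PLACEHOLDER HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    anchor = find_tool_output(ERROR_LOG)[0][0]
    print(anchor, requests_near(ACCESS_LOG, anchor))
```

The anchor timestamp is only a lower bound on when the download ran, so widen `window_s` on a quiet server where prefixed error-log lines are sparse.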