Hi,
Today I saw on one of my machines a process "underworld" that was loading the CPU to 90%; later I saw the following in the process list:
apache 12035 1 0 17:30 ? 00:00:00 ./start
apache 12036 12035 0 17:30 ? 00:00:00 [start <defunct>]
apache 12040 1 0 17:30 ? 00:00:00 sh -i
apache 12041 12040 0 17:30 ? 00:00:00 [LegendBind <defunct>]
apache 12046 1 0 17:30 ? 00:00:00 sh -i
apache 12075 12046 0 17:30 ? 00:00:00 sh -i
apache 12076 12075 0 17:30 00:00:00 sh -i
apache 12322 12076 9 17:32 ttyp0 00:01:36 ./vadimI 66.254.101.57 22 999999
apache 12536 12076 98 17:34 ttyp0 00:13:52 ./undernet 66.254.101.57 22 5999
Later, in the /tmp directory, I saw files and binaries such as:
amech.tgz flood.tgz icesslmass.tgz LegendPort.tgz etc. etc. and psybnc ... they all seem to be programs for controlling IRC and bots..
My questions are: how can I close all the ttyp0? How did the hackers take control of apache and /tmp? I have 777 on /tmp....
My server is 2.4.20-8smp #1 SMP Thu Mar 13 17:45:54 EST 2003 i686 i686 i386 GNU/Linux with the latest DirectAdmin and its cores: apache, mysql.. all the Red Carpet updates up to date....
Red Hat 9.0, of course.
Any ideas??? This machine has more than 90 domains.. and sincerely I am worried because, as you know, in DirectAdmin safe mode is off by default, and I think that this is the way the hackers got in, with some PHP-Nuke or similar bug.
Now I'm scanning all the ports.. 1 - 65550; for the moment one strange port is open:
Remote Port: 8090 Local Socket: 712 Standard Service: not assigned (only the first 10.000 ports scanned)
Any help will be appreciated.
Greetings, and sorry for my English.
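As an added, defender-side example (not code from the post or from anyone replying to it), the following Python checker parses a ps listing like the one quoted above and flags processes that a web-serving service account should never own: interactive shells, binaries started from a relative path such as /tmp, and service-account processes attached to a terminal; it also returns the parent chain for a flagged PID so the spawning sequence is visible. The sample input is the post's own ps lines, embedded as constructed test data; the set of service accounts is an assumption.

```python
import re
# Constructed sample: the ps lines quoted in the post (one is missing its TTY column, as in the original).
PS_OUTPUT = """\
apache 12035 1 0 17:30 ? 00:00:00 ./start
apache 12036 12035 0 17:30 ? 00:00:00 [start <defunct>]
apache 12040 1 0 17:30 ? 00:00:00 sh -i
apache 12041 12040 0 17:30 ? 00:00:00 [LegendBind <defunct>]
apache 12046 1 0 17:30 ? 00:00:00 sh -i
apache 12075 12046 0 17:30 ? 00:00:00 sh -i
apache 12076 12075 0 17:30 00:00:00 sh -i
apache 12322 12076 9 17:32 ttyp0 00:01:36 ./vadimI 66.254.101.57 22 999999
apache 12536 12076 98 17:34 ttyp0 00:13:52 ./undernet 66.254.101.57 22 5999
"""
# Assumption: web-serving accounts that should never own a shell or a terminal.
SERVICE_USERS = {"apache", "www-data", "nobody"}
CPU_TIME = re.compile(r"^\d{2}:\d{2}:\d{2}$")  # the TIME column, HH:MM:SS
INTERACTIVE_SHELL = re.compile(r"^(ba|da|k)?sh(\s.*)?\s-i\b")
RULES = [  # (reason, predicate over one parsed process)
    ("interactive shell under a service account", lambda p: bool(INTERACTIVE_SHELL.match(p["cmd"]))),
    ("binary started from a relative path (e.g. /tmp)", lambda p: p["cmd"].startswith("./")),
    ("service-account process attached to a terminal", lambda p: p["tty"] != "?"),
]

def parse_ps(text):
    """Parse ps -ef style lines (USER PID PPID C STIME TTY TIME CMD) into {pid: fields},
    anchoring on the HH:MM:SS TIME column so a missing TTY field does not shift CMD."""
    procs = {}
    for tok in map(str.split, text.splitlines()):
        t = next((i for i, x in enumerate(tok) if i >= 5 and CPU_TIME.match(x)), None)
        if t is None:  # blank line or the ps header row
            continue
        procs[int(tok[1])] = {"user": tok[0], "pid": int(tok[1]), "ppid": int(tok[2]),
                              "tty": tok[5] if t == 6 else "?", "cmd": " ".join(tok[t + 1:])}
    return procs

def flag(procs, service_users=SERVICE_USERS):
    """Return {pid: [reasons]} for processes a web-serving account should never own."""
    findings = {}
    for p in procs.values():
        reasons = [why for why, hit in RULES if p["user"] in service_users and hit(p)]
        if reasons:
            findings[p["pid"]] = reasons
    return findings

def ancestry(procs, pid):
    """PID chain from a process up through every ancestor present in the listing."""
    chain = [pid]
    while chain[-1] in procs and procs[chain[-1]]["ppid"] in procs:
        chain.append(procs[chain[-1]]["ppid"])
    return chain
```

Run against the listing above it flags seven of the nine processes (the two defunct children are skipped), and ancestry(procs, 12536) traces the IRC binary back through three nested `sh -i` shells whose parent is init, i.e. the shells were detached from whatever spawned them.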