Re: Has my server been hacked?

From: Jette Derriche (none@bsd-dk--nerdgirl.dk.lh.bsd-dk.dk)
Date: Sun 12 Dec 2010 - 14:29:45 CET


Subject: Re: Has my server been hacked?
From: Jette Derriche <none@bsd-dk--nerdgirl.dk.lh.bsd-dk.dk>
To: bsd-dk@bsd-dk.dk
Date: Sun, 12 Dec 2010 14:29:45 +0100

On Sun, 2010-12-12 at 14:05 +0100, Anastasios Tsiolakidis wrote:
> 2010/12/12 Sven Esbjerg <none@list0--xbsd.net.lh.bsd-dk.dk>:
> > On Sun, Dec 12, 2010 at 01:17:18PM +0100, Sven Esbjerg wrote:
> >> On Sun, Dec 12, 2010 at 12:25:43PM +0100, Jette Derriche wrote:
> >> > fstat revealed the culprits:
> >> >
> >> > ---------------------------------------
> >> > 1 USER CMD PID FD MOUNT INUM MODE SZ|DV R/W
> >> > 987 root zgcqesjovzlqfeo 2710 320* internet stream tcp c31f4278-
> >> > [...]
> >> > 61 root jdauyqkcwxsowzx 2731 5* internet stream tcp c2fb84f0
> >> > [...]
> >> > 1280 root vopnnrxxixfneke 2709 18* internet stream tcp c3026000
> >> > ---------------------------------------
> >>
> >> 2. these programs that are running - are they running as root or e.g. as the web server?
> >
> > Ehhh.... just read it closely... and am answering myself.
> >
> > So you have been rooted. You should work toward reinstalling and starting over.
>
> I think you should upload the offending executables somewhere so we
> can have a closer look, they may be known of course to antivirus
> programs.
>

I have uploaded one of the binaries, if you want to have a look:
http://old.nerdgirl.dk/fil.zip

/Jette


