[cobalt-users] (no subject)
- Subject: [cobalt-users] (no subject)
- From: "ISEE Multimedia" <mail@xxxxxxxxxxxxxxxxxxx>
- Date: Sat Feb 8 12:00:01 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
chkrootkit wted says there has been 1 deletion on the 7th February.
And also possible slapper and scalper worms.
The following command reveals the httpd.a process, are these the scalper
worm files?
[root chkrootkit-0.38]# ps auwx | grep httpd
root 435 0.0 0.0 7596 56 ? S Feb07 0:03 /usr/sbin/httpd.admsrv -f /etc/admserv/conf/httpd.conf
root 461 0.0 0.9 8112 2484 ? S Feb07 0:01 /usr/sbin/httpd.admsrv -f /etc/admserv/conf/httpd.conf
root 1419 0.0 0.9 8112 2488 ? S Feb07 0:01 /usr/sbin/httpd.admsrv -f /etc/admserv/conf/httpd.conf
root 5188 0.0 0.9 8120 2480 ? S Feb07 0:00 /usr/sbin/httpd.admsrv -f /etc/admserv/conf/httpd.conf
root 6967 0.0 4.2 14592 10968 ? S 14:55 0:03 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf
httpd 9223 0.4 5.8 17752 14976 ? S 15:10 1:09 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf
httpd 9224 0.4 6.2 19076 16004 ? S 15:10 1:13 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf
httpd 9225 0.3 6.4 19276 16508 ? S 15:10 0:52 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf
httpd 9226 0.4 6.2 18984 16192 ? S 15:10 1:11 /usr/sbin/httpd -
The following command doesn't return anything suspicious: ps auwx | grep
update | grep apache, where if infected it should show a program called update.
Any more commands to run to find anything else on these machines, and also
ports that should be closed to stop incoming/outgoing traffic from this?
And any way to clean up the machine??
Regards.
Mark
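
A stricter form of the `grep update | grep apache` check from the message above, added here as an example and not part of the original post: it flags any process owned by a web-server account whose command is not an expected server binary. The account names and binary paths are read from the ps listing in the post; the function names and the sample lines (including the `update` entry and its PID) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumptions: account names and binary paths below are taken from the ps
# listing in the post; adjust them for the host being checked.
WEB_USERS="httpd apache"
EXPECTED="/usr/sbin/httpd /usr/sbin/httpd.admsrv"

# Reads procps-style `ps auwwx` lines on stdin and prints "PID USER COMMAND"
# for each process that runs as a web-server account but whose command
# (field 11) is not one of the expected binaries.
flag_unexpected() {
    awk -v users="$WEB_USERS" -v expected="$EXPECTED" '
        BEGIN {
            n = split(users, u, " ");    for (i = 1; i <= n; i++) is_user[u[i]] = 1
            m = split(expected, e, " "); for (i = 1; i <= m; i++) is_ok[e[i]] = 1
        }
        $1 == "USER" { next }   # skip the ps header line
        NF >= 11 && ($1 in is_user) && !($11 in is_ok) { print $2, $1, $11 }
    '
}

# Constructed sample input (not captured from a real host).
sample_ps() {
    cat <<'EOF'
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 435 0.0 0.0 7596 56 ? S Feb07 0:03 /usr/sbin/httpd.admsrv -f /etc/admserv/conf/httpd.conf
httpd 9223 0.4 5.8 17752 14976 ? S 15:10 1:09 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf
apache 9300 0.1 0.2 1500 600 ? S 15:12 0:00 update
EOF
}

# Demo on the constructed sample; on a live host use: ps auwwx | flag_unexpected
sample_ps | flag_unexpected
```

The `ww` in `ps auwwx` asks ps for unlimited-width output, so command names are not cut or wrapped at the terminal width before they are compared.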