Re: [cobalt-users] [RaQ4] Possible Attack?

[Jeroen Wunnink <jeroen@xxxxxxxxxxxxxx>]

Might wanna do a ps aux
See if this httpd is using something alike:   httpd -f /path/to/conf
 If not, check for a compromised system


At 05:00 AM 3/23/2003 +0000, you wrote:
> WJB> Date: Sat, 22 Mar 2003 22:49:44 -0600
> WJB> From: William J.A. Brillinger
>
>
> WJB> My RaQ4 has had a heavy cpu load tonight and top is showing some HUGE
> WJB> processes for httpd:
>
> WJB> 25953 httpd     10   0  151M 148M  3112 R     13M  8.2 29.4   4:24 httpd
>
> WJB> Is this some kind of attack?
> WJB> Suggestions?
>
> Probably a poorly-written script.
>
>
> Eddy
> --
> Brotsman & Dreger, Inc. - EverQuick Internet Division
> Bandwidth, consulting, e-commerce, hosting, and network building
> Phone: +1 (785) 865-5885 Lawrence and [inter]national
> Phone: +1 (316) 794-8922 Wichita
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
> From: A Trap <blacklist@xxxxxxxxx>
> To: blacklist@xxxxxxxxx
> Subject: Please ignore this portion of my mail signature.
>
> These last few lines are a trap for address-harvesting spambots.
> Do NOT send mail to <blacklist@xxxxxxxxx>, or you are likely to
> be blocked.
>
> _____________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users



Met vriendelijke groet,

Jeroen Wunnink,
systeembeheer@xxxxxxxxxxxxxx

telefoon:+31 (035) 6285455              Postbus 1332
fax: +31 (035) 6838242                  1200 BH Hilversum

http://www.easyhosting.nl