I received an email from anonymous...
"A worm using a phpbb vulnerability is trying to infect my system coming from IP xx...."
Well, I ran rkhunter and chkrootkit and both came back fine. Are there any others I can run to check for such a worm?
Specs:
RHE 3.3
cPanel 9.9.9 R-14
PHP v 4.3.1.0
I believe the worm is running as nobody. I did notice a high load in server status for the nobody user.
Code:
User Domain %CPU %MEM Mysql Processes
nobody 95.24 14.34 0.0
Top Process %CPU 96.3 /hsphere/shared/apache/bin/httpd -DSSL
Top Process %CPU 96.2 /hsphere/shared/apache/bin/httpd -DSSL
Top Process %CPU 96.0 /hsphere/shared/apache/bin/httpd -DSSL
Kernel Info:
Linux server.myserver.com 2.4.21-4.0.1.ELsmp #1 SMP Thu Oct 23 01:27:36 EDT 2003 i686 i686 i386 GNU/Linux
Please give me a hand here.