LinuxQuestions.org


jc materi 03-26-2005 05:31 PM

LiveZone/y2kupdate in /var/log/messages
 
I have the following entry in /var/log/messages every minute:
----------------------------
Mar 26 17:19:00 <hostname> CROND[6407]: (apache) CMD (/var/tmp/sh/.LiveZone/y2kupdate >/dev/null 2>&1)
----------------------------
<hostname> substitutes for my real hostname.

Does anyone know what this is about? BTW, 'ls -la' shows /var/tmp is empty. The ls program is not compromised according to both chkrootkit and rkhunter (latest versions freshly installed).

Capt_Caveman 03-26-2005 07:15 PM

Take a look at the output of ps aux and netstat -pantu for anything abnormal, especially IRC (psybnc). See if you can find the executable with 'find / -name y2kupdate'.

Take a look at the entries in /etc/crontab and /etc/cron.d for anything abnormal, like:
Code:

* * * * * /var/tmp/sh/.LiveZone/y2kupdate >/dev/null 2>&1

As root run 'crontab -u apache -l' to display any user-defined crontabs for apache.

Anything weird in your Apache logs (errors, restarts, segfaults, etc)?
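
The kind of entry discussed in this thread can be picked out of the cron log automatically. The following is an added example, not part of either post: it flags cron executions whose command runs from a temp directory or a hidden (dot) directory. The function names, the sample log lines other than the first, and the list of service accounts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag cron executions whose command
# lives in a temp directory or under a hidden (dot) directory.

# Constructed sample input. Line 1 is the entry quoted in the thread with a
# placeholder hostname; lines 2-3 are made-up benign jobs for contrast.
sample_log() {
    cat <<'EOF'
Mar 26 17:19:00 host1 CROND[6407]: (apache) CMD (/var/tmp/sh/.LiveZone/y2kupdate >/dev/null 2>&1)
Mar 26 17:20:01 host1 CROND[6411]: (root) CMD (run-parts /etc/cron.hourly)
Mar 26 17:21:00 host1 CROND[6420]: (root) CMD (/usr/lib/sa/sa1 1 1)
EOF
}

# Reads syslog lines on stdin; prints "user<TAB>command<TAB>reasons" per hit.
flag_cron_cmds() {
    awk '
    /CROND?\[[0-9]+\]: \(/ {
        i = index($0, "]: (")
        rest = substr($0, i + 4)             # "apache) CMD (/var/tmp/... 2>&1)"
        j = index(rest, ") CMD (")
        if (j == 0) next                     # not a command-execution record
        user = substr(rest, 1, j - 1)
        cmd  = substr(rest, j + 7)
        sub(/\)$/, "", cmd)                  # drop the closing paren cron adds

        why = ""
        # Executable path (text before the first space) under a temp directory
        if (cmd ~ "^(/tmp|/var/tmp|/dev/shm)/") why = why "temp-dir "
        # ...or containing a dot-directory component (".." is ignored)
        if (cmd ~ "^[^ ]*/[.][^./ ]")           why = why "hidden-dir "
        if (why == "") next
        # Assumed list of web/service accounts; adjust for the distribution
        if (user ~ "^(apache|www-data|httpd|nobody)$") why = why "service-account "
        sub(/ $/, "", why)
        print user "\t" cmd "\t" why
    }'
}

# Demo on the sample; on a live host: flag_cron_cmds < /var/log/messages
sample_log | flag_cron_cmds
```
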

