Very strange activity - EXE command running as user apache??
About an hour or so ago I was checking my CPU and average loads etc, via MRTG when I noticed my CPU had shot up to 90% in the last hour or two. Normally it sits at about 4%
I could hear it working away hard. So I had a look at the 'top' output and noticed something running I had not seen before.
8616 apache 25 0 488 488 412 R 99.8 0.0 0:07 0 exe
The pid kept changing every couple of minutes too.
So then I did lsof -i and got the following
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
snmpd 1536 root 8u IPv4 1667 TCP *:smux (LISTEN)
snmpd 1536 root 9u IPv4 1712 UDP *:snmp
sshd 1545 root 3u IPv4 1677 TCP *:ssh (LISTEN)
xinetd 1559 root 5u IPv4 1707 TCP *:pop3 (LISTEN)
xinetd 1559 root 8u IPv4 1710 UDP *:887
mysqld 1601 mysql 3u IPv4 1793 TCP *:mysql (LISTEN)
master 1673 root 11u IPv4 1837 TCP *:smtp (LISTEN)
vsftpd 2042 root 3u IPv4 4343 TCP *:ftp (LISTEN)
exe 8649 apache 3u IPv4 1943 TCP *:http (LISTEN)
exe 8649 apache 17u IPv4 4814 TCP me.mydomain.com:32772->126.96.36.199:auth (ESTABLISHED)
The weird thing is there are normally instances of httpd running and listening on *:http and, again, I have never seen this exe program running before, and for about ten minutes that I was watching it was constantly connected to the ip address above
I killed httpd with /etc/init.d/httpd stop but exe kept running and was still 'connection established' with 188.8.131.52 on port 113
I searched through my server for an exe command but could find nothing?
I stopped the internet connection killed the pid associated with exe and for about an hour now it has not returned and apache is running as normal...
Anyone got any idea where I can look for more clues as to what this could have been. I have snort running and it did not detect anything unusual, none of my logs, at first sight seem to be unusual??
Quite perplexed by this one, and a bit hesitant to leave apache on without knowing what caused this strange problem.
Anyone had a similar experience?
I checked the IP adress @ http://arul.telenet-systems.com/track.html
And i found that it was some japanese network which has connected to you pc. Configged your firewall correct?
Maybe you got some kind of hack software on your pc?
I do not use a deny all type firewall, so maybe no it is not setup correctly for this problem?
|All times are GMT -5. The time now is 09:22 PM.|