
jc materi 03-26-2005 06:31 PM

LiveZone/y2kupdate in /var/log/messages
I have the following entry in /var/log/messages every minute:
Mar 26 17:19:00 <hostname> CROND[6407]: (apache) CMD (/var/tmp/sh/.LiveZone/y2kupdate >/dev/null 2>&1)
<hostname> substitutes for my real hostname.

Does anyone know what this is about? BTW, 'ls -la' shows /var/tmp is empty. The ls program is not compromised according to both chkrootkit and rkhunter (latest versions freshly installed).

Capt_Caveman 03-26-2005 08:15 PM

Take a look at the output of ps aux and netstat -pantu for anything abnormal, especially irc (psybnc). See if you can find the executable with 'find / -name y2kupdate'.

Take a look at the entries in /etc/crontab and /etc/cron.d for anything abnormal, like:

* * * * * /var/tmp/sh/.LiveZone/y2kupdate >/dev/null 2>&1

As root run 'crontab -u apache -l' to display any user-defined crontabs for apache.

Anything weird in your Apache logs (errors, restarts, segfaults, etc)?
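
Added example, not part of the original thread: a shell function that reads syslog lines in the format of the CROND entry quoted in the first post and lists each distinct cron job whose command runs from /tmp, /var/tmp or /dev/shm, or from a hidden directory. The function names, the list of flagged directories and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag cron jobs that execute from temp or hidden directories.
# Input : syslog lines (for example /var/log/messages) on stdin.
# Output: one "user<TAB>command" line per distinct suspicious job.

flag_cron_jobs() {
    awk '
    # Cron execution records look like: CROND[pid]: (user) CMD (command)
    match($0, /CRON[D]?\[[0-9]+\]: \([^)]+\) CMD \(/) {
        rec = substr($0, RSTART, RLENGTH)
        cmd = substr($0, RSTART + RLENGTH)
        sub(/\)[ \t]*$/, "", cmd)          # drop the paren that closes CMD (...)
        user = rec
        sub(/^[^(]*\(/, "", user)          # strip everything up to "(user"
        sub(/\).*$/, "", user)             # strip ") CMD ("
        hit = 0
        # Command path under a world-writable temp directory (assumed list)
        if (cmd ~ /(^|[ \t;&|])\/(tmp|var\/tmp|dev\/shm)\//) hit = 1
        # Path with a hidden directory component such as /.name/
        if (cmd ~ /\/\.[^\/. \t][^\/ \t]*\//) hit = 1
        # The job logs once per run, so report each user/command pair once
        if (hit && !seen[user "\t" cmd]++) print user "\t" cmd
    }'
}

# Constructed sample log; host1 is a placeholder hostname.
sample_log() {
    cat <<'EOF'
Mar 26 17:01:00 host1 CROND[6390]: (root) CMD (run-parts /etc/cron.hourly)
Mar 26 17:19:00 host1 CROND[6407]: (apache) CMD (/var/tmp/sh/.LiveZone/y2kupdate >/dev/null 2>&1)
Mar 26 17:20:00 host1 CROND[6411]: (root) CMD (/usr/lib/sa/sa1 1 1)
Mar 26 17:20:00 host1 CROND[6412]: (apache) CMD (/var/tmp/sh/.LiveZone/y2kupdate >/dev/null 2>&1)
Mar 26 17:20:01 host1 sshd[6420]: Accepted publickey for admin from 192.0.2.10
EOF
}

sample_log | flag_cron_jobs
```

On a live system the same function can be fed the real log, for example `flag_cron_jobs < /var/log/messages`.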
