One of the servers I manage has a strange problem. Every 24h, someone starts a process that shows up as perl in the list, but the launching command is /usr/sbin/httpd. It shows just one process, but when I run something like this:

    ps -C perl -o cmd,pid

I get some 5-6 processes, alternately with cmd as /usr/sbin/httpd or /usr/bin/perl. The even more interesting thing is, /usr/sbin/httpd does not exist. I suspect a rootkit, but chkrootkit & rkhunter reported nothing.

Also, I found a mysterious file, /tmp/ips.txt, with the following content:

    xxx.xxx.xxx.xxx 127.0.0.1 addr:xxx.xxx.xxx.xxx addr: addr:127.0.0.1 addr:

Is anybody aware of a malware/rootkit which creates such files?

--
Nilesh Govindarajan
http://nileshgr.com
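
Added example, not part of the original post: a check for the mismatch described above, where ps reports the command as /usr/sbin/httpd although that file does not exist. It compares each process's argv[0] with the executable the kernel records in /proc/<pid>/exe; the function names and the proc_root parameter are choices made for this example, and reading other users' exe links requires root.

```python
"""Flag processes whose claimed argv[0] is not the binary the kernel executed."""
import os
import sys


def read_proc(pid_dir):
    """Return (argv0, exe, comm) for one /proc/<pid> directory, or None."""
    try:
        with open(os.path.join(pid_dir, "cmdline"), "rb") as f:
            argv0 = f.read().split(b"\0")[0].decode(errors="replace")
        exe = os.readlink(os.path.join(pid_dir, "exe"))
        with open(os.path.join(pid_dir, "comm")) as f:
            comm = f.read().strip()
    except OSError:
        return None  # kernel thread, exited process, or insufficient privilege
    return argv0, exe, comm


def find_mismatches(proc_root="/proc"):
    """List processes whose absolute argv[0] does not resolve to their exe."""
    findings = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue
        info = read_proc(os.path.join(proc_root, entry))
        if info is None or not info[0]:
            continue
        argv0, exe, comm = info
        deleted = exe.endswith(" (deleted)")
        real = exe[:-len(" (deleted)")] if deleted else exe
        # argv[0] is under the process's own control; the exe link is set by
        # the kernel. Relative argv[0] values are skipped as too noisy.
        if not argv0.startswith("/") or os.path.realpath(argv0) == real:
            continue
        findings.append({
            "pid": int(entry), "argv0": argv0, "exe": exe, "comm": comm,
            "argv0_exists": os.path.exists(argv0),  # False for a made-up path
            "exe_deleted": deleted,  # binary unlinked after it was started
        })
    return findings


if __name__ == "__main__":
    for f in find_mismatches(sys.argv[1] if len(sys.argv) > 1 else "/proc"):
        print("pid={pid} comm={comm} argv0={argv0} exe={exe} "
              "argv0_exists={argv0_exists} exe_deleted={exe_deleted}".format(**f))
```

A finding with argv0_exists=False matches the symptom in the post; daemons that rewrite their title to a non-path string (for example "sshd: user") are not reported because only absolute argv[0] values are compared.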