On Tue, Aug 31, 2004 at 12:59:48AM +0200, Timo Veith wrote:
> On Monday 30 August 2004 21:06, Marcin Owsiany wrote:
> I added an iptables rule to the OUTPUT chain dropping all tcp packets to that
> box:port and guess what? My server was back idle again. No more 99 % cpu
> usage and the process now sits there.

Seems like the process is a DoS zombie. Probably it opened as many
connections to that machine as possible, and that caused the heavy CPU
utilization.

> And then it starts again connecting. I think this process tries to talk back
> to someone? Well, I am only guessing ...

Could be. I would unblock the rule for a while and record some of the
traffic. Viewing it with something nice like ethereal could provide more
information on the nature of those connections.

> I downloaded the ISO image from the F.I.R.E. Linux distribution to have some
> static binaries which I can trust.

Basically, if you don't trust your binaries, that means that you suspect
the attacker got root access. And if they did, they probably installed a
kernel backdoor. And if they did, then "trusted" binaries won't buy you
anything. You need to boot off a trusted media if you want to be sure.

> I burned the image to a cd which I then mounted and tried to execute some
> of them but I only get "su -: Permission denied"
>
> [EMAIL PROTECTED] [/proc/18305] /mnt/cdrom/statbins/linux2.2_x86/who
> su: /mnt/cdrom/statbins/linux2.2_x86/who: Permission denied
> [EMAIL PROTECTED] [/proc/18305] uname -r
> 2.4.27
>
> Is it maybe because binaries for linux 2.2 cannot be run on a 2.4 kernel?

I don't think so. I suspect this is either a permissions (file or
filesystem) or dynamic libs problem.

Marcin

PS: Please don't cc me. I really do read this list :-)

-- 
Marcin Owsiany <[EMAIL PROTECTED]>              http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
"Every program in development at MIT expands until it can read mail."
                                                              -- Unknown

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
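One filesystem-level cause of exactly this symptom is a CD mounted with the noexec option: the kernel refuses to execute anything on it and reports "Permission denied" even when the file mode bits are fine. The script below is an added example, not code from the thread or from F.I.R.E.; it parses a /proc/mounts table (a constructed sample here, the real file on a live system) and reports whether a given path sits on a noexec mount, so a responder can tell a mount-option problem from a file-permission or dynamic-library one.

```shell
#!/bin/sh
# Constructed /proc/mounts table (not from the thread): the CD with the static
# binaries is mounted noexec, so exec fails with "Permission denied" even
# though the file mode bits allow it.
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw,errors=remount-ro 0 0
proc /proc proc rw 0 0
/dev/hdc /mnt/cdrom iso9660 ro,noexec,nosuid,nodev 0 0
/dev/hda5 /home ext3 rw 0 0'

# Read a mounts table on stdin; print "<mountpoint> <options>" of the mount
# covering PATH (longest mountpoint that prefixes the path; a later entry
# wins ties, since later mounts sit on top). Mountpoints with \040-escaped
# spaces are not handled.
covering_mount() {
    path=$1 best_mp= best_opts=
    while read -r dev mp fstype opts rest; do
        [ -n "$mp" ] || continue
        if [ "$mp" = / ]; then match=1
        else
            case "$path" in
                "$mp"|"$mp"/*) match=1 ;;
                *) match=0 ;;
            esac
        fi
        if [ "$match" = 1 ] && [ ${#mp} -ge ${#best_mp} ]; then
            best_mp=$mp best_opts=$opts
        fi
    done
    printf '%s %s\n' "$best_mp" "$best_opts"
}

# Return 0 if PATH is on a noexec mount, 1 otherwise. The table is passed as
# the second argument ("$(cat /proc/mounts)" on a live box) so it runs offline.
is_noexec() {
    entry=$(printf '%s\n' "$2" | covering_mount "$1")
    case ",${entry#* }," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration; on a real system a noexec hit is fixed with
# "mount -o remount,exec <mountpoint>" rather than by chmod.
for f in /mnt/cdrom/statbins/linux2.2_x86/who /home/timo/who; do
    if is_noexec "$f" "$SAMPLE_MOUNTS"; then
        echo "$f: filesystem mounted noexec, exec will be refused"
    else
        echo "$f: exec allowed by mount options"
    fi
done
```

If the check comes back clean, the remaining suspects are the file mode bits on the CD image and missing shared libraries, which ldd on the binary will show.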

