Mike Bristow wrote:
> On Tue, Aug 25, 2009 at 01:00:53AM -0700, Colin Brace wrote:
>> Ok, here is what lsof tells me:
>> $ sudo lsof | grep perl
>> perl5.8.9  4272     www    3u    IPv4 0xc33cf000        0t0     TCP
>> gw:51295-> (ESTABLISHED)
>> The last line would appear to be telling me something, but what?
> The script is talking to on port 7000.
> Other useful things:
> ps ajxwwww
> will tell you the parent process of the script:  this looks like
> it may be a (fast?)CGI script; if so then the parent would be the
> web server.
> It may also show the name of the script (but beware:  the script
> can change that) which would be useful to know.
>> After 24 hours since rebooting, this perl instance is still crunching
>> away... 
> Is it the same instance of the script, or a new copy each time?
> That is, does the PID change?  If so, that points to a CGI; if not it
> points to a fastCGI - or something else.

I have disabled both CGI and fastCGI in lighttpd.conf, restarted the
webserver, but the script keeps popping up.

Now I notice something interesting:

$ ps aux | grep www
www       116 100.0  0.7  5864  3588  ??  R    11:53AM   8:10.33
/usr/bin/web/httpd (perl5.8.9)
www       113  0.0  0.0     0     0  ??  Z    11:53AM   0:00.18 <defunct>

This file doesn't exist on my system.

Am I correct in assuming that my system has been hacked and I am running an
IRC server or something?


  Colin Brace
Sent from the freebsd-questions mailing list archive at Nabble.com.

freebsd-questions@freebsd.org mailing list
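
An added example, not part of the original thread: a triage filter for the `ps` output shown above. FreeBSD `ps` appends the accounting name in parentheses when it disagrees with the argument vector, which is why `/usr/bin/web/httpd (perl5.8.9)` appears. The function name `flag_masquerade` and the `SAMPLE` lines are constructed for illustration (the first two data rows are taken from the post, joined onto one line each).

```shell
#!/bin/sh
# Added example: flag processes whose displayed command disagrees with the
# kernel accounting name (ucomm), or whose claimed binary is missing on disk.

# Constructed sample in `ps auxww` layout; real use: ps auxww | flag_masquerade
SAMPLE='USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
www 116 100.0 0.7 5864 3588 ?? R 11:53AM 8:10.33 /usr/bin/web/httpd (perl5.8.9)
www 113 0.0 0.0 0 0 ?? Z 11:53AM 0:00.18 <defunct>
colin 900 0.0 0.1 3000 1500 p0 Ss 11:55AM 0:00.05 -sh (sh)
root 650 0.0 0.1 3000 1200 ?? Is 11:50AM 0:00.02 /bin/sh'

# Reads ps lines on stdin; prints "PID reason detail" for each finding.
flag_masquerade() {
    while read -r user pid cpu mem vsz rss tt stat started time cmd; do
        [ "$user" = "USER" ] && continue        # header row
        [ -z "$cmd" ] && continue
        argv0=${cmd%% *}
        case $cmd in
            *\ \(*\))
                # Trailing "(name)" is the ucomm that ps appended.
                ucomm=${cmd##*\(}
                ucomm=${ucomm%\)}
                base=${argv0##*/}
                base=${base#-}                  # login shells show as "-sh (sh)"
                if [ "$base" != "$ucomm" ]; then
                    echo "$pid argv-mismatch claimed=$argv0 actual=$ucomm"
                fi ;;
        esac
        case $argv0 in
            # An absolute argv[0] with no file behind it is a second red flag.
            /*) [ -e "$argv0" ] || echo "$pid missing-binary $argv0" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE" | flag_masquerade
```

A mismatch alone is a lead rather than proof, since ordinary interpreter scripts also show their interpreter in parentheses; the combination with a nonexistent path is what makes PID 116 stand out.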