Hi,

On Fri, Dec 3, 2010 at 11:56 AM, abhishek jain <[email protected]> wrote:
> hi friends,
> I today noticed my VPS was running too slow, then i logged into root, and
> found a lot of load on it (> 240).
> I did a ps -ef and a lot of processes were running, a lot of them were
>
> user1 23771 1 0 15:36 pts/0 00:00:02 ./atack 800
>
> Also in WHM i see a process
>
> user1 99.7 perl udp.pl 92.114.6.32 0 22
>
> can anyone here suggest me what should i do,
> i am not sure how user1 logged into server, further what does the command
> "perl udp.pl 92.114.6.32 0 22" mean which eats up 99.7% of CPU.

I would suggest you not to panic, and the very first thing you need to do is to change root's & user1's passwords (if you are really interested to know what this user is trying to do). After changing the passwords, download all the dump of '/var/log/messages/' and analyze it. Probability is more that it is some vulnerable panel attack, but can't say until you have analyzed everything.

These commands may help you to investigate more:

$ last
$ ps aux |grep pts
--to know if someone else is logged in along with you :-)
reason being, one may use a command like 'ssh r...@victimip-i /bin/bash' to hide himself from commands like 'w' or 'who'
$ netstat -antp
--check out the current established connections or who else is trying to connect to you at the current time

HTH.

--
Thanks,
Sagar Belure
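Added example (not part of the original message): the `ps aux | grep pts` versus `who` comparison suggested above, written as a bash script that flags sessions `w`/`who` will not list. The function names, the ps column layout and the sample data are assumptions made for this sketch.

```bash
#!/usr/bin/env bash
# Flag login sessions that `w`/`who` do not show.
# Assumed input layout: ps -eo pid=,user=,tty=,args=

# Read a ps listing on stdin; print "pid user reason" for:
#  - sshd session processes titled "user@notty" (OpenSSH's title when no
#    pty was allocated, so no utmp record exists for `who` to read)
#  - shells started with -i that have no controlling tty ("?")
find_hidden_sessions() {
  awk '
    $4 ~ /^sshd(-session)?:$/ && $5 ~ /@notty$/ {
      print $1, $2, "sshd-notty"; next
    }
    $3 == "?" && $4 ~ /(^|\/)-?(ba|da|z|k)?sh$/ {
      for (i = 5; i <= NF; i++)
        if ($i == "-i") { print $1, $2, "shell-no-tty"; break }
    }'
}

# Print pts terminals that have processes (ps listing in file $1) but no
# login record in `who` output (file $2). Leads to review, not proof.
unlisted_ttys() {
  awk 'FILENAME == ARGV[1] { seen[$2] = 1; next }
       $3 ~ /^pts\// && !($3 in seen) { print $3 }' "$2" "$1" | sort -u
}

# Constructed sample data, not taken from the original post.
sample_ps() {
  cat <<'EOF'
 1201 root     ?     sshd: root@pts/0
 1203 root     pts/0 -bash
 2310 root     ?     sshd: user1@notty
 2311 user1    ?     /bin/bash -i
 2400 user1    pts/3 ./atack 800
 2500 www      ?     /usr/sbin/httpd -k start
EOF
}
sample_who() {
  cat <<'EOF'
root     pts/0        2010-12-03 15:30 (203.0.113.5)
EOF
}

# Live use: ps -eo pid=,user=,tty=,args= | find_hidden_sessions
```

Terminals opened by tools such as screen or tmux can also appear in the second list, so treat its output as a starting point for the `netstat -antp` and log review rather than as a verdict.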
