On Wed, 2002-11-13 at 18:18, Ben-Nes Michael wrote:
> Hi All
>
> I noticed my web server is extremely busy so I ran 'top' and saw 4 tar
> processes were running in the background under 'nobody'
>
> I killed them and started to look around in my logs but vile :(
>
> any ideas ? ( it's not cron )

Yes - congratulations! Your box has most likely been rooted. Your log files have been edited. Your 'ps', 'netstat', 'login', 'less' and a zillion other binaries have been replaced with trojaned copies programmed to not show you exactly that which you are looking for.

Your best bet is to disconnect the computer from the network, boot using a floppy and take whatever *data* files you might need. *DO NOT* copy or run any executable. Format HD and reinstall OS, and make sure to apply all the latest patches etc...

I know it sucks. Such is life.

Gilad.

-- 
Gilad Ben-Yossef <[EMAIL PROTECTED]>
http://benyossef.com

"Denial really is a river in Egypt."
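
One way to follow the "take only *data* files" advice above, as an added example that is not part of the original thread: a shell function, run from trusted rescue media with the suspect disk mounted read-only, that copies regular files but leaves behind anything that looks like code. The function name `salvage_data` and the paths in the comments are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Run from trusted rescue media,
# using that media's own tools, with the suspect disk mounted read-only.
# salvage_data SRC DEST: copy regular files from SRC to DEST, skipping anything
# that looks like code: exec/setuid/setgid bit, ELF magic, or a "#!" line.
# SRC and DEST (e.g. /mnt/suspect/home, /mnt/usb/salvage) are assumed paths.
salvage_data() {
    src=${1%/}
    dest=${2%/}
    # -xdev: stay on one filesystem; -type f: no symlinks, devices or FIFOs.
    # Files filtered out by mode bits are skipped by find without a log line.
    find "$src" -xdev -type f \
        ! \( -perm -100 -o -perm -010 -o -perm -001 \
             -o -perm -4000 -o -perm -2000 \) \
        -exec sh -c '
            src=$1; dest=$2; shift 2
            for f in "$@"; do
                # First four bytes as hex, read without executing anything.
                magic=$(dd if="$f" bs=4 count=1 2>/dev/null |
                        od -An -tx1 | tr -d " \n")
                case $magic in
                    7f454c46) echo "skip (ELF): $f" >&2; continue ;;
                    2321*)    echo "skip (script): $f" >&2; continue ;;
                esac
                # Recreate the relative path under DEST, keeping timestamps.
                d=$dest/${f#"$src"/}
                mkdir -p "${d%/*}" && cp -p "$f" "$d"
            done' sh "$src" "$dest" {} +
}
```

Files that pass this filter are still untrusted: web content and configuration (PHP, CGI without a "#!" line, .htaccess) can carry attacker changes and is better restored from a known-good source than from the salvaged copy.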