Well, it is possible that some process was able to change its process info to read "/usr/bin/perl -w./check.cgi" when there was no check.cgi file anywhere. Just a decoy trick from a bad process.
(Just thinking out loud...) Could the 'check.cgi' file live inside a loopback filesystem which was somehow unmounted after the process started? Do you see any funny entries in the 'mount' output? See any funny files in global-writable areas, like /tmp?

What do you get from (if the pids are still valid):

ls -l /proc/28720/cwd
ls -l /proc/28720/exe
cat /proc/28720/environ
cat /proc/28720/mountinfo
cat /proc/28720/maps
cat /proc/28720/cmdline

Jeff Lasman wrote:
> I'm seeing something funny with a file named check.cgi.
>
> Top says it's running:
>
> 28720 apache 25 0 6184 6184 1448 R 25.4 0.6 20:12 1 check.cgi
> 2897 apache 25 0 5968 5968 1500 S 0.7 0.5 18:07 1 check.cgi
>
> ps says it's being run by perl:
>
> # ps waux | grep check.cgi
> apache 28720 17.8 0.6 11124 6180 ? S 10:22 20:13 /usr/bin/perl -w./check.cgi
> apache 2897 25.8 0.5 10880 5968 ? S 11:05 18:07 /usr/bin/perl -w./check.cgi
> #
>
> find doesn't find any file by that name
>
> # find / -name check.cgi
> #
>
> and grepping all the apache logs doesn't show it being called from anywhere.
>
> I care because we're being attacked by a spammer who appears to be on our box sending mail via smtp through localhost, and this might be the problem (I'm not sure yet).
>
> Any ideas?
>
> Jeff
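The /proc checks suggested in the reply, collected into one script as an added example (not code from either poster). It assumes a Linux /proc filesystem; the interpreter list, the sample argv and the PID used in the self-check are assumptions. It reads cmdline, cwd and exe for a PID, flags an executable that was unlinked after start (readlink reports " (deleted)"), and checks whether the script named on the command line still exists relative to the process's cwd, which is what distinguishes "the file was removed or unmounted" from "the process title is a decoy".

```python
"""Inspect a suspicious PID through /proc: cmdline, cwd, exe, and whether the
script the command line names actually exists on disk."""
import os
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Interpreters whose first non-option argument is normally a script file
# (assumed list; extend for the box being examined).
INTERPRETER_PREFIXES = ("perl", "python", "php", "ruby", "bash", "sh")


def parse_cmdline(raw: bytes) -> List[str]:
    """Split the NUL-separated contents of /proc/<pid>/cmdline into argv."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def script_from_argv(argv: List[str]) -> Optional[str]:
    """Return the script file an interpreter was asked to run, if any.

    ["/usr/bin/perl", "-w", "./check.cgi"] -> "./check.cgi".  Options are
    skipped; -e/-c (inline code) and -m (module) mean no script file.
    """
    if not argv or not os.path.basename(argv[0]).startswith(INTERPRETER_PREFIXES):
        return None
    for arg in argv[1:]:
        if arg in ("-e", "-c", "-m"):
            return None
        if arg.startswith("-"):
            continue
        return arg
    return None


@dataclass
class ProcReport:
    pid: int
    argv: List[str] = field(default_factory=list)
    cwd: Optional[str] = None
    exe: Optional[str] = None
    exe_deleted: bool = False
    script: Optional[str] = None
    script_path: Optional[str] = None
    script_missing: bool = False
    findings: List[str] = field(default_factory=list)


def inspect_pid(pid: int, proc_root: str = "/proc") -> ProcReport:
    """Gather the /proc facts for one PID and record anything that looks off."""
    base = os.path.join(proc_root, str(pid))
    rep = ProcReport(pid=pid)
    try:
        with open(os.path.join(base, "cmdline"), "rb") as fh:
            rep.argv = parse_cmdline(fh.read())
    except OSError as err:
        rep.findings.append(f"cannot read cmdline: {err}")
        return rep
    # cwd and exe are symlinks; readlink needs the same UID as the process or root.
    for name in ("cwd", "exe"):
        try:
            setattr(rep, name, os.readlink(os.path.join(base, name)))
        except OSError as err:
            rep.findings.append(f"cannot readlink {name}: {err}")
    if rep.exe and rep.exe.endswith(" (deleted)"):
        rep.exe_deleted = True
        rep.findings.append("executable was unlinked after the process started")
    rep.script = script_from_argv(rep.argv)
    if rep.script and rep.cwd:
        # A relative script path is resolved against the process's cwd, which
        # is exactly where "./check.cgi" would have been opened from.
        rep.script_path = os.path.normpath(os.path.join(rep.cwd, rep.script))
        if not os.path.exists(rep.script_path):
            rep.script_missing = True
            rep.findings.append(
                f"script {rep.script_path} not on disk: removed, unmounted, "
                "or the command line is a decoy")
    return rep


def self_check() -> ProcReport:
    """Run the inspection on this interpreter's own PID (assumed harmless)."""
    return inspect_pid(os.getpid())


if __name__ == "__main__":
    # Usage: python3 procinspect.py 28720 2897
    for arg in sys.argv[1:] or [str(os.getpid())]:
        r = inspect_pid(int(arg))
        print(f"pid {r.pid}: argv={r.argv} cwd={r.cwd} exe={r.exe}")
        for f in r.findings:
            print(f"  ! {f}")
```

Run it as root (or as the apache user) so the cwd and exe links are readable; a report with "script ... not on disk" but a readable, non-deleted exe of /usr/bin/perl means perl really is running and the file was removed or unmounted after being read, while an exe that is not perl at all points at a renamed process.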
