  1. #1

    Anyone ever see this process before?

    Seeing a process I have never seen before on a couple of accounts. Has anyone ever seen this process before? I'm sure it's a hack but I can't find anything out of the norm.

    Top Process %CPU 97.2 [v6]
    Top Process %CPU 97.1 [v6]
    Top Process %CPU 97.0 [v6]

    The only script the account is running is the latest IPB with all patches installed.

    Any info would be appreciated.

  2. #2
    No one? Well anyways, looks like it had something to do with a group of Turkish Hackers calling themselves a "security team". I call them morons but whatever floats their boats I guess.

  3. #3
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,683
    Anyone seen what process? You didn't say!

  4. #4
    Join Date
    Oct 2002
    Location
    Toronto, Canada
    Posts
    179
    We've seen that v6 process before, it is an exploit. You need to get it cleaned and your server secured.
    http://www.f5hosting.com | http://www.myvirtualhosting.com
    Get Shared/Dedicated/Colo in Toronto

  5. #5
    Try running RootkitRevealer from Sysinternals. Also try http://housecall.trendmicro.com

  6. #6
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,080
    [v6] is generally "just" a PHP exploit. While you may be rooted, chances are you are not. If you look in ps -auxf for the nobody user, or at each user if you run phpsuexec, you should be able to find the process running.
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service
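
The process-list check described in post #6, as an added example that is not part of the thread or any poster's own code: ps shows genuine kernel threads in square brackets, so a bracketed name such as [v6] owned by nobody is a userland process that has renamed itself. The sample rows, the PIDs and the function names are constructed for illustration, and the rule assumes a Linux host where kernel threads run as root with PPID 0 or 2.

```shell
#!/bin/sh
# Added example (not from the thread). Flags processes that ps displays in
# square brackets, like kernel threads, but that cannot be kernel threads.

# Constructed sample in the column layout of: ps -eo user,pid,ppid,pcpu,args
sample_ps() {
cat <<'EOF'
USER       PID  PPID %CPU COMMAND
root         2     0  0.0 [kthreadd]
root         3     2  0.0 [ksoftirqd/0]
root      1412     1  0.1 /usr/sbin/httpd -k start
nobody    1530  1412  0.3 /usr/sbin/httpd -k start
nobody   20731     1 97.2 [v6]
EOF
}

# Reads ps output on stdin and prints "USER PID PPID %CPU COMMAND" for each
# bracketed command that is not a root-owned child of PID 0 or 2.
# Assumption: real kernel threads are owned by root with PPID 0 or 2 (kthreadd).
flag_fake_kthreads() {
    awk '$5 ~ /^\[/ && !($1 == "root" && ($3 == 0 || $3 == 2)) {
        print $1, $2, $3, $4, $5
    }'
}

# On a live Linux host: the binary actually behind a flagged PID. A path ending
# in " (deleted)" means the file was removed after the process was started.
resolve_exe() {
    readlink "/proc/$1/exe" 2>/dev/null || echo "unreadable"
}

# Run against the constructed sample.
sample_ps | flag_fake_kthreads
# Live use: ps -eo user,pid,ppid,pcpu,args | flag_fake_kthreads
```

For each PID it reports on a live system, resolve_exe and the contents of /proc/PID/cwd show where the script was dropped, which is the starting point for cleaning the affected account.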
