Thread: Exploits

  1. #1
    Join Date
    Dec 2007
    Posts
    271

    Exploits

    I believe one or more of my client's sites have been exploited. From time to time I notice proc utilization increasing, and I have found a few processes running as nobody; once I kill them, everything returns to normal.

    Is there an easy way to locate the origin? I am assuming that it is due to an exploit running in one of my client's PHP sites.

  2. #2
    Join Date
    Sep 2006
    Location
    Smiths Falls, ON
    Posts
    772
    My best first suggestion would be, if possible, to make the spawned PHP processes run as the user. That will help you trace which account is launching them.
    Ryan G.
    Owner
    Umgardi.ca

  3. #3
    Join Date
    Feb 2007
    Posts
    265
    If there are process IDs, you could use ll /proc/ and then put the process ID at the end.
    Master Reseller Accounts
    Shared Hosting
    VPS hosting
    ToastHosts.com support{at}toasthosts.com

  4. #4
    Join Date
    Jul 2007
    Posts
    88
    If you post the name of the process using most of your resources then that may help in identifying it.

    You can also use lsof (list open files) to see where in the filesystem the process may be coming from. Use ps or top to find the PID (process ID) and then run:

    lsof | grep PID | more
    rootbsd.net :: BSD based hosting for smart people
    FreeBSD VPS :: FreeBSD and OpenBSD Hosting Powered By Xen
    IRC: #rootbsd on freenode
    twitter: @rootbsd
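
Added example, not part of any post in this thread: a small shell function that collects what the /proc/PID listing and lsof suggestions above would show for one process (binary, working directory, command line, open files), so a process running as nobody can be tied back to a site directory. The function name proc_origin and its optional PROC_ROOT argument are assumptions made for this example; reading another user's /proc entries needs root.

```shell
#!/bin/sh
# Usage: proc_origin PID [PROC_ROOT]
# PROC_ROOT defaults to /proc. It is a hypothetical extra argument so the
# function can also be pointed at a saved or constructed copy of the tree.
proc_origin() {
    pid=$1
    root=${2:-/proc}
    dir="$root/$pid"
    if [ -z "$pid" ] || [ ! -d "$dir" ]; then
        echo "no such process: $pid" >&2
        return 1
    fi

    # exe -> binary that was executed, cwd -> directory it was started from
    exe=$(readlink "$dir/exe" 2>/dev/null) || exe=""
    cwd=$(readlink "$dir/cwd" 2>/dev/null) || cwd=""
    # cmdline is NUL-separated; convert to spaces and trim the trailing one
    cmd=$(tr '\0' ' ' 2>/dev/null < "$dir/cmdline" | sed 's/ $//') || cmd=""

    echo "pid:     $pid"
    echo "exe:     ${exe:-unreadable}"
    echo "cwd:     ${cwd:-unreadable}"
    echo "cmdline: ${cmd:-empty}"

    # Linux appends " (deleted)" when the binary was removed after launch
    case $exe in
        *" (deleted)") echo "flag:    executable deleted from disk" ;;
    esac
    # Processes started from world-writable temp directories deserve a look
    case $cwd in
        /tmp*|/var/tmp*|/dev/shm*) echo "flag:    cwd is a temp directory" ;;
    esac

    # Open files, as lsof would list them; skip sockets, pipes and anon inodes
    for fd in "$dir"/fd/*; do
        [ -L "$fd" ] || continue
        target=$(readlink "$fd") || continue
        case $target in
            /*) echo "open:    $target" ;;
        esac
    done
    return 0
}

# Run directly as: sh proc_origin.sh PID
if [ "$#" -gt 0 ]; then proc_origin "$@"; fi
```

The cwd and open-file paths usually fall under one account's home or document root, which identifies the site to inspect.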

  5. #5
    Join Date
    Dec 2007
    Posts
    271
    Well, wouldn't you know. Now that I am waiting for it to happen again, everything is fine LOL.

    I will post more information if and when it happens again. Thanks,
