Thread: SS command?

  1. #1

    SS command?

    I see a command running called ss
    What is this? Thanks

  2. #2
    Join Date
    Oct 2004
    Location
    Kerala, India
    Posts
    4,750
    Do this.

    ps aux | grep ss

    get the pid, then execute

    lsof -p <pid>
    David | www.cliffsupport.com
    Affordable Server Management Solutions sales AT cliffsupport DOT com
    CliffWebManager | Access WHM from iPhone and Android

  3. #3
    Thanks, I also have many mycnf processes running. See below:
    --------------------
    usr/bin/perl ./mycnf 24.8.215.105 10000 0
    7511 root 0 0 0.1 /usr/bin/perl ./mycnf 24.8.215.121 10000 0
    7512 root 0 0 0.1 /usr/bin/perl ./mycnf 24.8.215.238 10000 0
    7513 root 0 0 0.1 /usr/bin/perl ./mycnf 24.8.216.121 10000 0
    7514 root 0 0 0.1 /usr/bin/perl ./mycnf 24.8.216.14 10000 0
    7515 root 0 0 0.1 /usr/bin/perl ./mycnf 24.8.216.15 10000 0
    7516 root 0 0 0.1 /usr/bin/perl ./mycnf 24.8.216.159 10000 0
    7517 root 0 0 0.1 /usr/bin/perl ./mycnf 24.8.216.170 10000 0
    7518 root 0 0 0.1 /usr/bin/perl ./mycnf 24.8.216.178 10000 0
    7519 root 0 0 0.1 /usr/bin/perl ./mycnf 24.8.216.193 10000 0
    7520 root 0 0 0.1 /usr/bin/perl ./mycnf 24.8.216.203 10000 0
    7521 root 0 0 0.1 /usr/bin/perl ./mycnf 24.8.216.220 10000 0
    7522 root 0 0 0.1 /usr/bin/perl ./mycnf 24.8.216.234 10000 0
    7523 root 0 0 0.1 /usr/bin/perl ./mycnf 24.8.216.242 10000 0


    What is this? Hack attempt?

  4. #4
    Join Date
    Jan 2008
    Posts
    42
    I'd say yes, the mycnf looks to be scanning IP ranges. Before you killall, attempt to look in the /proc dir as to the location of the infection.

  5. #5
    Join Date
    Oct 2004
    Location
    Kerala, India
    Posts
    4,750
    Do this

    lsof -p <pid> | grep cwd
    David | www.cliffsupport.com
    Affordable Server Management Solutions sales AT cliffsupport DOT com
    CliffWebManager | Access WHM from iPhone and Android
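    A defender-side triage helper for what posts #2 and #5 describe (find the PIDs, then resolve where each process really lives before killing it). This is an added example, not code posted in the thread; it assumes a Linux /proc, pgrep and "ps aux" column layout, and the function names, the SAMPLE data and the flagging rule are mine.

```shell
#!/bin/sh
# Added triage helpers, not from the thread. They assume a Linux /proc
# (proc_origin) and "ps aux" column layout (flag_scanners); names are mine.

# proc_origin PATTERN: for every process whose command line matches PATTERN,
# print pid, owner, resolved executable, working directory and full command
# line from /proc. This is the same answer "lsof -p PID | grep cwd" gives,
# and it is what to record before killing anything. Usage: proc_origin mycnf
proc_origin() {
    # pgrep -f matches the whole command line (the perl script is only an
    # argument; the process name itself is "perl") and never matches itself,
    # which "ps aux | grep ss" does.
    for pid in $(pgrep -f -- "$1"); do
        [ -d "/proc/$pid" ] || continue
        user=$(stat -c %U "/proc/$pid" 2>/dev/null || echo '?')
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')  # " (deleted)" suffix: binary removed after start
        cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')  # directory ./mycnf was launched from
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
        printf '%s\t%s\t%s\t%s\t%s\n' "$pid" "$user" "$exe" "$cwd" "$cmd"
    done
}

# flag_scanners: read "ps aux" lines on stdin and print those that match the
# pattern seen in this thread: owned by root, run through an interpreter,
# and handed an IPv4 address as an argument.
flag_scanners() {
    awk '$1 == "root" && $11 ~ /(perl|python|sh)$/ {
            for (i = 12; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print; break }
         }'
}

# Constructed sample of "ps aux" output; the first line mirrors the thread's processes.
SAMPLE='root      7511  0.0  0.1   5000  1000 ?  S   10:00   0:00 /usr/bin/perl ./mycnf 24.8.215.121 10000 0
mysql     2211  0.0  1.2  90000  8000 ?  Sl  09:00   0:10 /usr/sbin/mysqld --defaults-file=/etc/my.cnf
root      1220  0.0  0.0   4000   800 ?  S   09:00   0:00 /usr/bin/perl /usr/bin/spamd --pidfile /var/run/spamd.pid'

# Live use: ps aux | flag_scanners ; then proc_origin mycnf on each hit.
printf '%s\n' "$SAMPLE" | flag_scanners
```

    Only the root-owned perl process with an IP argument is printed; the legitimate root perl daemon (spamd) and the mysqld line are not.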

  6. #6
    Here is a list of all in the /proc/
    Does anything look like a trojan? Thanks!

  7. #7
    Join Date
    Oct 2002
    Location
    State of Disbelief
    Posts
    22,953
    Without meaning to offend, Daniel, are you sure you're ready to manage your own server?

    Quote Originally Posted by danielj
    7523 root 0 0 0.1 /usr/bin/perl ./mycnf 24.8.216.242 10000 0


    What is this? Hack attempt?
    If it is, it was successful...the user is root.
    Having problems, or maybe questions about WHT? Head over to the help desk!

  8. #8
    No offense taken, that is why my name has "newbie" under it.
    We were recently hacked and are trying to determine if we still have an exploit.

  9. #9
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,910
    Quote Originally Posted by danielj View Post
    We were recently hacked and are trying to determine if we still have an exploit.
    Without knowing too much about the situation, it appears that you are still compromised. I'm basing that decision on the fact that the IP scanners are running as root, and I would highly recommend that you contact a server management firm that specializes in security.
    Patrick William | RACK911 Labs | Software Security Auditing
    400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com

    www.HostingSecList.com - Security notices for the hosting community.
