RE: Have I been Hacked (Part 1)
Thank you for your response. I have now run those checks as you requested. On inspection, I cannot see anything out of the ordinary. The results are below (Part 1).
Thanks again for your time.
#grep -i news /etc/passwd
Result: news:x:0:0:news:/etc/news:/bin/bash (the third and fourth fields of a passwd entry are the UID and GID, so 0:0 means this account has root's UID and GID, and /bin/bash gives it an interactive login shell — a system account such as news would not normally have either)
#ls -al /etc/tmp
Result: /bin/ls: /etc/tmp: No such file or directory
#ps aux --forest
Result:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 3432 460 ? S 10:06 0:01 init [3]
root 2 0.0 0.0 0 0 ? SWN 10:06 0:00 [ksoftirqd/0]
root 3 0.0 0.0 0 0 ? SW< 10:06 0:00 [events/0]
root 4 0.0 0.0 0 0 ? SW< 10:06 0:00 \_ [khelper]
root 16 0.0 0.0 0 0 ? SW< 10:06 0:00 \_ [kacpid]
root 96 0.0 0.0 0 0 ? SW< 10:06 0:00 \_ [kblockd/0]
root 158 0.0 0.0 0 0 ? SW 10:06 0:00 \_ [pdflush]
root 159 0.0 0.0 0 0 ? SW 10:06 0:00 \_ [pdflush]
root 161 0.0 0.0 0 0 ? SW< 10:06 0:00 \_ [aio/0]
root 104 0.0 0.0 0 0 ? SW 10:06 0:00 [khubd]
root 160 0.0 0.0 0 0 ? SW 10:06 0:00 [kswapd0]
root 254 0.0 0.0 0 0 ? SW 10:06 0:00 [kseriod]
root 445 0.0 0.0 0 0 ? SW 10:06 0:00 [kjournald]
root 1104 0.0 0.0 0 0 ? SW 10:06 0:00 [kjournald]
root 1105 0.0 0.0 0 0 ? SW 10:06 0:00 [kjournald]
root 1106 0.0 0.0 0 0 ? SW 10:06 0:00 [kjournald]
root 1107 0.0 0.0 0 0 ? SW 10:06 0:00 [kjournald]
root 1108 0.0 0.0 0 0 ? SW 10:06 0:00 [kjournald]
root 1994 0.0 0.1 2972 572 ? S 10:07 0:00 syslogd -m 0
root 1998 0.0 0.0 2440 444 ? S 10:07 0:00 klogd -x
root 2041 0.0 0.1 3380 560 ? S 10:07 0:00 rpc.idmapd
root 2120 0.0 0.1 2772 744 ? S 10:07 0:00 /usr/sbin/smartd
root 2129 0.0 0.0 2140 460 ? S 10:07 0:00 /usr/sbin/acpid
named 2139 0.0 0.7 37768 3860 ? S 10:07 0:02 /usr/sbin/named -u named
root 2167 0.0 0.2 5192 1296 tty8 S 10:07 0:00 /bin/bash
root 2233 0.0 0.2 4464 1452 ? S 10:07 0:00 /usr/sbin/sshd
root 8886 0.0 0.4 8292 2232 ? S 11:34 0:00 \_ sshd:
[email protected]/0
root 8907 0.1 0.2 4444 1380 pts/0 S 11:34 0:00 \_ -bash
root 9603 0.0 0.1 3196 748 pts/0 R 11:44 0:00 \_ ps aux --forest
root 2246 0.0 0.1 3356 828 ? S 10:07 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
root 2264 0.0 1.9 14792 9788 ? S 10:07 0:00 chkservd
mailnull 2338 0.0 0.3 7536 1668 ? S 10:07 0:00 /usr/sbin/exim -bd -q60m
mailnull 8109 0.0 0.8 8488 4176 ? S 11:21 0:00 \_ /usr/sbin/exim -bd -q60m
mailnull 9103 0.0 0.6 8344 3452 ? S 11:36 0:00 \_ /usr/sbin/exim -bd -q60m
mailnull 2343 0.0 0.3 7520 1612 ? S 10:07 0:00 /usr/sbin/exim -tls-on-connect -bd -oX 465
root 2348 0.1 0.3 5436 1676 ? S 10:07 0:10 antirelayd
root 2359 1.3 3.0 48604 15688 ? S 10:07 1:16 /usr/sbin/clamd
root 2361 0.0 5.1 28272 26056 ? S 10:07 0:02 /usr/bin/spamd -d --allowed-ips=127.0.0.1 --pidfile=/var/run/sp
root 2482 1.0 6.2 34004 31820 ? S 10:07 0:58 \_ spamd child
root 2488 0.0 5.4 30036 27788 ? S 10:07 0:03 \_ spamd child
root 2384 0.0 1.5 16272 7900 ? S 10:07 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 2428 0.1 3.8 27480 19680 ? S 10:07 0:10 \_ /usr/local/apache/bin/httpd -DSSL
nobody 2429 0.1 3.8 27476 19740 ? S 10:07 0:09 \_ /usr/local/apache/bin/httpd -DSSL
nobody 2430 0.1 3.9 28084 20248 ? S 10:07 0:10 \_ /usr/local/apache/bin/httpd -DSSL
nobody 2431 0.1 3.8 27448 19652 ? S 10:07 0:11 \_ /usr/local/apache/bin/httpd -DSSL
nobody 2432 0.2 3.9 27900 19940 ? S 10:07 0:16 \_ /usr/local/apache/bin/httpd -DSSL
nobody 2670 0.2 3.9 27892 20052 ? S 10:07 0:15 \_ /usr/local/apache/bin/httpd -DSSL
nobody 2706 0.0 3.1 24164 16204 ? S 10:08 0:05 \_ /usr/local/apache/bin/httpd -DSSL
nobody 2716 0.1 4.0 28724 20824 ? S 10:08 0:09 \_ /usr/local/apache/bin/httpd -DSSL
nobody 2717 0.1 3.2 24224 16524 ? S 10:08 0:06 \_ /usr/local/apache/bin/httpd -DSSL
nobody 4580 0.1 3.2 24296 16428 ? S 10:29 0:06 \_ /usr/local/apache/bin/httpd -DSSL
root 2400 0.0 0.1 2776 644 ? S 10:07 0:00 crond
root 2418 0.0 0.2 4884 1168 ? S 10:07 0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --pid-fil
mysql 2468 0.2 3.8 107520 19536 ? S 10:07 0:15 \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --use
mailnull 2641 0.0 1.2 10896 6496 ? S 10:07 0:00 eximstats
root 2691 0.0 0.3 7140 1752 ? S 10:08 0:00 pure-ftpd (SERVER)
root 2696 0.0 0.1 6172 636 ? S 10:08 0:00 /usr/sbin/pure-authd -s /var/run/ftpd.sock -r /usr/sbin/pureaut
root 2709 0.0 1.6 11932 8380 ? SN 10:08 0:03 cpanellogd - sleeping for logs
root 2755 0.0 2.2 13972 11356 ? S 10:08 0:02 cppop - accepting on port 110 and 995
dunbarc 9599 2.0 2.2 13992 11404 ? S 11:44 0:00 \_ cppop - serving 165.146.229.49 - TRANSACTION -
[email protected]
root 9600 0.0 2.2 13980 11368 ? S 11:44 0:00 \_ cppop - serving 165.146.196.61 - AUTHORIZATION
inkprint 9601 4.0 2.2 13992 11404 ? S 11:44 0:00 \_ cppop - serving 66.110.111.170 - TRANSACTION -
[email protected]
brookesh 9602 4.0 2.2 13992 11408 ? S 11:44 0:00 \_ cppop - serving 66.110.74.174 - TRANSACTION -
[email protected]
nobody 2762 0.0 0.5 5724 2860 ? S 10:08 0:00 entropychat
root 2763 0.0 2.9 17580 14804 ? S 10:08 0:00 cpsrvd - waiting for connections
nobody 2772 0.0 0.1 1688 560 ? S 10:08 0:00 /usr/local/cpanel/bin/startmelange
cpanel 2824 0.0 0.3 4536 1664 ? S 10:08 0:00 /usr/bin/stunnel-4.15local /usr/local/cpanel/etc/stunnel/defaul
dbus 2852 0.0 0.1 2240 808 ? S 10:08 0:00 dbus-daemon-1 --system
root 2907 0.0 0.0 1492 468 ? S 10:08 0:00 /usr/sbin/portsentry -tcp
postgres 2946 0.0 0.3 19356 2000 ? S 10:08 0:00 /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data
postgres 2954 0.0 0.3 10156 1788 ? S 10:08 0:00 \_ postgres: stats buffer process
postgres 2955 0.0 0.3 9164 1824 ? S 10:08 0:00 \_ postgres: stats collector process
root 2957 0.0 0.0 1600 324 ? S 10:08 0:00 mdadm --monitor --scan
root 2964 0.0 0.0 3300 340 tty1 S 10:08 0:00 /sbin/mingetty tty1
root 2965 0.0 0.0 2168 344 tty2 S 10:08 0:00 /sbin/mingetty tty2
root 2966 0.0 0.0 2900 344 tty3 S 10:08 0:00 /sbin/mingetty tty3
root 2967 0.0 0.0 1740 344 tty4 S 10:08 0:00 /sbin/mingetty tty4
root 2968 0.0 0.0 2216 344 tty5 S 10:08 0:00 /sbin/mingetty tty5
root 2969 0.0 0.0 1656 344 tty6 S 10:08 0:00 /sbin/mingetty tty6