
Server hacked or "wormed" or "trojaned" ?

Discussion in 'General Discussion' started by duranduran, Aug 19, 2005.

  1. duranduran

    Hi, I found this in TOP:

    23:18:31 up 3:18, 3 users, load average: 7.87, 7.95, 7.82
    160 processes: 145 sleeping, 11 running, 4 zombie, 0 stopped
    CPU states: cpu user nice system irq softirq iowait idle
    total 83.6% 0.0% 14.9% 0.7% 0.7% 0.0% 0.0%
    Mem: 502292k av, 488280k used, 14012k free, 0k shrd, 16596k buff
    367040k actv, 70028k in_d, 6648k in_c
    Swap: 2048276k av, 313328k used, 1734948k free 164504k cached

    PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
    10439 nobody 25 0 3512 1872 1648 R 17.8 0.3 33:57 0 /usr/sbin/http/box
    10472 nobody 25 0 3512 1872 1648 R 17.8 0.3 33:44 0 /usr/sbin/http/box
    10511 nobody 25 0 3516 1876 1648 R 17.8 0.3 33:44 0 /usr/sbin/http/box
    10560 nobody 25 0 3516 1868 1648 R 16.7 0.3 33:20 0 /usr/sbin/http/box

    What is /usr/sbin/http/box? This file/path doesn't exist on this server.
    Is this a virus/backdoor?
     
  2. chirpy

    Probably. You need to check the files open by that process and investigate further. If you don't know how, then you'll need to hire a server admin to sort it out for you. A starting point:

    lsof -p PID
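
Added example, not part of either post: a triage helper for the situation in this thread, where top shows a COMMAND path that is not on disk. The name top prints comes from the process's own argument list, which the process can overwrite, while `/proc/PID/exe` is maintained by the kernel. The function names and the `PROC_ROOT` variable are hypothetical, chosen for this illustration.

```shell
#!/bin/sh
# Added example: compare what a process claims to be with what the kernel says it is.
# PROC_ROOT is a hypothetical override so the checks can run against a constructed tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# argv[0] as reported by the process itself (the string top displays).
claimed_name() {
    tr '\0' '\n' < "$PROC_ROOT/$1/cmdline" 2>/dev/null | head -n 1
}

# Path of the binary the kernel actually executed; ends in " (deleted)"
# when the file was unlinked after the process started.
real_exe() {
    readlink "$PROC_ROOT/$1/exe" 2>/dev/null || true
}

# Print space-separated findings for one PID, or "ok" if nothing stands out.
# Findings are leads for further investigation, not proof of compromise.
triage_pid() {
    claimed=$(claimed_name "$1")
    exe=$(real_exe "$1")
    findings=""
    case "$exe" in
        *" (deleted)") findings="$findings exe-deleted" ;;
    esac
    case "$claimed" in
        /*) # Only absolute names are compared; short names like "bash" are normal.
            [ -e "$claimed" ] || findings="$findings argv0-path-missing"
            [ "$claimed" = "${exe% (deleted)}" ] || findings="$findings argv0-mismatch"
            ;;
    esac
    findings=${findings# }
    echo "${findings:-ok}"
}

# Usage: sh triage.sh 10439 10472   (run as root so /proc/PID/exe is readable)
if [ "$#" -gt 0 ]; then
    for p in "$@"; do
        echo "PID $p claims '$(claimed_name "$p")', exe is '$(real_exe "$p")'"
        echo "PID $p findings: $(triage_pid "$p")"
        # The open-files listing suggested in the reply above, if lsof is installed.
        if command -v lsof >/dev/null 2>&1; then lsof -p "$p" || true; fi
    done
fi
```

A symlinked interpreter can also produce `argv0-mismatch`, so read that finding together with the `lsof` output rather than on its own.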
     