[BlueOnyx:05492] Re: Cced hangs, admsrv & httpd down @ 4am
Jeff Jones
jeffrhysjones at mac.com
Tue Sep 28 11:01:30 -05 2010
Hmm - just mysql.sock, yum.check-update & yum.update
I think had this thing been hacked - it would be all over now!
This has happened a few times before, the last time was 3 or 4 months ago. The thing that is a bit worrying is that I only restarted this box at the weekend - so it's not something which has been lurking around for a while..
Cheers,
Jeff
On 28 Sep 2010, at 16:44, Gerald Waugh wrote:
>
> On Tue, 2010-09-28 at 16:19 +0100, Jeff Jones wrote:
>> Just thought I would post an update to this issue.
>>
>> After going through the monitoring system - I have noticed that from 4pm yesterday, this BX box had been generating two new 'mystery processes' every 15 minutes - which did not die.
>>
>> So at 4pm there were 113 processes (that the box seems to run most of the time).
>>
>> By 4am this morning - this had risen, 2 every 15 mins, in an almost totally linear fashion, to 232 running processes.
>>
>> At this point Cced, HTTP & AdmServ died, but the server carried on spawning processes - until I restarted the entire server.
>>
>> I guess had I looked at exactly what processes were running before I restarted - I might have got a clue as to the cause - something to remember for next time.
>>
>> I have gone back to 4pm in the messages log, and again nothing much in there.....
>>
>> Any suggestions of where else to look?
>>
>
> what's in /tmp
> recently worked on a hacked server
> had ICEICE, nc and nc.1 in /tmp
>
>>
>> Gerald
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at blueonyx.it
> http://www.blueonyx.it/mailman/listinfo/blueonyx
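The thread turns on two checks: seeing which processes were piling up before the restart, and looking at what is in /tmp. The script below is an added example, not part of the original messages, that compares two saved `ps` snapshots and lists executable files in a directory. The snapshot file names, the `exampled` process name and all sample rows are constructed.

```shell
#!/bin/sh
# Take snapshots on the live box (by hand or from cron), for example:
#   ps -e -o pid= -o ppid= -o etime= -o comm= > /root/ps.$(date +%H%M)

# proc_growth BEFORE AFTER: print "delta command" for each command that has
# more processes in AFTER than in BEFORE, largest growth first.
proc_growth() {
    awk 'FILENAME == ARGV[1] { before[$4]++; next }
         { after[$4]++ }
         END {
             for (c in after) {
                 if (after[c] > before[c]) { print after[c] - before[c], c }
             }
         }' "$1" "$2" | sort -k1,1nr -k2,2
}

# new_procs BEFORE AFTER: print the AFTER rows whose PID is not in BEFORE.
# The second column (PPID) shows which parent started the leftovers.
new_procs() {
    awk 'FILENAME == ARGV[1] { seen[$1] = 1; next }
         !($1 in seen)' "$1" "$2"
}

# tmp_executables DIR: regular files under DIR with any execute bit set.
tmp_executables() {
    find "$1" -xdev -type f \( -perm -100 -o -perm -010 -o -perm -001 \) | sort
}

# Constructed sample data: two snapshots taken 15 minutes apart.
work=$(mktemp -d)
cat > "$work/ps.1600" <<'EOF'
    1     0  2-03:10:11 init
 2101     1  2-03:09:40 crond
 2200     1  2-03:09:30 httpd
 2201  2200  2-03:09:29 httpd
EOF
cat > "$work/ps.1615" <<'EOF'
    1     0  2-03:25:11 init
 2101     1  2-03:24:40 crond
 2200     1  2-03:24:30 httpd
 2201  2200  2-03:24:29 httpd
 9001  2101       00:02 exampled
 9002  2101       00:02 exampled
EOF

proc_growth "$work/ps.1600" "$work/ps.1615"   # which command is multiplying
new_procs   "$work/ps.1600" "$work/ps.1615"   # the new PIDs and their parent
tmp_executables /tmp                          # executables sitting in /tmp
```

Snapshots kept on disk survive the restart, so the comparison can be done afterwards; the sample directory in `$work` is left in place for inspection.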