On the 12989th day after Epoch, Nejc Novak wrote:
> I checked crontabs and I haven't found anything. But new processes started
>
> www-data 6705 0.0 0.1 1616 600 ? S 21:31 0:00 /tmp/dlciiqlno x
> www-data 6762 0.0 0.0 0 0 ? Z 22:10 0:00 [sh] <defunct>
> www-data 6770 0.0 0.1 1624 608 ? S 22:10 0:00 [bdflu
>
> and new connections were opened
>
> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 193.77.81.144:33276 210.169.91.66:5454 ESTABLISHED
> tcp 0 0 193.77.81.144:33281 193.201.53.88:6667 ESTABLISHED
>
> Once again, /tmp/dcliiqlno doesn't exist... where is this exec file,
> because I would really like to know what exactly it does.. and what is
> bdflu?

Easy to do. The exec prog removes itself. Try "lsof -p <hackprocessid>" and you will probably see a "deleted" file. The process probably restarted because of a corrupted command. For example, ls or ps are corrupted, so they create /tmp/xxxx, run it and delete it.

> I still haven't managed to find out how exactly this happened. And
> probably reinstall will be needed? What do you think?

First of all, you must unplug the machine. Second, reinstall it. If you have important data, just back it up, but *only* data!
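
The "deleted" check suggested in the reply can also be run across every process at once by reading the `/proc/<pid>/exe` links, and the unlinked binary can be copied out for analysis while the process is still alive. This is an added example, not part of the original thread; it assumes a Linux `/proc`, and the function names and the `proc_root` parameter are hypothetical, introduced so the logic can be exercised on a constructed directory tree.

```shell
#!/bin/sh
# Added example: find running processes whose executable was unlinked from disk
# and copy the binary out of /proc for offline analysis.
# Run as root on a live host; an unprivileged user can only read the exe link
# of its own processes. Usage: find_deleted_exes; save_deleted_exe <pid> <dir>

suffix=' (deleted)'   # marker Linux appends to the exe link of an unlinked binary

# find_deleted_exes [proc_root]
# Prints "pid<TAB>original path" for each process running a deleted executable.
find_deleted_exes() {
    proc_root="${1:-/proc}"
    for dir in "$proc_root"/[0-9]*; do
        # Kernel threads and inaccessible processes have no readable exe link.
        target=$(readlink "$dir/exe" 2>/dev/null) || continue
        case "$target" in
            *"$suffix")
                printf '%s\t%s\n' "${dir##*/}" "${target%"$suffix"}"
                ;;
        esac
    done
}

# save_deleted_exe pid outdir [proc_root]
# Copies the binary behind /proc/<pid>/exe to outdir and prints the saved path.
# The kernel keeps the file contents reachable through this link for as long
# as the process runs, even though the path no longer exists on disk.
save_deleted_exe() {
    pid="$1"
    outdir="$2"
    proc_root="${3:-/proc}"
    mkdir -p "$outdir" || return 1
    out="$outdir/pid-$pid.bin"
    cp "$proc_root/$pid/exe" "$out" || return 1
    chmod 0400 "$out"   # evidence copy: read-only, never executable
    printf '%s\n' "$out"
}
```

Write the saved copy to external or otherwise trusted media, since the rest of the filesystem on a compromised host cannot be relied on.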