Home > Ask the Enterprise Linux Experts > Questions & Answers > Determining process locations on a compromised server
Ask The Enterprise Linux Expert: Questions & Answers
EMAIL THIS

Determining process locations on a compromised server

Don Becker EXPERT RESPONSE FROM: Don Becker

Pose a Question
Other Enterprise Linux Categories
Meet all Enterprise Linux Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 17 August 2006
We suddenly have hundreds of processes called "brute" running on our Penguin server. What this could be?

>

I'm not sure what the problem could be but it's likely bad. My guess is that your machine has been compromised, and the processes are running a "brute force" password guessing program or attacks against other machines.

The safest solution is to save your applications and data, and start with a freshly installed Linux distribution on a new machine.

In the meantime, you can get an idea of what is running and where the program is located by looking at the /proc entry for one of the processes. Use the 'top' or 'ps' programs to find the process ID (PID)of a 'brute'. Then, look in /proc//maps to find where the executable is located. 

root# ps ax | grep brute | head -10
26235 ?        Ss     0:00 /tmp/.../.brute
  ...
root# cat /proc/26235/maps
00b31000-00b4a000 r-xp 00000000 03:0a 612182     /lib/ld-2.4.so
00b4a000-00b4b000 r-xp 00018000 03:0a 612182     /lib/ld-2.4.so
00b4b000-00b4c000 rwxp 00019000 03:0a 612182     /lib/ld-2.4.so
00b4e000-00c7b000 r-xp 00000000 03:0a 612183     /lib/libc-2.4.so
...
08047000-08052000 r-xp 00000000 03:0a 614274     /tmp/.../.brute
08052000-08053000 rw-p 0000b000 03:0a 614274     /tmp/.../.brute


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



RELATED GLOSSARY TERMS
Terms from Whatis.com − the technology online dictionary
Heartbeat  (SearchEnterpriseLinux.com)

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary



Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
Browse our Expert Advice



Linux Migration Advice: Unix-to-Linux, Windows-to-Linux
HomeNewsTopicsITKnowledge ExchangeTipsBlogsAsk the ExpertsMultimediaWhite PapersIT Downloads
About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
SEARCH 
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts