Hi Sven,

Sven 'Darkman' Michels wrote:

> Looks like a backdoor. Check if any port is open on your box that shouldn't be there.
The standard security check mailed me:

* Changes (+: new entries, -: removed entries):
+ bi wwwrun TCP *:4000 (LISTEN)
+ bi wwwrun TCP *:443 (LISTEN)
+ bi wwwrun TCP *:80 (LISTEN)

It looks like a second process is listening on 443/80 -- because apache incl. SSL worked fine.
> What about Apache? Up to date? PHP? OpenSSL? All of those were exploitable in the last month, and your kernel looks like a default kernel from 7.3; if you update it, you should have at least 2.4.16-4GB. Also try chkrootkit -> www.chkrootkit.org. If it finds something suspicious, remove the box from the network and trust none of the data you've got on it.
I'm working on that -- I thought maybe there is detailed information out in the field about the type of backdoor and the way he got in.

Thanks for the help.

Regards,
Dirk
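The port check Sven suggests and the "Changes" report Dirk quotes, as an added example that is not part of this thread: a small POSIX shell script that turns two snapshots of `lsof -nP -i` output into the same +/- report the security check mails out, and additionally lists every port on which more than one distinct command is listening, which is the "second process on 443/80" situation Dirk describes. The lsof column layout it parses, the two sample snapshots (constructed to mirror the report in the mail) and all function names are assumptions made for illustration, not anything from the original mail or from the SuSE seccheck scripts.

```shell
#!/bin/sh
# Added example, not part of the mail thread: rebuild the kind of "Changes"
# report the security check mailed Dirk from two snapshots of lsof(8) output.
# Assumes the column layout of `lsof -nP -i` (COMMAND PID USER FD TYPE
# DEVICE SIZE/OFF NODE NAME STATE); the sample snapshots below are
# constructed to mirror the report in the mail.

# Reduce raw lsof output on stdin to one "COMMAND USER PROTO NAME (LISTEN)"
# line per listening socket (the seccheck format), header dropped, sorted
# in the C locale so comm(1) can compare two snapshots.
normalize_listeners() {
    awk 'NR > 1 && $NF == "(LISTEN)" { print $1, $3, $8, $9, $10 }' \
        | LC_ALL=C sort -u
}

# Lines in the current snapshot that the baseline lacks ("+" entries).
new_listeners() {      # $1 = normalized baseline, $2 = normalized current
    LC_ALL=C comm -13 "$1" "$2"
}

# Lines in the baseline that the current snapshot lacks ("-" entries).
removed_listeners() {  # $1 = normalized baseline, $2 = normalized current
    LC_ALL=C comm -23 "$1" "$2"
}

# Seccheck-style report: removed entries first, then new ones.
report_changes() {     # $1 = normalized baseline, $2 = normalized current
    removed_listeners "$1" "$2" | sed 's/^/- /'
    new_listeners "$1" "$2" | sed 's/^/+ /'
}

# Ports on which more than one distinct command is listening: the "second
# process on 443/80" situation. Field 4 is NAME (*:80, [::]:443, ...);
# everything up to the last colon is stripped to leave the port number.
shared_ports() {       # $1 = normalized snapshot
    awk '{ port = $4; sub(/.*:/, "", port)
           key = port SUBSEP $1
           if (!(key in seen)) { seen[key] = 1; cmds[port]++ } }
         END { for (p in cmds) if (cmds[p] > 1) print p }' "$1" \
        | sort -n
}

# Constructed sample: the box before the incident.
baseline_sample() {
cat <<'EOF'
COMMAND PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    412   root    3u  IPv4   1021      0t0  TCP *:22 (LISTEN)
httpd   890   root   16u  IPv4   2203      0t0  TCP *:80 (LISTEN)
httpd   890   root   17u  IPv4   2204      0t0  TCP *:443 (LISTEN)
EOF
}

# Constructed sample: the same box after "bi" appeared, as in the report.
current_sample() {
cat <<'EOF'
COMMAND PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    412   root    3u  IPv4   1021      0t0  TCP *:22 (LISTEN)
httpd   890   root   16u  IPv4   2203      0t0  TCP *:80 (LISTEN)
httpd   890   root   17u  IPv4   2204      0t0  TCP *:443 (LISTEN)
bi     2710 wwwrun    4u  IPv4   9902      0t0  TCP *:4000 (LISTEN)
bi     2710 wwwrun    5u  IPv4   9903      0t0  TCP *:443 (LISTEN)
bi     2710 wwwrun    6u  IPv4   9904      0t0  TCP *:80 (LISTEN)
EOF
}

# Demo over the constructed snapshots; on a real box replace the samples
# with `lsof -nP -i` run once at a known-good time and once now.
_tmp=$(mktemp -d)
baseline_sample | normalize_listeners > "$_tmp/baseline"
current_sample  | normalize_listeners > "$_tmp/current"
echo '* Changes (+: new entries, -: removed entries):'
report_changes "$_tmp/baseline" "$_tmp/current"
echo '* Ports with more than one listening command:'
shared_ports "$_tmp/current"
rm -rf "$_tmp"
```

Take the baseline snapshot while the box is known good and keep it somewhere the web server's user cannot write; the comparison is cheap enough to run from cron. On a box that is already suspect, remember Sven's point about trusting none of its data: lsof, netstat and awk may themselves have been replaced, so confirm the listening ports from a second machine (a port scan against the host) or with binaries from clean media before drawing conclusions from the report.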