[mythtv-users] OT. Have I been hacked? IRCD?

mark at onnow.net mark at onnow.net
Mon Dec 13 23:03:34 UTC 2004

Really sorry for the way OT subject, but I am trying to determine this ASAP and
people here strike me as pretty knowledgeable and I am running out of ideas:

In addition to being a MythTV box.....

I have been experiencing high load 3.00 ( .5 is normal ) for 3 days.  This is
being used as a web server.  When I run top I see:

17513 apache    25   0  2504  872   672 R    96.7  0.1  3591m   1 perl
 4883 apache    25   0  2528  896   676 R    71.3  0.1  3575m   0 perl

So there are two perl processes that are maxing the CPUs.

When I run: lsof -i |grep perl
I get:
perl       4883  apache    3u  IPv4      2624       TCP *:http (LISTEN)
perl       4883  apache    4u  IPv4      2626       TCP *:https (LISTEN)
perl       4883  apache  124u  IPv4 193039277       TCP onofmydomains.com:56272->ftp.pqa.com:ircd (ESTABLISHED)
perl      17513  apache    3u  IPv4      2624       TCP *:http (LISTEN)
perl      17513  apache    4u  IPv4      2626       TCP *:https (LISTEN)
perl      17513  apache  124u  IPv4  65252685       TCP oneofmydomains.com:60371->chobits.ircrev.com:ircd (ESTABLISHED)

So I have a connection to an irc daemon.  

I have grepped the web content directory for ircd and not found anything.
ps -ef |grep ircd gets nothing.
I also can't seem to locate a perl script that is causing this.
So can anyone offer some help here?  How can I check this further?  I want to
nail down the user ( web user I hope ) that is running this.

Thank you
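
Added example, not part of the original post: a small Python triage over `lsof -i` output that flags the pattern shown above, a command other than the web server holding the http/https listeners or connected out to an IRC port. The sample rows, host names, and the sets of expected server binaries and port names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the lsof -i output quoted above
# (example host names; PID 2210 stands in for a normal web server worker).
SAMPLE = """\
httpd      2210  apache    3u  IPv4      2624       TCP *:http (LISTEN)
httpd      2210  apache    4u  IPv4      2626       TCP *:https (LISTEN)
perl       4883  apache    3u  IPv4      2624       TCP *:http (LISTEN)
perl       4883  apache    4u  IPv4      2626       TCP *:https (LISTEN)
perl       4883  apache  124u  IPv4 193039277       TCP
web.example.com:56272->irc1.example.net:ircd (ESTABLISHED)
perl      17513  apache  124u  IPv4  65252685       TCP web.example.com:60371->irc2.example.net:6667 (ESTABLISHED)
"""
WEB_SERVER_CMDS = {"httpd", "apache2"}   # assumption: binaries expected to listen
WEB_PORTS = {"http", "https", "80", "443"}
IRC_PORTS = {"ircd", "6667"}             # assumption: ircd maps to 6667 in /etc/services
# COMMAND PID USER FD TYPE DEVICE [SIZE/OFF] NODE NAME (STATE)
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+\S+\s+IPv[46]\s+\S+(?:\s+\S+)?\s+TCP\s+(\S+)\s+\((\w+)\)$")

def unwrap(text):
    """Rejoin rows that a mail client wrapped right after the TCP column."""
    out = []
    for line in text.splitlines():
        if out and out[-1].rstrip().endswith("TCP"):
            out[-1] = out[-1].rstrip() + " " + line.strip()
        elif line.strip():
            out.append(line)
    return out

def triage(text):
    """Return {pid: [findings]}. A non-server command holding the web listeners
    has most likely inherited them from the web server that spawned it."""
    findings = defaultdict(list)
    for line in unwrap(text):
        m = ROW.match(line.strip())
        if not m:
            continue
        cmd, pid, user, name, state = m.groups()
        port = name.rsplit(":", 1)[-1]
        if state == "LISTEN" and port in WEB_PORTS and cmd not in WEB_SERVER_CMDS:
            findings[int(pid)].append(f"{cmd} holds web listener {port}")
        if state == "ESTABLISHED" and "->" in name and port in IRC_PORTS:
            findings[int(pid)].append(f"{cmd} ({user}) connected out to {name.split('->')[1]}")
    return dict(findings)

if __name__ == "__main__":
    for pid, notes in sorted(triage(SAMPLE).items()):
        print(pid, "; ".join(notes), f"-> inspect /proc/{pid}/exe, cwd, cmdline")
```

On Linux, `/proc/<pid>/cwd` and `/proc/<pid>/cmdline` of each flagged PID show where the script was started from and with what arguments, which helps trace it to a specific site or user.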
