AccessDenied

Suspicious running process

So.. I was doing routine maintenance on my linux server when I noticed 1 process name OVER and OVER.

hanzo4 is the name of the process. Furthermore, I noticed open sockets to an IP that identifies itself as "RIPE Network Coordination Centre".

Google so far has turned up ONE result that is useful and it was in German.

Any suggestions?

Checking log files now.

AD

 

OK.. It's now a 'forensic' question.

I've managed to eliminate the process and stop it doing its work.

Nothing in the logs (nothing useful anyways)

hrrrmm..

AD


yeah.. Was in /tmp And the name of the binary was hanzo4.

When I managed to stop the process the binary was *pfft* gone.

Quite interesting really. Appears to tidy up after itself quite well.

I've just changed my security settings around a little and upgraded my root password (Was a little simple earlier. My bad.. Now it's not so simple).

Reduced privileges allowed to user.

And blocked the ports that it was communicating out on.

That'll keep me covered for now. But I think I'll do a paranoid monitor of my processes for the next few days.

AD


Maybe use a rootkit checker, like chkrootkit?

If it happens again, list the processes in tree format to see if it was started by another process?

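An added example (not from this thread or any tool it mentions) of the "paranoid monitor" and parent-chain check discussed above: it reads the Linux /proc tree, flags any running process whose executable lives in a world-writable scratch directory (/tmp, /var/tmp and /dev/shm are assumed locations) or whose binary has already been unlinked (the kernel appends "(deleted)" to the exe link, which is exactly what a self-removing binary like the one described leaves behind), and prints its PPid ancestry. PROC_ROOT is a hypothetical override so the scan can be pointed at a copied or constructed tree.

```shell
#!/bin/sh
# Scan a /proc-style tree for processes running from scratch dirs or from a
# deleted binary, then show who started them. PROC_ROOT defaults to /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print one line per suspicious process: "<pid> <ppid> <comm> <exe-target>".
scan_procs() {
    root="$1"
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid="${d##*/}"
        # readlink (no -f) returns the raw link target, so "(deleted)" survives.
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        case "$exe" in
            /tmp/*|/var/tmp/*|/dev/shm/*|*"(deleted)") ;;   # assumed suspicious locations
            *) continue ;;
        esac
        comm=$(cat "$d/comm" 2>/dev/null || echo '?')
        ppid=$(awk '/^PPid:/ {print $2}' "$d/status" 2>/dev/null || echo '?')
        printf '%s %s %s %s\n' "$pid" "$ppid" "$comm" "$exe"
    done
}

# Follow the PPid chain up to pid 0: the "tree format" view the reply suggests.
ancestry() {
    root="$1"; pid="$2"; chain=""
    while [ -n "$pid" ] && [ "$pid" != "0" ] && [ -r "$root/$pid/status" ]; do
        comm=$(cat "$root/$pid/comm" 2>/dev/null || echo '?')
        chain="${chain:+$chain <- }$pid($comm)"
        pid=$(awk '/^PPid:/ {print $2}' "$root/$pid/status")
    done
    printf '%s\n' "$chain"
}

# Report every hit with its ancestry; exe may contain spaces, so it is read last.
main_scan() {
    scan_procs "$PROC_ROOT" | while read -r pid ppid comm exe; do
        printf 'SUSPICIOUS pid=%s comm=%s exe=%s\n' "$pid" "$comm" "$exe"
        printf '  ancestry: %s\n' "$(ancestry "$PROC_ROOT" "$pid")"
    done
}

main_scan
```

A process listed here is worth preserving before killing it: the running image can still be copied out of /proc/PID/exe even after the file on disk is gone.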
