raphaelfx
(usa Outra)
Enviado em 11/07/2010 - 03:00h
Exato, stack_of.
Na string ele tenta redirecionar, mas não está conseguindo — ou porque bloqueei o IP do site deles (acho que é por isso), ou porque é o meu próprio servidor que não está aceitando a conexão.
Ele se utiliza do arquivo criado para tentar injetar o código da string.
O problema é: como ele está criando os arquivos .php? Para descobrir, o caminho é conferir o dono e o horário de criação dos arquivos (`ls -l --full-time`) e cruzar com o access_log do Apache e o log do pure-ftpd no mesmo minuto: como os filhos do Apache rodam como `nobody` (vide o ps abaixo), arquivo pertencente a `nobody` indica que entrou pelo próprio webserver (algum script/upload vulnerável do site); arquivo pertencente ao usuário da conta aponta para credencial de FTP/cPanel comprometida.
Segue abaixo o ps aux (o aviso de "bad syntax" na primeira linha é do procps por causa do hífen em `-aux`, que mistura a sintaxe BSD com a Unix; o correto é `ps aux`, sem hífen):
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 10348 700 ? Ss Jul09 0:03 init [3]
root 2 0.0 0.0 0 0 ? S< Jul09 0:00 [migration/0]
root 3 0.0 0.0 0 0 ? SN Jul09 0:00 [ksoftirqd/0]
root 4 0.0 0.0 0 0 ? S< Jul09 0:00 [watchdog/0]
root 5 0.0 0.0 0 0 ? S< Jul09 0:00 [migration/1]
root 6 0.0 0.0 0 0 ? SN Jul09 0:00 [ksoftirqd/1]
root 7 0.0 0.0 0 0 ? S< Jul09 0:00 [watchdog/1]
root 8 0.0 0.0 0 0 ? S< Jul09 0:00 [events/0]
root 9 0.0 0.0 0 0 ? S< Jul09 0:00 [events/1]
root 10 0.0 0.0 0 0 ? S< Jul09 0:00 [khelper]
root 27 0.0 0.0 0 0 ? S< Jul09 0:00 [kthread]
root 32 0.0 0.0 0 0 ? S< Jul09 0:01 [kblockd/0]
root 33 0.0 0.0 0 0 ? S< Jul09 0:00 [kblockd/1]
root 34 0.0 0.0 0 0 ? S< Jul09 0:00 [kacpid]
root 128 0.0 0.0 0 0 ? S< Jul09 0:00 [cqueue/0]
root 129 0.0 0.0 0 0 ? S< Jul09 0:00 [cqueue/1]
root 132 0.0 0.0 0 0 ? S< Jul09 0:00 [khubd]
root 134 0.0 0.0 0 0 ? S< Jul09 0:00 [kseriod]
root 206 0.0 0.0 0 0 ? S Jul09 0:00 [khungtaskd]
root 209 0.0 0.0 0 0 ? S< Jul09 1:07 [kswapd0]
root 210 0.0 0.0 0 0 ? S< Jul09 0:00 [aio/0]
root 211 0.0 0.0 0 0 ? S< Jul09 0:00 [aio/1]
root 357 0.0 0.0 0 0 ? S< Jul09 0:00 [kpsmoused]
root 388 0.0 0.0 0 0 ? S< Jul09 0:00 [ata/0]
root 389 0.0 0.0 0 0 ? S< Jul09 0:00 [ata/1]
root 390 0.0 0.0 0 0 ? S< Jul09 0:00 [ata_aux]
root 394 0.0 0.0 0 0 ? S< Jul09 0:00 [scsi_eh_0]
root 395 0.0 0.0 0 0 ? S< Jul09 0:00 [scsi_eh_1]
root 402 0.0 0.0 0 0 ? S< Jul09 0:00 [kstriped]
root 415 0.0 0.0 0 0 ? S< Jul09 0:00 [ksnapd]
root 430 0.0 0.0 0 0 ? S< Jul09 1:41 [kjournald]
root 455 0.0 0.0 0 0 ? S< Jul09 0:00 [kauditd]
root 488 0.0 0.0 12672 792 ? S<s Jul09 0:00 /sbin/udevd -d
root 1298 0.0 0.0 0 0 ? S< Jul09 0:00 [kmpathd/0]
root 1299 0.0 0.0 0 0 ? S< Jul09 0:00 [kmpathd/1]
root 1300 0.0 0.0 0 0 ? S< Jul09 0:00 [kmpath_handle]
root 1323 0.0 0.0 0 0 ? S< Jul09 0:00 [kjournald]
root 1568 0.0 0.0 0 0 ? S< Jul09 0:02 [loop0]
root 1569 0.0 0.0 0 0 ? S< Jul09 0:00 [kjournald]
root 1616 0.0 0.0 0 0 ? S< Jul09 0:08 [kondemand/0]
root 1617 0.0 0.0 0 0 ? S< Jul09 0:08 [kondemand/1]
root 1839 0.0 0.0 92884 944 ? S<sl Jul09 0:03 auditd
root 1841 0.0 0.0 81808 992 ? S<sl Jul09 0:00 /sbin/audispd
root 1928 0.0 0.0 5908 608 ? Ss Jul09 0:01 syslogd -m 0
root 1931 0.0 0.0 3804 428 ? Ss Jul09 0:00 klogd -x
dbus 2027 0.0 0.0 21256 908 ? Ss Jul09 0:00 dbus-daemon --s
root 2063 0.0 0.0 3800 576 ? Ss Jul09 0:00 /usr/sbin/acpid
68 2076 0.0 0.1 30780 3836 ? Ss Jul09 0:00 hald
root 2077 0.0 0.0 21692 1048 ? S Jul09 0:00 hald-runner
68 2084 0.0 0.0 12324 844 ? S Jul09 0:00 hald-addon-acpi
root 2122 0.0 0.0 57688 1760 ? Ssl Jul09 0:00 automount
root 2148 0.0 0.0 62624 1216 ? Ss Jul09 0:00 /usr/sbin/sshd
root 2165 0.0 0.0 65940 1284 ? S Jul09 0:00 /bin/sh /usr/bi
mysql 2262 0.4 20.5 860876 416140 ? Sl Jul09 12:04 /usr/sbin/mysql
root 2408 0.1 0.0 0 0 ? S 02:49 0:01 [pdflush]
root 2473 0.0 0.0 93356 1300 ? Ss Jul09 0:00 pure-ftpd (SERV
root 2477 0.0 0.0 91004 960 ? S Jul09 0:00 /usr/sbin/pure-
root 2490 0.0 0.0 74824 1192 ? Ss Jul09 0:00 crond
root 2689 0.0 0.3 35348 6092 ? S Jul09 0:05 queueprocd - wa
root 2699 0.0 0.4 45984 9192 ? S Jul09 0:05 tailwatchd
root 2702 0.0 0.1 26136 2228 ? SN Jul09 0:00 cpanellogd - sl
root 3016 0.0 0.4 99352 8656 ? Ss Jul09 0:00 /usr/sbin/munin
root 3141 0.0 1.8 118716 37932 ? S Jul09 0:00 cPGSD/0.7.3
root 3325 0.0 0.0 18416 580 ? S Jul09 0:00 /usr/sbin/smart
root 3328 0.0 0.0 3792 484 tty1 Ss+ Jul09 0:00 /sbin/mingetty
root 3329 0.0 0.0 3792 484 tty2 Ss+ Jul09 0:00 /sbin/mingetty
root 3332 0.0 0.0 3792 484 tty3 Ss+ Jul09 0:00 /sbin/mingetty
root 3337 0.0 0.0 3792 480 tty4 Ss+ Jul09 0:00 /sbin/mingetty
root 3339 0.0 0.0 3792 484 tty5 Ss+ Jul09 0:00 /sbin/mingetty
root 3345 0.0 0.0 3792 484 tty6 Ss+ Jul09 0:00 /sbin/mingetty
root 3552 0.0 0.0 0 0 ? S 02:51 0:00 [pdflush]
root 3640 0.0 0.0 11560 688 ? Ss Jul09 0:00 /usr/local/cpan
root 3643 0.0 0.0 11560 692 ? Ss Jul09 0:00 /usr/local/cpan
root 3650 0.0 0.0 11560 688 ? Ss Jul09 0:00 /usr/local/cpan
root 3654 0.0 0.0 11604 852 ? Ss Jul09 0:05 /usr/local/cpan
root 4894 0.0 0.4 51404 9604 ? S 02:55 0:00 tailwatchd
root 4903 0.0 0.2 34184 5176 ? S 02:55 0:00 /scripts/restar
root 4904 0.0 0.0 11120 744 ? S 02:55 0:00 /usr/bin/spamc
munin 6993 0.0 0.0 104088 1588 ? S 03:00 0:00 crond
munin 7002 0.0 0.0 8700 952 ? Ss 03:00 0:00 /bin/sh /usr/bi
munin 7003 0.0 0.4 88556 8436 ? S 03:00 0:00 /usr/local/bin/
munin 7012 0.0 0.3 90648 7380 ? S 03:00 0:00 /usr/share/muni
root 7429 0.0 0.0 3792 220 ? S 03:00 0:00 /usr/sbin/couri
root 7430 0.0 0.0 7988 540 ? S 03:00 0:00 /usr/lib/courie
root 7436 0.0 0.0 3792 220 ? S 03:00 0:00 /usr/sbin/couri
root 7437 0.0 0.0 7988 544 ? S 03:00 0:00 /usr/lib/courie
root 7442 0.0 0.0 3792 324 ? S 03:00 0:00 /usr/sbin/couri
root 7443 0.0 0.0 7988 556 ? S 03:00 0:00 /usr/lib/courie
root 7454 0.0 0.0 3792 216 ? S 03:00 0:00 /usr/sbin/couri
root 7455 0.0 0.0 7988 540 ? S 03:00 0:00 /usr/lib/courie
root 7462 0.0 0.0 3792 324 ? S 03:00 0:00 /usr/sbin/couri
root 7463 0.0 0.0 14396 684 ? S 03:00 0:00 /usr/libexec/co
root 7464 0.0 0.0 14396 180 ? S 03:00 0:00 /usr/libexec/co
root 7465 0.0 0.0 14396 180 ? S 03:00 0:00 /usr/libexec/co
root 7466 0.0 0.0 14396 180 ? S 03:00 0:00 /usr/libexec/co
root 7467 0.0 0.0 14396 180 ? S 03:00 0:00 /usr/libexec/co
root 7468 0.0 0.0 14396 392 ? S 03:00 0:00 /usr/libexec/co
root 7647 0.0 0.4 51404 9600 ? S 03:00 0:00 tailwatchd
root 7652 0.0 0.2 34184 5180 ? S 03:00 0:00 /scripts/restar
root 7653 0.3 1.0 165304 21128 ? Ss 03:00 0:00 /usr/local/apac
root 7654 0.0 0.0 11120 680 ? S 03:00 0:00 /usr/bin/spamc
root 7662 0.0 0.3 44408 7680 ? S 03:00 0:00 /usr/local/cpan
root 7669 0.0 0.6 149248 12692 ? S 03:00 0:00 /usr/local/apac
nobody 7673 0.0 0.7 165304 16088 ? S 03:00 0:00 /usr/local/apac
nobody 7674 0.0 0.7 165304 16080 ? S 03:00 0:00 /usr/local/apac
nobody 7675 0.0 0.7 165304 16080 ? S 03:00 0:00 /usr/local/apac
nobody 7676 0.0 0.7 165304 16080 ? S 03:00 0:00 /usr/local/apac
nobody 7677 0.0 0.7 165304 16080 ? S 03:00 0:00 /usr/local/apac
root 7808 0.0 0.2 28852 4152 ? S 03:01 0:00 /etc/authlib/au
mailnull 8224 0.0 0.0 64328 1116 ? Ss 03:01 0:00 /usr/sbin/exim
root 8233 0.0 0.1 64324 2024 ? S 03:01 0:00 /usr/sbin/exim
root 8235 0.0 0.1 65660 3556 ? S 03:01 0:00 /usr/sbin/exim
root 8247 1.9 2.2 113064 44532 ? Ss 03:01 0:00 /usr/bin/spamd
mailnull 8257 0.0 0.1 66540 2032 ? S 03:01 0:00 /usr/sbin/exim
root 8305 0.0 0.2 65668 4420 ? Ss 03:01 0:00 /usr/sbin/exim
root 8443 0.1 0.1 92168 3272 ? Ss 03:01 0:00 sshd: root@pts/
root 8466 0.0 0.6 86832 12948 ? S 03:01 0:00 cpsrvd - waitin
root 8467 0.2 0.0 0 0 ? Zs 03:01 0:00 [bui] <defunct>
root 8496 0.0 2.1 113064 43208 ? S 03:01 0:00 spamd child
root 8498 0.0 2.1 113064 43192 ? S 03:01 0:00 spamd child
root 8504 0.0 0.0 66204 1588 pts/0 Ss 03:01 0:00 -bash
root 8529 0.0 0.4 52324 9428 ? Ss 03:01 0:00 cpsrvd: interna
root 8567 0.0 0.0 3780 452 ? SN 03:01 0:00 /usr/local/cpan
root 8568 0.0 0.0 3780 176 ? TNs 03:01 0:00 /usr/local/cpan
root 8598 0.0 0.0 65604 976 pts/0 R+ 03:02 0:00 ps -aux
root 20474 0.0 0.2 36232 4648 ? SNs 01:00 0:00 /scripts/cpback
named 31079 0.0 0.4 168588 8580 ? Ssl Jul10 0:03 /usr/sbin/named
Alguém saberia dizer o que significa o "attacker" que aparece no /var/log/messages? Lá no meu tópico inicial, onde citei a URL, aparece "attacker" e a cada hora surge um IP diferente ali. Vale lembrar que o ps acima mostra apenas os processos daquele instante e não revela quem criou os arquivos .php — isso só sai dos logs e do dono/horário dos arquivos.
Obrigado a todos!