# Help! I'm being exploited via httpd!



## digitsix (Feb 17, 2009)

This is more than a system question than an apache question + most system admins here are probably running apache and would be able to help me even if it was more apache >:]

Anyway I have this problem where there is, from what I can gather a vulnerable perl script somewhere on my system. My hosting provider just throttled my nic on my server down to 10mbps because of an unusual high network load that started a few days ago.

I logged into my system and checked netstat. And saw two unusual connections to a spoof host ending in .ircd - I then ran top and saw two perl processes hogging most of the cpu with execution times in the hundreds of minutes. I grabbed the pids and ps'ed them and saw that the perl process whas being forked by httpd. I tried cross checking my logs with the process start time and was out of luck becuase my log was purged since they started.

Is there anyway i can use the process id to track what script exactly, httpd is running? I'm at a loss here.


----------

