Re: worm -root



Quoting Steve Sykes <ssykes emirates net ae>:

>     When I do a ps -ax, I see the job  "13037 ? RN 0:00 worm -root". 
>  What does this mean?

No idea, although there are some games called worm. But you should know whether
you are running them at the moment ;-)

Well, you probably do not have any forensic tools installed on your machine and no
experience in doing this.
Depending on the value of the machine and the surrounding network you might want
to look for professional help coming into your place.

If not, let's do a little bit of forensics ourselves:

You might want to check if the executable is still on the computer:
ls -l /proc/13037/exe

Next, let's see which files the process accesses:
lsof -p 13037

This should give some hints.
Be careful if the process uses deleted files. As soon as you kill the process
the files will be gone.
You might want to save the executable and any used files in a secure place for
later investigation. Tell me if you need more help.

Ralf

> 
> Regards,
> Steve Sykes



Written using Webmail

Ralf Spenneberg
MCSE+I, MCT, RHCE, RHCX, LCP, Linux-Consultant
Waldring 34				48565 Steinfurt
Fon: +49(0)2552 638 755			Fax: +49(0)2552 638 757
Mobil: +49(0)177 567 27 40		http://www.spenneberg.com/.net/.org/.de
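
The steps described in the message above, collected into one function as an added example (not part of the original message): it copies the executable through /proc/PID/exe and every open-but-deleted file through /proc/PID/fd before the process is killed. The function name, output layout and file names are assumptions; Linux procfs and sha256sum are assumed to be available.

```shell
#!/bin/sh
# Added example: save evidence from a live process before killing it (Linux procfs).
# preserve_proc PID OUTDIR  -> prints how many deleted-but-open files were saved.
# Function name and output layout are assumptions made for this example.
preserve_proc() {
    pid=$1; out=$2
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    mkdir -p "$out/fd" || return 1

    # Same information as "ls -l /proc/PID/exe": the path the kernel recorded.
    # It ends in " (deleted)" when the binary was unlinked after start.
    readlink "/proc/$pid/exe" > "$out/exe.path" 2>/dev/null || :
    # The link still opens the original inode, so the binary can be copied
    # even when its directory entry is gone.
    cp "/proc/$pid/exe" "$out/exe.bin" 2>/dev/null || :
    # Arguments are NUL-separated in procfs; store them space-separated.
    tr '\0' ' ' < "/proc/$pid/cmdline" > "$out/cmdline.txt" 2>/dev/null || :

    # Every descriptor whose target is an unlinked path exists only as long
    # as the process holds it open: copy it out through /proc/PID/fd/N.
    saved=0
    for fd in /proc/"$pid"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            /*" (deleted)")
                n=${fd##*/}
                if cp "$fd" "$out/fd/$n" 2>/dev/null; then
                    printf '%s\t%s\n' "$n" "$target" >> "$out/fd/index.tsv"
                    saved=$((saved + 1))
                fi ;;
        esac
    done

    # Hash everything collected so later analysis can show it is unchanged.
    ( cd "$out" && find . -type f ! -name SHA256SUMS -exec sha256sum {} + \
        > SHA256SUMS ) || return 1
    echo "$saved"
}
```

Run it as root against the PID shown by ps, with OUTDIR on separate media, and kill the process only after the copy has finished.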