{"id":5674,"date":"2013-03-19T08:10:17","date_gmt":"2013-03-19T08:10:17","guid":{"rendered":"http:\/\/www.hbyconsultancy.com\/?p=4990"},"modified":"2013-03-19T08:10:17","modified_gmt":"2013-03-19T08:10:17","slug":"fakeproc-your-account-has-been-hacked","status":"publish","type":"post","link":"https:\/\/hbyconsultancy.com\/2013\/03\/fakeproc-your-account-has-been-hacked.html","title":{"rendered":"Fakeproc, Your account has been Hacked !"},"content":{"rendered":"
In less than a month after migrating to a new server, one of my accounts has been compromised! The problem is that the server goes online with a default configuration that I wasn\u2019t expecting to be that dangerous! And the time to configure it correctly was so long, as it was under attack from day zero! Amazing!<\/p>\n
The problems began with high CPU usage from a strange Perl script<\/strong>:<\/p>\ntop - 11:52:49 up 7 days, 7:44, 1 user, load average: 24.32, 32.21, 43.65
\nTasks: 191 total, 33 running, 158 sleeping, 0 stopped, 0 zombie
\nCpu(s): 67.2%us, 30.3%sy, 0.0%ni, 0.0%id, 0.0%wa, 0.0%hi, 2.5%si, 0.0%st
\nMem: 2957096k total, 1704808k used, 1252288k free, 51492k buffers
\nSwap: 2064376k total, 33484k used, 2030892k free, 560352k cached
\nPID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
\n12145 username 20 0 30144 2404 1184 R 3.4 0.1 55:36.48 perl
\n12152 username 20 0 30144 2400 1184 R 3.4 0.1 55:38.94 perl
\n12161 username 20 0 30144 2416 1184 R 3.4 0.1 55:38.34 perl
\n15413 username 20 0 42864 6688 1040 R 3.4 0.2 101:02.36 perl
\n15414 username 20 0 40772 6540 900 R 3.4 0.2 101:02.72 perl
\n15416 username 20 0 42864 6708 1052 R 3.4 0.2 101:02.74 perl
\n1777 username 20 0 31660 3244 524 R 3.1 0.1 0:25.63 perl<\/code><\/p>\n