Hi,
I've posted some messages two weeks ago about strange outgoing packets
(with local IPs 127.x.x.x but never 127.0.0.1 and seemingly random
destination addresses).
I didn't have this for a few days but now it happens again every
evening (never at the same time).
Trying to find out what is happening, I ran tcpdump all night and netstat and
ps every 5 minutes. I can't see anything but normal operations with
netstat and tcpdump. But ps gives me strange things:
0 1 0 0 ? -1 S 0 0:05 init
1 5 1 1 ? -1 SW 0 0:23 (kswapd)
1 353 63 63 ? -1 S 0 0:00 (kswapd)
353 16323 63 63 ? -1 S 0 0:01 httpd
353 16324 63 63 ? -1 S 0 0:01 httpd
353 16325 63 63 ? -1 S 0 0:01 httpd
353 16326 63 63 ? -1 S 0 0:01 httpd
353 16327 63 63 ? -1 R 0 0:01 httpd
353 16328 63 63 ? -1 R 0 0:01 httpd
353 16329 63 63 ? -1 S 0 0:01 httpd
353 16330 63 63 ? -1 S 0 0:01 httpd
353 16331 63 63 ? -1 S 0 0:01 httpd
353 16332 63 63 ? -1 S 0 0:01 httpd
353 16333 63 63 ? -1 S 0 0:01 httpd
353 16334 63 63 ? -1 S 0 0:01 httpd
353 16335 63 63 ? -1 S 0 0:00 httpd
353 16336 63 63 ? -1 S 0 0:01 httpd
353 16337 63 63 ? -1 S 0 0:00 httpd
353 16338 63 63 ? -1 S 0 0:00 httpd
353 16339 63 63 ? -1 S 0 0:00 httpd
353 16340 63 63 ? -1 S 0 0:00 httpd
353 16341 63 63 ? -1 S 0 0:00 httpd
353 16342 63 63 ? -1 S 0 0:00 httpd
353 16343 63 63 ? -1 S 0 0:01 httpd
353 16344 63 63 ? -1 R 0 0:00 httpd
353 16345 63 63 ? -1 R 0 0:01 httpd
353 16346 63 63 ? -1 R 0 0:00 httpd
353 16347 63 63 ? -1 S 0 0:00 httpd
353 16348 63 63 ? -1 S 0 0:00 httpd
353 16349 63 63 ? -1 S 0 0:00 httpd
353 16350 63 63 ? -1 S 0 0:01 httpd
353 16351 63 63 ? -1 S 0 0:00 httpd
353 16352 63 63 ? -1 S 0 0:00 httpd
353 16353 63 63 ? -1 S 0 0:00 httpd
353 16354 63 63 ? -1 S 0 0:00 httpd
353 16355 63 63 ? -1 S 0 0:01 httpd
353 16356 63 63 ? -1 S 0 0:01 httpd
353 16357 63 63 ? -1 S 0 0:00 httpd
353 16358 63 63 ? -1 S 0 0:01 httpd
353 16359 63 63 ? -1 S 0 0:02 httpd
353 16360 63 63 ? -1 S 0 0:02 httpd
353 16361 63 63 ? -1 S 0 0:00 httpd
353 16362 63 63 ? -1 S 0 0:01 httpd
353 16363 63 63 ? -1 S 0 0:01 httpd
353 16364 63 63 ? -1 S 0 0:00 httpd
353 16365 63 63 ? -1 S 0 0:00 httpd
353 16366 63 63 ? -1 S 0 0:01 httpd
353 16367 63 63 ? -1 S 0 0:01 httpd
353 16368 63 63 ? -1 S 0 0:01 httpd
353 16369 63 63 ? -1 S 0 0:02 httpd
353 16370 63 63 ? -1 S 0 0:02 httpd
353 16371 63 63 ? -1 S 0 0:01 httpd
353 16372 63 63 ? -1 S 0 0:02 httpd
353 16373 63 63 ? -1 S 0 0:01 httpd
1 318 318 318 ? -1 S 0 1:21 /usr/local/apache/sbin/httpd
318 16225 318 318 ? -1 S 99 0:00 /usr/local/apache/sbin/httpd
So, as you can see, I have a normal httpd daemon (apache) that runs as
user nobody and a lot of strange httpd entries that run as root and that
take far less memory than the normal daemon.
Normal httpd daemons are launched by process 318 but the abnormal httpd
are launched by... 353, which is... kswapd!!!
And I have two kswapd processes (launched by init). Is this normal with a
2.2.12 kernel??? kswapd isn't supposed to launch processes, is it???
Could someone with a 2.2.12 kernel send me the result of a ps?
Could it be a kind of trojan?
Thanks for any help.
Fabrice.
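As an added example (not part of Fabrice's post), here is a small Python check that parses BSD-style `ps j` output like the listing above and flags the three things the post notices by eye: a kernel-thread name that appears more than once, a "kernel thread" that has user-space children (kernel threads do not fork), and one command name running under several UIDs. The column order (PPID PID PGID SID TTY TPGID STAT UID TIME COMMAND), the set of 2.2-era kernel-thread names, and the sample listing (a constructed abbreviation of the output in the post) are all my assumptions.

```python
"""Flag suspicious parent/child relationships in BSD-style `ps j` output.

Heuristics, from a defender's reading of the post above:
  1. A name that belongs to a kernel thread (kswapd, ...) appears twice.
  2. A "kernel thread" has children: real kernel threads never fork.
  3. Processes sharing a command name run under different UIDs.
"""
from collections import defaultdict
from dataclasses import dataclass

# Kernel threads on a 2.2-era kernel (assumed list); they never fork.
KERNEL_THREAD_NAMES = {"kswapd", "kflushd", "kupdate", "kpiod", "bdflush"}

# Constructed sample: an abbreviated copy of the listing in the post,
# with the `ps j` header row added. Column order is an assumption.
SAMPLE_PS_J = """\
 PPID   PID  PGID   SID TTY TPGID STAT   UID   TIME COMMAND
    0     1     0     0 ?     -1 S        0   0:05 init
    1     5     1     1 ?     -1 SW       0   0:23 (kswapd)
    1   353    63    63 ?     -1 S        0   0:00 (kswapd)
  353 16323    63    63 ?     -1 S        0   0:01 httpd
  353 16324    63    63 ?     -1 S        0   0:01 httpd
  353 16327    63    63 ?     -1 R        0   0:01 httpd
    1   318   318   318 ?     -1 S        0   1:21 /usr/local/apache/sbin/httpd
  318 16225   318   318 ?     -1 S       99   0:00 /usr/local/apache/sbin/httpd
"""


@dataclass
class Proc:
    ppid: int
    pid: int
    pgid: int
    sid: int
    stat: str
    uid: int
    cmd: str


def parse_ps_j(text):
    """Parse `ps j` lines (PPID PID PGID SID TTY TPGID STAT UID TIME CMD...)."""
    procs = []
    for line in text.splitlines():
        parts = line.split()
        # Skip blank lines and the header row (its first field is not numeric).
        if len(parts) < 10 or not parts[0].isdigit():
            continue
        ppid, pid, pgid, sid, _tty, _tpgid, stat, uid, _time = parts[:9]
        cmd = " ".join(parts[9:])  # command may contain spaces
        procs.append(Proc(int(ppid), int(pid), int(pgid), int(sid),
                          stat, int(uid), cmd))
    return procs


def base_name(cmd):
    """'(kswapd)' -> 'kswapd'; '/usr/local/apache/sbin/httpd' -> 'httpd'."""
    return cmd.split()[0].strip("()").rsplit("/", 1)[-1]


def find_anomalies(procs):
    """Return a list of (kind, name, detail) findings for the process table."""
    findings = []
    by_pid = {p.pid: p for p in procs}
    by_name = defaultdict(list)
    for p in procs:
        by_name[base_name(p.cmd)].append(p)

    # 1. The same kernel-thread name appearing more than once.
    for name in sorted(KERNEL_THREAD_NAMES):
        if len(by_name.get(name, [])) > 1:
            findings.append(("duplicate-kernel-thread", name,
                             sorted(p.pid for p in by_name[name])))

    # 2. Children whose parent claims to be a kernel thread, grouped by parent.
    children_of = defaultdict(list)
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent and base_name(parent.cmd) in KERNEL_THREAD_NAMES:
            children_of[parent.pid].append(p.pid)
    for ppid in sorted(children_of):
        findings.append(("child-of-kernel-thread", base_name(by_pid[ppid].cmd),
                         {"parent": ppid, "children": sorted(children_of[ppid])}))

    # 3. One command name running under several UIDs (e.g. root and nobody).
    for name in sorted(by_name):
        uids = sorted({p.uid for p in by_name[name]})
        if len(uids) > 1:
            findings.append(("mixed-uid", name, uids))
    return findings


if __name__ == "__main__":
    for kind, name, detail in find_anomalies(parse_ps_j(SAMPLE_PS_J)):
        print(f"{kind:25} {name:10} {detail}")
```

On the sample this reports one duplicate `kswapd` (PIDs 5 and 353), three `httpd` children hanging off PID 353, and `httpd` running as both UID 0 and UID 99; the genuine apache tree under PID 318 produces no finding on its own. The same parser runs unchanged over a full `ps axj` capture, which is where the duplicate-name and kernel-thread-with-children checks are most useful.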