
strange program running

Discussion in 'Site & Server Administration' started by nevetS, Apr 3, 2005.

  1. #1
    I've seen this program running twice now after running "ps -ef"

    ./rs.zip

    It's running as my webserver user, and the file rs.zip does not seem to exist anywhere. Is there a way of telling the directory that it's running in? Or another way to find more information out?

    I can't seem to find anything on the web.
     
    nevetS, Apr 3, 2005 IP
  2. crazyhorse

    crazyhorse Peon

    #2
    crazyhorse, Apr 3, 2005 IP
  3. sarahk

    sarahk iTamer Staff

  4. nevetS

    nevetS Evolving Dragon

    #4
    Thanks, Sarah! So far, I've found nothing, but I have seen backdoors like that before. That's why I don't use Red Hat anymore :D (nothing against RH, but I couldn't upgrade to 9 because of some software requirements and they no longer produce patches for the version I used to run)
     
    nevetS, Apr 3, 2005 IP
  5. ziandra

    ziandra Well-Known Member

    #5
    find / -name rs.zip -print

    should find it if it is in your file system. If you don't find it that way, it is likely that you got hacked. I have had a few systems hacked and they put all sorts of little goodies in hidden directories.
     
    ziandra, Apr 3, 2005 IP
  6. nevetS

    nevetS Evolving Dragon

    #6
    I tried that. Last time I had a situation like that, I found an apache install hidden in the /dev directory. This time, I can't find a thing.

    I killed the process, and I haven't seen it running since.

    I'm wondering if it was a leftover from my Movable Type 3.14 problem. I caught someone spamming from my machine, destroyed the CGIs from that install, and haven't seen anything since. The date on the rs.zip process was from before I cleaned the MvType issue. I'll post again if I see it again. I just checked and everything was clean.

    (Hopefully they haven't taken steps to hide it, but I've been on the server constantly, so I would have noticed if they recompiled the kernel. I learned from last time too... No sources on the server that aren't absolutely necessary, and I uninstall gcc and install it only when I need it - that way, nothing can compile on the server unless they find a way to install gcc. It's not foolproof, but it slows things down a lot, and since I actually do watch the server regularly, and have mrtg graphs for cpu utilization, etc., I feel pretty comfortable. No spikes in bandwidth or cpu utilization or mail since I killed this process.)
     
    nevetS, Apr 3, 2005 IP
  7. J.D.

    J.D. Peon

    #7
    Sometimes you can tell what the file does by checking the kind of text it has inside. Locate the file on the hard drive and run this command:

    strings rs.zip

    J.D.
     
    J.D., Apr 3, 2005 IP
  8. nevetS

    nevetS Evolving Dragon

    #8
    find doesn't find anything for me. Thanks for the tip on strings though - I didn't know about that one.
     
    nevetS, Apr 4, 2005 IP
  9. ziandra

    ziandra Well-Known Member

    #9
    Do you have "lsof" on your system? If not, you can get the source from ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/ and build it yourself.

    An introduction can be found at http://www.akadia.com/services/lsof_intro.html

    The output is not for the faint of heart but it should show you the full path of the file next time you see it run, as well as any files or network connections the program is using. Also, if it is a worm, knowing where it is connecting might help you track it back to its source.
     
    ziandra, Apr 4, 2005 IP
    nevetS likes this.
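Added example, not posted in the thread: the following script puts ziandra's find, J.D.'s strings and the lsof suggestion together and adds the one step the thread lacks, reading /proc while the process is still alive. On Linux, /proc/PID/cwd answers nevetS's original question ("which directory is it running in?") directly, and /proc/PID/exe still points at the program image even after the file has been unlinked from disk, which is one reason `find / -name rs.zip` can come up empty for a process that is plainly running. The script assumes Linux with /proc, that it is run as root, and that lsof may or may not be installed; the name "./rs.zip" is matched against argv[0], which is whatever started the process chose to show ps, so it is a hint rather than proof. The /root/evidence path and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread. Triage a process that ps shows as
# "./rs.zip" using Linux /proc, which answers the original question (which
# directory is it running in?) even when `find / -name rs.zip` finds nothing.
# Assumes Linux, run as root; lsof (post #9) is used if installed, otherwise
# /proc/PID/fd is listed instead. /root/evidence is an assumed location.

# Convert a NUL-separated /proc/PID/cmdline into one printable line.
cmdline_to_string() {
    tr '\000' ' ' | sed 's/ $//'
}

# The kernel appends " (deleted)" to the exe symlink once the binary is
# unlinked; a running program outlives its file, so find will not see it.
exe_is_deleted() {
    case $1 in
        *' (deleted)') return 0 ;;
        *)             return 1 ;;
    esac
}

# Print the PIDs whose argv[0] (the name ps -ef shows) equals $1.
# argv[0] is set by whoever started the process, so treat it as a hint only.
find_pids_by_argv0() {
    for d in /proc/[0-9]*; do
        argv0=$(tr '\000' '\n' 2>/dev/null < "$d/cmdline" | head -n 1)
        [ "$argv0" = "$1" ] && echo "${d#/proc/}"
    done
    return 0
}

# Show where a PID lives, who runs it, and what it has open.
inspect_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "pid $pid not found" >&2; return 1; }
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')
    owner=$(stat -c %U "/proc/$pid" 2>/dev/null || echo '?')
    printf 'pid=%s owner=%s\n  cmdline: %s\n  exe:     %s\n  cwd:     %s\n' \
        "$pid" "$owner" "$(cmdline_to_string < "/proc/$pid/cmdline")" "$exe" "$cwd"
    if exe_is_deleted "$exe"; then
        # The image is still readable through /proc: copy it out *before*
        # killing the process, then J.D.'s strings tip works on the copy.
        echo "  binary was unlinked from disk; preserve it first:"
        echo "    mkdir -p /root/evidence && cp /proc/$pid/exe /root/evidence/rs.zip.$pid"
        echo "    strings /root/evidence/rs.zip.$pid | less"
    fi
    echo "  open files and sockets:"
    if command -v lsof >/dev/null 2>&1; then
        # lsof exits non-zero when some entries are unreadable; keep going.
        lsof -n -P -p "$pid" || true
    else
        ls -l "/proc/$pid/fd"
    fi
}

# Usage while the process is alive:
#   for p in $(find_pids_by_argv0 ./rs.zip); do inspect_pid "$p"; done
```

The order matters: inspect and copy the image out first, kill second. Killing the process first, as happened in post #6, destroys the only remaining copy of a binary that was already deleted from disk, and with it the chance to run strings on it or to see which hosts it was talking to.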
  10. nevetS

    nevetS Evolving Dragon

    #10
    Thanks, ziandra! Exactly what I needed!
     
    nevetS, Apr 4, 2005 IP