{"id":39,"date":"2009-01-10T09:00:11","date_gmt":"2009-01-10T14:00:11","guid":{"rendered":"http:\/\/littlesvr.ca\/grumble\/?p=39"},"modified":"2012-12-05T00:54:19","modified_gmt":"2012-12-05T05:54:19","slug":"hacked-part-1-the-surprise","status":"publish","type":"post","link":"http:\/\/littlesvr.ca\/grumble\/2009\/01\/10\/hacked-part-1-the-surprise\/","title":{"rendered":"Hacked! Part 1 – The Surprise"},"content":{"rendered":"

On thursday evening I had a couple of hours to spare, so I’ve SSHed to my server (yours truly littlesvr.ca) to get the Apache logs from the last couple of months. I do this now and then because I like seing the ammount of traffic going up every month. But this time it was not going to be a gratifying experience. The first command I ran was (as usual) ‘ls’:<\/p>\n

andrew@littlesvr:\/$ ls\r\n\/bin\/ls: unrecognized prefix: do\r\n\/bin\/ls: unparsable value for LS_COLORS environment variable\r\nbin\/\u00a0\u00a0\u00a0 dev\/\u00a0\u00a0\u00a0 home\/\u00a0\u00a0 media\/\u00a0 opt\/\u00a0\u00a0\u00a0 root\/\u00a0\u00a0 srv\/\u00a0\u00a0\u00a0 sys\/\u00a0\u00a0\u00a0 usr\/\r\nboot\/\u00a0\u00a0 etc\/\u00a0\u00a0\u00a0 lib\/\u00a0\u00a0\u00a0 mnt\/\u00a0\u00a0\u00a0 proc\/\u00a0\u00a0 sbin\/\u00a0\u00a0 svn\/\u00a0\u00a0\u00a0 tmp\/\u00a0\u00a0\u00a0 var\/<\/pre>\n
A second of confusion, but I knew then and there my box has been hacked. You see I’m running Slackware because weird crap like this (‘ls’ broken) doesn’t happen on Slackware, and though I denied it for a few minutes (oh maybe it’s a terminal problem, oh maybe I deleted something by mistake) soon enough I’ve had ample evidence. I’ve looked at \/bin\/ls in ‘vi’, which opens binaries as a hex editor. Didn’t see anything obviously wrong there. I’ve examined all the profile files, and those all looked normal. I grepped everything I could think of for ‘do’, and didn’t find a problem. Then I had a look at \/var\/log\/messages, and found lots and lots of lines of the form:<\/p>\n
Jan\u00a0 7 00:13:30 littlesvr in.identd[7245]: reply to 24.165.1.229: 59167 , 21 : USERID : OTHER :0<\/pre>\n
As I was complaining about this in the #seneca IRC channel, I thought it would be worth while seing just how many of these strange lines are in the log. A quick ‘grep | wc -l’ gave me a staggering number, over 325k. Then I ran ‘ps aux’:<\/p>\n
root@littlesvr:\/etc\/rc.d# ps axo stat,euid,ruid,tty,tpgid,sess,pgrp,ppid,pid,pcpu,comm\r\nSTAT\u00a0 EUID\u00a0 RUID TT\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 TPGID\u00a0 SESS\u00a0 PGRP\u00a0 PPID\u00a0\u00a0 PID %CPU COMMAND\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 1\u00a0 0.0 init\r\nSW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 2\u00a0 0.0 migration\/0\r\nRWN\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 3\u00a0 0.0 ksoftirqd\/0\r\nSW<\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 4\u00a0 0.0 events\/0\r\nSW<\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 5\u00a0 0.0 khelper\r\nSW<\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 6\u00a0 0.0 kthread\r\nSW<\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 6\u00a0\u00a0\u00a0 40\u00a0 0.0 kblockd\/0\r\nSW<\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 6\u00a0\u00a0\u00a0 41\u00a0 0.0 kacpid\r\nSW<\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 6\u00a0\u00a0\u00a0 95\u00a0 0.0 ata\/0\r\nSW<\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 6\u00a0\u00a0\u00a0 96\u00a0 0.0 ata_aux\r\nSW<\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 6\u00a0\u00a0\u00a0 97\u00a0 0.0 ksuspend_usbd\r\nSW<\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 6\u00a0\u00a0 100\u00a0 0.0 khubd\r\nSW<\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 6\u00a0\u00a0 102\u00a0 0.0 kseriod\r\nSW<\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 6\u00a0\u00a0 124\u00a0 0.0 kswapd0\r\nSW<\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 6\u00a0\u00a0 125\u00a0 0.0 aio\/0\r\nSW<\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 6\u00a0\u00a0 783\u00a0 0.0 scsi_tgtd\/0\r\nSW<\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 6\u00a0\u00a0 814\u00a0 0.0 kcryptd\/0\r\nSW<\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 6\u00a0\u00a0 836\u00a0 0.0 reiserfs\/0\r\nS<\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0\u00a0 900\u00a0\u00a0 900\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0 900\u00a0 0.0 udevd\r\nSW<\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 6\u00a0 1853\u00a0 0.0 kpsmoused\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 1927\u00a0 1927\u00a0\u00a0\u00a0\u00a0 1\u00a0 1927\u00a0 0.0 klogd\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 1 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 2170\u00a0 2170\u00a0\u00a0\u00a0\u00a0 1\u00a0 2170\u00a0 0.0 rpc.portmap\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 99\u00a0\u00a0\u00a0 99 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 2174\u00a0 2174\u00a0\u00a0\u00a0\u00a0 1\u00a0 2174\u00a0 0.0 rpc.statd\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 2195\u00a0 2195\u00a0\u00a0\u00a0\u00a0 1\u00a0 2195\u00a0 0.0 ntpd\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 2200\u00a0 2200\u00a0\u00a0\u00a0\u00a0 1\u00a0 2200\u00a0 0.0 acpid\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 81\u00a0\u00a0\u00a0 81 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 2208\u00a0 2208\u00a0\u00a0\u00a0\u00a0 1\u00a0 2208\u00a0 0.0 dbus-daemon\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 82\u00a0\u00a0\u00a0 82 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 2213\u00a0 2213\u00a0\u00a0\u00a0\u00a0 1\u00a0 2213\u00a0 0.0 hald\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 2213\u00a0 2213\u00a0 2213\u00a0 2214\u00a0 0.0 hald-runner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 82\u00a0\u00a0\u00a0 82 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 2213\u00a0 2213\u00a0 2214\u00a0 2223\u00a0 0.0 hald-addon-acpi\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 2229\u00a0 2229\u00a0\u00a0\u00a0\u00a0 1\u00a0 2230\u00a0 0.0 crond\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 2232\u00a0 2232\u00a0\u00a0\u00a0\u00a0 1\u00a0 2232\u00a0 0.0 atd\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 2235\u00a0 2235\u00a0\u00a0\u00a0\u00a0 1\u00a0 2235\u00a0 0.0 saslauthd\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 2235\u00a0 2235\u00a0 2235\u00a0 2236\u00a0 0.0 saslauthd\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 2235\u00a0 2235\u00a0 2235\u00a0 2237\u00a0 0.0 saslauthd\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 2235\u00a0 2235\u00a0 2235\u00a0 2238\u00a0 0.0 saslauthd\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 2235\u00a0 2235\u00a0 2235\u00a0 2239\u00a0 0.0 saslauthd\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 2376\u00a0 2376\u00a0\u00a0\u00a0\u00a0 1\u00a0 2377\u00a0 0.0 python\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 2379\u00a0 2379\u00a0\u00a0\u00a0\u00a0 1\u00a0 2379\u00a0 0.0 svnserve\r\nS\u00a0\u00a0\u00a0\u00a0 1003\u00a0 1003 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 2381\u00a0 2381\u00a0\u00a0\u00a0\u00a0 1\u00a0 2381\u00a0 0.0 mailmanctl\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 vc\/1\u00a0\u00a0\u00a0\u00a0\u00a0 2382\u00a0 2382\u00a0 2382\u00a0\u00a0\u00a0\u00a0 1\u00a0 2382\u00a0 0.0 agetty\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 vc\/3\u00a0\u00a0\u00a0\u00a0\u00a0 2384\u00a0 2384\u00a0 2384\u00a0\u00a0\u00a0\u00a0 1\u00a0 2384\u00a0 0.0 agetty\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 vc\/4\u00a0\u00a0\u00a0\u00a0\u00a0 2385\u00a0 2385\u00a0 2385\u00a0\u00a0\u00a0\u00a0 1\u00a0 2385\u00a0 0.0 agetty\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 vc\/5\u00a0\u00a0\u00a0\u00a0\u00a0 2386\u00a0 2386\u00a0 2386\u00a0\u00a0\u00a0\u00a0 1\u00a0 2386\u00a0 0.0 agetty\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 vc\/6\u00a0\u00a0\u00a0\u00a0\u00a0 2387\u00a0 2387\u00a0 2387\u00a0\u00a0\u00a0\u00a0 1\u00a0 2387\u00a0 0.0 agetty\r\nS\u00a0\u00a0\u00a0\u00a0 1003\u00a0 1003 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 2381\u00a0 2381\u00a0 2381\u00a0 2398\u00a0 0.0 python\r\nS\u00a0\u00a0\u00a0\u00a0 1003\u00a0 1003 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 2381\u00a0 2381\u00a0 2381\u00a0 2399\u00a0 0.0 python\r\nS\u00a0\u00a0\u00a0\u00a0 1003\u00a0 1003 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 2381\u00a0 2381\u00a0 2381\u00a0 2400\u00a0 0.0 python\r\nS\u00a0\u00a0\u00a0\u00a0 1003\u00a0 1003 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 2381\u00a0 2381\u00a0 2381\u00a0 2401\u00a0 0.0 python\r\nS\u00a0\u00a0\u00a0\u00a0 1003\u00a0 1003 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 2381\u00a0 2381\u00a0 2381\u00a0 2402\u00a0 0.0 python\r\nS\u00a0\u00a0\u00a0\u00a0 1003\u00a0 1003 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 2381\u00a0 2381\u00a0 2381\u00a0 2403\u00a0 0.0 python\r\nS\u00a0\u00a0\u00a0\u00a0 1003\u00a0 1003 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 2381\u00a0 2381\u00a0 2381\u00a0 2404\u00a0 0.0 python\r\nS\u00a0\u00a0\u00a0\u00a0 1003\u00a0 1003 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 2381\u00a0 2381\u00a0 2381\u00a0 2405\u00a0 0.0 python\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 vc\/2\u00a0\u00a0\u00a0\u00a0\u00a0 2422\u00a0 2422\u00a0 2422\u00a0\u00a0\u00a0\u00a0 1\u00a0 2422\u00a0 0.0 agetty\r\nSW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 6\u00a0 3220\u00a0 0.0 pdflush\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 3339\u00a0 3339\u00a0\u00a0\u00a0\u00a0 1\u00a0 3339\u00a0 0.0 inetd\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 3508\u00a0 3508\u00a0\u00a0\u00a0\u00a0 1\u00a0 3508\u00a0 0.0 httpd\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 99\u00a0\u00a0\u00a0 99 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 7245\u00a0 7245\u00a0\u00a0\u00a0\u00a0 1\u00a0 7245\u00a0 0.0 in.identd\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 80\u00a0\u00a0\u00a0 80 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 3508\u00a0 3508\u00a0 3508\u00a0 7754\u00a0 0.1 httpd\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 80\u00a0\u00a0\u00a0 80 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 3508\u00a0 3508\u00a0 3508\u00a0 7755\u00a0 0.0 httpd\r\nS\u00a0\u00a0\u00a0\u00a0 1000\u00a0 1000 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 8112\u00a0 8112\u00a0 3339\u00a0 8112\u00a0 0.0 imapd\r\nS\u00a0\u00a0\u00a0\u00a0 1002\u00a0 1002 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 8113\u00a0 8113\u00a0 3339\u00a0 8113\u00a0 0.0 imapd\r\nS\u00a0\u00a0\u00a0\u00a0 1004\u00a0 1004 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 8114\u00a0 8114\u00a0 3339\u00a0 8114\u00a0 0.0 imapd\r\nS\u00a0\u00a0\u00a0\u00a0 1007\u00a0 1007 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 8115\u00a0 8115\u00a0 3339\u00a0 8115\u00a0 0.0 imapd\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 8281\u00a0 8281 25049\u00a0 8281\u00a0 0.0 sshd\r\nS\u00a0\u00a0\u00a0\u00a0 1000\u00a0 1000 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 8281\u00a0 8281\u00a0 8281\u00a0 8292\u00a0 0.0 sshd\r\nS\u00a0\u00a0\u00a0\u00a0 1000\u00a0 1000 pts\/2\u00a0\u00a0\u00a0 11949\u00a0 8293\u00a0 8293\u00a0 8292\u00a0 8293\u00a0 0.0 bash\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 8760\u00a0 9062\u00a0\u00a0\u00a0\u00a0 1\u00a0 9063\u00a0 0.0 ddclient\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 8760\u00a0 9079\u00a0\u00a0\u00a0\u00a0 1\u00a0 9084\u00a0 0.0 pppoe-connect\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 9345\u00a0 9345\u00a0\u00a0\u00a0\u00a0 1\u00a0 9345\u00a0 0.0 sendmail\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 25\u00a0\u00a0\u00a0 25 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 9348\u00a0 9348\u00a0\u00a0\u00a0\u00a0 1\u00a0 9348\u00a0 0.0 sendmail\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 pts\/2\u00a0\u00a0\u00a0 11949\u00a0 8293 10005\u00a0 8293 10005\u00a0 0.0 bash\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 10377 10377 25049 10377\u00a0 0.0 sshd\r\nS\u00a0\u00a0\u00a0\u00a0 1000\u00a0 1000 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 10377 10377 10377 10383\u00a0 0.0 sshd\r\nS\u00a0\u00a0\u00a0\u00a0 1000\u00a0 1000 pts\/4\u00a0\u00a0\u00a0 10420 10384 10384 10383 10384\u00a0 0.0 bash\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 pts\/4\u00a0\u00a0\u00a0 10420 10384 10420 10384 10420\u00a0 0.0 bash\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 80\u00a0\u00a0\u00a0 80 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 3508\u00a0 3508\u00a0 3508 10598\u00a0 0.3 httpd\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 80\u00a0\u00a0\u00a0 80 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 3508\u00a0 3508\u00a0 3508 10599\u00a0 0.2 httpd\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 80\u00a0\u00a0\u00a0 80 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 3508\u00a0 3508\u00a0 3508 11510\u00a0 0.0 httpd\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 80\u00a0\u00a0\u00a0 80 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 3508\u00a0 3508\u00a0 3508 11511\u00a0 0.0 httpd\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 80\u00a0\u00a0\u00a0 80 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 3508\u00a0 3508\u00a0 3508 11512\u00a0 0.0 httpd\r\nR\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 pts\/2\u00a0\u00a0\u00a0 11949\u00a0 8293 11949 10005 11949\u00a0 0.0 ps\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 2379\u00a0 2379\u00a0 2379 15669\u00a0 0.0 svnserve\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 80\u00a0\u00a0\u00a0 80 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 3508\u00a0 3508\u00a0 3508 19216\u00a0 0.1 httpd\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 80\u00a0\u00a0\u00a0 80 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 3508\u00a0 3508\u00a0 3508 22340\u00a0 0.1 httpd\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25049 25049\u00a0\u00a0\u00a0\u00a0 1 25049\u00a0 0.0 sshd\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25295 25295\u00a0\u00a0\u00a0\u00a0 1 25295\u00a0 0.0 syslogd\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 25345\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 25349\u00a0 0.1 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 25380\u00a0 0.5 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 25383\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 25385\u00a0 0.4 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 25441\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 25444\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 25446\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 25627\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 25632\u00a0 0.4 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 25732\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 25740\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 25741\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 25836\u00a0 0.1 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 25846\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 25947\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 25949\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 25950\u00a0 0.4 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 26052\u00a0 0.1 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 26054\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 26157\u00a0 0.2 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 26158\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 26262\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 26480\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 26586\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 26682\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 26689\u00a0 0.1 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 26793\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 26795\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 26796\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 26894\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 26900\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 26901\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 26902\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 26998\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 27003\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 27005\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 27007\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 27107\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 27118\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 27221\u00a0 0.3 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25316 25334\u00a0\u00a0\u00a0\u00a0 1 27222\u00a0 0.0 ftp_scanner\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 28433 28433\u00a0 9084 28433\u00a0 0.0 pppd\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 99\u00a0\u00a0\u00a0 99 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 28433 28433 28433 28434\u00a0 6.5 pppoe\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 80\u00a0\u00a0\u00a0 80 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0 3508\u00a0 3508\u00a0 3508 29836\u00a0 0.1 httpd\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25073 30993\u00a0\u00a0\u00a0\u00a0 1 31000\u00a0 0.0 mysqld_safe\r\nS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 27\u00a0\u00a0\u00a0 27 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1 25073 30993 31000 31033\u00a0 0.0 mysqld\r\nSW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 0 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 6 31163\u00a0 0.0 pdflush<\/pre>\n
Ayayay. I do not (for those of you who think too much) habitually run anything called ftp_scanner. I found in the ps man page an example to help me show the parent PIDs, and sure enough – all the ftp scanners had 1 (a.k.a. init) for the parent. Which means that the hacker had root access, and likely the box has been rooted.<\/p>\n
I’ve hesitated for 10 minutes. The ftp scanner had to stop, rootkit had to be removed, the hacker locked out. But littlesvr.ca is not a toy, half my life is on it – all my email, all my computer work (svn), revenue-generating pages such as ISO Master, and less popular pages that would lose the precious little search engine ranking they had if they went offline. But it had to be done. I braced myself for a 36 hour shift, and:<\/p>\n
root@littlesvr:~# halt<\/pre>\n
By this time my brain was overwhelmed. Too much excitement at once. The server had to be cleaned up and brought back to life in a hurry, but first I had to know how it got compromised to begin with – no point in resuscitating it only to have it hacked again two days later.<\/p>\n
But this is a long story, and I have yet to see the ending. This post will be the first of a short series, so come back later if you want to know more.<\/p>\n","protected":false},"excerpt":{"rendered":"
On thursday evening I had a couple of hours to spare, so I’ve SSHed to my server (yours truly littlesvr.ca) to get the Apache logs from the last couple of months. I do this now and then because I like seing the ammount of traffic going up every month. But this time it was not … <\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":{"0":"entry","1":"post","2":"publish","3":"author-andrew","4":"post-39","6":"format-standard","7":"category-opensource","8":"category-safeforseneca"},"_links":{"self":[{"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/posts\/39","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/comments?post=39"}],"version-history":[{"count":13,"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/posts\/39\/revisions"}],"predecessor-version":[{"id":51,"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/posts\/39\/revisions\/51"}],"wp:attachment":[{"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/media?parent=39"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/categories?post=39"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/tags?post=39"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}