Hacked! How to fix it?
5759 root -8 0 1444K 992K biord 0:03 6.20% 5.32% find
root 5759 6.4 0.4 1356 904 ?? D 3:01AM 0:01.88 find /usr -xdev
When I do w
there is no root as login
When I do netstat, I think it is too late to catch the transaction. Is it a hole in Apache or script to let somebody to do "find /usr -xdev" as root? Both Apache and Perl run in username WWW, not root. How could that happen?
