On Thu, 15 Apr 2004 02:49:40 +0800, happy wrote:
> A large amount of unknown traffic is coming from my machine on UDP port 32679.
> I found it is related to my Apache server, because when I stop Apache
> the traffic stops,
> and I found that a program /tmp/stealth is running, owned by the apache user.
> I tried to delete it and updated Apache and glibc, but after I
> started Apache for a period of time, it happened again. Did I get hacked?
> Can any professional help me?
> Thank you very much.

Possibly it is some DDoS program and somebody is using your computer to
attack others. You could (as Niels said) search for rootkits and try to
remove them, but there could be something else that those tools wouldn't
detect. Also, since somebody hacked into your computer, they can probably
do it again.
So my recommendation is to reinstall the whole system, and patch it before
connecting to the network. You should also keep current with updates.
No system is secure when the admin isn't taking care of it, especially Red Hat,
which installs by default a lot of services that you don't really need
(more services = more ways to hack into your computer).
As a matter of fact, I would recommend turning off, after installation,
everything that you don't need or don't even use.
And again, keep your system current; patch ASAP when a security hole is
found.
--
(E-Mail Removed)t, ICQ# 15827691, GG# 113344, TLEN: taked4
*http://eggdrop.takeda.tk - eggdrop & mods help*
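
A triage check for the symptom described in the question (a binary such as /tmp/stealth running as the web server account), as an added example that is not part of the original posts. The function names, the fake /proc tree and UID 48 for the apache account are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag processes owned by one account whose binary runs from a
# world-writable temp directory (as /tmp/stealth did) or was deleted from disk.
# Arguments: $1 = proc root (normally /proc), $2 = numeric UID to check.
# Output: one line per hit, "PID<TAB>EXE_PATH".
suspicious_procs() {
    root=$1
    uid=$2
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        # The real UID is the first number after "Uid:" in /proc/PID/status.
        owner=$(awk '/^Uid:/ {print $2; exit}' "$dir/status" 2>/dev/null) || continue
        [ "$owner" = "$uid" ] || continue
        # Unreadable link (not root, or process gone): skip it.
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        case $exe in
            /tmp/*|/var/tmp/*|/dev/shm/*|*' (deleted)')
                printf '%s\t%s\n' "${dir##*/}" "$exe" ;;
        esac
    done
    return 0
}

# Constructed sample: a fake /proc tree so the check can be tried offline.
# UID 48 for apache is an assumption; confirm with `id -u apache`.
make_demo_proc() {
    demo=$(mktemp -d) || return 1
    mkdir "$demo/101" "$demo/202" "$demo/303"
    printf 'Name:\thttpd\nUid:\t48\t48\t48\t48\n' > "$demo/101/status"
    ln -s /usr/sbin/httpd "$demo/101/exe"
    printf 'Name:\tstealth\nUid:\t48\t48\t48\t48\n' > "$demo/202/status"
    ln -s /tmp/stealth "$demo/202/exe"
    printf 'Name:\tvi\nUid:\t500\t500\t500\t500\n' > "$demo/303/status"
    ln -s /tmp/vi-copy "$demo/303/exe"
    printf '%s\n' "$demo"
}

# Offline demo on the constructed tree; reports only PID 202.
d=$(make_demo_proc) && { suspicious_procs "$d" 48; rm -rf "$d"; }

# Live use (as root, so every /proc/PID/exe link is readable):
#   suspicious_procs /proc "$(id -u apache)"
```

A hit only shows where to look first; it does not replace the reinstall recommended in the reply, since a clean result says nothing about what else was changed on the machine.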