Hi there,
Just recently a very disgruntled forum user of one of the charity organisations I'm involved with launched an all-out attack on our server. This matter is now being dealt with by the police, but today on a different forum I had a member asking if anything had changed, as the forum was acting weird. Anyway, to get to the point: I've been looking at logs etc. and can't see anything new in the logs which points to an attack, but I noticed one particular Java process was taking quite a bit of CPU time. When I looked at what the process was, I saw this:
www-data 4488 8.8 0.7 470844 60480 ? Sl 11:56 6:05 /var/tmp/.tmp/java/jdk1.5.0_13/bin/java -Dlog4j.configuration=file:conf/log4j-default.properties -Xms3m -Xmx128m -Djava.library.path=lib -classpath lib/wrapper.jar:lib/log4j-1.2.8.jar:lib/slave.jar:lib/oro.jar -Dwrapper.key=_Kfnq7zqj5s4Sc6A -Dwrapper.port=32000 -Dwrapper.jvm.port.min=31000 -Dwrapper.jvm.port.max=31999 -Dwrapper.disable_console_input=TRUE -Dwrapper.pid=6521 -Dwrapper.version=3.4.1 -Dwrapper.native_library=wrapper -Dwrapper.service=TRUE -Dwrapper.disable_shutdown_hook=TRUE -Dwrapper.cpu.timeout=10 -Dwrapper.jvmid=20 org.tanukisoftware.wrapper.WrapperSimpleApp org.drftpd.slave.Slave
I can't recall ever seeing that before, so I'm trying to determine whether the people who attacked before are still at it and whether this is some backdoor process they've launched.
If anyone can give me any information on that Java lib I'd really appreciate it. I must admit that although I am very comfortable around Linux & programming, being the victim of an attack has left me feeling somewhat ignorant in the security field.
Thanks
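A triage script a responder might run on a box like the one in the post, as an added example (not code from the original poster or from the drftpd project): it filters `ps aux` output for processes whose executable lives under a world-writable temp directory, which is how the process above stands out, and it shows the read-only /proc and ss commands used to confirm what a suspect PID is doing before anything is killed. The ps lines below are constructed, modelled on the line in the post; the directory list is my assumption.

```shell
#!/bin/sh
# Added triage example, not part of the original post.

# Constructed sample of `ps aux` output (modelled on the line in the post).
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  10348   592 ?        Ss   11:50   0:01 /sbin/init
www-data  2210  0.3  1.2 188456 98212 ?        S    11:55   0:12 /usr/sbin/apache2 -k start
www-data  4488  8.8  0.7 470844 60480 ?        Sl   11:56   6:05 /var/tmp/.tmp/java/jdk1.5.0_13/bin/java -Dwrapper.port=32000 org.tanukisoftware.wrapper.WrapperSimpleApp org.drftpd.slave.Slave
root      5120  0.0  0.2  52400  3400 ?        Ss   11:57   0:00 /usr/sbin/sshd'

# flag_temp_executables: read `ps aux` on stdin and print "PID USER PATH" for
# every process whose executable (first word of COMMAND, field 11) sits under
# /tmp, /var/tmp or /dev/shm. Those directories are writable by the web-server
# user, so a daemon started there by www-data deserves a close look.
flag_temp_executables() {
    awk 'NR > 1 {
        exe = $11
        if (exe ~ /^\/(tmp|var\/tmp|dev\/shm)\//) print $2, $1, exe
    }'
}

# inspect_pid: the manual follow-up on the live host. /proc/PID/exe, cwd and
# fd keep working even if the attacker has deleted the files on disk, cmdline
# gives the full argument list, and ss shows which sockets the PID owns.
# Everything here is read-only; run it before deciding whether to kill.
inspect_pid() {
    pid=$1
    ls -l "/proc/$pid/exe" "/proc/$pid/cwd"
    ls -l "/proc/$pid/fd"
    tr '\0' ' ' < "/proc/$pid/cmdline"; echo
    ss -tanp 2>/dev/null | grep "pid=$pid,"
}

# On a real host replace the sample with: ps aux | flag_temp_executables
suspects=$(printf '%s\n' "$SAMPLE_PS" | flag_temp_executables)
echo "$suspects"
```

On the sample input the only hit is PID 4488. When inspecting a real suspect, note that the command line in the post also names a wrapper PID (`-Dwrapper.pid=6521`), so the native Tanuki wrapper process that launched the JVM should be inspected alongside it, and that the wrapper ports it declares (32000, 31000-31999) are wrapper-to-JVM control ports, not the service the slave exposes; the listening or outbound sockets reported by ss are what tell you who the process is talking to.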