prog ([personal profile] prog) wrote 2010-07-17 10:29 am

Unix help plz

Goatfuckers have compromised jmac.org somehow, and I can't do much about it because houseguests. Am trying to hold server together until I can block out six contiguous hours to rebuild everything.

Tell me why this happens, o sages of the internet:

top tells me that I have a perl process that is taking up 98% of CPU. But when I ps that PID, I am told that it's httpd. Er.

What's the correct way to find out what exactly is being perl'd? (I kill -9'd all those processes for now, but trust they'll be running again presently, because they've been doing that.)
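One way to answer that without trusting the ps or top binaries, as an added example that is not part of the original post and assumes a Linux host: top shows the kernel's task name (the comm field of /proc/PID/stat), while ps shows /proc/PID/cmdline, which a running script can rewrite (Perl does it with `$0 = "httpd"`), so reading /proc directly exposes the disagreement along with the real binary and working directory. All function names are hypothetical; the PIDs and paths used in the check are constructed.

```python
import os
from pathlib import Path

TASK_COMM_LEN = 15  # the kernel truncates the task name to 15 characters

def inspect_pid(pid, proc="/proc"):
    """What the kernel records about one process, read without the ps/top binaries.
    comm: /proc/PID/stat field 2, the task name top shows (stays "perl");
    argv: /proc/PID/cmdline, the argv ps shows, which a Perl script rewrites via $0 = "httpd";
    exe/cwd: symlinks to the binary actually executed and the directory it runs from."""
    p = Path(proc) / str(pid)
    stat = (p / "stat").read_text()  # "1234 (perl) S 1 ..."; comm sits in the parentheses
    argv = (p / "cmdline").read_bytes().split(b"\0")
    return {"pid": int(pid),
            "comm": stat[stat.index("(") + 1:stat.rindex(")")],
            "argv": [a.decode(errors="replace") for a in argv if a],
            "exe": _readlink(p / "exe"), "cwd": _readlink(p / "cwd")}

def _readlink(path):
    try:
        return os.readlink(path)
    except OSError:  # unreadable without root, or the process already exited
        return None

def looks_renamed(info):
    """True when argv[0] disagrees with both the kernel task name and the executed binary."""
    if not info["argv"]:  # kernel threads have an empty cmdline
        return False
    argv0 = os.path.basename(info["argv"][0]).lstrip("-")  # login shells appear as "-bash"
    exe_name = os.path.basename(info["exe"]) if info["exe"] else ""
    return argv0[:TASK_COMM_LEN] != info["comm"] and argv0 != exe_name

def find_renamed(proc="/proc"):
    """Records for every visible process whose advertised name is inconsistent."""
    hits = []
    for entry in filter(str.isdigit, os.listdir(proc)):
        try:
            info = inspect_pid(entry, proc)
        except OSError:
            continue  # raced with process exit
        if looks_renamed(info):
            hits.append(info)
    return hits

if __name__ == "__main__":
    for h in find_renamed():
        print(f"pid {h['pid']}: comm={h['comm']} exe={h['exe']} cwd={h['cwd']} argv={h['argv']}")
```

Run it as root so /proc/PID/exe and cwd resolve for every process; a hit whose cwd is /tmp or a web-writable directory is the script to pull for analysis. A kernel module that hides processes will hide them from /proc as well, so a clean listing here does not rule one out.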

[identity profile] jtroutman.livejournal.com 2010-07-18 02:46 am (UTC)
The ps binary may be trojaned. Or they could have installed a kernel module that hides processes.

chkrootkit.org is your friend, but that is not foolproof.

You really oughta run "denyhosts" as well. But likely, I bet they got on via exploiting your webserver in some fashion, instead of ssh brute force.