Date: Mon, 23 Nov 2009 11:46:06 -0500 From: "Darrell D. Mobley" <dmobley (at mark) uhostme.com> Subject: [coba-e:16166] Re: Confused about password change... To: <coba-e (at mark) bluequartz.org> Message-Id: <002101ca6c5c$74a6cd00$5df46700$@com> In-Reply-To: <13ff4d414bb508232cea33bbe1891416 (at mark) goulburn.net.au> References: <00b901ca6c13$0fa28cd0$2ee7a670$ (at mark) com> <13ff4d414bb508232cea33bbe1891416 (at mark) goulburn.net.au> X-Mail-Count: 16166I checked using "find" and there is no evidence of a rootkit or changed files in /usr/bin or anywhere else for that matter. Why would the system do segmentation fault errors for only one site on the server? From: David Booth [mailto:md (at mark) goulburn.net.au] Sent: Monday, November 23, 2009 5:35 AM To: coba-e (at mark) bluequartz.org Subject: [coba-e:16165] Re: Confused about password change... On 23/11/2009, at 7:00 PM, Darrell D. Mobley wrote: Tonight, I had a drive-by hacking on BQ machine, and after closing the hole I went to update my passwords. On one particular site that runs Joomla and vBulletin, when I went to change the MySQL user password (they share the same user over several databases), Apache started spewing segmentation fault errors: [Mon Nov 23 02:46:51 2009] [notice] child pid 16419 exit signal Segmentation fault (11) The minute I changed the password back, they quit. Even restarting Apache wouldn't fix the problem. Have you ever seen this before and what is causing this? The only time I saw Segmentation fault was after a rootkit attack. Disastrous! ls -l /usr/bin Look for funny ownerships - other than root - this could be nasty.16166_2.html (attatchment)(tag is disabled)