
Re: My sarge box has an IRC bot



Kevin Mark <kevin.mark@verizon.net> wrote:
> On Wed, Jan 10, 2007 at 10:01:46AM -0800, Andrew Sackville-West wrote:
> > On Wed, Jan 10, 2007 at 11:53:42AM -0600, Fran wrote:
> > > I've been told by my ISP that my sarge webserver (only port 80 open, all
> > >  software up to date) is spewing traffic they're calling IRC_nick, which
> > > is apparently some sort of IRC bot.
> > > 
> > > I'm unable to locate the file/files that are infected.  Additionally, I
> > > can't see the process/processes for the bot when it's running.
> > > 
> > > chkproc -v does reveal some hidden procs, but before I can kill them,
> > > they seem to go away.
> > > 
> > > chkrootkit/rkhunter don't seem to see anything either.
> > > 
> > > Any other suggestions?

	Another thing to consider: it's possible your box hasn't been hacked
to the point of a shell. Do you have mod_proxy enabled in your apache
config? Somebody could be bouncing their bot off of that. I'd still reformat
etc just to be sure but it's worth looking into anyways.

	Also, you have to consider how they got in, if port 80 is the only
port that's open... I'd do a serious security audit of any dynamic (PHP etc)
content you serve from there.

		- Tyler
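The mod_proxy check Tyler suggests, as an added example that is not part of the thread: a small POSIX shell function that reports whether an Apache config turns on forward proxying (`ProxyRequests On`) without a `<Proxy *>` block denying outside clients, using the `Order`/`Deny`/`Allow` syntax of the Apache 2.0 that sarge ships. The sample configs are constructed for the demo and the `/etc/apache2/` paths mentioned are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: flag an Apache config that enables
# forward proxying (ProxyRequests On) without a <Proxy *> block that denies
# outside clients. Apache 2.0 (sarge's apache2) uses Order/Deny/Allow syntax.
# Paths are assumptions; the demo configs below are constructed.

# check_open_proxy FILE: prints OPEN, RESTRICTED or NONE; exit status 0 only for OPEN.
check_open_proxy() {
    # strip comments and lower-case everything so commented-out or mixed-case
    # directives are handled uniformly
    body=$(sed 's/#.*//' "$1" | tr 'A-Z' 'a-z')
    if ! printf '%s\n' "$body" \
         | grep -qE '^[[:space:]]*proxyrequests[[:space:]]+on([[:space:]]|$)'; then
        echo NONE; return 1
    fi
    # forward proxying is on: look for a <Proxy *> block that denies by default
    if printf '%s\n' "$body" | sed -n '/<proxy[[:space:]]*\*>/,/<\/proxy>/p' \
         | grep -qE '^[[:space:]]*deny[[:space:]]+from[[:space:]]+all'; then
        echo RESTRICTED; return 1
    fi
    echo OPEN; return 0
}

# Demo: write two constructed configs (the weak one and the locked-down one) and
# compare them. On Debian the real input would be /etc/apache2/apache2.conf plus
# everything it Includes (assumed paths).
demo_open_proxy() {
    dir=$(mktemp -d)
    cat > "$dir/open.conf" <<'EOF'
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
ProxyRequests On
EOF
    cat > "$dir/restricted.conf" <<'EOF'
ProxyRequests On
<Proxy *>
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24
</Proxy>
EOF
    for f in open restricted; do
        printf '%s: %s\n' "$f.conf" "$(check_open_proxy "$dir/$f.conf")"
    done
    rm -rf "$dir"
}
demo_open_proxy
```

A verdict of NONE only says no forward proxying is configured; whether mod_proxy is loaded at all is a separate check of the LoadModule lines or mods-enabled directory.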
