Re: My sarge box has an IRC bot
On Wed, Jan 10, 2007 at 10:01:46AM -0800, Andrew Sackville-West wrote:
> On Wed, Jan 10, 2007 at 11:53:42AM -0600, Fran wrote:
> > I've been told by my ISP that my sarge webserver (only port 80 open, all
> > software up to date) is spewing traffic they're calling IRC_nick, which
> > is apparently some sort of IRC bot.
> >
> > I'm unable to locate the file/files that are infected. Additionally, I
> > can't see the process/processes for the bot when it's running.
> >
> > chkproc -v does reveal some hidden procs, but before I can kill them,
> > they seem to go away.
> >
> > chkrootkit/rkhunter don't seem to see anything either.
> >
> > Any other suggestions?
>
> if you're rooted, take the box down, take it off the net, reboot with a
> live-cd and run chkrootkit from there. Probably though, you're stuck
> rebuilding the box from scratch -- as in nuke it from orbit.
>
> A
Also, rootkits usually replace top, ps, ls and other things to make it harder
to find them. Maybe find a recent copy of these and reinstall them by hand to
see if that shows anything. You can also install a firewall if you don't
have one, like shorewall, and maybe get something to log your web traffic.
Cheers,
Kev
- --
| .''`. == Debian GNU/Linux == | my web site: |
| : :' : The Universal | 'under construction' |
| `. `' Operating System | go to counter.li.org and |
| `- http://www.debian.org/ | be counted! #238656 |
| my keyserver: subkeys.pgp.net | my NPO: cfsg.org |
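A defender's check in the spirit of Kev's advice (verify ps, top, ls and friends rather than trusting them), as an added example that is not from the thread: booted from the live CD, mount the suspect root read-only and compare its files against dpkg-style `.md5sums` lists. The list contents and the sample tree below are constructed; on a real rootkitted disk the lists under /var/lib/dpkg/info may have been edited as well, so take them from a freshly downloaded copy of the package rather than from the suspect disk.

```shell
# Compare files on a suspect root against a dpkg-style .md5sums list
# (format "<md5>  <path relative to />", as in /var/lib/dpkg/info/*.md5sums).
# ROOT is where the suspect filesystem is mounted from the live CD (e.g. /mnt);
# it defaults to / for an in-place check. Prints one line per file that is
# missing or whose hash differs, and returns the number of problems found.
check_md5sums() {
    sums_file=$1
    root=${2:-/}
    bad=0
    while read -r expected relpath; do
        [ -z "$relpath" ] && continue
        file="$root/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath"
            bad=$((bad + 1))
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $relpath (expected $expected, got $actual)"
            bad=$((bad + 1))
        fi
    done < "$sums_file"
    return "$bad"
}

# Constructed demo (not a real package): a fake root holding a clean ls, a ps
# that a rootkit has swapped, and a listed top that is missing entirely.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/bin"
    printf 'clean ls\n' > "$tmp/root/bin/ls"
    printf 'clean ps\n' > "$tmp/root/bin/ps"
    # Record the known-good hashes, as the package's .md5sums file would.
    {
        printf '%s  bin/ls\n' "$(md5sum "$tmp/root/bin/ls" | cut -d' ' -f1)"
        printf '%s  bin/ps\n' "$(md5sum "$tmp/root/bin/ps" | cut -d' ' -f1)"
        printf '%s  bin/top\n' "00000000000000000000000000000000"
    } > "$tmp/procps.md5sums"
    # Simulate the rootkit replacing ps after the hashes were recorded.
    printf 'trojaned ps\n' > "$tmp/root/bin/ps"
    rc=0
    check_md5sums "$tmp/procps.md5sums" "$tmp/root" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || echo "problems found: $?"
```

Against a real system the call is `check_md5sums /path/to/procps.md5sums /mnt`, once per package whose binaries you care about.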