Re: My sarge box has an IRC bot

To: debian-user@lists.debian.org
Subject: Re: My sarge box has an IRC bot
From: Ron Johnson <ron.l.johnson@cox.net>
Date: Wed, 10 Jan 2007 13:26:04 -0600
Message-id: <[🔎] 45A53DCC.9010005@cox.net>
In-reply-to: <[🔎] 45A52826.9050007@franoculator.com>
References: <[🔎] 45A52826.9050007@franoculator.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/10/07 11:53, Fran wrote:
> I've been told by my ISP that my sarge webserver (only port 80 open, all
>  software up to date) is spewing traffic they're calling IRC_nick, which
> is apparantly some sort of IRC bot.

"IRC_nick" is really ambiguous.  What port do they say it's coming from?

I'd also suggest you have a trustworthy friend do a thorough nmap of
your system.

> I'm unable to locate the file/files that are infected.  Additionally, I
> can't see the process/processes for the bot when it's running.
> 
> chkproc -v does reveal some hidden procs, but before I can kill them,
> they seem to go away.
> 
> chkrootkit/rkhunter don't seem to see anything either.
> 
> Any other suggestions?


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFpT3MS9HxQb37XmcRAqAjAKDImKndXJu8AWKXd9zUM/lDVYIk9gCglMyk
vs1DSU50/AvTf8UI+jSRIRE=
=VBOu
-----END PGP SIGNATURE-----

Reply to:

References:
- My sarge box has an IRC bot
  - From: Fran <lists@franoculator.com>

Prev by Date: Re: Launch App without X-Windows
Next by Date: Re: [OFF-TOPIC] Mailing List Netiquette
Previous by thread: Re: My sarge box has an IRC bot
Next by thread: Re: My sarge box has an IRC bot
Index(es):
- Date
- Thread