Re: My sarge box has an IRC bot

To: debian-user@lists.debian.org
Subject: Re: My sarge box has an IRC bot
From: Sarunas Burdulis <sarunas@math.dartmouth.edu>
Date: Thu, 11 Jan 2007 08:42:37 -0500
Message-id: <[🔎] 45A63ECD.4080201@math.dartmouth.edu>
In-reply-to: <[🔎] 45A52826.9050007@franoculator.com>
References: <[🔎] 45A52826.9050007@franoculator.com>

Fran wrote:
> I've been told by my ISP that my sarge webserver (only port 80 open, all
>  software up to date) is spewing traffic they're calling IRC_nick, which
> is apparantly some sort of IRC bot.
> 
> I'm unable to locate the file/files that are infected.  Additionally, I
> can't see the process/processes for the bot when it's running.
> 
> chkproc -v does reveal some hidden procs, but before I can kill them,
> they seem to go away.
> 
> chkrootkit/rkhunter don't seem to see anything either.
> 
> Any other suggestions?
> 
Use tcpdump and/or ethereal to check traffic.

Check apache logs. You may see some STDOUT from wget there, if they
broke in using a vulnerability in some web app.

Watch lsof or netstat for ESTABLISHED connections. Use 1s watch frequency.

Use top/htop with high refresh frequency. Note unusual short lived
processes. Try locating their binaries or scripts. /tmp most likely.

HTH,
?aru-nas

Reply to:

References:
- My sarge box has an IRC bot
  - From: Fran <lists@franoculator.com>

Prev by Date: Re: Iceweasel download manager problem
Next by Date: modprobe
Previous by thread: Re: My sarge box has an IRC bot
Next by thread: Re: My sarge box has an IRC bot
Index(es):
- Date
- Thread