
Re: My sarge box has an IRC bot



On Wed, 2007-01-10 at 11:53 -0600, Fran wrote:
> I've been told by my ISP that my sarge webserver (only port 80 open, all
> software up to date) is spewing traffic they're calling IRC_nick, which
> is apparently some sort of IRC bot.
> 
> I'm unable to locate the file/files that are infected.  Additionally, I
> can't see the process/processes for the bot when it's running.
> 
> chkproc -v does reveal some hidden procs, but before I can kill them,
> they seem to go away.
> 
> chkrootkit/rkhunter don't seem to see anything either.
> 
> Any other suggestions?

Just my $0.02 worth here.

At one time I had an IRC-Bot on my machine. It was put in /dev/shm/. I
fixed the access issue (it was writable by anyone).

Then another one in /tmp/apache-chroot, which I used for uploads. I turned off
execute for /tmp (made it its own filesystem for that).

Turned out to be a Perl script in Twiki doing the exploit and running
it.

The thing is, if you only allow the outside WORLD to contact via known
ports, they won't work. Unless you have an open apache webserver proxy,
which can redirect to the bot and make it still work.

Here read this:
        http://httpd.apache.org/docs/2.0/mod/mod_proxy.html#examples

and just below it:
        http://httpd.apache.org/docs/2.0/mod/mod_proxy.html#access

More than likely though, you have a "look-alike" process running as
www-data.

Which means it can only have limited effects, except on your web apps.
-- 
greg, greg@gregfolkert.net

The technology that is
Stronger, better, faster:  Linux
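An added example (not part of Greg's mail or the Debian list) that turns the two mitigations above into a check you can run: it reads mount options in /proc/mounts format and reports whether /tmp and /dev/shm are mounted noexec,nosuid,nodev as separate filesystems, and it scans an Apache 2.0 config for `ProxyRequests On` without a default-deny `<Proxy *>` block, which is the open-proxy condition the mod_proxy access-control link describes. The mount table and the three config snippets are constructed samples, and the function names are this example's own.

```shell
#!/bin/sh
# Audit helpers for the two points in the mail: no executable world-writable
# scratch space, and no open forward proxy in Apache. Sample data is constructed.

# Constructed /proc/mounts sample: /tmp hardened, /dev/shm left at defaults.
SAMPLE_MOUNTS='/dev/sda2 / ext3 rw 0 0
tmpfs /dev/shm tmpfs rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0'

# check_mount_opts MOUNTPOINT MOUNTS_TEXT
# Prints "hardened" when the mount carries noexec, nosuid and nodev,
# "weak" when it is a separate mount without all three, and "missing"
# when the path is not its own filesystem at all (so it inherits /).
check_mount_opts() {
    mp=$1
    opts=$(printf '%s\n' "$2" | awk -v mp="$mp" '$2 == mp { print $4 }')
    if [ -z "$opts" ]; then
        echo missing
        return 0
    fi
    for need in noexec nosuid nodev; do
        case ",$opts," in
            *",$need,"*) ;;
            *) echo weak; return 0 ;;
        esac
    done
    echo hardened
}

# Constructed Apache 2.0 mod_proxy snippets (hypothetical configs).
OPEN_PROXY_CONF='ProxyRequests On
ProxyVia On'

RESTRICTED_PROXY_CONF='ProxyRequests On
<Proxy *>
    Order deny,allow
    Deny from all
    Allow from 192.168.0
</Proxy>'

REVERSE_ONLY_CONF='ProxyRequests Off
ProxyPass /app http://localhost:8080/app'

# check_proxy_config CONF_TEXT
# "forward-proxy-off" when ProxyRequests is not On (reverse proxying via
# ProxyPass does not need it), "restricted-forward-proxy" when it is On but a
# <Proxy> block denies by default, and "open-proxy" when it is On with no
# such block, which is what lets an outsider bounce traffic through the host.
check_proxy_config() {
    conf=$1
    if ! printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+On'; then
        echo forward-proxy-off
        return 0
    fi
    if printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*<Proxy[[:space:]]' &&
       printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*Deny[[:space:]]+from[[:space:]]+all'; then
        echo restricted-forward-proxy
    else
        echo open-proxy
    fi
}

# Report on the constructed samples.
for mp in /tmp /dev/shm /var/tmp; do
    printf '%-10s %s\n' "$mp" "$(check_mount_opts "$mp" "$SAMPLE_MOUNTS")"
done
printf 'open sample:       %s\n' "$(check_proxy_config "$OPEN_PROXY_CONF")"
printf 'restricted sample: %s\n' "$(check_proxy_config "$RESTRICTED_PROXY_CONF")"
printf 'reverse sample:    %s\n' "$(check_proxy_config "$REVERSE_ONLY_CONF")"

# On a live box the same functions can read the real mount table.
if [ -r /proc/mounts ]; then
    printf 'this host /tmp:    %s\n' "$(check_mount_opts /tmp "$(cat /proc/mounts)")"
fi
```

A "missing" result for /tmp or /dev/shm means the directory shares the root filesystem's options, so a noexec mount (or a tmpfs with `noexec,nosuid,nodev` in fstab) is the fix the mail describes; for the proxy check, `ProxyRequests Off` is the right setting unless you genuinely run a forward proxy, in which case the `<Proxy *>` block must deny by default.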
