OT. Have I been hacked? IRCD?
mark at onnow.net
mark at onnow.net
Tue Dec 14 00:02:45 UTC 2004
I found d0s3.txt in my /tmp dir.
Not sure how it got there. Found this too:
Here is the log file from error_log.1
--19:21:21-- http://@#!@#!@#!@#!yeah.freesuperhost.com/d0s3.txt
=> `d0s3.txt'
Resolving @#!@#!@#!@#!yeah.freesuperhost.com... done.
Connecting to @#!@#!@#!@#!yeah.freesuperhost.com[70.84.229.131]:80...
connected.
HTTP request sent, awaiting response... 200 OK
Length: 20,419 [text/plain]
0K .......... ......... 100% 74.68 KB/s
19:21:23 (74.68 KB/s) - `d0s3.txt' saved [20419/20419]
Not quite sure how this happened
Mark
Quoting Alexander Dalloz <ad+lists at uni-x.org>:
> Am Di, den 14.12.2004 schrieb mark at onnow.net um 0:00:
>
> > When I run: lsof -i |grep perl
> > I get:
>
> > perl 4883 apache 124u IPv4 193039277 TCP
> > onofmydomains.com:56272->ftp.pqa.com:ircd (ESTABLISHED)
>
> > perl 17513 apache 124u IPv4 65252685 TCP
> > oneofmydomains.com:60371->chobits.ircrev.com:ircd (ESTABLISHED)
> >
> > So I have a connection to an irc daemon.
>
> You have two of them. Whether they are really irc connections can't be
> said from that. The "ircd" comes from /etc/services and so port 6667 is
> translated this way. But it is:
>
> Trying 12.5.48.98...
> Connected to ftp.pqa.com.
> Escape character is '^]'.
> :Metallica.USA.GigaChat.net NOTICE AUTH :*** Looking up your hostname...
> :Metallica.USA.GigaChat.net NOTICE AUTH :*** Found your hostname
> (cached)
>
> > I have grepped the web content directory for ircd and not found anything.
> > ps -ef |grep ircd gets nothing.
>
> I can imagine that this does not show something useful. I guess there
> are cgi::irc webchat interfaces running. So check the content of cgi-bin
> directories. These webchat things can consume large amounts of
> resources.
>
> > I also cant seem to locate a perl script that is causing this.
> > So can anyone offer some help here? How can I check this further. I want
> to
> > nail down the user ( web user I hope ) that is running this.
>
> So you have users allowed to run things on Apache?
>
> locate irc.cgi
>
> Maybe that shows you quickly the locations where the "bad" things are.
>
> > Mark
>
> Alexander
>
>
> --
> Alexander Dalloz | Enger, Germany | new address - new key: 0xB366A773
> legal statement: http://www.uni-x.org/legal.html
> Fedora GNU/Linux Core 2 (Tettnang) on Athlon kernel 2.6.9-1.6_FC2smp
> Serendipity 00:46:57 up 3 days, 19:27, load average: 0.48, 0.59, 0.73
>
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
More information about the users
mailing list