OT. Have I been hacked? IRCD?

mark at onnow.net mark at onnow.net
Tue Dec 14 00:02:45 UTC 2004


I found d0s3.txt in my /tmp dir.  

Not sure how it got there.  Found this too:

Here is the log file from error_log.1

--19:21:21-- http://@#!@#!@#!@#!yeah.freesuperhost.com/d0s3.txt
=> `d0s3.txt'
Resolving @#!@#!@#!@#!yeah.freesuperhost.com... done.
Connecting to @#!@#!@#!@#!yeah.freesuperhost.com[70.84.229.131]:80...
connected.
HTTP request sent, awaiting response... 200 OK
Length: 20,419 [text/plain]

0K .......... ......... 100% 74.68 KB/s

19:21:23 (74.68 KB/s) - `d0s3.txt' saved [20419/20419]


Not quite sure how this happened.

Mark

Quoting Alexander Dalloz <ad+lists at uni-x.org>:

> On Tue, 14.12.2004 at 0:00, mark at onnow.net wrote:
> 
> > When I run: lsof -i |grep perl
> > I get:
> 
> > perl       4883  apache  124u  IPv4 193039277       TCP onofmydomains.com:56272->ftp.pqa.com:ircd (ESTABLISHED)
> 
> > perl      17513  apache  124u  IPv4  65252685       TCP oneofmydomains.com:60371->chobits.ircrev.com:ircd (ESTABLISHED)
> > 
> > So I have a connection to an irc daemon.  
> 
> You have two of them. Whether they are really irc connections can't be
> said from that. The "ircd" comes from /etc/services and so port 6667 is
> translated this way. But it is:
> 
> Trying 12.5.48.98...
> Connected to ftp.pqa.com.
> Escape character is '^]'.
> :Metallica.USA.GigaChat.net NOTICE AUTH :*** Looking up your hostname...
> :Metallica.USA.GigaChat.net NOTICE AUTH :*** Found your hostname (cached)
> 
> > I have grepped the web content directory for ircd and not found anything.
> > ps -ef |grep ircd gets nothing.
> 
> I can imagine that this does not show something useful. I guess there
> are cgi::irc webchat interfaces running. So check the content of cgi-bin
> directories. These webchat things can consume large amounts of
> resources.
> 
> > I also can't seem to locate a perl script that is causing this.
> > So can anyone offer some help here?  How can I check this further?  I want to
> > nail down the user (web user I hope) that is running this.
> 
> So you have users allowed to run things on Apache?
> 
> locate irc.cgi
> 
> Maybe that shows you quickly the locations where the "bad" things are.
> 
> > Mark
> 
> Alexander
> 
> 
> -- 
> Alexander Dalloz | Enger, Germany | new address - new key: 0xB366A773
> legal statement: http://www.uni-x.org/legal.html
> Fedora GNU/Linux Core 2 (Tettnang) on Athlon kernel 2.6.9-1.6_FC2smp 
> Serendipity 00:46:57 up 3 days, 19:27, load average: 0.48, 0.59, 0.73 
> 
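The triage Alexander describes (lsof output with port 6667 shown as "ircd" via /etc/services, perl processes owned by the web server user talking to IRC servers) can be scripted so the check is repeatable. The script below is an added example written for this thread, not something either poster ran: it assumes the web server runs as the user "apache", uses a constructed `lsof -nPi` sample (numeric ports, so the /etc/services mapping does not get in the way), and treats a list of common IRC ports as an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): flag processes owned by the web
# server user that hold outbound connections to common IRC ports.
# `lsof -nPi` keeps ports numeric instead of mapping them through
# /etc/services (where 6667 prints as "ircd").

WEB_USER="${WEB_USER:-apache}"   # assumption: Apache runs as "apache"
IRC_PORTS="6660 6661 6662 6663 6664 6665 6666 6667 6668 6669 6697 7000"  # assumed common IRC ports

# Constructed sample of `lsof -nPi` output, standing in for a live run.
SAMPLE_LSOF='COMMAND   PID   USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
perl     4883 apache  124u  IPv4 193039277      0t0  TCP 192.0.2.10:56272->198.51.100.7:6667 (ESTABLISHED)
perl    17513 apache  124u  IPv4  65252685      0t0  TCP 192.0.2.10:60371->203.0.113.9:6667 (ESTABLISHED)
httpd    1201 apache    3u  IPv4      1234      0t0  TCP *:80 (LISTEN)
sshd      900   root    3u  IPv4       999      0t0  TCP *:22 (LISTEN)
wget     2222   mark    4u  IPv4      4321      0t0  TCP 192.0.2.10:40000->198.51.100.7:6667 (ESTABLISHED)'

# find_irc_bots <user>  (lsof output on stdin)
# Prints "PID COMMAND REMOTE" for every established connection owned by
# <user> whose remote port is in IRC_PORTS.
find_irc_bots() {
    user="$1"
    awk -v user="$user" -v ports="$IRC_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $3 == user && $NF == "(ESTABLISHED)" {
        split($(NF-1), ends, "->")        # NAME field is local->remote
        m = split(ends[2], parts, ":")    # remote port is the last ":" field
        if (parts[m] in want) print $2, $1, ends[2]
    }'
}

# Number of hits in the constructed sample (2: the two perl processes).
count_irc_bots() {
    printf '%s\n' "$SAMPLE_LSOF" | find_irc_bots "$WEB_USER" | wc -l | tr -d ' '
}

# Live use: lsof -nPi | find_irc_bots "$WEB_USER"
# Then inspect each PID: ls -l /proc/<PID>/cwd /proc/<PID>/exe; tr '\0' ' ' < /proc/<PID>/cmdline
```

The /proc lookups at the end are how to get from a PID to the script file itself, which is what `ps -ef | grep ircd` and a grep of the web content for "ircd" cannot reveal, since the process name is just "perl".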



