Re: My sarge box has an IRC bot
- From: Greg Folkert <greg@xxxxxxxxxxxxxxx>
- Date: Thu, 11 Jan 2007 13:38:09 -0500
On Wed, 2007-01-10 at 11:53 -0600, Fran wrote:
> I've been told by my ISP that my sarge webserver (only port 80 open, all
> software up to date) is spewing traffic they're calling IRC_nick, which
> is apparently some sort of IRC bot.
> I'm unable to locate the file/files that are infected. Additionally, I
> can't see the process/processes for the bot when it's running.
> chkproc -v does reveal some hidden procs, but before I can kill them,
> they seem to go away.
> chkrootkit/rkhunter don't seem to see anything either.
> Any other suggestions?
Just my $0.02 worth here.
At one time I had an IRC-Bot on my machine. It was put in /dev/shm/. I
fixed the access issue (it was writable by anyone).
Then another one in /tmp/apache-chroot, which I used for uploads. I turned off
execute for /tmp (made it its own filesystem for that).
Turned out to be a Perl script in TWiki doing the exploit and running
it.
The thing is, if you only allow the outside WORLD to contact via known
ports, they won't work. Unless you have an open apache webserver proxy,
which can redirect to the bot and make it still work.
Here, read this:
http://httpd.apache.org/docs/2.0/mod/mod_proxy.html#examples
and just below it:
http://httpd.apache.org/docs/2.0/mod/mod_proxy.html#access
More than likely though, you have a "look-alike" process running as
www-data, which means it can only have limited effects but on your web-apps.
--
greg, greg@xxxxxxxxxxxxxxx
The technology that is
Stronger, better, faster: Linux
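
Added example, not part of the original message: a small /proc triage script for the "look-alike" process case described above. It flags processes owned by www-data whose real binary is deleted, lives under /tmp or /dev/shm, or does not match the name shown in the process title. The function names and the inclusion of /var/tmp are assumptions made for this illustration.

```python
import os
import pwd

# Directories a web-server account should never execute from (the reply names
# /dev/shm and /tmp; /var/tmp is added here as an assumption).
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

def assess(exe, cmdline):
    """Return reasons a process looks disguised.
    exe: target of /proc/PID/exe; cmdline: raw bytes of /proc/PID/cmdline."""
    reasons = []
    # A script that rewrites its title (Perl's $0) leaves spaces, not NULs.
    argv0 = cmdline.split(b"\0")[0].decode(errors="replace").split(" ")[0]
    if exe.endswith(" (deleted)"):
        reasons.append("binary deleted from disk while running")
        exe = exe[:-len(" (deleted)")]
    if exe.startswith(SUSPECT_DIRS):
        reasons.append("executing from a world-writable directory")
    real, shown = os.path.basename(exe), os.path.basename(argv0)
    if shown and shown != real:
        reasons.append(f"shows as '{shown}' but real binary is '{real}'")
    return reasons

def scan(uid, proc="/proc"):
    """Map PID -> reasons for every flagged process owned by uid."""
    findings = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        base = os.path.join(proc, pid)
        try:
            if os.stat(base).st_uid != uid:
                continue
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdline = fh.read()
        except OSError:
            continue  # process exited mid-scan, or we lack permission
        reasons = assess(exe, cmdline)
        if reasons:
            findings[int(pid)] = reasons
    return findings

if __name__ == "__main__":
    # Run as root so /proc/PID/exe is readable for other users' processes.
    for pid, why in sorted(scan(pwd.getpwnam("www-data").pw_uid).items()):
        print(pid, "; ".join(why))
```

Daemons that set their own process title, or binaries started through a symlink, will also show a name mismatch, so treat the output as leads to inspect rather than verdicts.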