OT. Have I been hacked? IRCD?

Alexander Dalloz ad+lists at uni-x.org
Mon Dec 13 23:54:08 UTC 2004


On Tue, 14.12.2004 at 0:00, mark at onnow.net wrote:

> When I run: lsof -i |grep perl
> I get:

> perl       4883  apache  124u  IPv4 193039277       TCP
> onofmydomains.com:56272->ftp.pqa.com:ircd (ESTABLISHED)

> perl      17513  apache  124u  IPv4  65252685       TCP
> oneofmydomains.com:60371->chobits.ircrev.com:ircd (ESTABLISHED)
> 
> So I have a connection to an irc daemon.  

You have two of them. Whether they are really irc connections can't be
said from that. The "ircd" comes from /etc/services and so port 6667 is
translated this way. But it is:

Trying 12.5.48.98...
Connected to ftp.pqa.com.
Escape character is '^]'.
:Metallica.USA.GigaChat.net NOTICE AUTH :*** Looking up your hostname...
:Metallica.USA.GigaChat.net NOTICE AUTH :*** Found your hostname
(cached)

> I have grepped the web content directory for ircd and not found anything.
> ps -ef |grep ircd gets nothing.

I can imagine that this does not show something useful. I guess there
are cgi::irc webchat interfaces running. So check the content of cgi-bin
directories. These webchat things can consume large amounts of
resources.

> I also can't seem to locate a perl script that is causing this.
> So can anyone offer some help here?  How can I check this further?  I want to
> nail down the user ( web user I hope ) that is running this.

So you have users allowed to run things on Apache?

locate irc.cgi

Maybe that shows you quickly the locations where the "bad" things are.

> Mark

Alexander


-- 
Alexander Dalloz | Enger, Germany | new address - new key: 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora GNU/Linux Core 2 (Tettnang) on Athlon kernel 2.6.9-1.6_FC2smp 
Serendipity 00:46:57 up 3 days, 19:27, load average: 0.48, 0.59, 0.73 
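
The check discussed in this message, as an added example that is not part of the original post: a shell filter that picks out of `lsof -i` output the established connections owned by the web server account whose remote port is 6667 or its /etc/services name "ircd", and a helper that reads a PID's working directory and argv from /proc to help locate the script. The function names, the `IRC_PORTS` variable, the optional `PROCROOT` argument and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Sample data below is constructed.

IRC_PORTS="${IRC_PORTS:-ircd 6667}"   # "ircd" is the /etc/services name for 6667

# irc_conns USER: read `lsof -i` output on stdin and print "PID COMMAND REMOTE"
# for ESTABLISHED connections owned by USER whose remote port is in IRC_PORTS.
irc_conns() {
    awk -v user="$1" -v ports="$IRC_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $3 == user && $NF == "(ESTABLISHED)" {
            # NAME is the field before the state; works with or without SIZE/OFF.
            if (split($(NF-1), ends, "->") != 2) next
            port = ends[2]; sub(/.*:/, "", port)
            if (port in want) print $2, $1, ends[2]
        }'
}

# describe_pid PID [PROCROOT]: print working directory and argv of a process.
# PROCROOT defaults to /proc; the parameter exists so the function can be tested.
# argv can be rewritten by the process itself, so treat cwd as the better lead.
describe_pid() {
    root="${2:-/proc}/$1"
    [ -d "$root" ] || { echo "pid $1: gone"; return 1; }
    printf 'pid %s cwd=%s argv=%s\n' "$1" \
        "$(readlink "$root/cwd")" \
        "$(tr '\0' ' ' < "$root/cmdline" | sed 's/ $//')"
}

# Constructed sample modelled on the output quoted in the thread.
sample_lsof() {
    cat <<'EOF'
COMMAND   PID   USER   FD  TYPE    DEVICE NODE NAME
perl     4883 apache 124u  IPv4 193039277  TCP web.example:56272->irc.example:ircd (ESTABLISHED)
perl    17513 apache 124u  IPv4  65252685  0t0 TCP web.example:60371->192.0.2.7:6667 (ESTABLISHED)
httpd    2101 apache   3u  IPv4     10101  TCP *:http (LISTEN)
perl     9001 mark     5u  IPv4     20202  TCP web.example:40000->irc.example:ircd (ESTABLISHED)
EOF
}

sample_lsof | irc_conns apache
```

On a live host, run as root, `lsof -i -n -P | irc_conns apache` gives the PIDs without name lookups, and `describe_pid PID` then shows where each process was started from.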