OT. Have I been hacked? IRCD?

mark mark at onnow.net
Tue Dec 14 05:43:29 UTC 2004


I am just trying to figure out if I have to re-install.  It looks like 
it.  Vulnerability in PHP or PHPBB I think.


I found the perl script in /tmp

Or maybe secure /tmp and take the below steps.

Thoughts on this all?

Mark

On Dec 13, 2004, at 5:02 PM, mark at onnow.net wrote:

> I found d0s3.txt in my /tmp dir.
>
> Not sure how it got there.  Found this too:
>
> Here is the log file from error_log.1
>
> --19:21:21-- http://@#!@#!@#!@#!yeah.freesuperhost.com/d0s3.txt
> => `d0s3.txt'
> Resolving @#!@#!@#!@#!yeah.freesuperhost.com... done.
> Connecting to @#!@#!@#!@#!yeah.freesuperhost.com[70.84.229.131]:80...
> connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 20,419 [text/plain]
>
> 0K .......... ......... 100% 74.68 KB/s
>
> 19:21:23 (74.68 KB/s) - `d0s3.txt' saved [20419/20419]
>
>
> Not quite sure how this happened
>
> Mark
>
> Quoting Alexander Dalloz <ad+lists at uni-x.org>:
>
>> Am Di, den 14.12.2004 schrieb mark at onnow.net um 0:00:
>>
>>> When I run: lsof -i |grep perl
>>> I get:
>>
>>> perl       4883  apache  124u  IPv4 193039277       TCP onofmydomains.com:56272->ftp.pqa.com:ircd (ESTABLISHED)
>>
>>> perl      17513  apache  124u  IPv4  65252685       TCP oneofmydomains.com:60371->chobits.ircrev.com:ircd (ESTABLISHED)
>>>
>>> So I have a connection to an irc daemon.
>>
>> You have two of them. Whether they are really irc connections can't be
>> said from that. The "ircd" comes from /etc/services and so port 6667 is
>> translated this way. But it is:
>>
>> Trying 12.5.48.98...
>> Connected to ftp.pqa.com.
>> Escape character is '^]'.
>> :Metallica.USA.GigaChat.net NOTICE AUTH :*** Looking up your hostname...
>> :Metallica.USA.GigaChat.net NOTICE AUTH :*** Found your hostname (cached)
>>
>>> I have grepped the web content directory for ircd and not found anything.
>>> ps -ef |grep ircd gets nothing.
>>
>> I can imagine that this does not show anything useful. I guess there
>> are cgi::irc webchat interfaces running. So check the content of cgi-bin
>> directories. These webchat things can consume large amounts of resources.
>>
>>> I also can't seem to locate a perl script that is causing this.
>>> So can anyone offer some help here?  How can I check this further?  I want to
>>> nail down the user ( web user I hope ) that is running this.
>>
>> So you have users allowed to run things on Apache?
>>
>> locate irc.cgi
>>
>> Maybe that shows you quickly the locations where the "bad" things are.
>>
>>> Mark
>>
>> Alexander
>>
>>
>> -- 
>> Alexander Dalloz | Enger, Germany | new address - new key: 0xB366A773
>> legal statement: http://www.uni-x.org/legal.html
>> Fedora GNU/Linux Core 2 (Tettnang) on Athlon kernel 2.6.9-1.6_FC2smp
>> Serendipity 00:46:57 up 3 days, 19:27, load average: 0.48, 0.59, 0.73
>>
