Security Breach ?
Aleksandar Milivojevic
amilivojevic at pbl.ca
Thu Mar 3 19:57:23 UTC 2005
Chris Strzelczyk wrote:
> Hello,
>
> Upon checking my MRTG stats on a webserver I am running I found my
> traffic to be up considerably and the server
> to be a bit slow. After taking a look at my active connections to
> processes with netstat -nap I found these to be scary:
>
> tcp 0 0 204.11.33.35:37326 161.53.2.81:6667 ESTABLISHED 16035/-bash
Login shell connected to IRC server? Not likely. Are users allowed to
login to this machine? If they are, it might be some regular user who
installed eggdrop or some similar IRC bot, and named it "-bash" in a
naive attempt to hide it.
To find out who is running it, try out:
ps -ef | grep 16035
Or to see what files the process currently keeps open (might help to
find where the binary is located):
lsof -p 16035
Try to nail down the user who is running it, and contact him to confirm
that he did that. If you can't confirm, or the user is unaware that an IRC bot
is running under his account, chances are somebody broke into the machine.
If users are not allowed to have shell accounts on the machine, most
likely somebody broke into your machine and installed an IRC bot waiting for
remote commands from some IRC channel.
As for rootkit checking tools, they are not always efficient in
detecting rootkits. Especially when kernel modules are used to hide
them. In that case, you might need to boot from Rescue CD to really see
what you have on the disk... Although, if you are able to see that
"-bash" process with netstat, most likely there's no kernel module
installed (on the other hand, it might be a lousily written module that
doesn't manage to hide everything).
--
Aleksandar Milivojevic <amilivojevic at pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7