LinuxQuestions.org

How can i kill IRCD? (http://www.linuxquestions.org/questions/linux-general-1/how-can-i-kill-ircd-513475/)

punjabipredator 12-24-2006 08:52 PM

How can i kill IRCD?
 
I have people running IRC on my server. How can I kill that connection and also make sure they never come back? Please let me know ASAP. Thank you.

runnerfrog 12-24-2006 09:43 PM

Many systems start it from the ../init.d/ircd file; _maybe_ in others it can be found in inet.d or xinet.d too. The whole thing is just to disable the service from there. If you have webmin working, it's the same: disable it from System/start-stop (I'm translating the menus). (And Happy Holidays!)

EDIT: Sorry, if you don't need the service, uninstall the package and they will never come back for sure, unless you want to serve one network and not another, which implies firewalling.

punjabipredator 12-24-2006 10:07 PM

I have no idea what you said. I am new to Linux still and don't know much. I have installed firewall software such as APF and BDF, but they are not doing anything, and I have had 2 servers that have been taken over by IRC. I need a way in which I can kill them off and also ban any IRC on my servers.

Matir 12-24-2006 10:39 PM

If you have users who are problematic, why don't you just disable their accounts?

runnerfrog 12-24-2006 11:02 PM

Three options: 1) Matir's one, disable problematic accounts; 2) uninstall the IRC package, bye bye... but, W.C.S., or almost worst-case scenario, _maybe_ your users have gained privileges to start an IRC service, so: 3) "killall ircd" will disable any service with that name for the moment, and... there's so much to do; does anybody want to help with a to-do list here? I'm sorry to say this, but more than help you need to learn about networks and security (mostly account privileges and permissions, firewalling, and IDS); it is very strange that you are a newbie and a network administrator at the very same time, isn't it? Start by telling us your server's distro, please, and as root do "ps aux" and post the output.

EDIT: corrected "ps aux", instead of ps ax.
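The "firewalling" option above and the OP's request to "ban any IRC on my servers" can be expressed as host firewall rules. The following is an added example for this thread, not code from any poster and not an APF or cPanel feature: it prints, applies and then audits iptables rules that log and drop connections on the well-known IRC ports. The port list, the log file path and the sample log lines are assumptions. The caveat that introuble raises later in the thread applies in full: a bot or bouncer on a non-standard port walks straight past this, so treat it as a tripwire and damage limiter, not as a fix for a compromised host.

```shell
#!/bin/sh
# Added example (not from the thread, not an APF/cPanel feature): iptables
# rules that log and drop IRC traffic on the well-known ports, plus a log
# audit. Port list and log path are assumptions; extend them from your logs.

# TCP port ranges commonly used by IRC servers and bouncers (assumption).
IRC_TCP_PORTS='6660:6669 7000 9999'

# Print (do not run) the rules, one iptables command per line, so they can be
# reviewed first. OUTPUT: NEW outbound connections to IRC ports are logged
# (rate-limited so a chatty bot cannot fill /var/log/messages) and dropped.
# INPUT: nobody can reach a local ircd/bouncer on those ports even if one
# gets started again. The "--dport a:b" range form needs no multiport match,
# so it also works on the old iptables shipped with RHEL 4.
irc_block_rules() {
    for range in $IRC_TCP_PORTS; do
        for chain in OUTPUT INPUT; do
            printf 'iptables -A %s -p tcp --dport %s -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "IRC-%s-BLOCK: "\n' "$chain" "$range" "$chain"
            printf 'iptables -A %s -p tcp --dport %s -m state --state NEW -j DROP\n' "$chain" "$range"
        done
    done
}

# Apply the printed rules (needs root), then persist them. "service iptables
# save" writes /etc/sysconfig/iptables on RHEL/CentOS so they survive a reboot.
apply_irc_block_rules() {
    [ "$(id -u)" -eq 0 ] || { echo 'apply_irc_block_rules: run as root' >&2; return 1; }
    irc_block_rules | sh -e || return 1
    if command -v service >/dev/null 2>&1; then
        service iptables save
    fi
}

# How often the rules fired: a non-zero count after a "clean-up" means
# something on the box is still trying to talk IRC. Pass "-" to read stdin.
irc_block_hits() {
    grep -c 'IRC-[A-Z]*-BLOCK: ' "${1:-/var/log/messages}"
}

# Which hosts the blocked outbound attempts were aimed at, most frequent
# first: these are the C&C servers to hunt for in the rest of the system.
irc_block_targets() {
    grep 'IRC-OUTPUT-BLOCK: ' "${1:-/var/log/messages}" \
        | sed -n 's/.* DST=\([^ ]*\).* DPT=\([0-9]*\).*/\1:\2/p' \
        | sort | uniq -c | sort -rn
}

# Constructed, abridged syslog sample (not from the OP's box) in the format
# the LOG target produces; used by the demo and the self-test.
SAMPLE_LOG='Dec 25 03:10:01 cpanel kernel: IRC-OUTPUT-BLOCK: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=41022 DPT=6667 SYN
Dec 25 03:10:02 cpanel sshd[24874]: Accepted password for root from 203.0.113.9 port 51234 ssh2
Dec 25 03:11:15 cpanel kernel: IRC-INPUT-BLOCK: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=55001 DPT=6667 SYN'

if [ "${1:-}" = "--print" ]; then
    irc_block_rules
elif [ "${1:-}" = "--apply" ]; then
    apply_irc_block_rules
elif [ "${1:-}" = "--demo" ]; then
    echo "hits: $(printf '%s\n' "$SAMPLE_LOG" | irc_block_hits -)"
    printf '%s\n' "$SAMPLE_LOG" | irc_block_targets -
fi
```

Run it with `--print` to review the rules, `--apply` as root to install and save them, and later `irc_block_hits` / `irc_block_targets` against /var/log/messages to see whether anything is still trying. Insert the rules before any broad ACCEPT rule APF has already placed in the chains, or they will never be reached.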

punjabipredator 12-25-2006 02:05 AM

IRC Problem
 
I don't have any user accounts; this is a new server that was built a few hours ago. I am not a server admin and never said I was. I asked my tech support and they told me I had IRC running, and I checked and found out I did. I slowly killed off most of them, but I want to make sure they never come back and basically ban all IRC from my server. I know how to install scripts/programs and configure them, so if you guys know any good tool please let me know so I can use it. I am using Redhat Linux ES 4 (32 bit).

root@cpanel [~]# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 3076 552 ? S Dec24 0:04 init [3]
root 2 0.0 0.0 0 0 ? S Dec24 0:00 [migration/0]
root 3 0.0 0.0 0 0 ? SN Dec24 0:00 [ksoftirqd/0]
root 4 0.0 0.0 0 0 ? S Dec24 0:00 [migration/1]
root 5 0.0 0.0 0 0 ? SN Dec24 0:00 [ksoftirqd/1]
root 6 0.0 0.0 0 0 ? S< Dec24 0:00 [events/0]
root 7 0.0 0.0 0 0 ? S< Dec24 0:00 [events/1]
root 8 0.0 0.0 0 0 ? S< Dec24 0:00 [khelper]
root 9 0.0 0.0 0 0 ? S< Dec24 0:00 [kacpid]
root 52 0.0 0.0 0 0 ? S< Dec24 0:00 [kblockd/0]
root 53 0.0 0.0 0 0 ? S< Dec24 0:00 [kblockd/1]
root 54 0.0 0.0 0 0 ? S Dec24 0:00 [khubd]
root 71 0.0 0.0 0 0 ? S Dec24 0:00 [pdflush]
root 72 0.0 0.0 0 0 ? S Dec24 0:00 [pdflush]
root 73 0.0 0.0 0 0 ? S Dec24 0:00 [kswapd0]
root 74 0.0 0.0 0 0 ? S< Dec24 0:00 [aio/0]
root 75 0.0 0.0 0 0 ? S< Dec24 0:00 [aio/1]
root 219 0.0 0.0 0 0 ? S Dec24 0:00 [kseriod]
root 332 0.0 0.0 0 0 ? S< Dec24 0:00 [ata/0]
root 333 0.0 0.0 0 0 ? S< Dec24 0:00 [ata/1]
root 337 0.0 0.0 0 0 ? S Dec24 0:00 [scsi_eh_0]
root 338 0.0 0.0 0 0 ? S Dec24 0:00 [scsi_eh_1]
root 359 0.0 0.0 0 0 ? S Dec24 0:00 [kjournald]
root 1355 0.0 0.0 2328 468 ? S<s Dec24 0:00 udevd
root 1407 0.0 0.0 0 0 ? S Dec24 0:00 [shpchpd_event]
root 1647 0.0 0.0 0 0 ? S< Dec24 0:00 [kauditd]
root 1859 0.0 0.0 0 0 ? S Dec24 0:00 [scsi_eh_2]
root 1860 0.0 0.0 0 0 ? S Dec24 0:00 [usb-storage]
root 1940 0.0 0.0 0 0 ? S< Dec24 0:00 [kmirrord]
root 1962 0.0 0.0 0 0 ? S Dec24 0:00 [kjournald]
root 1963 0.0 0.0 0 0 ? S Dec24 0:00 [kjournald]
root 1964 0.0 0.0 0 0 ? S Dec24 0:00 [kjournald]
root 1965 0.0 0.0 0 0 ? S Dec24 0:00 [kjournald]
root 1966 0.0 0.0 0 0 ? S Dec24 0:02 [kjournald]
root 3700 0.0 0.0 3108 548 ? Ss Dec24 0:00 syslogd -m 0
root 3704 0.0 0.0 2400 380 ? Ss Dec24 0:00 klogd -x
root 3714 0.0 0.0 2152 296 ? Ss Dec24 0:00 irqbalance
root 3826 0.0 0.0 4876 340 ? Ss Dec24 0:00 rpc.idmapd
root 3899 0.0 0.0 2476 508 ? S Dec24 0:00 /usr/sbin/smartd
root 3908 0.0 0.0 2604 436 ? Ss Dec24 0:00 /usr/sbin/acpid
root 3918 0.0 0.4 12556 4172 ? S Dec24 0:00 /usr/sbin/snmpd -Lsd -Lf /dev/null -p /var/run/snmpd -a
root 3956 0.0 0.1 4960 1136 ? Ss Dec24 0:00 /usr/sbin/sshd
root 3969 0.0 0.0 3296 756 ? Ss Dec24 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
ntp 3981 0.0 0.5 5668 5668 ? SLs Dec24 0:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
root 3999 0.0 0.7 13220 8004 ? S Dec24 0:00 chkservd
mailnull 4075 0.0 0.0 8016 856 ? Ss Dec24 0:00 /usr/sbin/exim -bd -q1h
mailnull 4082 0.0 0.0 8808 832 ? Ss Dec24 0:00 /usr/sbin/exim -tls-on-connect -bd -oX 465
root 4092 0.0 0.0 3232 1016 ? S Dec24 0:00 antirelayd
root 4130 0.0 2.2 25676 23596 ? Ss Dec24 0:00 /usr/bin/spamd -d --allowed-ips=127.0.0.1 --pidfile=/var/run/sp
root 4151 0.0 2.1 25676 22208 ? S Dec24 0:00 spamd child
root 4153 0.0 2.1 25676 22128 ? S Dec24 0:00 spamd child
root 4161 0.0 0.0 4804 932 ? Ss Dec24 0:00 crond
root 5175 0.0 0.4 7196 4740 ? S Dec24 0:00 cpbandwd
root 5176 0.0 0.6 10960 6944 ? SN Dec24 0:00 cpanellogd - sleeping for logs
nobody 5190 0.0 0.1 3964 1652 ? S Dec24 0:00 entropychat
mailman 5206 0.0 0.4 12104 4912 ? Ss Dec24 0:00 /usr/local/bin/python2.4 /usr/local/cpanel/3rdparty/mailman/bin
dbus 5213 0.0 0.0 3128 816 ? Ss Dec24 0:00 dbus-daemon-1 --system
root 5223 0.0 0.0 4228 296 ? Ss Dec24 0:00 rhnsd --interval 240
mailman 5232 0.0 0.6 11628 6704 ? S Dec24 0:00 /usr/local/bin/python2.4 /usr/local/cpanel/3rdparty/mailman/bin
mailman 5233 0.0 0.6 11736 6716 ? S Dec24 0:00 /usr/local/bin/python2.4 /usr/local/cpanel/3rdparty/mailman/bin
mailman 5234 0.0 0.6 10356 6712 ? S Dec24 0:00 /usr/local/bin/python2.4 /usr/local/cpanel/3rdparty/mailman/bin
mailman 5235 0.0 0.6 10856 6704 ? S Dec24 0:00 /usr/local/bin/python2.4 /usr/local/cpanel/3rdparty/mailman/bin
mailman 5236 0.0 0.6 12060 6728 ? S Dec24 0:00 /usr/local/bin/python2.4 /usr/local/cpanel/3rdparty/mailman/bin
mailman 5237 0.0 0.6 10140 6772 ? S Dec24 0:00 /usr/local/bin/python2.4 /usr/local/cpanel/3rdparty/mailman/bin
mailman 5238 0.0 0.6 10588 6696 ? S Dec24 0:00 /usr/local/bin/python2.4 /usr/local/cpanel/3rdparty/mailman/bin
mailman 5239 0.0 0.6 11292 6700 ? S Dec24 0:00 /usr/local/bin/python2.4 /usr/local/cpanel/3rdparty/mailman/bin
root 5240 0.0 0.6 9988 7076 ? Ss Dec24 0:07 hald
root 5252 0.0 0.8 17344 8364 ? S Dec24 0:00 cpsrvd - waiting for connections
root 5266 0.0 0.0 1480 392 ? Ss Dec24 0:00 /usr/sbin/portsentry -tcp
root 5314 0.0 0.1 5920 1236 ? S Dec24 0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --pid-fil
mysql 5358 0.0 1.3 105984 14396 ? Sl Dec24 0:00 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=my
root 5474 0.0 0.0 3180 412 tty1 Ss+ Dec24 0:00 /sbin/mingetty tty1
root 5475 0.0 0.0 1476 412 tty2 Ss+ Dec24 0:00 /sbin/mingetty tty2
root 5476 0.0 0.0 1820 412 tty3 Ss+ Dec24 0:00 /sbin/mingetty tty3
root 5480 0.0 0.0 1908 412 tty4 Ss+ Dec24 0:00 /sbin/mingetty tty4
root 5481 0.0 0.0 3172 412 tty5 Ss+ Dec24 0:00 /sbin/mingetty tty5
root 5483 0.0 0.0 3044 412 tty6 Ss+ Dec24 0:00 /sbin/mingetty tty6
root 5485 0.0 0.0 2592 428 ttyS1 Ss+ Dec24 0:00 /sbin/agetty -h -L ttyS1 19200 vt100
root 8076 0.0 0.4 10264 4620 ? Ss Dec24 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 8082 0.0 0.3 10268 3908 ? S Dec24 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 8083 0.0 0.3 10268 3908 ? S Dec24 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 8084 0.0 0.3 10268 3896 ? S Dec24 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 8085 0.0 0.3 10268 3908 ? S Dec24 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 8086 0.0 0.3 10268 3908 ? S Dec24 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 8115 0.0 0.3 10268 3904 ? S Dec24 0:00 /usr/local/apache/bin/httpd -DSSL
named 8221 0.0 0.4 49764 4268 ? Ssl Dec24 0:00 /usr/sbin/named -u named
root 8295 0.0 0.1 7280 1144 ? Ss Dec24 0:00 pure-ftpd (SERVER)
root 8298 0.0 0.0 7168 684 ? S Dec24 0:00 /usr/sbin/pure-authd -s /var/run/ftpd.sock -r /usr/sbin/pureaut
root 8520 0.0 0.0 1748 212 ? S Dec24 0:00 /usr/sbin/courierlogger -pid=/var/run/imapd.pid -start -name=im
root 8521 0.0 0.0 2440 480 ? S Dec24 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=
root 8527 0.0 0.0 3492 208 ? S Dec24 0:00 /usr/sbin/courierlogger -pid=/var/run/imapd-ssl.pid -start -nam
root 8528 0.0 0.0 2516 476 ? S Dec24 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=
root 8533 0.0 0.0 1716 212 ? S Dec24 0:00 /usr/sbin/courierlogger -pid=/var/run/pop3d.pid -start -name=po
root 8534 0.0 0.0 3284 480 ? S Dec24 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=
root 8539 0.0 0.0 3380 212 ? S Dec24 0:00 /usr/sbin/courierlogger -pid=/var/run/pop3d-ssl.pid -start -nam
root 8540 0.0 0.0 3480 480 ? S Dec24 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=
root 8545 0.0 0.0 2372 292 ? S Dec24 0:00 /usr/sbin/courierlogger -pid=/var/spool/authdaemon/pid -facilit
root 8546 0.0 0.0 3084 608 ? S Dec24 0:00 /usr/libexec/courier-authlib/authdaemond
root 8547 0.0 0.0 3084 172 ? S Dec24 0:00 /usr/libexec/courier-authlib/authdaemond
root 8548 0.0 0.0 3084 172 ? S Dec24 0:00 /usr/libexec/courier-authlib/authdaemond
root 8549 0.0 0.0 3084 172 ? S Dec24 0:00 /usr/libexec/courier-authlib/authdaemond
root 8550 0.0 0.0 3084 172 ? S Dec24 0:00 /usr/libexec/courier-authlib/authdaemond
root 8551 0.0 0.0 3084 172 ? S Dec24 0:00 /usr/libexec/courier-authlib/authdaemond
nobody 8630 0.0 0.3 10268 3916 ? S Dec24 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 8631 0.0 0.3 10268 3904 ? S Dec24 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 8632 0.0 0.3 10268 3904 ? S Dec24 0:00 /usr/local/apache/bin/httpd -DSSL
root 24874 0.0 0.2 7532 2316 ? Ss 01:01 0:00 sshd: root@pts/0
root 24876 0.0 0.1 5652 1384 pts/0 Ss 01:01 0:00 -bash
root 24917 0.0 0.0 3012 788 pts/0 R+ 01:02 0:00 ps aux

introuble 12-25-2006 02:17 AM

Eh.. actually. Who says his users don't grab some IRCD source, build it, not install it, and run it? Who says the executable name is "ircd" or anything remotely similar? Who says they're using the standard ports?

BUT. I'm looking at the topic of the thread and then at the OP's posts. I'm thinking that he means people are running IRC clients rather than IRC servers?

Also.. I'm not sure but MAYBE these users rooted his box:

Quote:

make sure they never come back
(who's "they"?)

Quote:

i have had 2 servers that have been taken over by irc
Perhaps he's talking about the attackers installing psyBNC on his compromised hosts [a common thing for script kiddies to do].

So, mr punjabipredator: have you been hacked?

Quote:

it is very strange that you are a newbie and network administrator at the very same time, isn't?
Strange would be something that doesn't happen very often. I don't think that's the case. I believe the above situation is fairly common. Stupid? You bet.

--

So anyway. Show the following (type those commands and copy+paste the result):

Code:

ps aux
Code:

netstat -tunap
--
EDIT: posted after/during previous OP post in which ps aux is given.
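introuble's three "who says" questions above (the binary need not be called ircd, need not be installed, and need not use the standard ports) are exactly why `ps aux` alone settles nothing. The script below is an added example for this thread, not code from any poster: it filters `netstat -tunap` output for IRC ports on either end of a connection, flags processes whose real binary lives in a scratch directory or was deleted after starting (a dropped bot hiding behind a harmless name such as "httpd"), and, for any one PID, reports the real executable and which package owns it, which is the question to ask about any unfamiliar entry in the process list. The port list, the "suspicious path" list and the two sample inputs are constructed assumptions, not a complete signature.

```shell
#!/bin/sh
# Added example (not code from any poster): offline-testable triage helpers
# for the "ps aux" / "netstat -tunap" checks. Each filter reads stdin, so it
# takes live output or the constructed samples below. Port and path lists
# are assumptions.

# TCP/UDP ports commonly used by IRC servers and bouncers (assumption).
IRC_PORTS='6660 6661 6662 6663 6664 6665 6666 6667 6668 6669 7000 9999'

# Keep only netstat -tunap rows whose local OR remote port is an IRC port.
# Handles tcp rows (7 columns, with State) and udp rows (6 columns), and
# IPv6 addresses, because the port is whatever follows the last ':'.
# Output: "proto local remote pid/program".
flag_irc_sockets() {
    awk -v ports="$IRC_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        /^(tcp|udp)/ {
            nl = split($4, l, ":"); nr = split($5, r, ":")
            if ((l[nl] in want) || (r[nr] in want))
                printf "%s %s %s %s\n", $1, $4, $5, $NF
        }'
}

# Input: "PID EXE-PATH" lines (see collect_exes). Flags binaries running out
# of world-writable scratch dirs, or whose file was unlinked after start;
# both are classic signs of a dropped bot/bouncer that ps shows under a
# harmless COMMAND name.
flag_suspicious_exes() {
    grep -E ' (/tmp/|/var/tmp/|/dev/shm/)|\(deleted\)$'
}

# Live collector for flag_suspicious_exes (Linux; run as root to see other
# users' processes). Kernel threads have no exe link and show as "?".
collect_exes() {
    for p in /proc/[0-9]*; do
        printf '%s %s\n' "${p#/proc/}" "$(readlink "$p/exe" 2>/dev/null || echo '?')"
    done
}

# For one PID: what binary is it really, and did a package install it?
# The ps COMMAND column can be faked by the program; /proc/PID/exe cannot.
pid_origin() {
    exe=$(readlink "/proc/$1/exe" 2>/dev/null) \
        || { echo "$1: no exe link (kernel thread, or process gone)"; return 1; }
    pkg=$(rpm -qf "${exe% (deleted)}" 2>/dev/null) || pkg='not owned by any package'
    printf '%s exe=%s pkg=%s\n' "$1" "$exe" "$pkg"
}

# Constructed samples (not from the OP's box) for the demo and self-test.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3956/sshd
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      9123/httpd
tcp        0      0 10.0.0.5:41022          192.0.2.10:6667         ESTABLISHED 9123/httpd
tcp        0      0 10.0.0.5:443            198.51.100.7:51234      ESTABLISHED 8082/httpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           3981/ntpd'
SAMPLE_EXES='1 /sbin/init
3956 /usr/sbin/sshd
8082 /usr/local/apache/bin/httpd
9123 /tmp/.ICE-unix/httpd (deleted)
9130 /var/tmp/.psy/psybnc'

if [ "${1:-}" = "--demo" ]; then
    echo '== IRC-port sockets (sample) =='
    printf '%s\n' "$SAMPLE_NETSTAT" | flag_irc_sockets
    echo '== suspicious executables (sample) =='
    printf '%s\n' "$SAMPLE_EXES" | flag_suspicious_exes
elif [ "${1:-}" = "--live" ]; then
    netstat -tunap 2>/dev/null | flag_irc_sockets
    collect_exes | flag_suspicious_exes
elif [ "${1:-}" = "--pid" ] && [ -n "${2:-}" ]; then
    pid_origin "$2"
fi
```

`--demo` runs the filters over the samples, `--live` over the running system, and `--pid N` answers "what is this process" for one PID. In the sample, the listener on 6667 and the outbound connection to it both belong to a process that ps would list simply as "httpd"; only the exe path gives it away. A box where `--live` shows anything should be treated as compromised, not as a configuration problem.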

introuble 12-25-2006 02:25 AM

Dude.. IRC is a protocol. Were people running clients or servers from your server?

Quote:

I am not a server admin and never said i was.
From the original post:

Quote:

I have people running IRC on my server
And you also state things about YOU installing various stuff on this(these) server(s), setting up a firewall etc. Yet you're not a server admin? ..

Anyway. From your `ps aux` output I can't see anything. Is "IRC" still being run from your servers?

runnerfrog 12-25-2006 03:02 AM

Quote:

Originally posted by introuble:
From your `ps aux` output I can't see anything.
Hi, introuble. Maybe you missed "entropychat", started by user "nobody", with PID 5190; unless it's harmless, because I never knew of it... I don't know what it is, besides a javascript-based IRC server. Maybe it came from the webserver, that's possibly why the nobody user started it, or maybe it was started by a script, or an overprivileged user, a scriptkiddie most commonly, or even the admin himself, God knows. Maybe punjabipredator (basing myself on his/her name) has escalated privileges enough to kill services there, but in that case (talking about what can be stupid) coming here to ask would surely be. I'm too paranoid to go on; I'll have to forget this thread to preserve my health. :D

Matir 12-25-2006 03:14 AM

Also, do you know who started the IRC processes on the machine? If you have no users, then most likely you left an unsecured server exposed to the internet. If this is the case, I'd strongly recommend a reinstall as none of the system can be trusted now.

introuble 12-25-2006 03:59 AM

God damn it, you're right runnerfrog :) I completely missed the entropychat entry. And I've looked over the list twice. Argh. I don't think "javascript" IRC servers are possible :-/ Perhaps a Java server. I guess it's something related to cPanel. It's too bad the OP can't really clarify things for us.

Quote:

Also, do you know who started the IRC processes on the machine? If you have no users, then most likely you left an unsecured server exposed to the internet. If this is the case, I'd strongly recommend a reinstall as none of the system can be trusted now.
Problem is, who's to say after he reinstalls he won't do the exact same mistakes as the first time, and get owned in the same way etc. [if he did get owned that is]

runnerfrog 12-25-2006 04:14 AM

Sorry to be back because I was institutionalized :)
Quote:

Originally posted by introuble:
I don't think "javascript" IRC servers are possible
Did I say javascript? Yes, wow! I'm lost, truly.

punjabipredator, very, very late I pay attention to this: "root@cpanel", man! That cpanel thing includes some chat server, sometimes "entropychat", sometimes "melange", sometimes both. From inside cpanel you should be able to tell that thing to stop loading (I don't have experience with that proprietary stuff like cpanel; maybe you can't). Here you have a cpanel demo (user:demo passwd:demo):
http://e-serves.net:2082/frontend/rvblue/index.html
see the "java/cgi chat room" under "preinstalled scripts"... anyway, what's apparently starting it can be this CGI code in some webpage served by your apache:

Code:

<form target="entropychat" action="http://your.server.here.com:2084/">
Nick Name: <input type="text" name="nick" value="">
<input type="hidden" name="channel" value="demoaccount.com">
<input type="submit" value="Enter Chat">
</form>

or this other kind of link into html, for a java chat:
http://your.server.here.com/cgi-sys/...erver.here.com

punjabipredator 12-25-2006 04:16 AM

First of all, I came here to get help, not to be bashed around. I am new to Linux; I have a few months' experience, and my title is irrelevant to this issue. If I was a Linux expert I wouldn't be here asking for your help. I can install and configure certain things, and that does not make me an expert. I did run netstat and found nothing. Before, it had ircd running, and I got rid of that by rebooting and also restarting httpd. Then I enabled this in cpanel: "Compilers Tweak: This tweak will disable the system's C and C++ compilers for unprivileged users. Many canned exploits require a working C on the system. You can also choose to allow some users to use the compilers while they remain disabled by default." Now I don't have any ircd running, but I do not want that happening again, and I am not 100% sure if I have fixed this issue or not, so I would like your opinion on this.

runnerfrog 12-25-2006 04:29 AM

Quote:

First of all i came here to get help not be bashed around.
No, please, do not think that; it wasn't the intention at all, but excuse my words as far as you can. I was joking myself, if you read again, 'cos I just couldn't find what I was looking for, and was tired of getting paranoid, something usual for me. Believe me, it's true.
Your answer is inside cpanel, as we said before, and I do not have experience with that specific proprietary admin app, so I leave this until cpanel gets GPL'd.
EDITED: my grammar (?).

punjabipredator 12-25-2006 04:48 AM

I have resolved the issue. It has been over 8 hours and no bandwidth has gone out of the servers, and I also checked netstat and nothing of ircd is showing up. I enabled this in cpanel: "Compilers Tweak: This tweak will disable the system's C and C++ compilers for unprivileged users. Many canned exploits require a working C on the system. You can also choose to allow some users to use the compilers while they remain disabled by default." Also, I was not hacked, because nothing was installed; there were 1-2 txt files and that was about it. I removed those and then did what I listed above, and it has solved the issue. I was told by a support tech to do the following to secure my server against ircd: "You can secure the server against ircd using WHM options, chkrootkit, Rkhunter, mod_security etc." I will be doing that, and thanks to everyone that helped out, including runnerfrog.

Thank You
