How can I kill IRCD?
I have people running IRC on my server. How can I kill that connection and also make sure they never come back? Please let me know ASAP. Thank you.
|
Many systems start it from the ../init.d/ircd file; _maybe_ in others it can be found in inet.d too, or xinet.d. The whole thing is just to disable the service from there. If you have webmin working, it's the same: disable it from System/start-stop (I'm translating the menus). (And Happy Holidays!)
EDIT: Sorry, if you don't need the service, uninstall the package, and they will never come back, for sure, unless you want to serve one network and not another, which implies firewalling. |
I have no idea what you said. I am new to Linux still and don't know much. I have installed firewall software such as APF and BDF, but they are not doing anything, and I have had 2 servers that have been taken over by IRC. I need a way in which I can kill them off and also ban any IRC on my servers.
|
If you have users who are problematic, why don't you just disable their accounts?
|
Three options: 1) Matir's one, disable problematic accounts; 2) uninstalling the irc package, bye bye... but: W.C.S., or almost worst case scenario, _maybe_ your users have gained privileges to start an irc service, so: 3) "killall ircd" will disable any service with that name for the moment, and... so much to do; anybody want to help with a to-do list here? I'm sorry to say this, but more than help you need to learn about networks and security (mostly account privileges and permissions, firewalling, and IDS); it is very strange that you are a newbie and a network administrator at the very same time, isn't it? Start by telling us what your server's distro is, please, and as root do "ps aux" and post the output.
EDIT: corrected "ps aux", instead of ps ax. |
IRC Problem
I don't have any user accounts; this is a new server that was built a few hours ago. I am not a server admin and never said I was. I asked my tech support and they told me I had IRC running, and I checked and found out I did. I slowly killed off most of them, but I want to make sure they never come back and basically ban all IRC from my server. I know how to install scripts/programs and configure them, so if you guys know any good tool please let me know so I can use it. I am using Redhat Linux ES 4 (32 bit).
Code:
root@cpanel [~]# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 3076 552 ? S Dec24 0:04 init [3]
root 2 0.0 0.0 0 0 ? S Dec24 0:00 [migration/0]
root 3 0.0 0.0 0 0 ? SN Dec24 0:00 [ksoftirqd/0]
root 4 0.0 0.0 0 0 ? S Dec24 0:00 [migration/1]
root 5 0.0 0.0 0 0 ? SN Dec24 0:00 [ksoftirqd/1]
root 6 0.0 0.0 0 0 ? S< Dec24 0:00 [events/0]
root 7 0.0 0.0 0 0 ? S< Dec24 0:00 [events/1]
root 8 0.0 0.0 0 0 ? S< Dec24 0:00 [khelper]
root 9 0.0 0.0 0 0 ? S< Dec24 0:00 [kacpid]
root 52 0.0 0.0 0 0 ? S< Dec24 0:00 [kblockd/0]
root 53 0.0 0.0 0 0 ? S< Dec24 0:00 [kblockd/1]
root 54 0.0 0.0 0 0 ? S Dec24 0:00 [khubd]
root 71 0.0 0.0 0 0 ? S Dec24 0:00 [pdflush]
root 72 0.0 0.0 0 0 ? S Dec24 0:00 [pdflush]
root 73 0.0 0.0 0 0 ? S Dec24 0:00 [kswapd0]
root 74 0.0 0.0 0 0 ? S< Dec24 0:00 [aio/0]
root 75 0.0 0.0 0 0 ? S< Dec24 0:00 [aio/1]
root 219 0.0 0.0 0 0 ? S Dec24 0:00 [kseriod]
root 332 0.0 0.0 0 0 ? S< Dec24 0:00 [ata/0]
root 333 0.0 0.0 0 0 ? S< Dec24 0:00 [ata/1]
root 337 0.0 0.0 0 0 ? S Dec24 0:00 [scsi_eh_0]
root 338 0.0 0.0 0 0 ? S Dec24 0:00 [scsi_eh_1]
root 359 0.0 0.0 0 0 ? S Dec24 0:00 [kjournald]
root 1355 0.0 0.0 2328 468 ? S<s Dec24 0:00 udevd
root 1407 0.0 0.0 0 0 ? S Dec24 0:00 [shpchpd_event]
root 1647 0.0 0.0 0 0 ? S< Dec24 0:00 [kauditd]
root 1859 0.0 0.0 0 0 ? S Dec24 0:00 [scsi_eh_2]
root 1860 0.0 0.0 0 0 ? S Dec24 0:00 [usb-storage]
root 1940 0.0 0.0 0 0 ? S< Dec24 0:00 [kmirrord]
root 1962 0.0 0.0 0 0 ? S Dec24 0:00 [kjournald]
root 1963 0.0 0.0 0 0 ? S Dec24 0:00 [kjournald]
root 1964 0.0 0.0 0 0 ? S Dec24 0:00 [kjournald]
root 1965 0.0 0.0 0 0 ? S Dec24 0:00 [kjournald]
root 1966 0.0 0.0 0 0 ? S Dec24 0:02 [kjournald]
root 3700 0.0 0.0 3108 548 ? Ss Dec24 0:00 syslogd -m 0
root 3704 0.0 0.0 2400 380 ? Ss Dec24 0:00 klogd -x
root 3714 0.0 0.0 2152 296 ? Ss Dec24 0:00 irqbalance
root 3826 0.0 0.0 4876 340 ? Ss Dec24 0:00 rpc.idmapd
root 3899 0.0 0.0 2476 508 ? S Dec24 0:00 /usr/sbin/smartd
root 3908 0.0 0.0 2604 436 ? Ss Dec24 0:00 /usr/sbin/acpid
root 3918 0.0 0.4 12556 4172 ? S Dec24 0:00 /usr/sbin/snmpd -Lsd -Lf /dev/null -p /var/run/snmpd -a
root 3956 0.0 0.1 4960 1136 ? Ss Dec24 0:00 /usr/sbin/sshd
root 3969 0.0 0.0 3296 756 ? Ss Dec24 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
ntp 3981 0.0 0.5 5668 5668 ? SLs Dec24 0:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
root 3999 0.0 0.7 13220 8004 ? S Dec24 0:00 chkservd
mailnull 4075 0.0 0.0 8016 856 ? Ss Dec24 0:00 /usr/sbin/exim -bd -q1h
mailnull 4082 0.0 0.0 8808 832 ? Ss Dec24 0:00 /usr/sbin/exim -tls-on-connect -bd -oX 465
root 4092 0.0 0.0 3232 1016 ? S Dec24 0:00 antirelayd
root 4130 0.0 2.2 25676 23596 ? Ss Dec24 0:00 /usr/bin/spamd -d --allowed-ips=127.0.0.1 --pidfile=/var/run/sp
root 4151 0.0 2.1 25676 22208 ? S Dec24 0:00 spamd child
root 4153 0.0 2.1 25676 22128 ? S Dec24 0:00 spamd child
root 4161 0.0 0.0 4804 932 ? Ss Dec24 0:00 crond
root 5175 0.0 0.4 7196 4740 ? S Dec24 0:00 cpbandwd
root 5176 0.0 0.6 10960 6944 ? SN Dec24 0:00 cpanellogd - sleeping for logs
nobody 5190 0.0 0.1 3964 1652 ? S Dec24 0:00 entropychat
mailman 5206 0.0 0.4 12104 4912 ? Ss Dec24 0:00 /usr/local/bin/python2.4 /usr/local/cpanel/3rdparty/mailman/bin
dbus 5213 0.0 0.0 3128 816 ? Ss Dec24 0:00 dbus-daemon-1 --system
root 5223 0.0 0.0 4228 296 ? Ss Dec24 0:00 rhnsd --interval 240
mailman 5232 0.0 0.6 11628 6704 ? S Dec24 0:00 /usr/local/bin/python2.4 /usr/local/cpanel/3rdparty/mailman/bin
mailman 5233 0.0 0.6 11736 6716 ? S Dec24 0:00 /usr/local/bin/python2.4 /usr/local/cpanel/3rdparty/mailman/bin
mailman 5234 0.0 0.6 10356 6712 ? S Dec24 0:00 /usr/local/bin/python2.4 /usr/local/cpanel/3rdparty/mailman/bin
mailman 5235 0.0 0.6 10856 6704 ? S Dec24 0:00 /usr/local/bin/python2.4 /usr/local/cpanel/3rdparty/mailman/bin
mailman 5236 0.0 0.6 12060 6728 ? S Dec24 0:00 /usr/local/bin/python2.4 /usr/local/cpanel/3rdparty/mailman/bin
mailman 5237 0.0 0.6 10140 6772 ? S Dec24 0:00 /usr/local/bin/python2.4 /usr/local/cpanel/3rdparty/mailman/bin
mailman 5238 0.0 0.6 10588 6696 ? S Dec24 0:00 /usr/local/bin/python2.4 /usr/local/cpanel/3rdparty/mailman/bin
mailman 5239 0.0 0.6 11292 6700 ? S Dec24 0:00 /usr/local/bin/python2.4 /usr/local/cpanel/3rdparty/mailman/bin
root 5240 0.0 0.6 9988 7076 ? Ss Dec24 0:07 hald
root 5252 0.0 0.8 17344 8364 ? S Dec24 0:00 cpsrvd - waiting for connections
root 5266 0.0 0.0 1480 392 ? Ss Dec24 0:00 /usr/sbin/portsentry -tcp
root 5314 0.0 0.1 5920 1236 ? S Dec24 0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --pid-fil
mysql 5358 0.0 1.3 105984 14396 ? Sl Dec24 0:00 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=my
root 5474 0.0 0.0 3180 412 tty1 Ss+ Dec24 0:00 /sbin/mingetty tty1
root 5475 0.0 0.0 1476 412 tty2 Ss+ Dec24 0:00 /sbin/mingetty tty2
root 5476 0.0 0.0 1820 412 tty3 Ss+ Dec24 0:00 /sbin/mingetty tty3
root 5480 0.0 0.0 1908 412 tty4 Ss+ Dec24 0:00 /sbin/mingetty tty4
root 5481 0.0 0.0 3172 412 tty5 Ss+ Dec24 0:00 /sbin/mingetty tty5
root 5483 0.0 0.0 3044 412 tty6 Ss+ Dec24 0:00 /sbin/mingetty tty6
root 5485 0.0 0.0 2592 428 ttyS1 Ss+ Dec24 0:00 /sbin/agetty -h -L ttyS1 19200 vt100
root 8076 0.0 0.4 10264 4620 ? Ss Dec24 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 8082 0.0 0.3 10268 3908 ? S Dec24 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 8083 0.0 0.3 10268 3908 ? S Dec24 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 8084 0.0 0.3 10268 3896 ? S Dec24 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 8085 0.0 0.3 10268 3908 ? S Dec24 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 8086 0.0 0.3 10268 3908 ? S Dec24 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 8115 0.0 0.3 10268 3904 ? S Dec24 0:00 /usr/local/apache/bin/httpd -DSSL
named 8221 0.0 0.4 49764 4268 ? Ssl Dec24 0:00 /usr/sbin/named -u named
root 8295 0.0 0.1 7280 1144 ? Ss Dec24 0:00 pure-ftpd (SERVER)
root 8298 0.0 0.0 7168 684 ? S Dec24 0:00 /usr/sbin/pure-authd -s /var/run/ftpd.sock -r /usr/sbin/pureaut
root 8520 0.0 0.0 1748 212 ? S Dec24 0:00 /usr/sbin/courierlogger -pid=/var/run/imapd.pid -start -name=im
root 8521 0.0 0.0 2440 480 ? S Dec24 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=
root 8527 0.0 0.0 3492 208 ? S Dec24 0:00 /usr/sbin/courierlogger -pid=/var/run/imapd-ssl.pid -start -nam
root 8528 0.0 0.0 2516 476 ? S Dec24 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=
root 8533 0.0 0.0 1716 212 ? S Dec24 0:00 /usr/sbin/courierlogger -pid=/var/run/pop3d.pid -start -name=po
root 8534 0.0 0.0 3284 480 ? S Dec24 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=
root 8539 0.0 0.0 3380 212 ? S Dec24 0:00 /usr/sbin/courierlogger -pid=/var/run/pop3d-ssl.pid -start -nam
root 8540 0.0 0.0 3480 480 ? S Dec24 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=
root 8545 0.0 0.0 2372 292 ? S Dec24 0:00 /usr/sbin/courierlogger -pid=/var/spool/authdaemon/pid -facilit
root 8546 0.0 0.0 3084 608 ? S Dec24 0:00 /usr/libexec/courier-authlib/authdaemond
root 8547 0.0 0.0 3084 172 ? S Dec24 0:00 /usr/libexec/courier-authlib/authdaemond
root 8548 0.0 0.0 3084 172 ? S Dec24 0:00 /usr/libexec/courier-authlib/authdaemond
root 8549 0.0 0.0 3084 172 ? S Dec24 0:00 /usr/libexec/courier-authlib/authdaemond
root 8550 0.0 0.0 3084 172 ? S Dec24 0:00 /usr/libexec/courier-authlib/authdaemond
root 8551 0.0 0.0 3084 172 ? S Dec24 0:00 /usr/libexec/courier-authlib/authdaemond
nobody 8630 0.0 0.3 10268 3916 ? S Dec24 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 8631 0.0 0.3 10268 3904 ? S Dec24 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 8632 0.0 0.3 10268 3904 ? S Dec24 0:00 /usr/local/apache/bin/httpd -DSSL
root 24874 0.0 0.2 7532 2316 ? Ss 01:01 0:00 sshd: root@pts/0
root 24876 0.0 0.1 5652 1384 pts/0 Ss 01:01 0:00 -bash
root 24917 0.0 0.0 3012 788 pts/0 R+ 01:02 0:00 ps aux |
Eh.. actually. Who says his users don't grab some IRCD source, build it, not install it, and run it? Who says the executable name is "ircd" or anything remotely similar? Who says they're using the standard ports?
BUT. I'm looking at the topic of the thread and then at the OP's posts. I'm thinking that he means people are running IRC clients rather than IRC servers? Also.. I'm not sure but MAYBE these users rooted his box:
So, mr punjabipredator: have you been hacked?
-- So anyway. Show the following (type those commands and copy+paste the result):
Code:
ps aux
Code:
netstat -tunap
EDIT: posted after/during previous OP post in which ps aux is given. |
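The post above asks for `ps aux` and `netstat -tunap` output, which is the right starting point: the thread's own point is that a rogue IRC daemon need not be called "ircd" or sit on a standard port, so name matching alone is not enough. As an added example that is not part of the thread, here are two small POSIX shell/awk filters that triage that output the way a defender would: one flags sockets listening on or connected to the usual IRC port range regardless of process name, the other flags command lines that look like an IRC daemon or bouncer. The sample `netstat` and `ps` text, the port list and the name list are constructed assumptions, not data from the thread's server.

```shell
#!/bin/sh
# Added example, not code from the thread. Two filters for the output the
# thread asks for (`netstat -tunap` and `ps aux`); both read that output on
# stdin. Assumed column layout (standard net-tools/procps):
#   netstat -tunap: Proto Recv-Q Send-Q Local Remote [State] PID/Program
#                   (udp rows have no State column)
#   ps aux:         USER PID ... COMMAND, with COMMAND starting at column 11

# Ports usually associated with IRC (6660-6669, 6697, 7000); assumption, adjust.
IRC_PORTS='^(666[0-9]|6697|7000)$'
# Name fragments worth a second look. A renamed binary will not match, which
# is exactly why the port check runs alongside the name check.
IRC_NAMES='ircd|unreal|bnc|eggdrop'

# netstat_irc: print PID, program, local, remote, state for every socket that
# listens on or connects to an IRC port, or belongs to an IRC-looking program.
netstat_irc() {
    awk -v ports="$IRC_PORTS" -v names="$IRC_NAMES" '
        $1 ~ /^(tcp|udp)/ {
            local = $4; remote = $5; pidprog = $NF
            n = split(local, l, ":");  lport = l[n]      # last ":" field is the port
            n = split(remote, r, ":"); rport = r[n]
            split(pidprog, p, "/");    pid = p[1]; prog = p[2]
            state = ($1 ~ /^tcp/) ? $6 : "-"
            if (lport ~ ports || rport ~ ports || tolower(prog) ~ names)
                printf "%s\t%s\t%s\t%s\t%s\n", pid, prog, local, remote, state
        }'
}

# ps_irc: print PID, user and full command line for IRC-looking processes.
ps_irc() {
    awk -v names="$IRC_NAMES" '
        NR > 1 {
            cmd = $11
            for (i = 12; i <= NF; i++) cmd = cmd " " $i
            if (tolower(cmd) ~ names) printf "%s\t%s\t%s\n", $2, $1, cmd
        }'
}

# Constructed sample output so the filters can be tried offline; on a real box
# pipe the live commands in instead (as root, so PID/Program is populated).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3956/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      8076/httpd
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      31337/ircd
tcp        0      0 10.0.0.5:43210          192.0.2.10:6667         ESTABLISHED 31400/perl
udp        0      0 0.0.0.0:123             0.0.0.0:*                           3981/ntpd'

SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0   3076   552 ?        S    Dec24   0:04 init [3]
nobody    5190  0.0  0.1   3964  1652 ?        S    Dec24   0:00 entropychat
nobody   31337  0.0  0.5   9000  5000 ?        S    01:01   0:00 ./ircd -f ircd.conf
root     24917  0.0  0.0   3012   788 pts/0    R+   01:02   0:00 ps aux'

printf '%s\n' "$SAMPLE_NETSTAT" | netstat_irc
printf '%s\n' "$SAMPLE_PS" | ps_irc
```

On the sample, `netstat_irc` reports the listener on 6667 and the unrelated-looking `perl` process with an outbound 6667 connection (the case the name filter would miss), while `ps_irc` reports only the `./ircd` command line; cPanel's `entropychat` is not flagged by either. Once you have a PID, `kill` it and then look at how it was started (init.d, xinetd, crond, or a web-served CGI, all of which come up elsewhere in this thread); killing the process without removing its launcher is why it "comes back".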
Dude.. IRC is a protocol. Were people running clients or servers from your server?
Anyway. From your `ps aux` output I can't see anything. Is "IRC" still being run from your servers? |
Also, do you know who started the IRC processes on the machine? If you have no users, then most likely you left an unsecured server exposed to the internet. If this is the case, I'd strongly recommend a reinstall as none of the system can be trusted now.
|
God damn it you're right runnerfrog:) I completely missed the entropychat entry. And I've looked over the list twice. Argh. I don't think "javascript" IRC servers are possible :-/ Perhaps Java server. I guess it's something related to cPanel. It's too bad the OP can't really clarify things for us.
|
Sorry to be back because I was institutionalized :)
punjabipredator, very, very late I pay attention to this: "root@cpanel", man! That cpanel thing includes some chat server, sometimes "entropychat", sometimes "melange", sometimes both. From inside cpanel you should be able to tell that thing to stop loading (I don't have experience with that proprietary stuff like cpanel; maybe you can't). Here you have a cpanel demo (user:demo passwd:demo): http://e-serves.net:2082/frontend/rvblue/index.html see the "java/cgi chat room" under "preinstalled scripts"... anyway, what's apparently starting it can be this cgi code in some webpage served by your apache: Code:
<form target="entropychat" action="http://your.server.here.com:2084/"> http://your.server.here.com/cgi-sys/...erver.here.com |
First of all, I came here to get help, not to be bashed around. I am new to Linux; I have a few months' experience, and my title is irrelevant to this issue. If I were a Linux expert I wouldn't be here asking for your help. I can install and configure certain things, and that does not make me an expert. I did run netstat and found nothing. Before, it had ircd running, and I got rid of that by rebooting and also restarting httpd. Then I enabled this in cpanel: "Compilers Tweak: This tweak will disable the system's c and c++ compilers for unprivileged. Many canned exploits require a working c on the system. You can also choose to allow some users to use the compilers while they remain disabled by default." Now I don't have any ircd running, but I do not want that happening again, and I am not 100% sure if I have fixed this issue or not, so I would like your opinion on this.
|
Your answer is inside cpanel, as we said before, and I do not have the experience with that specific proprietary admin app, so I leave this until cpanel gets GPL'd. EDITED: my grammar (?). |
I have resolved the issue. It has been over 8 hours and no bandwidth has gone out of the servers, and I also checked netstat and nothing of ircd is showing up. I enabled this in cpanel: "Compilers Tweak: This tweak will disable the system's c and c++ compilers for unprivileged. Many canned exploits require a working c on the system. You can also choose to allow some users to use the compilers while they remain disabled by default." Also, I was not hacked, because nothing was installed; there were 1-2 txt files and that was about it. I removed those and then did what I listed above, and it has solved the issue. I was told by a support tech to do the following to secure my server against ircd: "You can secure the server against ircd using whm options, chkrootkit, Rk hunter, Mod_security etc." I will be doing that, and thanks to everyone that helped out, including runnerfrog.
Thank You |