Linux - General: This Linux forum is for general Linux questions and discussion.
Many systems start it from the ../init.d/ircd file; maybe on others it can be found in inetd or xinetd too. The whole thing is just to disable the service from there. If you have webmin working, it's the same: disable it from System/start-stop (I'm translating the menus). (And Happy Holidays!)
EDIT: Sorry, if you don't need the service, uninstall the package and they will never come back, for sure, unless you want to serve one network and not another, which implies firewalling.
Last edited by runnerfrog; 12-24-2006 at 08:46 PM.
I have no idea what you said. I am new to Linux still and don't know much. I have installed firewall software such as APF and BDF, but they are not doing anything, and I have had 2 servers that have been taken over by IRC. I need a way in which I can kill them off and also ban any IRC on my servers.
Three options: 1) Matir's one, disable problematic accounts; 2) uninstalling the irc package, bye bye... but, W.C.S. (or almost worst case scenario), maybe your users have gained privileges to start an irc service, so: 3) "killall ircd" will disable any service with that name for the moment, and... so much to do; anybody want to help with a to-do list here? I'm sorry to say this, but more than help you need to learn about networks and security (mostly account privileges and permissions, firewalling, and IDS); it is very strange that you are a newbie and a network administrator at the very same time, isn't it? Start by telling us your server's distro, please, and as root run "ps aux" and post the output.
EDIT: corrected to "ps aux" instead of "ps ax".
Last edited by runnerfrog; 12-24-2006 at 10:27 PM.
I don't have any user accounts; this is a new server that was built a few hours ago. I am not a server admin and never said I was. I asked my tech support and they told me I had IRC running; I checked and found out I was. I slowly killed off most of them, but I want to make sure they never come back and basically ban all IRC from my server. I know how to install scripts/programs and configure them, so if you guys know any good tool please let me know so I can use it. I am using Redhat Linux ES 4 (32 bit).
Eh.. actually. Who says his users don't grab some IRCD source, build it, don't install it and run it? Who says the executable name is "ircd" or anything remotely similar? Who says they're using the standard ports?
BUT. I'm looking at the topic of the thread and then at the OP's posts. I'm thinking that he means people are running IRC clients rather than IRC servers?
Also.. I'm not sure but MAYBE these users rooted his box:
Quote:
make sure they never come back
(who's "they");
Quote:
i have had 2 servers that have been taken over by irc
Perhaps he's talking about the attackers installing psyBNC on his compromised hosts [a common thing for script kiddies to do].
So, mr punjabipredator: have you been hacked?
Quote:
it is very strange that you are a newbie and network administrator at the very same time, isn't?
Strange would be something that doesn't happen very often. I don't think that's the case. I believe the above situation is fairly common. Stupid? You bet.
--
So anyway. Show the following (type those commands and copy+paste the result):
Code:
ps aux
Code:
netstat -tunap
--
EDIT: posted after/during previous OP post in which ps aux is given.
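Putting the two commands together, as an added example that is not part of any post in this thread: a small POSIX sh helper that applies the heuristics runnerfrog ("killall ircd", look at "ps aux") and introuble (check "netstat -tunap") use by hand to saved `ps aux` and `netstat -tunap` output. Everything in the sample data is constructed (PIDs, paths and addresses are invented; the 5190/entropychat entry just mirrors the one discussed later in the thread). The process names it looks for (ircd, psybnc, eggdrop, entropychat, melange) and the port range 6660-6669/7000 are my assumptions about common IRC software, not something the posts specify. As introuble points out, a renamed binary on a non-standard port defeats name and port checks, so the script also flags anything executing out of /tmp, /var/tmp, /dev/shm or a dot-directory, and prints the /proc checks to run before killing anything.

```shell
#!/bin/sh
# Added example (not from the original thread): flag IRC-looking processes
# and sockets in saved `ps aux` / `netstat -tunap` output, then print the
# checks to run before killing them. All sample data below is CONSTRUCTED.

# Constructed `ps aux` output with the header line removed. PIDs and paths
# are invented; 5190/entropychat mirrors the entry discussed in the thread.
PS_SAMPLE='root         1  0.0  0.1   2040   600 ?        Ss   Dec24   0:01 init [3]
nobody    5190  0.0  0.4  18400  2300 ?        S    Dec24   0:00 /usr/local/entropychat/entropychat
apache    2211  0.0  0.8  30100  4100 ?        S    Dec24   0:03 /usr/sbin/httpd
nobody    6021  0.1  0.5  21000  2700 ?        S    Dec24   0:12 /tmp/.x/httpd
user1     7010  0.0  0.3  12000  1800 ?        S    Dec24   0:02 ./psybnc'

# Constructed `netstat -tunap` output with the header lines removed.
NETSTAT_SAMPLE='tcp        0      0 0.0.0.0:22            0.0.0.0:*             LISTEN      812/sshd
tcp        0      0 0.0.0.0:80            0.0.0.0:*             LISTEN      2211/httpd
tcp        0      0 0.0.0.0:6667          0.0.0.0:*             LISTEN      6021/httpd
tcp        0      0 10.0.0.5:48120        192.0.2.10:6667       ESTABLISHED 7010/psybnc
tcp        0      0 0.0.0.0:31337         0.0.0.0:*             LISTEN      7010/psybnc
udp        0      0 0.0.0.0:123           0.0.0.0:*                         901/ntpd'

# flag_ps PS_TEXT: print PIDs whose command line names common IRC software
# (assumed list) or whose executable runs from a scratch or dot-directory,
# where dropped tools usually live. Names are only a heuristic: a renamed
# binary passes this check, which is why the /proc inspection below matters.
flag_ps() {
    printf '%s\n' "$1" | awk '
        NF >= 11 {
            cmd = ""
            for (i = 11; i <= NF; i++) cmd = cmd " " $i
            exe = $11
            if (cmd ~ /[ \/](ircd|psybnc|bnc|eggdrop|entropychat|melange)/ ||
                exe ~ /^\/(tmp|var\/tmp|dev\/shm)\// ||
                exe ~ /\/\./)
                print $2
        }'
}

# flag_netstat NETSTAT_TEXT: print PIDs of sockets whose local or remote
# port is in the range IRC normally uses (assumed: 6660-6669 and 7000).
# A LISTEN socket's remote port is "*", which parses as 0 and is ignored.
flag_netstat() {
    printf '%s\n' "$1" | awk '
        function port(addr,   parts, n) { n = split(addr, parts, ":"); return parts[n] + 0 }
        function irc(p) { return (p >= 6660 && p <= 6669) || p == 7000 }
        $1 ~ /^(tcp|udp)/ && $NF ~ /^[0-9]+\// {
            split($NF, prog, "/")
            if (irc(port($4)) || irc(port($5))) print prog[1]
        }'
}

# suspect_pids PS_TEXT NETSTAT_TEXT: union of both checks, one PID per line.
suspect_pids() {
    { flag_ps "$1"; flag_netstat "$2"; } | sort -n | uniq
}

# triage_commands PS_TEXT NETSTAT_TEXT: for each suspect, print the commands
# to run by hand. Nothing is killed by this script. A "(deleted)" exe link
# or a cwd under /tmp is strong evidence; kill -9 removes the process only,
# not whatever restarted it (cron, rc script, a web shell), so look for that.
triage_commands() {
    suspect_pids "$1" "$2" | while read -r pid; do
        printf 'ls -l /proc/%s/exe /proc/%s/cwd   # (deleted) exe or cwd in /tmp = hostile\n' "$pid" "$pid"
        printf 'kill -9 %s\n' "$pid"
    done
}

triage_commands "$PS_SAMPLE" "$NETSTAT_SAMPLE"
```

On a real box, save the output first (`ps aux > ps.txt; netstat -tunap > ns.txt`) and call `suspect_pids "$(cat ps.txt)" "$(cat ns.txt)"`; keeping the files also gives you evidence if the machine turns out to be compromised, in which case the reinstall advice further down the thread applies and killing processes is only a stopgap.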
Originally posted by introuble:
From your `ps aux` output I can't see anything.
Hi, introuble. Maybe you missed "entropychat", started by user "nobody", with PID 5190; unless it's harmless, because I never knew of it... I don't know what it is, besides a javascript-based irc server. Maybe it comes from the webserver, that's possibly why the nobody user started it, or maybe it was started by a script, or an overprivileged user (a scriptkiddie, the most common), or even the admin himself, god knows. Maybe punjabipredator (basing myself on his/her name) has escalated privileges enough to kill services there, but in that case (talking about what can be stupid) coming here to ask surely would be. I'm too paranoid to go on; I'll have to forget this thread to preserve my health.
Also, do you know who started the IRC processes on the machine? If you have no users, then most likely you left an unsecured server exposed to the internet. If this is the case, I'd strongly recommend a reinstall as none of the system can be trusted now.
God damn it, you're right runnerfrog, I completely missed the entropychat entry. And I've looked over the list twice. Argh. I don't think "javascript" IRC servers are possible :-/ Perhaps a Java server. I guess it's something related to cPanel. It's too bad the OP can't really clarify things for us.
Quote:
Also, do you know who started the IRC processes on the machine? If you have no users, then most likely you left an unsecured server exposed to the internet. If this is the case, I'd strongly recommend a reinstall as none of the system can be trusted now.
Problem is, who's to say that after he reinstalls he won't make the exact same mistakes as the first time and get owned in the same way, etc. [if he did get owned, that is]
Originally posted by introuble:
I don't think "javascript" IRC servers are possible
Did I say javascript? Yes, wow! I'm lost, truly.
punjabipredator, very, very late I pay attention to this: "root@cpanel", man! That cpanel thing includes some chat server, sometimes "entropychat", sometimes "melange", sometimes both. From inside cpanel you should be able to tell that thing to stop loading (I don't have experience with proprietary stuff like cpanel; maybe you can't). Here you have a cpanel demo (user: demo, passwd: demo): http://e-serves.net:2082/frontend/rvblue/index.html
See the "java/cgi chat room" under "preinstalled scripts"... anyway, what's apparently starting it can be this cgi code in some webpage served by your apache:
First of all, I came here to get help, not be bashed around. I am new to Linux, I have a few months' experience, and my title is irrelevant to this issue; if I was a Linux expert I wouldn't be here asking for your help. I can install and configure certain things, and that does not make me an expert. I did run netstat and found nothing; before, it had ircd running, and I got rid of that by rebooting and also restarting httpd. Then I enabled this in cPanel: Compilers Tweak: "This tweak will disable the system's C and C++ compilers for unprivileged users. Many canned exploits require a working C compiler on the system. You can also choose to allow some users to use the compilers while they remain disabled by default." Now I don't have any ircd running, but I do not want that happening again, and I am not 100% sure if I have fixed this issue or not, so I would like your opinion on this.
Last edited by punjabipredator; 12-25-2006 at 03:19 AM.
Quote:
First of all, I came here to get help, not be bashed around.
No, please, do not think that; it wasn't the intention at all, but excuse my words as far as you can. I was joking myself, if you read again, 'cos I just couldn't find what I was looking for, and being tired of getting paranoid, something usual for me. Believe me, it's true.
Your answer is inside cpanel, as we said before, and I do not have the experience with that specific proprietary admin app, so I leave this until cpanel gets GPL'd.
EDITED: my grammar (?).
Last edited by runnerfrog; 12-25-2006 at 03:33 AM.
I have resolved the issue; it has been over 8 hours and no bandwidth has gone out of the servers, and I also checked netstat and nothing of ircd is showing up. I enabled this in cPanel: Compilers Tweak: "This tweak will disable the system's C and C++ compilers for unprivileged users. Many canned exploits require a working C compiler on the system. You can also choose to allow some users to use the compilers while they remain disabled by default." Also, I was not hacked, because nothing was installed; there were 1-2 txt files and that was about it. I removed those and then did what I listed above, and it has solved the issue. I was told by a support tech to do the following to secure my server against ircd: "You can secure the server against ircd using WHM options, chkrootkit, Rkhunter, mod_security etc." I will be doing that, and thanks to everyone that helped out, including runnerfrog.
Thank You
Last edited by punjabipredator; 12-25-2006 at 03:49 AM.
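For readers without cPanel, here is the hand-rolled equivalent of the "disable the C and C++ compilers for unprivileged users" tweak the poster enabled. This is an added example, not cPanel's code and not something from the thread; it assumes the tweak amounts to making the compiler binaries mode 0750 and group-owned by a dedicated group, so only root and that group's members can run them. The prefix, the group name and the compiler list are assumptions to adjust for the box. The caveat the thread itself raises still stands: this stops a low-privilege account from building an ircd from source on the server, but does nothing against an attacker who uploads a prebuilt binary or runs a bouncer written in perl or php.

```shell
#!/bin/sh
# Added example (not from the thread and not cPanel's code): the hand-rolled
# equivalent of "disable the C and C++ compilers for unprivileged users",
# assumed to mean: compilers become mode 0750, group-owned by a dedicated
# group, so only root and that group's members can run them. Paths, the
# group name and the compiler list are assumptions; adjust for your box.
# Caveat: this stops "./configure && make" by a low-privilege user, not an
# attacker who uploads a prebuilt binary or uses perl/python/php instead.

PREFIX="${PREFIX:-/usr/bin}"                   # where the compilers live (assumed)
COMPILER_GROUP="${COMPILER_GROUP:-compiler}"   # hypothetical group name
COMPILERS="gcc cc g++ c++ cpp"                 # assumed list; add gcc-<ver> etc.

# others_can_exec FILE: true if the "other" execute bit is set. Reads the
# tenth column of ls -l rather than stat(1), whose flags differ across systems.
others_can_exec() {
    [ "$(ls -ld "$1" | cut -c10)" = "x" ]
}

# restrict_compilers DIR GROUP: chgrp/chmod each compiler found in DIR and
# print its path. chmod and chgrp follow symlinks, so cc -> gcc links end up
# restricting the real binary. Returns 1 if no compiler was found in DIR.
restrict_compilers() {
    dir=$1; grp=$2; found=0
    for name in $COMPILERS; do
        f="$dir/$name"
        [ -e "$f" ] || continue
        found=1
        chgrp "$grp" "$f" 2>/dev/null || printf 'warning: cannot chgrp %s to %s\n' "$f" "$grp" >&2
        chmod 0750 "$f"
        printf '%s\n' "$f"
    done
    [ "$found" -eq 1 ]
}

# Only touch the real system when asked explicitly (needs root).
case "${1:-}" in
    --apply) restrict_compilers "$PREFIX" "$COMPILER_GROUP" ;;
    *) printf 'usage: %s --apply   (PREFIX=%s COMPILER_GROUP=%s)\n' "$0" "$PREFIX" "$COMPILER_GROUP" ;;
esac
```

Create the group first (`groupadd compiler`), run the script with `--apply` as root, then verify from an ordinary account with `su - someuser -c 'gcc --version'`, which should fail with "Permission denied". Package upgrades can reset the permissions, so re-run it after updating gcc.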