[SOLVED] Connections to IRC server, and it's not me
For some time now I've been noticing the network activity light for my Linux box blinking like mad on my router. After a little looking around for ways to see what connections my box has established, I found the following using lsof -i
I know I'm not using IRC, and I have my sshd locked down fairly tight, requiring a key to log in, so obviously, it looks like there's something or somebody in Croatia (the origin of that IP address) connecting my system to undernet.org for some nefarious purpose. Looking at my processes, ID 13839 shows up as
13839 ? S 0:00 bash
Just 'bash', not '-bash' as
13426 pts/0 S 0:00 -bash
my session appears. Previously, this odd bash process was ID 2704, which seemed to imply that it had launched fairly soon after my system booted up, which really makes me wonder. Oh, and yes, I did kill that 2704 process, and it returned as this 13839. 2704 also had those same IRC connections present in lsof.
Any ideas on where I might start with this? This kind of hacker crap really stresses me out.
to check what's going on. posting of outputs is welcome.
it looks like you're rooted.
IRC is the most used bot control proto.
when you find that malicious app creating connections let us know. Perhaps it's that "bash". Check where it is located. Run rkhunter and other rootkit-checkers.
IIWY I'd also inspect the binary to see if I can find out some details regarding (at least) the IRC connection it's making. Perhaps, if it's joining any particular channel - I'd drop by and say "Hello". Also, what distribution are you using, and where do you stand as far as up-to-date...-ness goes?
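As an added example (not from any post in this thread), here is the pair of checks the replies above boil down to, as a script: pick the IRC-port connections out of `lsof -nP -i` output, then look behind the PID via /proc to see where the process really lives. The lsof lines are constructed with documentation address ranges and made-up PIDs; they are not the OP's attachment.

```shell
#!/bin/sh
# Added example, not from the thread.  Triage established network connections
# the way the OP did with `lsof -i`, then look behind a suspicious PID.
# The lsof output below is constructed (documentation address ranges, made-up
# PIDs); it is not the OP's attachment.

LSOF_SAMPLE='COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     1203   root    3u  IPv4   5821      0t0  TCP *:22 (LISTEN)
httpd    1350 apache    4u  IPv4   6012      0t0  TCP *:80 (LISTEN)
sshd    13420   root    3u  IPv4  50987      0t0  TCP 192.0.2.10:22->203.0.113.5:51022 (ESTABLISHED)
bash    13839 apache    3u  IPv4  51234      0t0  TCP 192.0.2.10:48173->198.51.100.7:6667 (ESTABLISHED)'

# Print "PID COMMAND" for each established connection whose remote port is in
# the usual IRC range (6660-6669, 7000).  Feed it `lsof -nP -i` so that lsof
# prints numeric ports; without -P the port shows up as a name such as "ircd".
find_irc_conns() {
    awk '/->[^ ]+:(666[0-9]|7000) \(ESTABLISHED\)/ { print $2, $1 }'
}

# Show what a PID really is: the binary it was started from (readlink on
# /proc/PID/exe appends "(deleted)" if the file was removed after launch),
# its working directory, its argv (a login shell shows "-bash"; a renamed
# bot is just "bash", usually with an odd cwd) and its parent PID.
# Needs root to read another user's process.
inspect_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no /proc/$pid: process gone or no procfs"; return 1; }
    echo "exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
    echo "cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')"
    echo "cmdline=$(tr '\0' ' ' < "/proc/$pid/cmdline")"
    echo "ppid=$(awk '/^PPid:/ { print $2 }' "/proc/$pid/status")"
}

# Usage: first against the constructed sample, then against a live process
# (this shell), which is what you would do with the PID lsof reported.
printf '%s\n' "$LSOF_SAMPLE" | find_irc_conns | while read -r pid cmd; do
    echo "suspect: pid=$pid command=$cmd"
done
inspect_pid "$$" || echo "(run this part on the Linux box itself)"
```

Against the sample, `find_irc_conns` reports only `13839 bash`; the sshd session to a high remote port is left alone. The /proc look-up is what answers "check where it is located": a shell whose exe is not /bin/bash, whose cwd is somewhere under /tmp or a dot-directory, or whose parent is crond rather than sshd, is the process to chase. If the box is rooted, a kernel rootkit can hide the process from ps, lsof and /proc alike, which is why the replies also point at rkhunter and, ultimately, at not trusting the box.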
The outputs clocked in at about 280k so I've attached them as text files since I was way over the 30k character limit otherwise. As for what I'm running, it's Fedora Core 6. I honestly couldn't tell you how up to date I am on everything since this system is used as a webserver and so I'm not frequently logging into it and tinkering with its stuff.
Last edited by mrkorb; 02-05-2010 at 12:58 AM. Reason: Attachments removed
So I headed over to /etc/crond and found this nice little eggdrop bot running. I stop crond, kill the fake bash process, chmod'd all the script files they had in there to -x, and moved all that crap out. Started crond again, and guess what didn't start running again almost immediately like it had before.
I think I'll leave the system unplugged from the network for a few more hours, making sure that the process doesn't start up again somehow, but I'm feeling pretty confident about this.
Oh, I know how I was compromised. It was about 3 months ago, they got in using a phpMyAdmin exploit, which I promptly took down. At the time I also had the default insecure sshd configuration, which I tightened up to the point where even I have problems logging in on occasion. This IRC bot was likely left over from that intrusion and I just hadn't caught it until now. If they manage to reestablish themselves, then I'll certainly start thinking about installing a newer OS, but I'm pretty confident that it's much harder now than it was 3 months ago to get into my box.
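The post above is the usual shape of this kind of persistence: killing the process does nothing while a cron entry respawns it. As an added example (not the OP's script or the bot's files), here is a small audit of crontab lines that flags the entries worth looking at. The crontab text is constructed; the "apache" user and the paths are assumptions, not what was on the OP's box.

```shell
#!/bin/sh
# Added example, not from the thread.  Audit cron entries for the kind of
# persistence the OP found: a bot that cron relaunches whenever it is killed.
# The crontab text below is constructed; the "apache" user and the paths are
# assumptions, not what was on the OP's box.

CRON_SAMPLE='# constructed /etc/cron.d contents: two benign entries, two bot entries
*/10 * * * * root /usr/lib64/sa/sa1 1 1
MAILTO=root
* * * * * apache /var/tmp/.x/bash >/dev/null 2>&1
@reboot apache cd /dev/shm/.e && ./eggdrop -m eggdrop.conf
0 3 * * * root /usr/bin/updatedb'

# Read crontab lines on stdin and print "REASON<TAB>COMMAND" for entries that
# look like persistence: run at boot, run from a world-writable directory, or
# reference a hidden path.  Argument 1 is 1 for system crontabs (/etc/crontab,
# /etc/cron.d/*, which carry a user field) and 0 for per-user crontabs.
suspicious_cron() {
    awk -v has_user="${1:-1}" '
        /^[ \t]*(#|$)/ { next }                         # comment or blank
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ { next }        # MAILTO=, PATH=, ...
        {
            # "@reboot [user] cmd" or "m h dom mon dow [user] cmd"
            start = ($1 ~ /^@/ ? 2 : 6) + has_user
            cmd = ""
            for (i = start; i <= NF; i++) cmd = cmd (i > start ? " " : "") $i
            reason = ""
            if ($1 == "@reboot") reason = "runs at boot"
            if (cmd ~ /(^|[ ;&|=])\/(tmp|var\/tmp|dev\/shm)\//) {
                if (reason != "") reason = reason "; "
                reason = reason "runs from world-writable dir"
            }
            if (cmd ~ /\/\.[^\/ ]+/) {
                if (reason != "") reason = reason "; "
                reason = reason "hidden path"
            }
            if (reason != "") printf "%s\t%s\n", reason, cmd
        }'
}

# Usage on the constructed sample.  On the box itself:
#   cat /etc/crontab /etc/cron.d/* | suspicious_cron 1
#   for u in $(cut -d: -f1 /etc/passwd); do crontab -l -u "$u" 2>/dev/null | suspicious_cron 0; done
# Also read /etc/cron.hourly etc. and the rc scripts, and remove the entry that
# respawns the process before killing the process.
printf '%s\n' "$CRON_SAMPLE" | suspicious_cron 1
```

On the sample this prints two lines, the `/var/tmp/.x/bash` entry and the `@reboot` eggdrop entry, and stays quiet about sa1 and updatedb. It is a heuristic, not a rootkit scanner: an entry pointing at a legitimately named path under /usr/bin can still be a replaced binary, which is a job for package verification rather than for reading crontabs.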
An unsupported OS can lead to more compromises. You also want to verify that your binaries and kernel weren't altered.
They could have created their own back doors in the time they controlled your server.
There are a lot of things they could have done, yes, I agree. They just haven't. Does it make sense for nothing else to have happened in the last 3 months? I'm completely open to the possibility that this IRC bot was put on the box sometime since I shored up security in November, but it seems improbable to me that a measly IRC bot is all they did with it. They haven't taken over root (which they did the first time), they haven't added users (which they did the first time), they haven't touched the Apache installation (which they did the first time), they haven't done anything vaguely useful with it. This leads me to believe that they have been shut out, and this bot was a leftover from that initial break in. Just because I believe it doesn't make it fact, I'll agree with you, but until there is any evidence to the contrary (and I still have yet to run a rootkit detection program), I have no reason to believe that a problem still exists. I appreciate your concern, but I'm feeling pretty safe about things. Believe me, if something else happens, nobody's gonna be pointing fingers at myself for being too lax more than I will be.
Any chance to see that bot? Did you remove it?
I'd like to see what it is and try to run it in my virtual machine to investigate what it is. I'm always curious about such things.
If you didn't remove it, can you mail it to me (use the menu on my nickname on the post)?
Does it make sense (..) it seems improbable (..) They haven't taken over root (..) This leads me to believe that (..) (..) I'm feeling pretty safe about things.
You run a deprecated release, you run insecure SW, admit to having your machine cracked months ago, and you patched it up. At this point you really should consider doing the right thing and not drag things on: arguing doesn't make sense, ensuring integrity does. Given that the machine's security was breached, that means starting from scratch (as I'm pretty sure you are not able to verify machine integrity the right way), not patching things up as you go. You may think it is OK to hold a certain risk for you, but it also is a risk to other Internet users, meaning us all. However, if you still want to have a go at verifying machine state let us know, OK?
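As an added example (not from the thread), here is what the "verify that your binaries and kernel weren't altered" advice looks like on a Fedora box: `rpm -Va` compares every packaged file against the digests, sizes and modes recorded in the rpm database, and this filter reduces its noisy report to package-managed binaries and libraries that were replaced, re-moded or removed. The report lines are constructed, not output from the OP's system.

```shell
#!/bin/sh
# Added example, not from the thread.  Fedora keeps digests, sizes and modes of
# every packaged file in the rpm database, and `rpm -Va` reports what differs.
# This filters that report down to package-managed binaries and libraries that
# were replaced, re-moded or removed.  The report lines below are constructed.

# rpm -Va line format: a block of flag columns (S size, M mode, 5 digest,
# D device, L symlink, U user, G group, T mtime; newer rpm adds P for
# capabilities), then an optional attribute letter, then the path.
# "." means unchanged; attribute "c" marks a config file, "d" documentation.
RPMVA_SAMPLE='S.5....T.  c /etc/ssh/sshd_config
.......T.  d /usr/share/doc/foo/README
S.5....T.    /bin/ls
.M.......    /usr/bin/passwd
S.5....T.    /usr/sbin/sshd
missing     /usr/lib64/libcrypt.so.1'

changed_binaries() {
    awk '
        function bindir(p) {
            return p ~ /^\/(bin|sbin|lib|lib64|usr\/(bin|sbin|lib|lib64|libexec))\//
        }
        $1 == "missing" { if (bindir($2)) print "missing", $2; next }
        {
            flags = $1; attr = (NF == 3) ? $2 : ""; path = $NF
            if (attr == "c" || attr == "d") next   # edited configs and docs are expected noise
            if (!bindir(path)) next
            if (substr(flags, 3, 1) == "5" || substr(flags, 1, 1) == "S") print "digest", path
            else if (substr(flags, 2, 1) == "M") print "mode", path
        }'
}

# Usage on the constructed sample.  On the box: rpm -Va 2>/dev/null | changed_binaries
printf '%s\n' "$RPMVA_SAMPLE" | changed_binaries
```

On the sample this reports /bin/ls and /usr/sbin/sshd as replaced, /usr/bin/passwd with a changed mode and a missing libcrypt, while the edited sshd_config and the touched README are dropped as expected noise. The caveat is the one unSpawn is making: on a rooted box the rpm binary, the rpm database and the kernel itself may all have been altered, so a clean result from the running system proves little. The check only carries weight when run from known-good rescue media against the mounted disk (`rpm --root /mnt/target -Va`), or better, against freshly downloaded packages with `rpm -Vp`, and even then it says nothing about files no package owns. That is why the reply above says to rebuild rather than verify.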