Re: Security Breach ?

Chris Strzelczyk wrote:
> Hello,
>
> Upon checking my MRTG stats on a webserver I am running, I found my traffic to be up considerably and the server to be a bit slow. After taking a look at my active connections to processes with netstat -nap I found these to be scary:
>
> tcp 0 0 204.11.33.35:37326 161.53.2.81:6667 ESTABLISHED 16035/-bash

A login shell connected to an IRC server? Not likely. Are users allowed to log in to this machine? If they are, it might be some regular user who installed eggdrop or some similar IRC bot, and named it "-bash" in a naive attempt to hide it.


To find out who is running it, try out:

   ps -ef | grep 16035

Or to see what files the process currently keeps open (might help to find where the binary is located):

   lsof -p 16035

Try to nail down the user who is running it, and contact him to confirm that he did that. If you can't confirm, or the user is unaware that an IRC bot is running under his account, chances are somebody broke into the machine.

If users are not allowed to have shell accounts on the machine, most likely somebody broke into your machine and installed an IRC bot waiting for remote commands from some IRC channel.

As for rootkit checking tools, they are not always efficient in detecting root kits, especially when kernel modules are used to hide them. In that case, you might need to boot from a Rescue CD to really see what you have on the disk... Although, if you are able to see that "-bash" process with netstat, most likely there's no kernel module installed (on the other hand, it might be a lousily written module that doesn't manage to hide everything).

--
Aleksandar Milivojevic <amilivojevic@xxxxxx>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
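Putting the netstat, ps and lsof steps from the reply above together, as an added example that is not from the original thread: a POSIX shell script that picks established connections to IRC ports out of netstat -nap output (a constructed sample stands in for a live run), flags process names that masquerade as a login shell, and for a live PID reports the owner and the real binary behind the name via /proc. The IRC port range and the list of shell names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Constructed sample of
# netstat -nap output; the first line is the one quoted in the thread.
SAMPLE_NETSTAT='tcp 0 0 204.11.33.35:37326 161.53.2.81:6667 ESTABLISHED 16035/-bash
tcp 0 0 204.11.33.35:80 10.0.0.5:51234 ESTABLISHED 1200/httpd
tcp 0 0 204.11.33.35:22 10.0.0.7:40000 ESTABLISHED 1301/sshd'

# Read netstat -nap lines on stdin; print "pid name remote" for every
# established TCP connection whose remote port is a common IRC port
# (6660-6669 or 6697; assumed range). Header lines are skipped.
irc_connections() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" {
        n = split($5, r, ":"); port = r[n] + 0
        if ((port >= 6660 && port <= 6669) || port == 6697) {
            split($7, p, "/"); print p[1], p[2], $5
        }
    }'
}

# A real login shell has no reason to hold an outbound IRC socket, so a
# process carrying a shell name plus such a socket is suspect.
looks_like_shell_name() {
    case "$1" in -bash|bash|-sh|sh|-zsh|zsh) return 0 ;; *) return 1 ;; esac
}

# For a live PID: owner (ps), real binary and working directory (/proc).
# Not exercised against the constructed sample; needs a running process.
inspect_pid() {
    pid="$1"
    owner=$(ps -o user= -p "$pid" 2>/dev/null)
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null)
    echo "pid=$pid owner=${owner:-?} exe=${exe:-?} cwd=${cwd:-?}"
}

# Triage the sample: one line per IRC connection with a verdict.
triage() {
    printf '%s\n' "$SAMPLE_NETSTAT" | irc_connections | while read -r pid name remote; do
        verdict="irc-connection"
        looks_like_shell_name "$name" && verdict="shell-named-irc-client"
        echo "$pid $name $remote $verdict"
    done
}

triage
```

On a live system replace the sample with `netstat -nap | irc_connections` and feed each reported PID to `inspect_pid` (and to the `lsof -p` check from the reply).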

