Hello,
Upon checking my MRTG stats on a webserver I am running I found my traffic to be up considerably and the server
to be a bit slow. After taking a look at my active connections to processes with netstat -nap I found these to be scary:
tcp 0 0 204.11.33.35:37326 161.53.2.81:6667 ESTABLISHED 16035/-bash
Login shell connected to IRC server? Not likely. Are users allowed to log in to this machine? If they are, it might be some regular user who installed eggdrop or some similar IRC bot and named it "-bash" in a naive attempt to hide it.
To find out who is running it, try out:
ps -ef | grep 16035
Or to see what files the process currently keeps open (might help to find where the binary is located):
lsof -p 16035
Try to nail down the user who is running it, and contact him to confirm that he did that. If you can't confirm, or the user is unaware that an IRC bot is running under his account, chances are somebody broke into the machine.
If users are not allowed to have shell accounts on the machine, most likely somebody broke into your machine and installed an IRC bot waiting for remote commands from some IRC channel.
As for rootkit checking tools, they are not always efficient in detecting rootkits, especially when kernel modules are used to hide them. In that case, you might need to boot from a rescue CD to really see what you have on the disk... Although, if you are able to see that "-bash" process with netstat, most likely there's no kernel module installed (on the other hand, it might be a lousily written module that doesn't manage to hide everything).
-- Aleksandar Milivojevic <amilivojevic@xxxxxx> Pollard Banknote Limited Systems Administrator 1499 Buffalo Place Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
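The triage the reply describes (spot an ESTABLISHED connection to an IRC port from a process pretending to be a login shell, then pin down who owns it and where its binary lives) as a small shell script. This is an added example, not code from the thread; the netstat lines in SAMPLE_NETSTAT are constructed for the demonstration and the PID 16035 is only the one quoted above. The /proc lookups assume Linux; on other systems only the ps line is printed.

```shell
#!/bin/sh
# Triage "netstat -nap" output for IRC bots hiding behind a shell-like name.

# Constructed sample of "netstat -nap" output (not captured from a real host).
SAMPLE_NETSTAT='tcp 0 0 204.11.33.35:37326 161.53.2.81:6667 ESTABLISHED 16035/-bash
tcp 0 0 204.11.33.35:80 10.0.0.5:51234 ESTABLISHED 1201/httpd
tcp 0 0 204.11.33.35:22 10.0.0.9:40022 ESTABLISHED 900/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 812/sendmail'

# Read netstat -nap lines on stdin; print "pid name remote" for every
# ESTABLISHED TCP connection that is either going to a common IRC port
# (6660-6669, 7000) or owned by a process whose name looks like a login
# shell ("-bash", "sh", "zsh", ...). A shell itself holding a TCP socket
# to a remote host is the oddity the thread is about.
flag_irc_shells() {
    awk '
      $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
        n = split($5, r, ":"); port = r[n] + 0
        split($7, p, "/"); pid = p[1]; name = p[2]
        irc   = (port >= 6660 && port <= 6669) || port == 7000
        shell = (name ~ /^-?(ba|z|k|c|tc)?sh$/)
        if (irc || shell) print pid, name, $5
      }'
}

# Same idea as "ps -ef | grep PID" plus "lsof -p PID": report the owner,
# the command line, the real executable and working directory. On Linux,
# readlink on /proc/PID/exe shows the binary path; a trailing " (deleted)"
# means the bot unlinked its own binary after starting, a common trick.
describe_pid() {
    pid=$1
    ps -o user= -o pid= -o args= -p "$pid" 2>/dev/null || echo "pid $pid not found"
    if [ -d "/proc/$pid" ]; then
        printf 'exe: %s\n' "$(readlink "/proc/$pid/exe" 2>/dev/null)"
        printf 'cwd: %s\n' "$(readlink "/proc/$pid/cwd" 2>/dev/null)"
    fi
}

# Run the sample through the filter and describe each flagged PID.
main() {
    printf '%s\n' "$SAMPLE_NETSTAT" | flag_irc_shells | while read -r pid name remote; do
        echo "suspicious: pid=$pid name=$name remote=$remote"
        describe_pid "$pid"
    done
}

# Only run the demo when executed directly, not when sourced.
[ "${0##*/}" = "irc_triage.sh" ] && main
```

Running it against the sample prints the 16035/-bash line and nothing for httpd, sshd or sendmail; on a live host, feed it `netstat -nap` and then confirm with the owner named by ps, exactly as the reply suggests, before assuming a compromise.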