Posted to users@httpd.apache.org by Eben Goodman <eb...@bakedbean.net> on 2005/06/06 23:34:15 UTC
[users@httpd] irc eggdrop exploit woes
I recently had an irc exploit on my server running this eggdrop relay
thing via apache. I was able to find the offending files and remove
them and the eggdrop processes went away for awhile, but now they are
back and try as I might I can't find any files that correspond to this
software. When viewing top it shows the eggdrop processes running as
apache. If I don't reboot the server for a couple days the eggdrop
apache processes start sucking up all cpu and gobbling bandwidth.
Has anyone else dealt with this?
thanks,
Eben
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] irc eggdrop exploit woes
Posted by "Ivan Barrera A." <Br...@Ivn.cl>.
Using lsof to look through weird files is useful too.
dan wrote:
> Eben Goodman wrote:
>
>> I recently had an irc exploit on my server running this eggdrop relay
>> thing via apache. I was able to find the offending files and remove
>> them and the eggdrop processes went away for awhile, but now they are
>> back and try as I might I can't find any files that correspond to this
>> software. When viewing top it shows the eggdrop processes running as
>> apache. If I don't reboot the server for a couple days the eggdrop
>> apache processes start sucking up all cpu and gobbling bandwidth.
>>
>> Has anyone else dealt with this?
>>
>> thanks,
>> Eben
>>
>
> Eben -
>
> If ps or top or whatnot properly displays the PID (you should not assume
> this, but it's something to start with), you can:
>
> ls -la /proc/{pid}/
>
> From there, if this is a poorly written trojan, you can examine 'exe'
> and 'cwd', among many other useful files in that directory, to find out
> where the trojan lives.
>
> From there, you can also 'strace -p {pid}' to find out a little more
> about what it's doing. Although this part is terribly vital, it will
> teach you more about how these kinds of things work, what they do, where
> they came from, and perhaps who is under control of it.
>
> Hope that helps
> -dant
>
Re: [users@httpd] irc eggdrop exploit woes
Posted by dan <in...@hostinthebox.net>.
Eben Goodman wrote:
> I recently had an irc exploit on my server running this eggdrop relay
> thing via apache. I was able to find the offending files and remove
> them and the eggdrop processes went away for awhile, but now they are
> back and try as I might I can't find any files that correspond to this
> software. When viewing top it shows the eggdrop processes running as
> apache. If I don't reboot the server for a couple days the eggdrop
> apache processes start sucking up all cpu and gobbling bandwidth.
>
> Has anyone else dealt with this?
>
> thanks,
> Eben
>
Eben -
If ps or top or whatnot properly displays the PID (you should not assume
this, but it's something to start with), you can:
ls -la /proc/{pid}/
From there, if this is a poorly written trojan, you can examine 'exe'
and 'cwd', among many other useful files in that directory, to find out
where the trojan lives.
From there, you can also 'strace -p {pid}' to find out a little more
about what it's doing. Although this part is terribly vital, it will
teach you more about how these kinds of things work, what they do, where
they came from, and perhaps who is under control of it.
Hope that helps
-dant
Re: [users@httpd] irc eggdrop exploit woes
Posted by dan <in...@hostinthebox.net>.
Ivan Barrera A. wrote:
> Using some packaged distro (such as Fedora) is pretty easy
>
> rpm -VVV on each package, and reinstall the affected ones (supposing
> that you have some binary replaced)
>
> The eggdrop.. you can wipe it out of the disk
>
> Eben Goodman wrote:
>
>>I actually know which user it got through on, it came in through an
>>insecure php nuke application. I have since removed the nuke app, but
>>the damage appears to be done, since this eggdrop crap is still running
>>on the server. Is there a way to find, and remove the software once it
>>has found its way on?
>>
>>thanks,
>>Eben
>>
>>Dan Mahoney, System Admin wrote:
>>
>>
>>>On Mon, 6 Jun 2005, Eben Goodman wrote:
>>>
>>>If you're doing multi-hosting, look into suexec. The fact that it
>>>runs CGIs as the user is kinda secondary to the fact that it shows
>>>you WHICH user uploaded the insecure script.
>>>
>>>For PHP scripts, I've had good luck running suPHP (which is not an
>>>official apache project, but something similar really should be).
>>>
>>>-Dan
>>>
>>>
>>>
>>>>I recently had an irc exploit on my server running this eggdrop relay
>>>>thing via apache. I was able to find the offending files and remove
>>>>them and the eggdrop processes went away for awhile, but now they are
>>>>back and try as I might I can't find any files that correspond to
>>>>this software. When viewing top it shows the eggdrop processes
>>>>running as apache. If I don't reboot the server for a couple days
>>>>the eggdrop apache processes start sucking up all cpu and gobbling
>>>>bandwidth.
>>>>
>>>>Has anyone else dealt with this?
>>>>
>>>>thanks,
>>>>Eben
>>>>
>>>
>>>--
>>>
>>>Amerikanskaya firma Transceptor Technology pristupila k poizvodstu
>>>komputerov "Personal'ni Sputnik"
>>>
>>>--Snap, "The Power"
>>>
Ivan's solution is not "acceptable" in terms of what you *should* do,
but nothing says that you *can't* have a compromised machine on your
network. I'd understand doing this if a) you just didn't care, or b)
you just don't care.
It's never safe to assume that a "little" compromise is as small as it
seems. Always save your data, and restore the OS. But hey, if you've
got some time to spare, by all means investigate the situation and learn
from it, and more importantly, what you can do to prevent it in the future.
During re-installation, make sure that all areas that Apache and PHP
have access to are on filesystems where the 'noexec' bit can be set.
This will make it so that no programs can be executed off of a given
mounted filesystem. Many people (myself included) make /tmp and
/var/tmp 'noexec' to prevent executions on temp filesystems which
*should* have no executions on them to begin with.
Hope that helps
-dant
Re: [users@httpd] irc eggdrop exploit woes
Posted by "Ivan Barrera A." <Br...@Ivn.cl>.
Using some packaged distro (such as Fedora) is pretty easy
rpm -VVV on each package, and reinstall the affected ones (supposing
that you have some binary replaced)
The eggdrop.. you can wipe it out of the disk
Eben Goodman wrote:
> I actually know which user it got through on, it came in through an
> insecure php nuke application. I have since removed the nuke app, but
> the damage appears to be done, since this eggdrop crap is still running
> on the server. Is there a way to find, and remove the software once it
> has found its way on?
>
> thanks,
> Eben
>
> Dan Mahoney, System Admin wrote:
>
>> On Mon, 6 Jun 2005, Eben Goodman wrote:
>>
>> If you're doing multi-hosting, look into suexec. The fact that it
>> runs CGIs as the user is kinda secondary to the fact that it shows
>> you WHICH user uploaded the insecure script.
>>
>> For PHP scripts, I've had good luck running suPHP (which is not an
>> official apache project, but something similar really should be).
>>
>> -Dan
>>
>>
>>> I recently had an irc exploit on my server running this eggdrop relay
>>> thing via apache. I was able to find the offending files and remove
>>> them and the eggdrop processes went away for awhile, but now they are
>>> back and try as I might I can't find any files that correspond to
>>> this software. When viewing top it shows the eggdrop processes
>>> running as apache. If I don't reboot the server for a couple days
>>> the eggdrop apache processes start sucking up all cpu and gobbling
>>> bandwidth.
>>>
>>> Has anyone else dealt with this?
>>>
>>> thanks,
>>> Eben
>>>
>>
>> --
>>
>> Amerikanskaya firma Transceptor Technology pristupila k poizvodstu
>> komputerov "Personal'ni Sputnik"
>>
>> --Snap, "The Power"
>>
>> --------Dan Mahoney--------
>> Techie, Sysadmin, WebGeek
>> Gushi on efnet/undernet IRC
>> ICQ: 13735144 AIM: LarpGM
>> Site: http://www.gushi.org
>> ---------------------------
>>
>>
>
Re: [users@httpd] irc eggdrop exploit woes
Posted by Eben Goodman <eb...@bakedbean.net>.
thanks for the help, found the files in /var/tmp... thanks again
Eben
Dan Mahoney, System Admin wrote:
> On Mon, 6 Jun 2005, Eben Goodman wrote:
>
> find / -user apache -print
>
> -Dan
>
>
>> I actually know which user it got through on, it came in through an
>> insecure php nuke application. I have since removed the nuke app,
>> but the damage appears to be done, since this eggdrop crap is still
>> running on the server. Is there a way to find, and remove the
>> software once it has found its way on?
>>
>> thanks,
>> Eben
>>
>> Dan Mahoney, System Admin wrote:
>>
>>> On Mon, 6 Jun 2005, Eben Goodman wrote:
>>>
>>> If you're doing multi-hosting, look into suexec. The fact that it
>>> runs CGIs as the user is kinda secondary to the fact that it shows
>>> you WHICH user uploaded the insecure script.
>>>
>>> For PHP scripts, I've had good luck running suPHP (which is not an
>>> official apache project, but something similar really should be).
>>>
>>> -Dan
>>>
>>>
>>>> I recently had an irc exploit on my server running this eggdrop
>>>> relay thing via apache. I was able to find the offending files and
>>>> remove them and the eggdrop processes went away for awhile, but now
>>>> they are back and try as I might I can't find any files that
>>>> correspond to this software. When viewing top it shows the eggdrop
>>>> processes running as apache. If I don't reboot the server for a
>>>> couple days the eggdrop apache processes start sucking up all cpu
>>>> and gobbling bandwidth.
>>>>
>>>> Has anyone else dealt with this?
>>>>
>>>> thanks,
>>>> Eben
>>>>
>>>
>>> --
>>>
>>> Amerikanskaya firma Transceptor Technology pristupila k poizvodstu
>>> komputerov "Personal'ni Sputnik"
>>>
>>> --Snap, "The Power"
>>>
>>> --------Dan Mahoney--------
>>> Techie, Sysadmin, WebGeek
>>> Gushi on efnet/undernet IRC
>>> ICQ: 13735144 AIM: LarpGM
>>> Site: http://www.gushi.org
>>> ---------------------------
>>>
>>>
>>
>
> --
>
> "I hate Windows"
>
> -Tigerwolf, Anthrocon 2004
>
> --------Dan Mahoney--------
> Techie, Sysadmin, WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144 AIM: LarpGM
> Site: http://www.gushi.org
> ---------------------------
>
>
Re: [users@httpd] irc eggdrop exploit woes
Posted by "Dan Mahoney, System Admin" <da...@prime.gushi.org>.
On Mon, 6 Jun 2005, Eben Goodman wrote:
find / -user apache -print
-Dan
> I actually know which user it got through on, it came in through an insecure
> php nuke application. I have since removed the nuke app, but the damage
> appears to be done, since this eggdrop crap is still running on the server.
> Is there a way to find, and remove the software once it has found its way
> on?
>
> thanks,
> Eben
>
> Dan Mahoney, System Admin wrote:
>
>> On Mon, 6 Jun 2005, Eben Goodman wrote:
>>
>> If you're doing multi-hosting, look into suexec. The fact that it runs
>> CGIs as the user is kinda secondary to the fact that it shows you WHICH
>> user uploaded the insecure script.
>>
>> For PHP scripts, I've had good luck running suPHP (which is not an official
>> apache project, but something similar really should be).
>>
>> -Dan
>>
>>
>>> I recently had an irc exploit on my server running this eggdrop relay
>>> thing via apache. I was able to find the offending files and remove them
>>> and the eggdrop processes went away for awhile, but now they are back and
>>> try as I might I can't find any files that correspond to this software.
>>> When viewing top it shows the eggdrop processes running as apache. If I
>>> don't reboot the server for a couple days the eggdrop apache processes
>>> start sucking up all cpu and gobbling bandwidth.
>>>
>>> Has anyone else dealt with this?
>>>
>>> thanks,
>>> Eben
>>>
>>
>> --
>>
>> Amerikanskaya firma Transceptor Technology pristupila k poizvodstu
>> komputerov "Personal'ni Sputnik"
>>
>> --Snap, "The Power"
>>
>> --------Dan Mahoney--------
>> Techie, Sysadmin, WebGeek
>> Gushi on efnet/undernet IRC
>> ICQ: 13735144 AIM: LarpGM
>> Site: http://www.gushi.org
>> ---------------------------
>>
>>
>
--
"I hate Windows"
-Tigerwolf, Anthrocon 2004
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
Re: [users@httpd] irc eggdrop exploit woes
Posted by zcat <zc...@maxnet.co.nz>.
Eben Goodman wrote:
> I actually know which user it got through on, it came in through an
> insecure php nuke application. I have since removed the nuke app, but
> the damage appears to be done, since this eggdrop crap is still running
> on the server. Is there a way to find, and remove the software once it
> has found its way on?
>
I would advise a reinstall. It usually works out to be the quickest and
surest way of recovering from a hack.
If you're _certain_ that they never had root, I guess you could find and
remove the files using pstree, netstat, fuser, and ls -a. (pstree -up to
find out what's spawning the rogue process, netstat and fuser to find
out what ports are open and what opened them, ls -a to find hidden
.files and .directories)
From my experience the bot scripts will be in a hidden .directory
somewhere apache can write to (usually /tmp or /dev/shm) and started by
the apache user's crontab.
If you have any reason to suspect that the attacker ever had root access,
reinstall the OS. They'll likely have installed all kinds of backdoors,
trojaned logins, kernel modules, and who knows what else. It's just not
practical to track down and remove all that stuff and you can never
really be sure you found everything.
--
Disclaimer: Any disclaimer attached to this message may be ignored.
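The checks dan (/proc/<pid>/exe and cwd), zcat (hidden dot-directories under /tmp or /dev/shm, the apache user's crontab) and dant (noexec temp filesystems) describe, gathered into one defender's sweep. This is an added example, not code from the thread or from the Apache project; it assumes a Linux /proc, a web server user named "apache" (override with WEBUSER), that the file is saved as web_triage.sh, and that it runs as root so other users' /proc/<pid>/exe links are readable.

```sh
#!/bin/sh
# Added example, not code from the thread: one sweep that automates what the
# replies suggest. dan: read /proc/<pid>/exe and cwd; zcat: hidden
# dot-directories under /tmp or /dev/shm and the web user's crontab; dant:
# keep temp filesystems noexec. Assumes Linux /proc, web user "apache"
# (override with WEBUSER), file saved as web_triage.sh, run as root.

WEBUSER="${WEBUSER:-apache}"
SUSPECT_DIRS="/tmp /var/tmp /dev/shm"
# True when some component of path $1 other than "." or ".." starts with a dot.
has_hidden_dir() {
    case "/$1/" in
        */.[!./]*/*) return 0 ;;
    esac
    return 1
}

# Judge one process from what /proc shows: exe link target, cwd link target,
# argv[0]. Prints one reason tag per line; returns 0 if flagged, 1 if clean.
classify_proc() {
    exe="$1"; cwd="$2"; argv0="$3"
    flagged=1
    # Binary unlinked after launch: the file is gone but the process keeps
    # running from the open inode (Eben's "removed it, still running").
    case "$exe" in
        *" (deleted)") echo "exe-deleted"; flagged=0 ;;
    esac
    for d in $SUSPECT_DIRS; do
        case "$exe" in "$d"/*) echo "exe-in-tmp"; flagged=0 ;; esac
        case "$cwd" in "$d"|"$d"/*) echo "cwd-in-tmp"; flagged=0 ;; esac
    done
    if has_hidden_dir "$exe" || has_hidden_dir "$cwd"; then
        echo "hidden-dir"; flagged=0
    fi
    # argv[0] naming a different program than the real binary is a disguise.
    exe_base="${exe%" (deleted)"}"; exe_base="${exe_base##*/}"
    argv_base="${argv0##*/}"
    if [ -n "$argv_base" ] && [ "$argv_base" != "$exe_base" ]; then
        echo "argv0-mismatch"; flagged=0
    fi
    return $flagged
}

# Walk /proc, keep processes owned by $WEBUSER, print the flagged ones.
triage_web_processes() {
    for p in /proc/[0-9]*; do
        owner=$(ls -ld "$p" 2>/dev/null | awk '{print $3}')
        [ "$owner" = "$WEBUSER" ] || continue
        exe=$(readlink "$p/exe" 2>/dev/null) || exe="?"
        cwd=$(readlink "$p/cwd" 2>/dev/null) || cwd="?"
        argv0=$(tr '\0' '\n' < "$p/cmdline" 2>/dev/null | head -n 1)
        tags=$(classify_proc "$exe" "$cwd" "$argv0" | tr '\n' ',')
        [ -z "$tags" ] || echo "${p#/proc/} ${tags%,} exe=$exe cwd=$cwd"
    done
    return 0
}

# Print the dirs in $1 whose filesystem is mounted without noexec. Reads
# /proc/mounts format (device mountpoint fstype options ...) on stdin.
dirs_missing_noexec() {
    awk -v dirs="$1" '
    NF >= 4 { opts[$2] = $4 }
    END {
        n = split(dirs, d, " ")
        for (i = 1; i <= n; i++) {
            best = ""
            for (m in opts)     # longest mount point that contains d[i]
                if ((m == "/" || m == d[i] || index(d[i], m "/") == 1) &&
                    length(m) > length(best)) best = m
            if (best != "" && ("," opts[best] ",") !~ /,noexec,/)
                print d[i], "on", best
        }
    }'
}

main() {
    echo "== suspicious processes running as $WEBUSER =="
    triage_web_processes
    echo "== hidden entries owned by $WEBUSER under temp locations =="
    find $SUSPECT_DIRS -maxdepth 2 -name '.*' -user "$WEBUSER" 2>/dev/null
    echo "== active lines in the $WEBUSER crontab =="
    crontab -u "$WEBUSER" -l 2>/dev/null | grep -Ev '^[[:space:]]*(#|$)'
    echo "== temp locations mounted without noexec =="
    dirs_missing_noexec "$SUSPECT_DIRS" < /proc/mounts
}
# Run the sweep only when invoked as the script, so the functions can be sourced.
if [ "$(basename -- "$0")" = "web_triage.sh" ]; then main; fi
```

Anything it prints is a lead to follow with strace -p or lsof, not proof by itself; and as zcat says, if root may have been taken, the answer is a reinstall rather than this sweep.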
Re: [users@httpd] irc eggdrop exploit woes
Posted by Eben Goodman <eb...@bakedbean.net>.
I actually know which user it got through on, it came in through an
insecure php nuke application. I have since removed the nuke app, but
the damage appears to be done, since this eggdrop crap is still running
on the server. Is there a way to find, and remove the software once it
has found its way on?
thanks,
Eben
Dan Mahoney, System Admin wrote:
> On Mon, 6 Jun 2005, Eben Goodman wrote:
>
> If you're doing multi-hosting, look into suexec. The fact that it
> runs CGIs as the user is kinda secondary to the fact that it shows
> you WHICH user uploaded the insecure script.
>
> For PHP scripts, I've had good luck running suPHP (which is not an
> official apache project, but something similar really should be).
>
> -Dan
>
>
>> I recently had an irc exploit on my server running this eggdrop relay
>> thing via apache. I was able to find the offending files and remove
>> them and the eggdrop processes went away for awhile, but now they are
>> back and try as I might I can't find any files that correspond to
>> this software. When viewing top it shows the eggdrop processes
>> running as apache. If I don't reboot the server for a couple days
>> the eggdrop apache processes start sucking up all cpu and gobbling
>> bandwidth.
>>
>> Has anyone else dealt with this?
>>
>> thanks,
>> Eben
>>
>
> --
>
> Amerikanskaya firma Transceptor Technology pristupila k poizvodstu
> komputerov "Personal'ni Sputnik"
>
> --Snap, "The Power"
>
> --------Dan Mahoney--------
> Techie, Sysadmin, WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144 AIM: LarpGM
> Site: http://www.gushi.org
> ---------------------------
>
>
Re: [users@httpd] irc eggdrop exploit woes
Posted by "Dan Mahoney, System Admin" <da...@prime.gushi.org>.
On Mon, 6 Jun 2005, Eben Goodman wrote:
If you're doing multi-hosting, look into suexec. The fact that it runs
CGIs as the user is kinda secondary to the fact that it shows you WHICH
user uploaded the insecure script.
For PHP scripts, I've had good luck running suPHP (which is not an
official apache project, but something similar really should be).
-Dan
> I recently had an irc exploit on my server running this eggdrop relay thing
> via apache. I was able to find the offending files and remove them and the
> eggdrop processes went away for awhile, but now they are back and try as I
> might I can't find any files that correspond to this software. When viewing
> top it shows the eggdrop processes running as apache. If I don't reboot the
> server for a couple days the eggdrop apache processes start sucking up all
> cpu and gobbling bandwidth.
>
> Has anyone else dealt with this?
>
> thanks,
> Eben
>
--
Amerikanskaya firma Transceptor Technology pristupila k poizvodstu komputerov "Personal'ni Sputnik"
--Snap, "The Power"
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
Re: [users@httpd] irc eggdrop exploit woes
Posted by "Ivan Barrera A." <Br...@Ivn.cl>.
Yep.
It is most probable that you were hacked through PHP.
The most common way of "hacking" this way is abusing sites running
PHP-Nuke, phpBB, and many other sites using "unsafe" programming techniques.
If you look in the mailing archives, you can find lots of answers to
this type of problem.
(consider turning register_globals off, safe_mode on, using something
like mod_security, disabling exec on tmp partitions, using chrooted
vhosts, using phpsuexec, etc)
Eben Goodman wrote:
> I recently had an irc exploit on my server running this eggdrop relay
> thing via apache. I was able to find the offending files and remove
> them and the eggdrop processes went away for awhile, but now they are
> back and try as I might I can't find any files that correspond to this
> software. When viewing top it shows the eggdrop processes running as
> apache. If I don't reboot the server for a couple days the eggdrop
> apache processes start sucking up all cpu and gobbling bandwidth.
>
> Has anyone else dealt with this?
>
> thanks,
> Eben
>