Web Hosting Talk

Blocking Ports


eddy2099
07-17-2001, 04:04 AM
It seems that during the last couple of weeks some people have hijacked my Raq 3i to relay ircd or bots. I have to persistently kill PID but they keep coming back.

Is there any way to prevent this or to block a certain range of ports? I am sure they have no real access to my server as I usually shut my telnet and ftp access.

huck
07-17-2001, 08:29 AM
You've been hacked/compromised. If there is a process running as a bot, then somebody put this on your computer. Bots simply don't appear -- somebody put it there either directly (they've hacked your machine) or indirectly (they've used a trojan). The next time you see the process, don't kill it -- track it down. Also, investigate what ports the program is opening. If the process keeps coming back, then the hackers most likely set up a cron job to keep their bot alive. Take a look at your cron tabs, and download all of your log files.


If you need further assistance, do a ps -auxf and print the output here. Also run netstat -vat and netstat -anp.

(Note, when you post the output surround it by code tags so that it lines up nicely).

allan
07-17-2001, 08:55 AM
They could be running a cron job that restarts the service if it fails...

Honestly, if you have been hacked like that, you probably need to do a full restore of the OS.
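
Added example (not part of the thread and not any poster's code): two shell helpers for the checks suggested above, one listing every active cron entry and one reading netstat -anp output to report TCP listeners on ports you did not expect. The allowed port list, the function names and the sample netstat output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data is constructed.

# cron_entries PATH...: print "file: entry" for each active line in the given
# crontab files or directories (skips blanks, comments, VAR=value lines).
cron_entries() {
    for path in "$@"; do
        [ -e "$path" ] || continue
        find "$path" -type f 2>/dev/null | sort | while IFS= read -r f; do
            awk -v f="$f" '
                /^[ \t]*(#|$)/ { next }
                /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }
                { sub(/^[ \t]+/, ""); print f ": " $0 }' "$f"
        done
    done
}

# unexpected_listeners PORT...: read `netstat -anp` output on stdin and print
# "port pid program" for TCP LISTEN sockets whose port is not in PORT...
unexpected_listeners() {
    awk -v allow="$*" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, addr, ":"); port = addr[n]
            i = index($7, "/")        # no "/" when netstat ran without root
            pid = i ? substr($7, 1, i - 1) : "-"
            prog = i ? substr($7, i + 1) : "-"
            if (!(port in ok)) print port, pid, prog
        }'
}

# Constructed sample of `netstat -anp` output (not taken from the thread).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address   Foreign Address State  PID/Program name
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN 612/sshd
tcp        0      0 0.0.0.0:80      0.0.0.0:*       LISTEN 733/httpd
tcp        0      0 0.0.0.0:6667    0.0.0.0:*       LISTEN 4242/bot
tcp        0      0 10.0.0.5:22     10.0.0.9:51022  ESTABLISHED 900/sshd
udp        0      0 0.0.0.0:68      0.0.0.0:*              501/dhclient'

# Allowed ports here (22 25 80) are an assumption; use the services you run.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners 22 25 80

# On a live host, as root:
#   netstat -anp | unexpected_listeners 22 25 80
#   cron_entries /etc/crontab /etc/cron.d /var/spool/cron
```

The PID reported for an unexpected listener is the one to look up in the ps output before killing anything, and any cron entry that launches the same binary explains why it keeps returning.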