Web Hosting Talk

Bot scanning script


drose25
09-29-2004, 04:47 PM
Does anyone know of a good script I can set in cron to check the server regularly for common bots?

CArmstrong
09-29-2004, 06:44 PM
Common bots? Not sure, but you could create a cronjob to run RKHunter which has checks for various rootkits, etc.

dynamicnet
09-29-2004, 09:49 PM
Greetings:

Root Kit Detection tools include rkhunter from http://rootkit.nl/ and chkrootkit from http://chkrootkit.org/

Also check out Nessus from http://www.nessus.org/ and nmap from http://www.insecure.org/nmap/

Thank you.

drose25
09-30-2004, 12:45 AM
I run rkhunter and chkrootkit already, both of which are helpful but they don't detect common IRC bots apparently.

apollo
09-30-2004, 07:42 AM
Well, you can create a small script that scans NETSTAT for 6666-6667 and other common outgoing IRC ports.

bash + grep is your friend :)

well, you got the idea ;]

sehe
09-30-2004, 10:09 AM
Maybe something as simple as:
netstat -np | grep ":[67]000"

eth00
09-30-2004, 10:39 AM
A firewall that blocks outgoing ports as well as incoming ports is very useful. The latest version of APF can even limit certain ports by UID, so if you wanted to host some IRC stuff yourself you could.

drose25
09-30-2004, 12:29 PM
I have APF installed with inbound/outbound blocking enabled. I'm trying to figure out why it didn't block the ports in question.

eth00
09-30-2004, 12:36 PM
Are you sure that the bot started but just did not really connect? It can still run even if it is not allowed to leave the server by the firewall.
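
The netstat port check suggested in this thread, written out as a cron-friendly script (an added example, not posted by any participant). It matches on the foreign port only, and also reports SYN_SENT sockets, which is where an attempt silently dropped by an outbound firewall rule lingers. The port list (6660-6669 and 7000), the function names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag outbound TCP connections to common IRC ports.
# Assumption: IRC ports are 6660-6669 and 7000; adjust for your site.

# Reads `netstat -ntp` style lines on stdin and prints
# "pid/program foreign-address state" for every socket whose FOREIGN
# port is an IRC port. A plain grep for ":6667" would also hit local
# ports (a legitimate ircd) and longer ports such as 60001.
find_irc_conns() {
    awk '
        $1 ~ /^tcp/ && ($6 == "ESTABLISHED" || $6 == "SYN_SENT") {
            n = split($5, a, ":")      # last piece is the port (IPv6-safe)
            port = a[n] + 0
            if ((port >= 6660 && port <= 6669) || port == 7000)
                print $7, $5, $6
        }'
}

# Constructed sample input (documentation addresses, made-up PIDs).
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:80           203.0.113.5:51234       ESTABLISHED 2001/httpd
tcp        0      0 192.0.2.10:41822        198.51.100.7:6667       ESTABLISHED 3120/perl
tcp        0      1 192.0.2.10:41830        198.51.100.9:7000       SYN_SENT    3377/sh
tcp        0      0 192.0.2.10:6667         203.0.113.8:40112       ESTABLISHED 900/ircd
tcp        0      0 192.0.2.10:22           203.0.113.9:60001       ESTABLISHED 811/sshd
EOF
}

if [ "${1:-}" = "--demo" ]; then
    sample_netstat | find_irc_conns      # run against the constructed sample
elif [ "${1:-}" = "--live" ]; then
    netstat -ntp 2>/dev/null | find_irc_conns
fi
```

Run it with --live from root's crontab so netstat can show the owning process of every socket; cron mails any output, so a quiet run means nothing matched.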

andreyka
09-30-2004, 01:08 PM
Run periodically:
killall name_of_bot_1
killall name_of_bot_2
...