Thread: Exploit Attempt
-
07-06-2005, 10:45 AM #1 Newbie
Exploit Attempt
When I run netstat -np I see a whole lot of the following:
tcp 0 0 82.165.243.62:59171 200.143.66.10:6667 ESTABLISHED 14011/httpd -DSSL
tcp 0 0 82.165.243.62:59168 200.143.66.10:6667 ESTABLISHED 14494/httpd -DSSL
tcp 0 0 82.165.243.62:57536 200.143.66.10:6667 ESTABLISHED 14501/httpd -DSSL
tcp 0 0 82.165.243.62:57570 200.143.66.10:6667 ESTABLISHED 14231/httpd -DSSL
tcp 0 0 82.165.243.62:57427 200.143.66.10:6667 ESTABLISHED 14441/httpd -DSSL
tcp 0 0 82.165.243.62:57368 200.143.66.10:6667 ESTABLISHED 14053/httpd -DSSL
tcp 0 0 82.165.243.62:57385 200.143.66.10:6667 ESTABLISHED 14479/httpd -DSSL
tcp 0 0 82.165.243.62:57814 200.143.66.10:6667 ESTABLISHED 14462/httpd -DSSL
tcp 0 19 82.165.243.62:57822 200.143.66.10:6667 ESTABLISHED 14106/httpd -DSSL
tcp 0 0 82.165.243.62:57786 200.143.66.10:6667 ESTABLISHED 14592/httpd -DSSL
tcp 0 0 82.165.243.62:57647 200.143.66.10:6667 ESTABLISHED 13993/httpd -DSSL
tcp 0 0 82.165.243.62:57649 200.143.66.10:6667 ESTABLISHED 14355/httpd -DSSL
tcp 0 0 82.165.243.62:58063 200.143.66.10:6667 ESTABLISHED 14417/httpd -DSSL
tcp 0 0 82.165.243.62:58070 200.143.66.10:6667 ESTABLISHED 14439/httpd -DSSL
tcp 0 0 82.165.243.62:58064 200.143.66.10:6667 ESTABLISHED 14504/httpd -DSSL
tcp 0 0 82.165.243.62:58022 200.143.66.10:6667 ESTABLISHED 14456/httpd -DSSL
tcp 0 0 82.165.243.62:57957 200.143.66.10:6667 ESTABLISHED 14443/httpd -DSSL
tcp 0 0 82.165.243.62:57954 200.143.66.10:6667 ESTABLISHED 14611/httpd -DSSL
tcp 0 0 82.165.243.62:57969 200.143.66.10:6667 ESTABLISHED 14359/httpd -DSSL
tcp 0 0 82.165.243.62:58367 200.143.66.10:6667 ESTABLISHED 14119/httpd -DSSL
tcp 0 0 82.165.243.62:58188 200.143.66.10:6667 ESTABLISHED 13921/httpd -DSSL
tcp 0 0 82.165.243.62:58194 200.143.66.10:6667 ESTABLISHED 14615/httpd -DSSL
tcp 0 0 82.165.243.62:58141 200.143.66.10:6667 ESTABLISHED 14013/httpd -DSSL
tcp 0 0 82.165.243.62:60579 200.143.66.10:6667 ESTABLISHED 15828/httpd -DSSL
tcp 0 0 82.165.243.62:60493 200.143.66.10:6667 ESTABLISHED 15832/httpd -DSSL
tcp 0 0 82.165.243.62:60867 200.143.66.10:6667 ESTABLISHED 15795/httpd -DSSL
tcp 0 0 82.165.243.62:60870 200.143.66.10:6667 ESTABLISHED 15696/httpd -DSSL
Is this someone trying to exploit my server? What should I do? My 'top' shows a load over 200 with a number of perl processes running. I'm not sure I have anything that uses perl, but I just moved to this server 4 days ago. It's running Plesk.
Any help is GREATLY appreciated.
-
07-06-2005, 10:47 AM #2 Problem Solver
That 6667 is an IRC port. What do the perl scripts say when you run ps auxwww?
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
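A small triage script, added here and not part of the thread, that parses netstat -np lines of the kind shown in the first post and reports server processes (httpd and friends) with ESTABLISHED connections whose remote port is an IRC port, the pattern the reply above points at. The sample lines are constructed from the thread's output; the port list and process names are assumptions you would adjust to your host.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the netstat -np output in the first post
# (the IRC endpoint is the thread's own; the last two lines are added
# as normal, accepted client traffic for contrast).
SAMPLE_NETSTAT = """\
tcp 0 0 82.165.243.62:59171 200.143.66.10:6667 ESTABLISHED 14011/httpd -DSSL
tcp 0 0 82.165.243.62:59168 200.143.66.10:6667 ESTABLISHED 14494/httpd -DSSL
tcp 0 19 82.165.243.62:57822 200.143.66.10:6667 ESTABLISHED 14106/httpd -DSSL
tcp 0 0 82.165.243.62:443 10.0.0.5:51234 ESTABLISHED 14011/httpd -DSSL
tcp 0 0 82.165.243.62:3306 127.0.0.1:40012 ESTABLISHED 2201/mysqld
"""

# Assumed: common IRC ports; extend to whatever your policy flags.
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697, 7000}
# Assumed: daemons that accept clients and should not dial out to chat networks.
SERVER_PROCS = {"httpd", "apache", "apache2", "nginx", "mysqld"}

# Matches "proto recvq sendq local:port remote:port state pid/program ..."
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\d+)\s+"
    r"(?P<state>\S+)\s+(?P<pid>\d+)/(?P<prog>\S+)"
)

def parse_netstat(text):
    """Yield one dict per parsable TCP connection line; junk lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["lport"], d["rport"], d["pid"] = int(d["lport"]), int(d["rport"]), int(d["pid"])
            yield d

def suspicious_outbound(text, flagged_ports=IRC_PORTS, server_procs=SERVER_PROCS):
    """Return {(prog, raddr, rport): [pids]} for server processes whose peer port
    is a flagged port: the remote side is the *service*, so the daemon dialled out."""
    hits = defaultdict(list)
    for c in parse_netstat(text):
        if c["prog"] in server_procs and c["rport"] in flagged_ports and c["state"] == "ESTABLISHED":
            hits[(c["prog"], c["raddr"], c["rport"])].append(c["pid"])
    return dict(hits)

def summarize(text):
    """Connections per remote endpoint, the quick 'where is everything going' view."""
    return Counter((c["raddr"], c["rport"]) for c in parse_netstat(text))

if __name__ == "__main__":
    for (prog, raddr, rport), pids in suspicious_outbound(SAMPLE_NETSTAT).items():
        print("SUSPECT %s -> %s:%d via %d worker(s): %s" % (prog, raddr, rport, len(pids), sorted(pids)))
```

The flagged PIDs are the httpd workers to inspect (their open files and command lines), which is the same data the later replies ask the poster to collect with ps.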
-
07-06-2005, 10:50 AM #3 Newbie
There isn't any perl listed when I do that... I dropped it to a file and have a number of httpd items listed, but no perl.
Any idea why or how my server is using IRC? I have a chat on my site but it's PHP/MYSQL based.
-
07-06-2005, 11:01 AM #4 Newbie
OK, finally got something to appear in ps auxwww for perl. One is a GET I do via cron and the other is:
root 20320 0.4 0.6 7840 6380 ? R 11:00 0:00 /usr/bin/perl -w /usr/bin/mrtg /etc/mrtg/mrtg.cfg
-
07-06-2005, 12:25 PM #5 Newbie
How do I shut off IRC?
-
07-06-2005, 12:32 PM #6 Newbie
I would configure iptables to drop all packets not destined for services you knowingly run and support.
-
07-06-2005, 12:35 PM #7 Newbie
Sorry, true newbie here, but can you give me an example iptables command?
-
07-06-2005, 01:13 PM #8 Disabled
Originally posted by jscherbel:
"Sorry, true newbie here, but can you give me an example iptables command?"
Well, the first step should be to kill whatever IRC process is running. Feel free to PM me a copy of the output from "ps -auxxxwww".
If you've got any messengers, feel free to take a look at my profile and IM me. I'd be happy to help you clean it up.