
Thread: Exploit Attempt

  1. #1

    Exploit Attempt

    When I run netstat -np I see a whole lot of the following:

    tcp 0 0 82.165.243.62:59171 200.143.66.10:6667 ESTABLISHED 14011/httpd -DSSL
    tcp 0 0 82.165.243.62:59168 200.143.66.10:6667 ESTABLISHED 14494/httpd -DSSL
    tcp 0 0 82.165.243.62:57536 200.143.66.10:6667 ESTABLISHED 14501/httpd -DSSL
    tcp 0 0 82.165.243.62:57570 200.143.66.10:6667 ESTABLISHED 14231/httpd -DSSL
    tcp 0 0 82.165.243.62:57427 200.143.66.10:6667 ESTABLISHED 14441/httpd -DSSL
    tcp 0 0 82.165.243.62:57368 200.143.66.10:6667 ESTABLISHED 14053/httpd -DSSL
    tcp 0 0 82.165.243.62:57385 200.143.66.10:6667 ESTABLISHED 14479/httpd -DSSL
    tcp 0 0 82.165.243.62:57814 200.143.66.10:6667 ESTABLISHED 14462/httpd -DSSL
    tcp 0 19 82.165.243.62:57822 200.143.66.10:6667 ESTABLISHED 14106/httpd -DSSL
    tcp 0 0 82.165.243.62:57786 200.143.66.10:6667 ESTABLISHED 14592/httpd -DSSL
    tcp 0 0 82.165.243.62:57647 200.143.66.10:6667 ESTABLISHED 13993/httpd -DSSL
    tcp 0 0 82.165.243.62:57649 200.143.66.10:6667 ESTABLISHED 14355/httpd -DSSL
    tcp 0 0 82.165.243.62:58063 200.143.66.10:6667 ESTABLISHED 14417/httpd -DSSL
    tcp 0 0 82.165.243.62:58070 200.143.66.10:6667 ESTABLISHED 14439/httpd -DSSL
    tcp 0 0 82.165.243.62:58064 200.143.66.10:6667 ESTABLISHED 14504/httpd -DSSL
    tcp 0 0 82.165.243.62:58022 200.143.66.10:6667 ESTABLISHED 14456/httpd -DSSL
    tcp 0 0 82.165.243.62:57957 200.143.66.10:6667 ESTABLISHED 14443/httpd -DSSL
    tcp 0 0 82.165.243.62:57954 200.143.66.10:6667 ESTABLISHED 14611/httpd -DSSL
    tcp 0 0 82.165.243.62:57969 200.143.66.10:6667 ESTABLISHED 14359/httpd -DSSL
    tcp 0 0 82.165.243.62:58367 200.143.66.10:6667 ESTABLISHED 14119/httpd -DSSL
    tcp 0 0 82.165.243.62:58188 200.143.66.10:6667 ESTABLISHED 13921/httpd -DSSL
    tcp 0 0 82.165.243.62:58194 200.143.66.10:6667 ESTABLISHED 14615/httpd -DSSL
    tcp 0 0 82.165.243.62:58141 200.143.66.10:6667 ESTABLISHED 14013/httpd -DSSL
    tcp 0 0 82.165.243.62:60579 200.143.66.10:6667 ESTABLISHED 15828/httpd -DSSL
    tcp 0 0 82.165.243.62:60493 200.143.66.10:6667 ESTABLISHED 15832/httpd -DSSL
    tcp 0 0 82.165.243.62:60867 200.143.66.10:6667 ESTABLISHED 15795/httpd -DSSL
    tcp 0 0 82.165.243.62:60870 200.143.66.10:6667 ESTABLISHED 15696/httpd -DSSL

    Is this someone trying to exploit my server? What should I do? My 'top' shows a load over 200 with a number of perl processes running. I'm not sure I have anything that uses perl, but I just moved to this server 4 days ago. It's running Plesk.

    Any help is GREATLY appreciated.

  2. #2
    That 6667 is an IRC port. What do the perl scripts say when you run ps auxwww?
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
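The question in #2 (what the perl processes actually are) can be answered without trusting process names. The script below is an added example, not something posted in the thread: it parses netstat -np output, lists every PID that has an established connection to an IRC port, and, when run as root with --live on the affected box, compares each PID's claimed command line with the executable the kernel actually loaded. That comparison is the point: the "httpd -DSSL" shown by netstat and ps is just the process's argv, which a script can overwrite (a Perl script can assign $0), so a Perl IRC bot started through the web server can show up as Apache while /proc/PID/exe still points at /usr/bin/perl. The embedded sample is a few lines copied from post #1 plus two netstat header lines and one constructed non-IRC line; the 6667-6669 port range and the --live flag are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): triage outbound IRC connections seen in
# "netstat -np" and check what the owning PIDs really are.

# Constructed sample: netstat's two header lines, three lines copied from
# post #1, and one made-up local MySQL connection from the same PID (14494)
# to show that non-IRC connections are ignored and PIDs are reported once.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 82.165.243.62:59171 200.143.66.10:6667 ESTABLISHED 14011/httpd -DSSL
tcp 0 0 82.165.243.62:59168 200.143.66.10:6667 ESTABLISHED 14494/httpd -DSSL
tcp 0 0 127.0.0.1:45012 127.0.0.1:3306 ESTABLISHED 14494/httpd -DSSL
tcp 0 19 82.165.243.62:57822 200.143.66.10:6667 ESTABLISHED 14106/httpd -DSSL'

# Read "netstat -np" output on stdin; print "pid remote_host", one line per PID,
# for every established TCP connection whose remote port is 6667-6669.
# Only plain "tcp" lines are handled (IPv6 "tcp6" addresses contain colons
# and would need different splitting); header lines fall through the filter.
irc_peers() {
    awk '$1 == "tcp" && $6 == "ESTABLISHED" {
            n = split($5, r, ":"); host = r[1]; port = r[n] + 0   # remote host:port
            split($7, p, "/"); pid = p[1]                          # "14011/httpd" -> 14011
            if (pid != "-" && port >= 6667 && port <= 6669 && !(pid in seen)) {
                seen[pid] = 1
                print pid, host
            }
        }' | sort -n
}

# For one PID, show what the process claims (argv, rewritable by the process)
# next to what the kernel knows (the loaded executable, cwd, owning user).
# A Perl bot pretending to be Apache shows "httpd -DSSL" as the claim but
# /usr/bin/perl as exe; cwd often reveals where the bot was dropped.
inspect_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "pid $pid: already gone"; return 1; }
    echo "pid $pid"
    echo "  claimed: $(tr '\0' ' ' < "/proc/$pid/cmdline")"
    echo "  exe:     $(readlink "/proc/$pid/exe")"
    echo "  cwd:     $(readlink "/proc/$pid/cwd")"
    echo "  user:    $(ps -o user= -p "$pid" 2>/dev/null)"
}

case "${1:-}" in
    --live)
        # Real run (needs root for the PID column): inspect every IRC-connected PID.
        netstat -ntp 2>/dev/null | irc_peers | while read -r pid host; do
            inspect_pid "$pid"
        done
        ;;
    *)
        # Default: parse the embedded sample only.
        printf '%s\n' "$SAMPLE" | irc_peers
        ;;
esac
```

Run it once with --live before killing anything: the exe and cwd lines are what you need to find the dropped script and the account it runs under, and once the process is killed that information is gone.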

  3. #3
    There isn't any perl listed when I do that... I dropped it to a file and have a number of httpd items listed but no perl.

    Any idea why or how my server is using IRC? I have a chat on my site but it's PHP/MYSQL based.

  4. #4
    OK, finally got something to appear in ps auxwww for perl. One is a GET I do via cron and the other is:

    root 20320 0.4 0.6 7840 6380 ? R 11:00 0:00 /usr/bin/perl -w /usr/bin/mrtg /etc/mrtg/mrtg.cfg

  5. #5
    How do I shut off IRC?

  6. #6
    I would configure iptables to drop all packets not destined for services you knowingly run and support.

  7. #7
    Sorry, true newbie here but can you give me an example iptables command?

  8. #8
    Originally posted by jscherbel
    Sorry, true newbie here but can you give me an example iptables command?

    Well, the first step should be to kill whatever IRC process is running. Feel free to PM me a copy of the output from "ps -auxxxwww".

    If you've got any messengers, feel free to take a look at my profile and IM me; I'd be happy to help you clean it up.
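The iptables example asked for in #7, following the advice in #6, as an added example that is not from the thread. It sets a default DROP policy in both directions, allows replies to connections the host initiated, opens only a named set of inbound services, and logs and drops outbound IRC explicitly so the bot's reconnection attempts show up in the kernel log. The service list is an assumption made for this example (SSH on 22, web on 80/443, the Plesk panel on 8443, outbound DNS, HTTP/HTTPS and SMTP); a Plesk host typically needs more (FTP, mail, the Plesk updater), so adjust before applying. Without --apply the script only prints the commands it would run, which is how the DRY_RUN wrapper and the helper functions are meant to be used.

```shell
#!/bin/sh
# Added example (not from the thread): a default-deny iptables policy along the
# lines of post #6. Service ports below are assumptions; edit them for your box.

IPT=${IPT:-iptables}

# Run iptables, or, with DRY_RUN set, print the command instead of running it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

apply_rules() {
    run -F
    run -X
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT DROP

    # Loopback, plus replies to connections this host initiated or accepted.
    run -A INPUT  -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT
    run -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Inbound: only the services we knowingly run (assumed: SSH, HTTP, HTTPS, Plesk).
    for port in 22 80 443 8443; do
        run -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done

    # Outbound IRC: log, then drop. The DROP policy would catch it anyway, but an
    # explicit LOG line gives you a kernel-log record of every reconnect attempt.
    run -A OUTPUT -p tcp -m multiport --dports 6660:6669,7000 -j LOG --log-prefix "IRC-OUT: "
    run -A OUTPUT -p tcp -m multiport --dports 6660:6669,7000 -j DROP

    # Outbound services the host legitimately needs (assumed: DNS, web, SMTP).
    run -A OUTPUT -p udp --dport 53 -j ACCEPT
    run -A OUTPUT -p tcp --dport 53 -j ACCEPT
    for port in 80 443 25; do
        run -A OUTPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done

    # Everything else: rate-limited log, then the chain policy (DROP) applies.
    run -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: "
    run -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DROP: "
}

# Print the commands without touching the firewall.
dry_run() {
    (DRY_RUN=1; apply_rules)
}

# Number of generated rules that reference the IRC port range (LOG + DROP).
irc_rule_count() {
    dry_run | grep -c '6660:6669'
}

case "${1:-}" in
    --apply) apply_rules ;;   # real run, as root
    *)       dry_run ;;       # default: show what would be applied
esac
```

Two cautions before --apply. First, do it from the console or with a rollback timer (for example "sleep 300 && iptables -P INPUT ACCEPT && iptables -F" in the background until you have confirmed SSH still works), because a default DROP policy with a missing port locks you out. Second, port-based egress filtering is containment, not a fix: a bot can talk to its controller on 80 or 443 just as easily, so the firewall buys you time while you kill the process, find where it lives (the cwd and exe of the PIDs from netstat) and close whatever let it onto the host.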
