Strange Reading
#1 | Junior Guru | Join Date: May 2006 | Posts: 237

Hey all,

I have a strange reading showing up on the netstat readout for my Linux box. It shows one of our nameservers connected to ede.nl.eu.undernet.org:ircd in a CLOSE_WAIT status.

Anyone know why this would be, and what ( if anything ) I should do about it?

It has only showed up recently, and so I am kind of puzzled.

Thanks.



#2 | Newbie | Join Date: May 2006 | Posts: 24
Do you allow shell access to others? Remote connections through PHP/Perl? If not, then try to find which process it's coming from, and run some rootkit detection programs. I'd recommend running them anyway.

#3 | Junior Guru | Join Date: May 2006 | Posts: 237
I don't allow shell access and I don't think I have ever set anything for or against remote connections with PHP or Perl. Where can I look to see if there are remote connections allowed?

#4 | Newbie | Join Date: May 2006 | Posts: 24
If you can do a netstat -np, you could possibly see the program using it.

#5 | Junior Guru | Join Date: May 2006 | Posts: 237
My original netstat:
Quote:
root@enterprise [~]# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 1064 0 ns1.*.com:36014 ede.nl.eu.undernet.org:ircd CLOSE_WAIT
My netstat -np readout:

Quote:
root@enterprise [~]# netstat -np
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 1064 0 XXX.XXX.XX.XXX:36014 193.109.122.67:6667 CLOSE_WAIT 1491/[kjournald]
tcp 187 0 XXX.XXX.XX.XXX:59671 193.109.122.67:6667 CLOSE_WAIT 1491/[kjournald]
Anyone know why "kjournald" would be having my system connect with undernet ircd?

#6 | Newbie | Join Date: May 2006 | Posts: 24
There's a possibility it's been compromised. Load up rkhunter and run it, and maybe a few others, and see if it picks up anything.

#7 | Web Hosting Guru | Join Date: May 2005 | Posts: 280
kjournald with pid 1491. Well, not impossible, but not likely either.
Sure looks like some process masq'ing as kjournald.

Maybe a look at /proc/1491 can give you a few tips? /proc/1491/fd might also contain interesting information.

#8 | Problem Solver | Join Date: Mar 2003 | Location: California USA | Posts: 13,181
Looks like you have a psybnc or something like that running. Follow the suggestion about looking in /proc. If that is the case you need to look into securing your server more.

__________________
Steven Ciaburri | Proactive Linux Server Management - Rack911.com

#9 | Junior Guru | Join Date: May 2006 | Posts: 237
It seemed to be running multiple instances under the same PID. I simply killed it and it hasn't returned in the netstat readouts.

Thanks for your help, guys. Greatly appreciated.

#10 | Web Hosting Guru | Join Date: May 2005 | Posts: 280
You really should give the machine a reboot to see if it comes back, and also to make sure the _correct_ kjournald is running.

#11 | Disabled | Join Date: Mar 2006 | Posts: 30
Maybe it could be an ircd or psybnc, something from the world of IRC.
Look in your /var/tmp and see if you have got something strange there.

#12 | Junior Guru | Join Date: May 2006 | Posts: 237
How can I be sure the correct kjournald is running?

#13 | Junior Guru | Join Date: May 2006 | Posts: 237
WHM shows one at the following:

PID 412 (kjournald)
PID 1441 (kjournald)
PID 1491 ([kjournald]) /usr/lib/sshdlib/[kjournald /usr/lib/sshdlib
[kjournald]

#14 | Web Hosting Guru | Join Date: May 2005 | Posts: 280
Quote:
Originally Posted by Calibur747
WHM shows one at the following:

PID 412 (kjournald)
PID 1441 (kjournald)
PID 1491 ([kjournald]) /usr/lib/sshdlib/[kjournald /usr/lib/sshdlib
[kjournald]
First, stop using WHM for this kind of thing. It is almost useless.

And yes, your host is compromised. 412 is the real kjournald process.
You will also notice (if you use "ps auxww") that the real kjournald not only had a low pid, but it also has 0 RSS and VSZ.

/usr/lib/sshdlib/ ? Good bet you have some trace of the backdoor there, but not 100% sure. It can be anywhere.

So, in a nutshell, you are still compromised. And if the process has access to /usr/lib, then you had better rebuild your box from scratch, because... well, it is not your box anymore. It is the hacker's.
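Added example, not from the thread: a small POSIX sh check that turns the advice in #7 (look in /proc/PID) and #14 (the real kjournald has a low PID and zero RSS/VSZ) into something you can run. It assumes Linux /proc semantics: a genuine kernel thread has no executable behind /proc/PID/exe, an empty /proc/PID/cmdline and no VmSize line in /proc/PID/status, whereas a userspace process that merely names itself "[kjournald]" has all three. The function names and the heuristic are mine.

```shell
#!/bin/sh
# Distinguish a real kernel thread from a userspace process masquerading
# as one. Heuristic (assumed, see lead-in): kernel threads have no exe link,
# an empty cmdline, and no VmSize in status (the "0 RSS and VSZ" of ps auxww).

# classify_proc EXE_RESOLVES CMDLINE_EMPTY HAS_VMSIZE -> "kernel" or "user"
# Takes 0/1 flags so the decision can be exercised without touching /proc.
classify_proc() {
    if [ "$1" = 0 ] && [ "$2" = 1 ] && [ "$3" = 0 ]; then
        echo kernel
    else
        echo user
    fi
}

# inspect_pid PID -> "kernel", "user" or "missing", read from /proc/PID
inspect_pid() {
    p=/proc/$1
    [ -d "$p" ] || { echo missing; return 1; }
    exe_ok=0; readlink "$p/exe" >/dev/null 2>&1 && exe_ok=1
    # /proc files stat as 0 bytes, so read the content instead of using -s
    cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null || true)
    cmd_empty=1; [ -n "$cmd" ] && cmd_empty=0
    vm=0; grep -q '^VmSize:' "$p/status" 2>/dev/null && vm=1
    classify_proc "$exe_ok" "$cmd_empty" "$vm"
}

# suspicious_bracketed: print "PID argv0 exe" for every process whose argv[0]
# begins with '[' (how ps shows kernel threads) yet has a real executable,
# which is the pattern of the /usr/lib/sshdlib/[kjournald process above.
suspicious_bracketed() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        argv0=$(tr '\0' '\n' < "$p/cmdline" 2>/dev/null | head -n 1 || true)
        case "$argv0" in
            "["*) exe=$(readlink "$p/exe" 2>/dev/null || true)
                  [ -n "$exe" ] && echo "$pid $argv0 $exe" ;;
        esac
    done
    return 0
}

# Example run: list masqueraders, then classify this shell (a userspace
# process). Feed inspect_pid the PID column from netstat -np to check it.
suspicious_bracketed
inspect_pid "$$"
```

A PID that netstat -np attributes to "[kjournald]" but that inspect_pid reports as "user" is the case discussed in this thread; compare its /proc/PID/exe and /proc/PID/cwd targets against the low-PID kjournald entries before deciding what to rebuild.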

#15 | Junior Guru | Join Date: May 2006 | Posts: 237
Went to that directory and I found a bunch of files, including psybnc titled configs and scripts. I deleted this directory promptly.

Any other suggestions?
