Urgent, possible server compromise…

:eek:

Well, I noticed some 6667 traffic in the Cisco ASA… getting blocked… so found the culprit server…

and on there:

[root@server1 ~]# lsof -i TCP:6667
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
httpd 7735 apache 3u IPv4 125657 TCP server1:56882->202.91.37.40:ircd (SYN_SENT)
httpd 14846 apache 3u IPv4 125665 TCP server1:47440->202.159.33.34:ircd (SYN_SENT)
httpd 14863 apache 3u IPv4 125652 TCP server1:47438->202.159.33.34:ircd (SYN_SENT)

chkrootkit / rkhunter show clean…

/tmp is empty… and well… nothing else seems to be a problem… it’s a script that one of my clients has anyway… how do I find the script?

I don't think this time they managed to get in, but they have tried to connect on ports… so… any ideas?

I think a reasonable piece of advice would be to check the suexec log first (/var/log/httpd/suexec.log) and see if any scripts being executed are connecting to IRC.

If you can't find a "rogue" CGI process connecting to IRC in that log, you might want to look into installing suPHP to get a log of every PHP script that's running. By default, suPHP runs every PHP script under the user/group that owns it; it also makes sure PHP scripts are running with secure permissions (i.e. not 777).

Is this a shared hosting server? If so, chances are someone uploaded a CGI or PHP script that connects to IRC. If not, it's possible that your server was compromised and you should definitely look into running suPHP to figure out what was compromised.

Hope this helps!