eggdrop / maxed outbound traffic

Secret Agent

Guest
I'm having an issue with Apache causing serious outgoing/outbound traffic (7 Mbps average from the server). How do I trace who is causing this? It seems to be some script, perhaps.

Code:
User Domain %CPU %MEM Mysql Processes 
nobody  142.54 0.00 0.0 
Top Process %CPU 99.9 [httpd]  
Top Process %CPU 99.8 [httpd]  
Top Process %CPU 72.5 perl udp.pl 202.147.174.150 0 0
Attached are the iptraf results for the traffic.

Is there any possible method for me to find out which particular client is causing this? There are not that many accounts on the server, and the WHM bandwidth reports show nothing higher than 5GB for any particular account for this entire month, which is fine.

I ran top and noticed eggdrop as well.

Code:
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 2401 nobody    25   0  6908 2420 1584 R 99.9  0.1 945:26.15 eggdrop
16597 mysql     20   0  289m 197m 2160 R 98.5  4.9   8:43.17 mysqld
Code:
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 7825 nobody    25   0  6864 2332 1544 R 99.9  0.1 163:41.79 eggdrop-1.6.6
 9156 mysql     17   0  288m 196m 2160 S  0.7  4.9   8:55.38 mysqld
How do I trace where it's coming from?

chkrootkit and rkhunter showed nothing abnormal.

The /tmp directory currently shows this:

Code:
[email protected] [/tmp]# ls -lh
total 8.3M
drwxrwxrwt  10 root     root      12K Nov 13 23:08 ./
drwxr-xr-x  26 root     root     4.0K Nov 12 00:04 ../
-rw-r--r--   1 nobody   nobody    18K Nov 13 02:49 03.txt
-rw-------   1 nobody   nobody   2.9K Nov 12 15:05 1574711424376590abcd56-owM62V
-rw-------   1 nobody   nobody   2.9K Nov 12 15:05 3016881134376592ab2ae3-3QBzD5
-rw-------   1 nobody   nobody   2.9K Nov 12 15:05 6925607043765922c5d13-2T68Bi
-rw-rw-rw-   1 cacio    cacio       5 Nov 12 16:03 .803.1701407
-rw-rw----   1 afroclan afroclan   13 Nov  6 14:33 afroclan-session-0.131096719605015
-rw-rw----   1 afroclan afroclan   13 Nov  6 14:26 afroclan-session-0.602755820685164
-rw-r--r--   1 nobody   nobody    11K Nov 13 01:54 af.txt
-rw-r--r--   1 nobody   nobody    11K Nov 13 01:54 af.txt.1
-rw-rw----   1 alem     alem       13 Nov  8 06:46 alem-session-0.152721696606935
-rw-rw----   1 alem     alem       13 Nov  8 06:46 alem-session-0.818902914718823
-rw-rw----   1 bguzman  bguzman    13 Nov  4 20:39 bguzman-session-0.0209271822395785
-rw-rw----   1 cacio    cacio      13 Nov 13 10:45 cacio-session-0.450913069144921
-rw-rw----   1 callstev callstev   13 Nov  4 05:38 callstev-session-0.273134270756604
-rw-r--r--   1 nobody   nobody   1.8K Nov 12 13:27 cmdtemp
drwxrwxrwx   2 root     root     412K Nov 13 23:07 eaccelerator/
-rw-r--r--   1 mailnull mail        0 Nov 13 23:01 exim_deny.lock
-rw-rw----   1 gboro    gboro      13 Nov 10 08:50 gboro-session-0.0705948195691271
-rw-rw----   1 gmnods   gmnods     13 Nov  9 12:41 gmnods-session-0.221569300702871
-rw-rw----   1 griksco  griksco    13 Nov 13 14:44 griksco-session-0.0503527737028016
drwx------   3 cpanel   cpanel   4.0K Oct 31 22:19 .horde/
-rw-r--r--   1 cpanel   cpanel   5.0K Nov 13 22:29 horde_32001.log
drwxr-xr-x   2 root     root     4.0K Sep 29 01:07 hsperfdata_root/
drwxr-xr-x   2 tomcat   nobody   4.0K Nov 12 00:04 hsperfdata_tomcat/
drwxrwxrwt   2 root     root     4.0K Nov 12 00:02 .ICE-unix/
-rw-------   1 cpanel   cpanel   1.5M Nov 11 01:10 impattd3YglD
-rw-------   1 cpanel   cpanel   6.2M Nov 11 01:08 impattmoHAVn
drwx------   2 root     root      16K Sep 19 17:32 lost+found/
-rw-rw----   1 movar    movar      13 Nov 13 18:59 movar-session-0.592277768141688
-rw-rw----   1 movar    movar      13 Nov 13 18:58 movar-session-0.841485284342529
lrwxrwxrwx   1 root     root       30 Nov 13 23:03 mysql.sock -> ../../var/lib/mysql/mysql.sock=
drwxr-xr-x   3 root     root     4.0K Sep 20 01:09 pear/
drwxr-xr-x   2 nobody   nobody   4.0K Nov 12 23:02 .r/
-rw-r--r--   1 nobody   nobody    44K Nov 13 09:25 rhtools.asp
-rw-rw----   1 ross1420 ross1420   13 Nov  3 17:04 ross1420-session-0.622242444967018
-rw-rw----   1 scraps99 scraps99   13 Nov  9 11:34 scraps99-session-0.134600760023208
-rw-rw----   1 scraps99 scraps99   13 Nov  9 11:35 scraps99-session-0.441470746955932
-rw-rw----   1 scraps99 scraps99   13 Nov  9 12:00 scraps99-session-0.54877675099215
srwxrwxrwx   1 postgres postgres    0 Nov 13 23:07 .s.PGSQL.5432=
-rw-------   1 postgres postgres   26 Nov 13 23:07 .s.PGSQL.5432.lock
-rw-rw----   1 tatenen  tatenen    13 Nov  3 12:30 tatenen-session-0.0324585543285174
-rw-rw----   1 tatenen  tatenen    13 Nov  3 12:29 tatenen-session-0.802486962246807
-rwxr-xr-x   1 nobody   nobody   6.0K Nov 12 16:45 tembak*
-rw-------   1 nobody   nobody   1.3K Nov 12 16:45 tembak.c
-rw-------   1 nobody   nobody   1.2K Nov 12 15:27 udp.pl
-rw-rw----   1 virmax   virmax     13 Nov  7 06:41 virmax-session-0.754337392821075
-rw-rw----   1 virmax   virmax     13 Nov  7 06:41 virmax-session-0.871513405655609
-rw-rw----   1 xtremers xtremers   13 Nov 12 15:09 xtremers-session-0.193744128410803
I did a locate for eggdrop and found the following:

Code:
[email protected] [/tmp]# locate eggdrop
warning: locate: warning: database /var/lib/slocate/slocate.db' is more than 8 days old
/usr/local/apache/proxy/.dat/doc/man1/eggdrop.1
/usr/local/apache/proxy/.dat/doc/eggdrop.doc
/usr/local/apache/proxy/.dat/.local/temp/doc/man1/eggdrop.1
/usr/local/apache/proxy/.dat/.local/temp/eggdrop-1.6.12
/usr/local/apache/proxy/.dat/.local/temp/eggdrop
/usr/local/apache/proxy/.dat/eggdrop-1.6.6
/usr/local/apache/proxy/.dat/eggdrop
/usr/local/cpanel/etc/sym/eggdrop.sym
/var/netenberg/fantastico_de_luxe/master_files/Xoops/uploads/djb/eggdrop.simple.conf
/var/netenberg/fantastico_de_luxe/master_files/Xoops/uploads/djb/doc/man1/eggdrop.1
/var/netenberg/fantastico_de_luxe/master_files/Xoops/uploads/djb/eggdrop-1.6.10
/var/netenberg/fantastico_de_luxe/master_files/Xoops/uploads/djb/eggdrop.advanced.conf
/var/netenberg/fantastico_de_luxe/master_files/Xoops/uploads/djb/eggdrop.complete.conf
/var/netenberg/fantastico_de_luxe/master_files/Xoops/uploads/djb/eggdrop
/var/netenberg/fantastico_de_luxe/master_files/phpCOIN/coin_themes/earthtone/djistra/djb/eggdrop.simple.conf
/var/netenberg/fantastico_de_luxe/master_files/phpCOIN/coin_themes/earthtone/djistra/djb/doc/man1/eggdrop.1
/var/netenberg/fantastico_de_luxe/master_files/phpCOIN/coin_themes/earthtone/djistra/djb/eggdrop-1.6.10
/var/netenberg/fantastico_de_luxe/master_files/phpCOIN/coin_themes/earthtone/djistra/djb/eggdrop.advanced.conf
/var/netenberg/fantastico_de_luxe/master_files/phpCOIN/coin_themes/earthtone/djistra/djb/eggdrop.complete.conf
/var/netenberg/fantastico_de_luxe/master_files/phpCOIN/coin_themes/earthtone/djistra/djb/eggdrop
/home/doogie/public_html/modules/PNphpBB2/files/djbot/eggdrop.simple.conf
/home/doogie/public_html/modules/PNphpBB2/files/djbot/doc/man1/eggdrop.1
/home/doogie/public_html/modules/PNphpBB2/files/djbot/eggdrop-1.6.10
/home/doogie/public_html/modules/PNphpBB2/files/djbot/eggdrop.advanced.conf
/home/doogie/public_html/modules/PNphpBB2/files/djbot/eggdrop.complete.conf
/home/doogie/public_html/modules/PNphpBB2/files/djbot/eggdrop
/home/doogie/public_html/modules/AutoTheme/.users/doc/man1/eggdrop.1
/home/doogie/public_html/modules/AutoTheme/.users/eggdrop-1.6.12
/home/doogie/public_html/modules/AutoTheme/.users/eggdrop
/home/doogie/public_html/pnTemp/djbot/eggdrop.simple.conf
/home/doogie/public_html/pnTemp/djbot/doc/man1/eggdrop.1
/home/doogie/public_html/pnTemp/djbot/eggdrop-1.6.10
/home/doogie/public_html/pnTemp/djbot/eggdrop.advanced.conf
/home/doogie/public_html/pnTemp/djbot/eggdrop.complete.conf
/home/doogie/public_html/pnTemp/djbot/eggdrop
/home/doogie/public_html/themes/USA-1/djb/eggdrop.simple.conf
/home/doogie/public_html/themes/USA-1/djb/doc/man1/eggdrop.1
/home/doogie/public_html/themes/USA-1/djb/eggdrop-1.6.10
/home/doogie/public_html/themes/USA-1/djb/eggdrop.advanced.conf
/home/doogie/public_html/themes/USA-1/djb/eggdrop.complete.conf
/home/doogie/public_html/themes/USA-1/djb/eggdrop
/home/ammo/public_html/modules/PNphpBB2/files/.dat/doc/man1/eggdrop.1
/home/ammo/public_html/modules/PNphpBB2/files/.dat/doc/eggdrop.doc
/home/ammo/public_html/modules/PNphpBB2/files/.dat/eggdrop-1.6.6
/home/ammo/public_html/modules/PNphpBB2/files/.dat/eggdrop

Specs:
cPanel 10.x
CentOS 4.2
APF | BFD | LSM | SIM | Nessus | LES
(just the basic security on the server)

What procedure would I follow to find this out? I believe it's a vulnerable script from Fantastico. It's not the first time.
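One way to answer the "which client?" question, as an added example that is not from the thread: take the mtime of a dropped file in /tmp (udp.pl at Nov 12 15:27 in the listing above) and pull every request, across the per-account Apache logs that cPanel keeps under /usr/local/apache/domlogs, that fell within a few minutes of it; the account whose log lights up in that window is the one whose script was abused. The log lines, IPs and the year below are constructed, and the account names are only reused from the locate output; no real request or script is implied.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" log format, as written to cPanel's per-domain logs.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')

def parse_ts(text):  # e.g. '12/Nov/2005:15:27:00 +0000'
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")

def parse_line(line):
    """Fields of one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = parse_ts(rec["ts"])
    return rec

def requests_near(domlogs, dropped_at, window=timedelta(minutes=5)):
    """Every request across all accounts' logs within `window` of the moment
    a suspicious file appeared in /tmp, oldest first."""
    hits = []
    for account, lines in domlogs.items():
        for rec in filter(None, map(parse_line, lines)):
            if abs(rec["ts"] - dropped_at) <= window:
                hits.append((account, rec["ip"], rec["ts"].strftime("%H:%M:%S"),
                             rec["method"], rec["path"]))
    return sorted(hits, key=lambda h: h[2])

def suspect_accounts(hits):
    """Accounts seen in the window, busiest first: the top one is where to look."""
    counts = {}
    for account, *_ in hits:
        counts[account] = counts.get(account, 0) + 1
    return sorted(counts, key=counts.get, reverse=True)

# Constructed sample lines (not from the thread); the year and IPs are made up.
SAMPLE_DOMLOGS = {
    "doogie": [
        '203.0.113.7 - - [12/Nov/2005:15:26:48 +0000] "POST /modules/PNphpBB2/files/ HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
        '203.0.113.7 - - [12/Nov/2005:15:27:02 +0000] "GET /modules/PNphpBB2/files/djbot/eggdrop HTTP/1.1" 200 211 "-" "Mozilla/4.0"',
        '198.51.100.4 - - [12/Nov/2005:09:10:00 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    ],
    "ammo": ['198.51.100.9 - - [12/Nov/2005:15:29:30 +0000] "GET /index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"'],
}

if __name__ == "__main__":  # udp.pl landed in /tmp at Nov 12 15:27 per the ls -lh above
    hits = requests_near(SAMPLE_DOMLOGS, parse_ts("12/Nov/2005:15:27:00 +0000"))
    print(*hits, "suspect accounts:", suspect_accounts(hits), sep="\n")
```

On the live box the same window can be checked with grep across /usr/local/apache/domlogs/*, and while the perl or eggdrop process is still running, /proc/PID/cwd and /proc/PID/exe show which account's directory it was launched from.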

emechanic

Member
Aug 27, 2004
my my my

First off, kill all processes running as nobody:

killall -u nobody

Go ahead and stop your web server for a few minutes:

/etc/init.d/chkservd stop
/etc/init.d/httpd stop

Then:

rm -rf /usr/local/apache/proxy/
touch /usr/local/apache/proxy
chmod 000 /usr/local/apache/proxy
chattr +i /usr/local/apache/proxy

rm -rf /var/netenberg/fantastico_de_luxe/master_files/Xoops/uploads/*

Then update Fantastico fo sho, man. Even then, you're gonna need to check out the Fantastico-related directories for proper permissions.

Get rid of every directory instance of djbot and eggdrop.

Matter of fact, man, if you want, email me and I'll hook you up, no charge.

tlcoffee at hostingtribe.com