The Community Forums


eggdrop / maxed outbound traffic

Discussion in 'General Discussion' started by Secret Agent, Nov 13, 2005.

  1. Secret Agent

    Secret Agent Guest

    I'm having an issue with apache causing serious outgoing / outbound traffic (7mbps average from the server). How do I trace who is causing this? Seems to be some script perhaps.

    Code:
    User Domain %CPU %MEM Mysql Processes 
    nobody  142.54 0.00 0.0 
    Top Process %CPU 99.9 [httpd]  
    Top Process %CPU 99.8 [httpd]  
    Top Process %CPU 72.5 perl udp.pl 202.147.174.150 0 0 
    
    Attached are iptraf results for traffic.

    Is there any possible method for me to find out which particular client is causing this? There are not that many accounts on the server, and WHM bandwidth reports show nothing higher than 5GB for a particular account for this entire month, which is fine.

    I ran TOP and noticed eggdrop as well.

    Code:
    
      PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
     2401 nobody    25   0  6908 2420 1584 R 99.9  0.1 945:26.15 eggdrop
    16597 mysql     20   0  289m 197m 2160 R 98.5  4.9   8:43.17 mysqld
    
    Code:
      PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
     7825 nobody    25   0  6864 2332 1544 R 99.9  0.1 163:41.79 eggdrop-1.6.6
     9156 mysql     17   0  288m 196m 2160 S  0.7  4.9   8:55.38 mysqld
    
    How do I trace where it's coming from?

    chkrootkit and rkhunter showed nothing abnormal.

    /tmp directory shows this currently:

    Code:
    root@server4 [/tmp]# ls -lh
    total 8.3M
    drwxrwxrwt  10 root     root      12K Nov 13 23:08 ./
    drwxr-xr-x  26 root     root     4.0K Nov 12 00:04 ../
    -rw-r--r--   1 nobody   nobody    18K Nov 13 02:49 03.txt
    -rw-------   1 nobody   nobody   2.9K Nov 12 15:05 1574711424376590abcd56-owM62V
    -rw-------   1 nobody   nobody   2.9K Nov 12 15:05 3016881134376592ab2ae3-3QBzD5
    -rw-------   1 nobody   nobody   2.9K Nov 12 15:05 6925607043765922c5d13-2T68Bi
    -rw-rw-rw-   1 cacio    cacio       5 Nov 12 16:03 .803.1701407
    -rw-rw----   1 afroclan afroclan   13 Nov  6 14:33 afroclan-session-0.131096719605015
    -rw-rw----   1 afroclan afroclan   13 Nov  6 14:26 afroclan-session-0.602755820685164
    -rw-r--r--   1 nobody   nobody    11K Nov 13 01:54 af.txt
    -rw-r--r--   1 nobody   nobody    11K Nov 13 01:54 af.txt.1
    -rw-rw----   1 alem     alem       13 Nov  8 06:46 alem-session-0.152721696606935
    -rw-rw----   1 alem     alem       13 Nov  8 06:46 alem-session-0.818902914718823
    -rw-rw----   1 bguzman  bguzman    13 Nov  4 20:39 bguzman-session-0.0209271822395785
    -rw-rw----   1 cacio    cacio      13 Nov 13 10:45 cacio-session-0.450913069144921
    -rw-rw----   1 callstev callstev   13 Nov  4 05:38 callstev-session-0.273134270756604
    -rw-r--r--   1 nobody   nobody   1.8K Nov 12 13:27 cmdtemp
    drwxrwxrwx   2 root     root     412K Nov 13 23:07 eaccelerator/
    -rw-r--r--   1 mailnull mail        0 Nov 13 23:01 exim_deny.lock
    -rw-rw----   1 gboro    gboro      13 Nov 10 08:50 gboro-session-0.0705948195691271
    -rw-rw----   1 gmnods   gmnods     13 Nov  9 12:41 gmnods-session-0.221569300702871
    -rw-rw----   1 griksco  griksco    13 Nov 13 14:44 griksco-session-0.0503527737028016
    drwx------   3 cpanel   cpanel   4.0K Oct 31 22:19 .horde/
    -rw-r--r--   1 cpanel   cpanel   5.0K Nov 13 22:29 horde_32001.log
    drwxr-xr-x   2 root     root     4.0K Sep 29 01:07 hsperfdata_root/
    drwxr-xr-x   2 tomcat   nobody   4.0K Nov 12 00:04 hsperfdata_tomcat/
    drwxrwxrwt   2 root     root     4.0K Nov 12 00:02 .ICE-unix/
    -rw-------   1 cpanel   cpanel   1.5M Nov 11 01:10 impattd3YglD
    -rw-------   1 cpanel   cpanel   6.2M Nov 11 01:08 impattmoHAVn
    drwx------   2 root     root      16K Sep 19 17:32 lost+found/
    -rw-rw----   1 movar    movar      13 Nov 13 18:59 movar-session-0.592277768141688
    -rw-rw----   1 movar    movar      13 Nov 13 18:58 movar-session-0.841485284342529
    lrwxrwxrwx   1 root     root       30 Nov 13 23:03 mysql.sock -> ../../var/lib/mysql/mysql.sock=
    drwxr-xr-x   3 root     root     4.0K Sep 20 01:09 pear/
    drwxr-xr-x   2 nobody   nobody   4.0K Nov 12 23:02 .r/
    -rw-r--r--   1 nobody   nobody    44K Nov 13 09:25 rhtools.asp
    -rw-rw----   1 ross1420 ross1420   13 Nov  3 17:04 ross1420-session-0.622242444967018
    -rw-rw----   1 scraps99 scraps99   13 Nov  9 11:34 scraps99-session-0.134600760023208
    -rw-rw----   1 scraps99 scraps99   13 Nov  9 11:35 scraps99-session-0.441470746955932
    -rw-rw----   1 scraps99 scraps99   13 Nov  9 12:00 scraps99-session-0.54877675099215
    srwxrwxrwx   1 postgres postgres    0 Nov 13 23:07 .s.PGSQL.5432=
    -rw-------   1 postgres postgres   26 Nov 13 23:07 .s.PGSQL.5432.lock
    -rw-rw----   1 tatenen  tatenen    13 Nov  3 12:30 tatenen-session-0.0324585543285174
    -rw-rw----   1 tatenen  tatenen    13 Nov  3 12:29 tatenen-session-0.802486962246807
    -rwxr-xr-x   1 nobody   nobody   6.0K Nov 12 16:45 tembak*
    -rw-------   1 nobody   nobody   1.3K Nov 12 16:45 tembak.c
    -rw-------   1 nobody   nobody   1.2K Nov 12 15:27 udp.pl
    -rw-rw----   1 virmax   virmax     13 Nov  7 06:41 virmax-session-0.754337392821075
    -rw-rw----   1 virmax   virmax     13 Nov  7 06:41 virmax-session-0.871513405655609
    -rw-rw----   1 xtremers xtremers   13 Nov 12 15:09 xtremers-session-0.193744128410803
    
    I did a locate for eggdrop and found the following:

    root@server4 [/tmp]# locate eggdrop
    warning: locate: warning: database /var/lib/slocate/slocate.db' is more than 8 days old
    /usr/local/apache/proxy/.dat/doc/man1/eggdrop.1
    /usr/local/apache/proxy/.dat/doc/eggdrop.doc
    /usr/local/apache/proxy/.dat/.local/temp/doc/man1/eggdrop.1
    /usr/local/apache/proxy/.dat/.local/temp/eggdrop-1.6.12
    /usr/local/apache/proxy/.dat/.local/temp/eggdrop
    /usr/local/apache/proxy/.dat/eggdrop-1.6.6
    /usr/local/apache/proxy/.dat/eggdrop
    /usr/local/cpanel/etc/sym/eggdrop.sym
    /var/netenberg/fantastico_de_luxe/master_files/Xoops/uploads/djb/eggdrop.simple.conf
    /var/netenberg/fantastico_de_luxe/master_files/Xoops/uploads/djb/doc/man1/eggdrop.1
    /var/netenberg/fantastico_de_luxe/master_files/Xoops/uploads/djb/eggdrop-1.6.10
    /var/netenberg/fantastico_de_luxe/master_files/Xoops/uploads/djb/eggdrop.advanced.conf
    /var/netenberg/fantastico_de_luxe/master_files/Xoops/uploads/djb/eggdrop.complete.conf
    /var/netenberg/fantastico_de_luxe/master_files/Xoops/uploads/djb/eggdrop
    /var/netenberg/fantastico_de_luxe/master_files/phpCOIN/coin_themes/earthtone/djistra/djb/eggdrop.simple.conf
    /var/netenberg/fantastico_de_luxe/master_files/phpCOIN/coin_themes/earthtone/djistra/djb/doc/man1/eggdrop.1
    /var/netenberg/fantastico_de_luxe/master_files/phpCOIN/coin_themes/earthtone/djistra/djb/eggdrop-1.6.10
    /var/netenberg/fantastico_de_luxe/master_files/phpCOIN/coin_themes/earthtone/djistra/djb/eggdrop.advanced.conf
    /var/netenberg/fantastico_de_luxe/master_files/phpCOIN/coin_themes/earthtone/djistra/djb/eggdrop.complete.conf
    /var/netenberg/fantastico_de_luxe/master_files/phpCOIN/coin_themes/earthtone/djistra/djb/eggdrop
    /home/doogie/public_html/modules/PNphpBB2/files/djbot/eggdrop.simple.conf
    /home/doogie/public_html/modules/PNphpBB2/files/djbot/doc/man1/eggdrop.1
    /home/doogie/public_html/modules/PNphpBB2/files/djbot/eggdrop-1.6.10
    /home/doogie/public_html/modules/PNphpBB2/files/djbot/eggdrop.advanced.conf
    /home/doogie/public_html/modules/PNphpBB2/files/djbot/eggdrop.complete.conf
    /home/doogie/public_html/modules/PNphpBB2/files/djbot/eggdrop
    /home/doogie/public_html/modules/AutoTheme/.users/doc/man1/eggdrop.1
    /home/doogie/public_html/modules/AutoTheme/.users/eggdrop-1.6.12
    /home/doogie/public_html/modules/AutoTheme/.users/eggdrop
    /home/doogie/public_html/pnTemp/djbot/eggdrop.simple.conf
    /home/doogie/public_html/pnTemp/djbot/doc/man1/eggdrop.1
    /home/doogie/public_html/pnTemp/djbot/eggdrop-1.6.10
    /home/doogie/public_html/pnTemp/djbot/eggdrop.advanced.conf
    /home/doogie/public_html/pnTemp/djbot/eggdrop.complete.conf
    /home/doogie/public_html/pnTemp/djbot/eggdrop
    /home/doogie/public_html/themes/USA-1/djb/eggdrop.simple.conf
    /home/doogie/public_html/themes/USA-1/djb/doc/man1/eggdrop.1
    /home/doogie/public_html/themes/USA-1/djb/eggdrop-1.6.10
    /home/doogie/public_html/themes/USA-1/djb/eggdrop.advanced.conf
    /home/doogie/public_html/themes/USA-1/djb/eggdrop.complete.conf
    /home/doogie/public_html/themes/USA-1/djb/eggdrop
    /home/ammo/public_html/modules/PNphpBB2/files/.dat/doc/man1/eggdrop.1
    /home/ammo/public_html/modules/PNphpBB2/files/.dat/doc/eggdrop.doc
    /home/ammo/public_html/modules/PNphpBB2/files/.dat/eggdrop-1.6.6
    /home/ammo/public_html/modules/PNphpBB2/files/.dat/eggdrop


    Specs:
    cPanel 10.x
    Centos 4.2
    APF | BFD | LSM | SIM | Nessus | LES
    (just basic portion of security on server)

    What procedure would I take to find this out? I believe it's a vulnerable script from Fantastico. It's not the first time.

  2. emechanic

    emechanic Member

    my my my

    first off kill all processes running as nobody:

    killall -u nobody    # -u selects processes by owning user; -g would only act on the process group of a process *named* nobody

    go ahead and stop your webserver for a few minutes:

    /etc/init.d/chkservd stop
    /etc/init.d/httpd stop

    then:

    rm -rf /usr/local/apache/proxy/
    touch /usr/local/apache/proxy
    chmod 000 /usr/local/apache/proxy
    chattr +i /usr/local/apache/proxy

    rm -rf /var/netenberg/fantastico_de_luxe/master_files/Xoops/uploads/*

    then update fantastico fo sho man. even then you're gonna need to check out fantastico-related directories for proper permissions.

    get rid of every directory instance of djbot and eggdrop.

    matter of fact man, if you want email me and I'll hook you up no charge.

    tlcoffee at hostingtribe.com
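An added triage helper, not from either post, that applies the rule emechanic's reply relies on (anything the web-server user owns outside its docroots is suspect) to a saved `ls -l` listing like the /tmp one above, and on a live host to that user's processes, so a bot can be tied back to the directory it was launched from. `WEBUSER`, `flag_listing`, `count_flags`, `live_triage` and the sample listing are my own constructions.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Flags entries of an `ls -l`
# listing owned by the web-server user that are executable, C/Perl/shell
# sources or archives, or hidden directories. Names here are my own.

WEBUSER="${WEBUSER:-nobody}"

# flag_listing <file>: prints "reason<TAB>name" for each suspicious entry.
flag_listing() {
    awk -v u="$WEBUSER" '
        NF < 9 { next }                          # skip "total 8.3M" and blank lines
        {
            mode = $1; owner = $3; name = $9
            sub(/[*\/=@]$/, "", name)            # drop ls -F suffixes (tembak* -> tembak)
            if (owner != u) next
            if (mode ~ /^d/ && name ~ /^\./)   print "hidden-dir\t" name
            else if (mode ~ /^-..x/)            print "executable\t" name
            else if (name ~ /\.(pl|c|sh|tgz|tar\.gz)$/) print "source-or-archive\t" name
        }' "$1"
}

# count_flags <file>: number of flagged entries, usable as an alert threshold.
count_flags() { flag_listing "$1" | wc -l | tr -d ' '; }

# live_triage: for every process owned by $WEBUSER show its command line,
# binary, working directory and socket count; the cwd is what ties a bot
# back to the vhost or upload directory it was started from. Needs root.
live_triage() {
    for pid in $(pgrep -u "$WEBUSER"); do
        printf '== pid %s: %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
        printf '   exe: %s\n   cwd: %s\n' "$(readlink "/proc/$pid/exe")" "$(readlink "/proc/$pid/cwd")"
        ls -l "/proc/$pid/fd" 2>/dev/null | grep -c 'socket:' | sed 's/^/   sockets: /'
    done
}

# Constructed sample, trimmed from the /tmp listing quoted in the thread.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
total 8.3M
-rw-r--r--   1 nobody   nobody    18K Nov 13 02:49 03.txt
-rw-rw----   1 alem     alem       13 Nov  8 06:46 alem-session-0.15
drwxr-xr-x   2 nobody   nobody   4.0K Nov 12 23:02 .r/
-rwxr-xr-x   1 nobody   nobody   6.0K Nov 12 16:45 tembak*
-rw-------   1 nobody   nobody   1.3K Nov 12 16:45 tembak.c
-rw-------   1 nobody   nobody   1.2K Nov 12 15:27 udp.pl
EOF
flag_listing "$SAMPLE"
```

Run `live_triage` as root on the affected box; on a clean cPanel host the nobody user should own only httpd workers whose cwd is not a /tmp or upload directory.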
     