From odd 'nobody' process to unusual and malicious IRC traffic

[jasonb3t]

We discovered an odd process on our CPanel server, launched from /usr/sbin/sshd, but running under the name "perl" as the user "nobody." It was taking up a lot of CPU time.

Doing an "lsof | grep <PID number>," I found it would periodically open lots of Apache logs, attempt to start listeners on ports 80 and 443, and launch an IRC connection out to quakenet2.blueyonder.net.

I started up a packet sniffer to see what the IRC traffic was about and I got this conversation ([email protected] is evidently our box responding to queries as an IRC bot):

PING :blueyonder2.uk.quakenet.org
PONG :blueyonder2.uk.quakenet.org
:[email protected] PRIVMSG #udp :!ssh 77.81.160.1 22
:[email protected] PRIVMSG #udp :!ssh 77.81.160.1 80
:[email protected] PRIVMSG #udp :!dns 77.81.160.1
:[email protected] PRIVMSG #udp :.4Unable to resolve ..77.81.160.1. .
:[email protected] PRIVMSG #udp :Conexiunea la 77.81.160.1 (22) e in TIME OUT.
:[email protected] PRIVMSG #udp :Conexiunea la 77.81.160.1 (80) e in TIME OUT.
:[email protected] PRIVMSG #udp :.ACTION of.
:[email protected] PRIVMSG #udp :.ACTION @ somn.
:[email protected] PRIVMSG #udp :!ssh 77.81.160.1 53
:[email protected] PRIVMSG #udp :Conexiunea la 77.81.160.1 (53) este acceptata!
PING :blueyonder2.uk.quakenet.org
PONG :blueyonder2.uk.quakenet.org
PING :blueyonder2.uk.quakenet.org
PONG :blueyonder2.uk.quakenet.org

After seeing that traffic, we had enough and did a "kill -9" to get rid of the process.

Now we're seeing a process that supposedly part of CPanel trying to connect to a myriad of IRC servers:

# lsof -i | grep ircd
chkservd   2327   nobody    0u  IPv4 935805051       TCP 172.16.0.10:52547->gw-vlan-264.drX-asd2.nl.euro.net:ircd (SYN_SENT)
chkservd   2327   nobody    1u  IPv4 877984138       TCP ***ourIP***:47008->irc.rcn.com:ircd (ESTABLISHED)
chkservd   2327   nobody    2u  IPv4 877708484       TCP ***ourIP***:44069->irc.rcn.com:ircd (ESTABLISHED)
chkservd   2327   nobody  396u  IPv4 877852377       TCP ***ourIP***:45815->irc.rcn.com:ircd (ESTABLISHED)
chkservd   2327   nobody  398u  IPv4 877704785       TCP ***ourIP***:43997->irc.rcn.com:ircd (ESTABLISHED)
chkservd   2327   nobody  399u  IPv4 877719170       TCP ***another_of_ourIPs***:44211->irc.rcn.com:ircd (ESTABLISHED)
chkservd   2327   nobody  400u  IPv4 877714142       TCP ***ourIP***:44119->irc.rcn.com:ircd (ESTABLISHED)
chkservd   2327   nobody  401u  IPv4 877730070       TCP ***yet another_of_ourIPs***:44289->irc.rcn.com:ircd (ESTABLISHED)

There are several IP addresses configured on the server and these connection attempts are actually being made from different ones--not just the default.

I've run rootkit finders and some clamscans and I've come up with nothing. chkservd is not configured for any IRC services. Any ideas, gentlemen?

 

[ramprage]

This looks like a perl IRC bot which usually gets uploaded to a users web space and run remotely. Virus scanners won't pick that type of thing up since it's not a virus. Upload Guardian will.

Also having Nobody Check installed is a good idea to keep an eye on your nobody/web user processes.

 

[IPSecureNetwork]

buddy you are another victim of the Shell Bots kiddies..
this maybe happend because one of your customers have a vulnerable site with a remote file inclusion bug.

one good idea is activate mod_security or snort inline to prevent this intrussions ..

if you are infected with this perl bots your box will be available to be used like a gun against any target shotting a lot of Gbps to someone.

the use of a very good ids constantly updated is one of the best practice i think to prevent this kind of troubles.

Best Regards