From odd 'nobody' process to unusual and malicious IRC traffic


May 29, 2008
We discovered an odd process on our CPanel server, launched from /usr/sbin/sshd, but running under the name "perl" as the user "nobody." It was taking up a lot of CPU time.

Doing an "lsof | grep <PID number>," I found it would periodically open lots of Apache logs, attempt to start listeners on ports 80 and 443, and launch an IRC connection out to

I started up a packet sniffer to see what the IRC traffic was about and I got this conversation ([email protected] is evidently our box responding to queries as an IRC bot):
:[email protected] PRIVMSG #udp :!ssh 22
:[email protected] PRIVMSG #udp :!ssh 80
:[email protected] PRIVMSG #udp :!dns
:[email protected] PRIVMSG #udp :.4Unable to resolve .. .
:[email protected] PRIVMSG #udp :Conexiunea la (22) e in TIME OUT.
:[email protected] PRIVMSG #udp :Conexiunea la (80) e in TIME OUT.
:[email protected] PRIVMSG #udp :.ACTION of.
:[email protected] PRIVMSG #udp :.ACTION @ somn.
:[email protected] PRIVMSG #udp :!ssh 53
:[email protected] PRIVMSG #udp :Conexiunea la (53) este acceptata!
After seeing that traffic, we had enough and did a "kill -9" to get rid of the process.

Now we're seeing a process that is supposedly part of CPanel trying to connect to a myriad of IRC servers:
# lsof -i | grep ircd
chkservd   2327   nobody    0u  IPv4 935805051       TCP> (SYN_SENT)
chkservd   2327   nobody    1u  IPv4 877984138       TCP ***ourIP***:47008-> (ESTABLISHED)
chkservd   2327   nobody    2u  IPv4 877708484       TCP ***ourIP***:44069-> (ESTABLISHED)
chkservd   2327   nobody  396u  IPv4 877852377       TCP ***ourIP***:45815-> (ESTABLISHED)
chkservd   2327   nobody  398u  IPv4 877704785       TCP ***ourIP***:43997-> (ESTABLISHED)
chkservd   2327   nobody  399u  IPv4 877719170       TCP ***another_of_ourIPs***:44211-> (ESTABLISHED)
chkservd   2327   nobody  400u  IPv4 877714142       TCP ***ourIP***:44119-> (ESTABLISHED)
chkservd   2327   nobody  401u  IPv4 877730070       TCP ***yet another_of_ourIPs***:44289-> (ESTABLISHED)
There are several IP addresses configured on the server and these connection attempts are actually being made from different ones--not just the default.

I've run rootkit finders and some clamscans and I've come up with nothing. chkservd is not configured for any IRC services. Any ideas, gentlemen?
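The captured conversation above follows the plain IRC message shape (`:prefix PRIVMSG target :text`), and the controller's commands share a simple grammar (`!ssh 22`, `!dns`) while the bot answers with fixed Romanian status strings. The script below, added here as an example and not part of the original post, parses such captured lines, strips mIRC colour codes, and separates controller commands from bot replies so a responder can see at a glance which ports the bot was asked to probe. The sample lines are constructed to mirror the capture; the `nick!user@host` prefixes were redacted in the post, so `ctl!op@host.example` and `bot!nobody@host.example` are placeholders.

```python
"""Classify IRC bot command-and-control chatter in captured PRIVMSG lines.

Added example (not from the forum thread). The SAMPLE lines are constructed
to mirror the captured conversation; the nick!user@host prefixes are placeholders.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 1459 message shape: ":<prefix> PRIVMSG <target> :<text>"
PRIVMSG_RE = re.compile(r"^:(?P<prefix>\S+) PRIVMSG (?P<target>\S+) :(?P<text>.*)$")

# Controller command grammar seen in the capture: "!<verb> [port]", e.g. "!ssh 22", "!dns".
BOT_CMD_RE = re.compile(r"^!(?P<verb>[a-z]+)(?:\s+(?P<port>\d{1,5}))?\s*$")

# Status strings the bot echoed back (quoted in the thread). Assumption: fixed templates.
BOT_REPLY_RE = re.compile(r"^Conexiunea la \((?P<port>\d+)\) (?:e in TIME OUT|este acceptata)")


@dataclass
class Finding:
    kind: str            # "command" (from the controller) or "reply" (from the bot)
    channel: str
    verb: Optional[str]
    port: Optional[int]
    raw: str


def strip_ctrl(text: str) -> str:
    """Remove mIRC formatting codes: \\x03 colour (with optional fg,bg digits), bold, underline, reset, reverse."""
    return re.sub(r"\x03\d{0,2}(?:,\d{1,2})?|[\x02\x1f\x0f\x16]", "", text)


def analyse(lines: List[str]) -> List[Finding]:
    """Return one Finding per PRIVMSG line that matches the command or reply grammar."""
    findings = []
    for raw in lines:
        m = PRIVMSG_RE.match(raw.strip())
        if not m:
            continue
        text = strip_ctrl(m.group("text"))
        cmd = BOT_CMD_RE.match(text)
        if cmd:
            port = int(cmd.group("port")) if cmd.group("port") else None
            findings.append(Finding("command", m.group("target"), cmd.group("verb"), port, raw))
            continue
        rep = BOT_REPLY_RE.match(text)
        if rep:
            findings.append(Finding("reply", m.group("target"), None, int(rep.group("port")), raw))
    return findings


def scanned_ports(findings: List[Finding]) -> List[int]:
    """Ports the controller asked the bot to probe, in order of first appearance."""
    seen: List[int] = []
    for f in findings:
        if f.kind == "command" and f.port is not None and f.port not in seen:
            seen.append(f.port)
    return seen


# Constructed sample modelled on the captured conversation (prefixes are placeholders).
SAMPLE = [
    ":ctl!op@host.example PRIVMSG #udp :!ssh 22",
    ":ctl!op@host.example PRIVMSG #udp :!ssh 80",
    ":ctl!op@host.example PRIVMSG #udp :!dns",
    ":bot!nobody@host.example PRIVMSG #udp :\x034Unable to resolve .. .",
    ":bot!nobody@host.example PRIVMSG #udp :Conexiunea la (22) e in TIME OUT.",
    ":bot!nobody@host.example PRIVMSG #udp :Conexiunea la (80) e in TIME OUT.",
    ":bot!nobody@host.example PRIVMSG #udp :\x01ACTION of.\x01",
    ":ctl!op@host.example PRIVMSG #udp :!ssh 53",
    ":bot!nobody@host.example PRIVMSG #udp :Conexiunea la (53) este acceptata!",
    ":alice!a@host.example PRIVMSG #chat :hello there",   # benign chatter, not flagged
]

if __name__ == "__main__":
    results = analyse(SAMPLE)
    for f in results:
        print(f"{f.kind:8} {f.channel:6} verb={f.verb} port={f.port}")
    print("ports probed on the bot's behalf:", scanned_ports(results))
```

Feeding the same function the output of a sniffer that prints one IRC line per row (tcpdump -A piped through a line filter, for instance) turns the capture into a short list of what the controller asked the compromised host to do, which is what you want in the incident notes before the process is killed.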


Well-Known Member
Jul 21, 2002
This looks like a perl IRC bot which usually gets uploaded to a user's web space and run remotely. Virus scanners won't pick that type of thing up since it's not a virus. Upload Guardian will.

Also having Nobody Check installed is a good idea to keep an eye on your nobody/web user processes.
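The symptoms in the original post (a process showing up as `perl`, `/usr/sbin/sshd` or `chkservd` while running as `nobody`) are exactly what a "nobody check" should catch: the name a process reports is just `argv[0]` and is trivially forged, but `/proc/<pid>/exe` points at the binary actually mapped. The script below is an added example, not the Nobody Check tool mentioned above; it snapshots `/proc` on Linux and flags web-user processes whose name does not match their binary, that run a script interpreter, or whose parent is not the web server. The `nobody` UIDs and web server names are assumptions to adjust per host, and the sample records are constructed.

```python
"""Flag web-user ('nobody') processes that masquerade as something else.

Added example, not the Nobody Check tool from the thread. Reads /proc on
Linux; the SAMPLE_PROCS records are constructed for an offline demonstration.
"""
import os
from dataclasses import dataclass
from typing import Dict, List

# Assumptions to adjust per host: 'nobody' is uid 99 on RHEL-style and 65534 on Debian-style systems.
WEB_USER_UIDS = {99, 65534}
WEB_SERVER_NAMES = {"httpd", "apache2"}
INTERPRETERS = {"perl", "python", "sh", "bash"}


@dataclass
class Proc:
    pid: int
    ppid: int
    uid: int
    comm: str          # /proc/<pid>/comm: the name ps shows, forgeable via argv[0], max 15 chars
    exe: str           # readlink /proc/<pid>/exe: the binary really mapped ("" if unreadable)
    parent_comm: str   # comm of the parent process


def classify(p: Proc) -> List[str]:
    """Return the reasons a web-user process looks suspicious (empty list = nothing to report)."""
    reasons: List[str] = []
    if p.uid not in WEB_USER_UIDS:
        return reasons
    exe_base = os.path.basename(p.exe)
    # 1. argv[0] spoofing: calls itself 'chkservd' or 'sshd' but the mapped binary is something else.
    #    startswith() tolerates comm being truncated to 15 characters.
    if exe_base and p.comm != exe_base and not exe_base.startswith(p.comm):
        reasons.append(f"name '{p.comm}' does not match binary '{p.exe}'")
    # 2. a script interpreter running as the web user, the usual shape of an uploaded bot.
    #    rstrip() folds 'perl5.8.8' or 'python3.11' down to the interpreter name.
    if exe_base.rstrip("0123456789.") in INTERPRETERS:
        reasons.append(f"interpreter '{exe_base}' running as web user")
    # 3. web-user process not under the web server, e.g. daemonised and reparented to init.
    if p.parent_comm not in WEB_SERVER_NAMES:
        reasons.append(f"parent '{p.parent_comm}' is not the web server")
    return reasons


def suspicious(procs: List[Proc]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every process that classify() flags."""
    return {p.pid: classify(p) for p in procs if classify(p)}


def read_comm(pid: int) -> str:
    try:
        with open(f"/proc/{pid}/comm") as fh:
            return fh.read().strip()
    except OSError:
        return ""


def snapshot() -> List[Proc]:
    """Collect Proc records from /proc (Linux only); entries that vanish mid-read are skipped."""
    procs: List[Proc] = []
    for ent in os.listdir("/proc"):
        if not ent.isdigit():
            continue
        pid = int(ent)
        try:
            with open(f"/proc/{pid}/status") as fh:
                fields = {k: v.strip() for k, v in (ln.split(":", 1) for ln in fh if ":" in ln)}
            uid = int(fields["Uid"].split()[0])
            ppid = int(fields["PPid"])
        except (OSError, KeyError, ValueError):
            continue
        try:
            exe = os.readlink(f"/proc/{pid}/exe")      # needs root for other users' processes
        except OSError:
            exe = ""
        procs.append(Proc(pid, ppid, uid, fields.get("Name", ""), exe, read_comm(ppid)))
    return procs


# Constructed records. The first mirrors the thread's 'chkservd' process running as nobody;
# the interpreter path is an assumption, since the post does not show the mapped binary.
SAMPLE_PROCS = [
    Proc(2327, 1, 99, "chkservd", "/usr/bin/perl5.8.8", "init"),
    Proc(4120, 4001, 99, "httpd", "/usr/sbin/httpd", "httpd"),      # ordinary Apache worker
    Proc(4133, 4120, 99, "php-cgi", "/usr/bin/php-cgi", "httpd"),   # CGI spawned by Apache
    Proc(912, 1, 0, "sshd", "/usr/sbin/sshd", "init"),               # root daemon, out of scope
]

if __name__ == "__main__":
    for pid, reasons in suspicious(snapshot() if os.path.isdir("/proc") else SAMPLE_PROCS).items():
        print(pid, "; ".join(reasons))
```

Run it from cron as root and mail the output; on a clean cPanel box the list is normally empty, so any line at all is worth a look, and the mismatch between `comm` and `exe` is the one check a renamed perl script cannot defeat without far more effort than the usual shell bot puts in.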


Well-Known Member
May 28, 2005
Buddy, you are another victim of the shell bot kiddies.
This may have happened because one of your customers has a vulnerable site with a remote file inclusion bug.

One good idea is to activate mod_security or Snort inline to prevent these intrusions.

If you are infected with these perl bots, your box will be available to be used like a gun against any target, shooting a lot of Gbps at someone.

The use of a very good IDS, constantly updated, is one of the best practices, I think, to prevent this kind of trouble.

Best Regards