The Community Forums

Interact with an entire community of cPanel & WHM users!

IRC Tracking

Discussion in 'General Discussion' started by Need4Host, Sep 1, 2006.

  1. Need4Host

    Need4Host Member

    Joined:
    Dec 22, 2005
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Hello.
    We are running a FreeBSD 5.4 server under cPanel
    We are having a bad problem- a client we cannot track is running IRC applications.
    Is there a script that will track where from IRC scripts are being executed?
    Default WHM IRC process killer doesn't help.
    Thanks
     
  2. NightStorm

    NightStorm Well-Known Member

    Joined:
    Jul 28, 2003
    Messages:
    286
    Likes Received:
    4
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Twitter:
    Your first step is to shut his traffic down. Block standard IRC ports (6667-6669 and 7000 are common) to incoming and outgoing TCP traffic.
    Is he running a bot, or a server? This is easiest to know by checking if you have traffic leaving your server for port 6667 (a bot), or coming into your server on port 6667 (an IRC server). If you can supply this info, it'll be a lot easier to help with tracking down the user.

    Try a simple (from SSH) ps -aux | grep irc
    See if anything comes up.

    Also try netstat -l --numeric-ports -p |grep 666
    This will tell you if any program is listening on port 666*, and if so, what port, what PID it is running under, and what the program is called. If you suspect a bot, or other outgoing connections (as in, your server is connecting to somewhere else, as opposed to someone else connecting to you), just remove the -l and it will list off incoming.
    If that returns something, then type in "locate <process>" and see where it's at.
     
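    The checks above (ps and netstat for anything talking to the 666x ports) can be turned into a repeatable script. The following is an added example, not code from NightStorm's post or from cPanel: a POSIX sh script that reads a FreeBSD `sockstat -4`-style listing on stdin and reports which processes have a foreign end on an IRC port, how many of them go to the same remote endpoint, and the PIDs to follow up on. The column layout (USER COMMAND PID FD PROTO LOCAL FOREIGN), the port list and the sample listing are assumptions; the sample uses RFC 5737 documentation addresses, not real hosts. On Linux, `netstat -tnp` has a different column order and would need a different awk field.

```sh
#!/bin/sh
# Added example (not from the thread): find connections to IRC ports in a
# FreeBSD `sockstat -4` style listing read from stdin. Assumed columns:
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
# Live use: sockstat -4 | irc_remote_counts

IRC_PORTS='6667|6668|6669|7000'   # ports named earlier in the thread

# Constructed sample, shaped like the listing posted in this thread.
# Addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
nobody   perl5.8.8  2734  3  tcp4   192.0.2.10:64935      198.51.100.20:6667
nobody   perl5.8.8  2677  3  tcp4   192.0.2.10:64947      198.51.100.20:6667
www      httpd      901   4  tcp4   192.0.2.10:80         203.0.113.7:51234
nobody   perl5.8.8  2451  3  tcp4   192.0.2.10:65086      198.51.100.30:6667
root     sshd       512   4  tcp4   192.0.2.10:22         203.0.113.9:40001'

# Print "user command pid foreign-endpoint" for every socket whose foreign
# port is one of IRC_PORTS. The header line has no such port and is skipped.
irc_connections() {
    awk -v ports="$IRC_PORTS" '
        NF >= 7 {
            n = split($7, a, ":"); port = a[n]
            if (port ~ ("^(" ports ")$")) print $1, $2, $3, $7
        }'
}

# Count IRC connections per remote endpoint. Many processes all on one server
# looks more like a web-to-IRC gateway than a bot, which joins a network once.
irc_remote_counts() {
    irc_connections | awk '{ c[$4]++ } END { for (r in c) print c[r], r }' | sort -rn
}

# PIDs only, one per line, ready for lsof -p / procstat -f follow-up.
irc_pids() {
    irc_connections | awk '{ print $3 }' | sort -un
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SOCKSTAT" | irc_remote_counts
```

The port match is applied to the foreign column only, so a local IRC server listening on 6667 (incoming traffic, NightStorm's "server" case) would not show here; for that case check the local column instead.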
  3. chae

    chae Well-Known Member

    Joined:
    Apr 19, 2003
    Messages:
    145
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Auckland, New Zealand
    Hi Yah,

    This is what I get:-

    root@k [~]# ps -aux | grep irc
    root 25557 0.0 0.0 4372 628 pts/0 S 06:13 0:00 grep irc
    root@k [~]# ps -aux | grep irc
    root 25678 0.0 0.0 4372 628 pts/0 S 06:14 0:00 grep irc
    root@k [~]# ps -aux | grep irc
    root 25725 0.0 0.0 4372 628 pts/0 S 06:14 0:00 grep irc

    netstat -l --numeric-ports -p |grep 666
    This shows nothing
     
  4. Need4Host

    Need4Host Member

    Joined:
    Dec 22, 2005
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Any other ideas about the problem?
     
  5. NightStorm

    NightStorm Well-Known Member

    Joined:
    Jul 28, 2003
    Messages:
    286
    Likes Received:
    4
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Twitter:
    Well, you've piqued my curiosity. How do you know they are running IRC applications? Who informed you, and what was it they showed you at the time to inform you of this? Were there ports mentioned anywhere?
    At the moment, we're kind of shooting blindfolded... all I have to guess on is that you have said they are IRC based... no mention of it being a server or chat bot, whether it was incoming or outgoing, what it's doing at the time...
    The more info I can get, the easier it will be to work out. Especially over a message board, as opposed to a more hands-on environment.
     
  6. Need4Host

    Need4Host Member

    Joined:
    Dec 22, 2005
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    nobody perl5.8.8 2734 3 tcp4 72.*****:64935 64.57.64.20:6667
    nobody perl5.8.8 2677 3 tcp4 72.*****:64947 64.57.64.20:6667
    nobody perl5.8.8 2451 3 tcp4 72.*****:65086 209.194.54.12:6667
    nobody perl5.8.8 2439 3 tcp4 72.*****:64616 64.57.64.20:6667
    nobody perl5.8.8 2396 3 tcp4 72.*****:64614 64.57.64.20:6667
    nobody perl5.8.8 2000 3 tcp4 72.*****:64684 64.57.64.20:6667
    nobody perl5.8.8 1983 3 tcp4 72.*****:64707 64.57.64.20:6667
    nobody perl5.8.8 1159 3 tcp4 72.*****:64936 64.57.64.20:6667
    nobody perl5.8.8 1140 3 tcp4 72.*****:64683 64.57.64.20:6667
    nobody perl5.8.8 1131 3 tcp4 72.*****:64685 64.57.64.20:6667
    nobody perl5.8.8 1082 3 tcp4 72.*****:53838 64.57.64.20:6667
     
  7. NightStorm

    NightStorm Well-Known Member

    Joined:
    Jul 28, 2003
    Messages:
    286
    Likes Received:
    4
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Twitter:
    Your first step then will be to shut down the outgoing connections.
    /sbin/iptables -A OUTPUT -p tcp -m tcp --dport 6667 -j DROP
    You'll want to lsof -p PID the below list of PIDs... assuming they are still running. This should tell you a lot of info about the process, like what files it is calling, what ports it is using (and listening on if necessary)

    2734
    2677
    2451
    2439
    2396
    2000
    1983
    1159
    1140
    1131
    1082

    I also suggest checking your /tmp directory for any stray perl scripts that may have been uploaded and executed without your permission.
    You are certain that this is a script, and not someone running cgi:irc from their website, correct?
     
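    The /tmp check suggested above can also be scripted. This is an added example, not code from NightStorm's post or from cPanel: a POSIX sh function that walks a directory (dotfiles included, since `find` does not skip them) and reports files that name perl on their first line and contain IRC protocol strings in the body. The keyword list is a hypothetical heuristic chosen for this example, so every hit still needs a look by hand; the sample directory is constructed so the check can be exercised offline.

```sh
#!/bin/sh
# Added example (not from the thread): list files under a directory that have a
# perl shebang and contain IRC protocol strings, the kind of stray script
# suggested above for /tmp.  Run as:  find_perl_irc_scripts /tmp
# The keyword list is a heuristic (hypothetical); review hits manually.

find_perl_irc_scripts() {
    dir="$1"
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        # perl interpreter named on the first line (shebang)
        if head -n 1 "$f" 2>/dev/null | grep -q 'perl'; then
            # IRC commands or the default IRC port mentioned in the body
            if grep -Eqi 'PRIVMSG|NICK |JOIN #|:6667' "$f"; then
                printf '%s\n' "$f"
            fi
        fi
    done
}

# Build a constructed sample tree so the check can be tried without touching /tmp.
make_sample_dir() {
    d=$(mktemp -d)
    # hidden perl file that mentions an IRC host and command -> should be reported
    printf '#!/usr/bin/perl\n# connects to irc.example.invalid:6667 and answers PRIVMSG\n' > "$d/.cache.pl"
    # ordinary perl script with no IRC strings -> ignored
    printf '#!/usr/bin/perl\nprint "hello\\n";\n' > "$d/ok.pl"
    # not perl at all, even though it mentions the port number -> ignored
    printf 'port 6667 mentioned in plain text\n' > "$d/notes.txt"
    printf '%s\n' "$d"
}

# Demonstration on the constructed sample.
sample=$(make_sample_dir)
find_perl_irc_scripts "$sample"
rm -rf "$sample"
```

Pairing the file list with the PIDs from `lsof -p` (which shows each process's open files and current directory) is the quickest way to tie a running perl process back to the script it was started from, and from there to the account that owns that path.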
  8. felosi

    felosi Active Member

    Joined:
    Aug 27, 2006
    Messages:
    39
    Likes Received:
    0
    Trophy Points:
    6
    looks like cgi irc or maybe a perl bot.
    But I thought cgi irc just used your own connection to connect to the irc?
    Either way, if it is connecting to a public server that can be bad, but if it's just someone with a gateway, and your dc allows it, leave them be.
     
  9. NightStorm

    NightStorm Well-Known Member

    Joined:
    Jul 28, 2003
    Messages:
    286
    Likes Received:
    4
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Twitter:
    No, cgi:irc uses the standard HTTP port to connect to IRC. It's a gateway between your port 80 web browser and the IRC server (running on port 6667). This is why it is suggested that people behind firewalls use cgi:irc to connect to a chat server, as it will bypass most filtered internal ports. From a server admin perspective, the user will have the hostname of whichever site they connected from (the default hostname for that IP, anyway), unless they have patched their server (the newest UnrealIRCD comes pre-patched now) and configured the cgi:irc to specifically echo the user's IP address to the network. Either way, it's a connection between the webserver and the chat server. Which is why this is the higher likelihood, seeing as the data center has not yet terminated her account for outgoing DDoS traffic. The other thing leaning me towards cgi:irc is the number of perl processes connected to a single server. A DDoS bot normally won't connect more than once to the same place.
    Try "locate cgiirc.config"
     