major problem with eggdrop / crontab maybe

chadi

BANNED
Apr 20, 2004
415
0
166
I am not sure what this is here but I've been getting these emails constantly, about 3-4 every ten minutes. Copies of the emails are below:

Couldn't find bot 'Fandy' running, reloading...

==> Fakename: /usr/local/apache/bin/httpd -DSSL PidNum: 19746
[21:20] --- Loading eggdrop v1.6.1+IPv6-Akke (Sat Sep 25 2004)
[21:20] Module loaded: transfer
[21:20] Listening at telnet port 9999 (users)
[21:20] Module loaded: channels
[21:20] Module loaded: server
[21:20] Module loaded: ctcp
[21:20] Module loaded: irc
[21:20] Module loaded: share
[21:20] Module loaded: filesys (with lang support)
[21:20] Module loaded: notes (with lang support)
[21:20] Module loaded: console (with lang support)
[21:20] Module loaded: blowfish
[21:20] Module loaded: assoc (with lang support)
[21:20] Module loaded: wire (with lang support)
[21:20] Tcl error in file 'a':
[21:20] invalid command name "proc_msgshowallinfo"
while executing
"proc_msgshowallinfo {nick uhost hand rest} {
global nick nickpass realname owner kops my-ip banner cycle_random
global notc notm logstore cfgfile ban-..."
(file "scripts/ary.tcl" line 679)
invoked from within
"source scripts/ary.tcl"
[21:20] * CONFIG FILE NOT LOADED (NOT FOUND, OR ERROR)
[21:20] 3
[21:20] Attempt to kill un-allocated socket 3 !!

Eggdrop v1.6.1+IPv6-Akke (c)1997 Robey Pointer (c)1999, 2000 Eggheads, IPv6
support by Akke


Couldn't find bot 'psfonts' running, reloading...

==> Fakename: /usr/local/apache/bin/httpd -DSSL PidNum: 19754
[21:20] --- Loading eggdrop v1.6.1+IPv6-Akke (Sat Sep 25 2004)
[21:20] Module loaded: transfer
[21:20] Listening at telnet port 9999 (users)
[21:20] Module loaded: channels
[21:20] Module loaded: server
[21:20] Module loaded: ctcp
[21:20] Module loaded: irc
[21:20] Module loaded: share
[21:20] Module loaded: filesys (with lang support)
[21:20] Module loaded: notes (with lang support)
[21:20] Module loaded: console (with lang support)
[21:20] Module loaded: blowfish
[21:20] Module loaded: assoc (with lang support)
[21:20] Module loaded: wire (with lang support)
[21:20] Tcl error in file 'b':
[21:20] invalid command name "proc_msgshowallinfo"
while executing
"proc_msgshowallinfo {nick uhost hand rest} {
global nick nickpass realname owner kops my-ip banner cycle_random
global notc notm logstore cfgfile ban-..."
(file "scripts/ary.tcl" line 679)
invoked from within
"source scripts/ary.tcl"
[21:20] * CONFIG FILE NOT LOADED (NOT FOUND, OR ERROR)
[21:20] 3
[21:20] Attempt to kill un-allocated socket 3 !!

Eggdrop v1.6.1+IPv6-Akke (c)1997 Robey Pointer (c)1999, 2000 Eggheads, IPv6
support by Akke


Couldn't find bot 'D00r' running, reloading...

==> Fakename: /usr/local/apache/bin/httpd -DSSL PidNum: 19751
[21:20] --- Loading eggdrop v1.6.1+IPv6-Akke (Sat Sep 25 2004)
[21:20] Module loaded: transfer
[21:20] Listening at telnet port 9999 (users)
[21:20] Module loaded: channels
[21:20] Module loaded: server
[21:20] Module loaded: ctcp
[21:20] Module loaded: irc
[21:20] Module loaded: share
[21:20] Module loaded: filesys (with lang support)
[21:20] Module loaded: notes (with lang support)
[21:20] Module loaded: console (with lang support)
[21:20] Module loaded: blowfish
[21:20] Module loaded: assoc (with lang support)
[21:20] Module loaded: wire (with lang support)
[21:20] Tcl error in file 'c':
[21:20] invalid command name "proc_msgshowallinfo"
while executing
"proc_msgshowallinfo {nick uhost hand rest} {
global nick nickpass realname owner kops my-ip banner cycle_random
global notc notm logstore cfgfile ban-..."
(file "scripts/ary.tcl" line 679)
invoked from within
"source scripts/ary.tcl"
[21:20] * CONFIG FILE NOT LOADED (NOT FOUND, OR ERROR)
[21:20] 3

Eggdrop v1.6.1+IPv6-Akke (c)1997 Robey Pointer (c)1999, 2000 Eggheads, IPv6
support by Akke


----
For the record, I've checked all background process killers in WHM, checked "prevent nobody from sending emails...", enabled open_basedir, enabled mod_userdir, disabled compilers tweak, enabled suexec. What else can I do here to stop whatever this nonsense is?
 

StevenC

Well-Known Member
Jan 1, 2004
252
0
166
Well it looks like you were exploited.

cd /usr/local/apache/domlogs
grep wget *
 

AbeFroman

BANNED
Feb 16, 2002
644
1
318
Type
uname -r
netstat -lntp

Paste the results here.

Also, download, install, and run RootKit Hunter.

It looks like you have a RootKit installed. Make sure you have a backup of everything. You may have to reinstall the OS but you can probably save it.

You can email me directly at [email protected] for help.
 

chadi

BANNED
Apr 20, 2004
415
0
166
Results:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 10575/stunnel-4.04l
tcp 0 0 0.0.0.0:1 0.0.0.0:* LISTEN 1927/portsentry
tcp 0 0 0.0.0.0:2082 0.0.0.0:* LISTEN 10554/cpsrvd - wait
tcp 0 0 0.0.0.0:2083 0.0.0.0:* LISTEN 10575/stunnel-4.04l
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 10575/stunnel-4.04l
tcp 0 0 0.0.0.0:2084 0.0.0.0:* LISTEN 10368/entropychat
tcp 0 0 0.0.0.0:6693 0.0.0.0:* LISTEN 1787/sendmail: acce
tcp 0 0 0.0.0.0:2086 0.0.0.0:* LISTEN 10554/cpsrvd - wait
tcp 0 0 0.0.0.0:2087 0.0.0.0:* LISTEN 10575/stunnel-4.04l
tcp 0 0 0.0.0.0:6666 0.0.0.0:* LISTEN 10366/startmelange
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1515/mysqld
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 10351/cppop - accep
tcp 0 0 0.0.0.0:2095 0.0.0.0:* LISTEN 10554/cpsrvd - wait
tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN 29869/spamd -d
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1927/portsentry
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 1222/xinetd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 27207/httpd
tcp 0 0 0.0.0.0:2096 0.0.0.0:* LISTEN 10575/stunnel-4.04l
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 29813/exim
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 1231/vsftpd
tcp 0 0 69.9.174.2:53 0.0.0.0:* LISTEN 1188/named
tcp 0 0 69.9.174.15:53 0.0.0.0:* LISTEN 1188/named
tcp 0 0 69.9.174.14:53 0.0.0.0:* LISTEN 1188/named
tcp 0 0 69.9.174.13:53 0.0.0.0:* LISTEN 1188/named
tcp 0 0 69.9.174.12:53 0.0.0.0:* LISTEN 1188/named
tcp 0 0 69.9.174.11:53 0.0.0.0:* LISTEN 1188/named
tcp 0 0 69.9.174.10:53 0.0.0.0:* LISTEN 1188/named
tcp 0 0 69.9.174.9:53 0.0.0.0:* LISTEN 1188/named
tcp 0 0 69.9.174.8:53 0.0.0.0:* LISTEN 1188/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1188/named
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1209/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 29808/exim
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1188/named
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 27207/httpd
 

chadi

BANNED
Apr 20, 2004
415
0
166
RootKit Hunter results:

Rootkit Hunter 1.1.1 is running

Determining OS... Ready


Checking binaries
* Selftests
Strings (command) [ OK ]


* System tools
Info: prelinked files found
Performing 'known good' check...
/usr/bin/find [ OK ]
/usr/bin/file [ OK ]
/usr/sbin/prelink: "/usr/bin/groups" is not an ELF file
/usr/bin/groups [ OK ]
/usr/bin/kill [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/users [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
/bin/mount [ OK ]
/bin/netstat [ OK ]
/bin/egrep [ OK ]
/bin/fgrep [ OK ]
/bin/grep [ OK ]
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/env [ OK ]
/bin/ls [ OK ]
/bin/su [ OK ]
/bin/ps [ OK ]
/bin/dmesg [ OK ]
/bin/kill [ OK ]
/bin/login [ OK ]
/sbin/chkconfig [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/modinfo [ OK ]
/sbin/sysctl [ OK ]
/sbin/syslogd [ OK ]
/sbin/init [ OK ]
/sbin/runlevel [ OK ]

* Suspicious files and malware
Scanning for known rootkit files [ OK ]
Miscellaneous Login backdoors [ OK ]
Miscellaneous directories [ OK ]
Sniffer logs [ OK ]

[Press <ENTER> to continue]


* Trojan specific characteristics
shv4
Checking /etc/rc.d/rc.sysinit
Test 1 [ Clean ]
Test 2 [ Clean ]
Test 3 [ Clean ]
Checking /etc/inetd.conf [ Clean ]

* Suspicious file properties
chmod properties
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
Script replacements
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]

* OS dependant tests

Linux
Checking loaded kernel modules... [ OK ]


Networking
* Check: frequently used backdoors
Port 2001: Scalper Rootkit [ OK ]
Port 2006: CB Rootkit [ OK ]
Port 2128: MRK [ OK ]
Port 14856: Optic Kit (Tux) [ OK ]
Port 47107: T0rn Rootkit [ OK ]
Port 60922: zaRwT.KiT [ OK ]

* Interfaces
Scanning for promiscuous interfaces [ OK ]

System checks
* Allround tests
Checking hostname... Found. Hostname is host.nibuhadns.com
Checking for differences in user accounts... [ NA ]
Checking for differences in user groups... Creating file It seems this is your first time.
Checking rc.local file...
- /etc/rc.local [ OK ]
- /etc/rc.d/rc.local [ OK ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]
Checking rc.d files...
Processing........................................
........................................
........................................
........................................
........................................
........................................
........................................
........................................
.............
Result rc.d files check [ OK ]
Checking history files
Bourne Shell [ OK ]

* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ OK ]

[Press <ENTER> to continue]



Security advisories
* Check: Groups and Accounts
Searching for /etc/passwd... [ Found ]
Checking users with UID '0' (root)... [ OK ]

* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... [ OK (Remote root login disabled) ]
Checking for allowed protocols... [ Warning (SSH v1 allowed) ]

* Check: Events and Logging
Search for syslog configuration... found
Checking for running syslog slave... [ OK ]
Checking for logging to remote system... [ OK (no remote logging) ]


---------------------------- Scan results ----------------------------

MD5
MD5 compared: 41
Incorrect MD5 checksums: 0

File scan
Scanned files: 309
Possible infected files: 0
Possible rootkits:

Scanning took 44 seconds
 

AbeFroman

BANNED
Feb 16, 2002
644
1
318
Thanks, now do
uname -r

You can get rootkit hunter here:
http://www.rootkit.nl/projects/rootkit_hunter.html

It looks like they have eggdrop or something running on port 6693 claiming to be sendmail:
tcp 0 0 0.0.0.0:6693 0.0.0.0:* LISTEN 1787/sendmail: acce

Please type
cat /proc/1787/cmdline
cat /proc/1787/environ

and paste the output here.
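The point of the two cat commands above is that a process can call itself anything it likes in its command line, but /proc still records where its binary and working directory really are. As an added example (not code from any poster in this thread), the Python script below walks a /proc tree and flags processes whose exe, cwd or PWD lives in a user-writable, hidden or deleted path. The /proc snapshot it builds is constructed to resemble the thread's case: the path under public_html and the `_=./proc` entry come from the pasted environ, while the exe name and the contrasting exim process are assumptions.

```python
"""Added example: flag processes whose claimed name does not match where they
actually run, using cmdline and environ (as asked for above) plus the exe and
cwd links. The sample /proc tree is constructed, not taken from a live host."""
import os
import tempfile

# Places a daemon calling itself sendmail or httpd has no business running
# from (assumption: a cPanel-style host with accounts under /home/<user>).
USER_WRITABLE = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")


def _read(path):
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return b""


def _link(path):
    try:
        return os.readlink(path)
    except OSError:
        return ""


def _suspicious_path(path):
    """True if the path is user-writable, has a hidden ('.') component, or
    points at a binary that was deleted after it started running."""
    if not path:
        return False
    if path.endswith(" (deleted)"):
        return True
    if path.startswith(USER_WRITABLE):
        return True
    return any(part.startswith(".") for part in path.split("/") if part)


def scan_proc(proc_root="/proc"):
    """Return one finding per process whose exe, cwd or PWD looks wrong."""
    findings = []
    for pid in sorted(os.listdir(proc_root)):
        if not pid.isdigit():
            continue
        base = os.path.join(proc_root, pid)
        # cmdline is NUL-separated; environ is NUL-separated KEY=VALUE pairs
        cmdline = _read(os.path.join(base, "cmdline")).replace(b"\0", b" ")
        cmdline = cmdline.decode(errors="replace").strip()
        env = {}
        for item in _read(os.path.join(base, "environ")).split(b"\0"):
            if b"=" in item:
                key, value = item.split(b"=", 1)
                env[key.decode(errors="replace")] = value.decode(errors="replace")
        exe = _link(os.path.join(base, "exe"))
        cwd = _link(os.path.join(base, "cwd"))
        pwd = env.get("PWD", "")
        reasons = [label for label, p in (("exe", exe), ("cwd", cwd), ("PWD", pwd))
                   if _suspicious_path(p)]
        if reasons:
            findings.append({"pid": pid, "cmdline": cmdline, "exe": exe,
                             "cwd": cwd, "pwd": pwd, "reasons": reasons})
    return findings


def build_sample_proc(root):
    """Constructed /proc snapshot: a process that announces itself as sendmail
    but runs out of a hidden directory below public_html, plus a genuine exim."""
    samples = {
        "1787": {
            "cmdline": b"sendmail: accepting connections\0",
            "environ": (b"SHELL=/bin/sh\0PATH=/usr/bin:/bin\0_=./proc\0"
                        b"PWD=/home/gvllweb/public_html/images/language/.psy\0"
                        b"SHLVL=3\0HOME=/\0"),
            "exe": "/home/gvllweb/public_html/images/language/.psy/proc",  # assumed name
            "cwd": "/home/gvllweb/public_html/images/language/.psy",
        },
        "29808": {
            "cmdline": b"/usr/sbin/exim\0-bd\0-q1h\0",
            "environ": b"PATH=/usr/sbin:/usr/bin:/sbin:/bin\0PWD=/\0",
            "exe": "/usr/sbin/exim",
            "cwd": "/",
        },
    }
    for pid, spec in samples.items():
        d = os.path.join(root, pid)
        os.makedirs(d)
        with open(os.path.join(d, "cmdline"), "wb") as fh:
            fh.write(spec["cmdline"])
        with open(os.path.join(d, "environ"), "wb") as fh:
            fh.write(spec["environ"])
        os.symlink(spec["exe"], os.path.join(d, "exe"))   # dangling links are fine
        os.symlink(spec["cwd"], os.path.join(d, "cwd"))
    return root


def demo():
    """Build the constructed snapshot in a temp dir and scan it."""
    return scan_proc(build_sample_proc(tempfile.mkdtemp(prefix="fakeproc-")))


if __name__ == "__main__":
    for f in demo():
        print(f["pid"], repr(f["cmdline"]), "exe:", f["exe"], "reasons:", ", ".join(f["reasons"]))
```

Run it as root against the real /proc by calling `scan_proc()` with no argument; on the thread's host it would have reported PID 1787 on all three counts, because the exe, cwd and PWD all sit under a hidden directory inside a customer's web root, whatever the command line claims.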
 

chadi

BANNED
Apr 20, 2004
415
0
166
As you can see in my previous post, I have already installed and run rootkit hunter.

2.6.8-1.521smp

[email protected] [~]# cat /proc/1787/cmdline
sendmail: accepting connections

[email protected] [~]# cat /proc/1787/environ
SHELL=/bin/shPATH=/usr/bin:/bin_=./procPWD=/home/gvllweb/public_html/images/language/.psySHLVL=3HOME=/[email protected] [~]#
 

AbeFroman

BANNED
Feb 16, 2002
644
1
318
kill -9 1787
kill -9 1787
yes, twice, it should say "no process killed" the second time

Suspend this account immediately: gvllweb.
He is running vulnerable scripts.

La'shana Tova!

Glad I could help,
Sincerely,
Abe Froman
Security Expert
"I'm game for security"
 

StevenC

Well-Known Member
Jan 1, 2004
252
0
166

AbeFroman

BANNED
Feb 16, 2002
644
1
318
TheLinuxGuy said:
Well it looks like you were exploited.

cd /usr/local/apache/domlogs
grep wget *
This response was not great.

Sincerely,
Abe Froman
Security Expert
"I'm game for security"
 

StevenC

Well-Known Member
Jan 1, 2004
252
0
166
AbeFroman said:
This response was really great, I bet he's glad you were around.

Sincerely,
Abe Froman
Security Expert
"I'm game for security"

It will tell him what script was exploited if he was exploited by a PHP script. Besides, you tried to feed him some garbage when you know nothing about security except a few bits of info people have given you. It also appears you ignored my post. You cannot become a security expert in 11 days. Also, in order for you to become a security expert you must be an expert in Linux:

http://forums.cpanel.net/showthread.php?t=29895
Doesn't appear you are an expert... that is general Linux knowledge.
 

AbeFroman

BANNED
Feb 16, 2002
644
1
318
chadi said:
Well, the problem still persists. Anyone know what could be the problem?
Try netstat again, is that port open again?
 

AbeFroman

BANNED
Feb 16, 2002
644
1
318
TheLinuxGuy said:
It will tell him what script was exploited if he was exploited
Not if it was exploited using anything other than wget, nor if it was exploited before the logs were rotated.
 

chadi

BANNED
Apr 20, 2004
415
0
166
What am I supposed to be looking for exactly? I ran netstat and it showed about 100+ lines of info, some "timed wait" and others "established".

What should I show you?
 

StevenC

Well-Known Member
Jan 1, 2004
252
0
166
AbeFroman said:
Not if it was exploited using anything other than wget
grep lynx *
grep rcp *
grep scp *
grep eggdrop *
grep fetch *
grep curl *
grep "/tmp" *



Happy now?
 

chadi

BANNED
Apr 20, 2004
415
0
166
Results:

[email protected] [~]# grep lynx *
install.log:lynx-2.8.5-15.i386.rpm

[email protected] [~]# grep rcp *
[email protected] [~]#

[email protected] [~]# grep scp *
[email protected] [~]#

[email protected] [~]# grep eggdrop *
[email protected] [~]#

[email protected] [~]# grep fetch *
install.log:Installing fetchmail-6.2.5-2.i386.
[email protected] [~]#

[email protected] [~]# grep curl *
install.log:Installing curl-7.11.1-1.i386.
install.log:Installing curl-devel-7.11.1-1.i386.
[email protected] [~]#

[email protected] [~]# grep "/tmp" *
install:$opt{directory} = "/tmp/sis-packages";
install: (defaults to '/tmp/sis-packages')
[email protected] [~]#
 

WestBend

Well-Known Member
Oct 12, 2003
173
0
166
I am not a security expert. However, I have used eggdrops for years.

The eggdrop is not loading up, so it is sending an email saying it could not load its config file, in which case it dies. When it does load, it is attempting to open port 9999 for remote telnet connections by users.


Here are some of the files an eggie normally uses, try searching for them specifically:

autobotchk
*.user
*.chan
pid.botname
assoc.so
console.so
server.so
uptime.so
blowfish.so
ctcp.so
irc.so
share.so
wire.so
channels.so
dns.so
notes.so
stats.so
woobie.so
compress.so
filesys.so
seen.so
transfer.so

directories:

filesys
modules



One last quick question...

Where are the emails coming from? Are they actually coming from your server, or has someone put your email address in their config file, in which case all you're doing is getting notices... but nothing has been installed on your server. It would be a little strange to root someone's box and then have any error emails sent to the email addresses on the rooted box.
 

chadi

BANNED
Apr 20, 2004
415
0
166
Thank you for your response but what exactly should I do with the files now?

I basically want to end the notifications and whatever cron jobs are related to them.
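Two things in this thread tie together: the file names WestBend lists, and the cron question. The text "Couldn't find bot 'X' running, reloading..." in the emails is what eggdrop's botchk script prints when cron runs it and the bot is not up; autobotchk installs that script in the account's crontab on a ten-minute schedule, which matches the "3-4 every ten minutes" rate for three bot names. So the notifications stop when the crontab entries go, and the files WestBend names show where the bot lives. As an added example (not code from anyone in the thread), the Python script below searches a home tree for those names and a cron spool for entries that restart a bot or run something out of a hidden directory or a web root. The directory layout it builds is constructed; the path under public_html and the bot name Fandy are taken from the thread, and the crontab schedule is autobotchk's default.

```python
"""Added example: find eggdrop artefacts (the names WestBend lists, plus
botchk) under a home tree, and crontab lines that keep restarting a bot.
The sample tree and crontabs are constructed."""
import fnmatch
import os
import tempfile

# WestBend's list; pid.botname becomes pid.*; botchk added (the cron restart script).
EGGDROP_NAMES = ["autobotchk", "botchk", "*.user", "*.chan", "pid.*", "assoc.so",
                 "console.so", "server.so", "uptime.so", "blowfish.so", "ctcp.so",
                 "irc.so", "share.so", "wire.so", "channels.so", "dns.so", "notes.so",
                 "stats.so", "woobie.so", "compress.so", "filesys.so", "seen.so",
                 "transfer.so"]
EGGDROP_DIRS = {"filesys", "modules"}          # weak on their own; strong next to the .so files
CRON_MARKERS = ("botchk", "eggdrop")


def find_eggdrop_files(home_root):
    """Return paths under home_root matching the eggdrop file and directory names."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(home_root):
        hits.extend(os.path.join(dirpath, d) + "/" for d in dirnames if d in EGGDROP_DIRS)
        hits.extend(os.path.join(dirpath, f) for f in filenames
                    if any(fnmatch.fnmatch(f, pat) for pat in EGGDROP_NAMES))
    return sorted(hits)


def find_bot_crons(cron_spool):
    """Return (user, line) for crontab lines that mention a bot restart script,
    a hidden directory component, or a path inside a web root."""
    hits = []
    for user in sorted(os.listdir(cron_spool)):
        path = os.path.join(cron_spool, user)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                line = line.strip()
                if not line or line.startswith("#"):
                    continue
                if (any(m in line for m in CRON_MARKERS)
                        or "/." in line or "public_html" in line):
                    hits.append((user, line))
    return hits


def build_sample_tree(root):
    """Constructed layout: one compromised account with a bot in a hidden
    directory and a botchk crontab, one clean account, one clean root crontab."""
    bot = os.path.join(root, "home/gvllweb/public_html/images/language/.psy")
    for rel in ("autobotchk", "botchk", "pid.Fandy", "Fandy.user", "Fandy.chan",
                "modules/blowfish.so", "modules/irc.so", "scripts/ary.tcl"):
        p = os.path.join(bot, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        open(p, "w").close()
    clean = os.path.join(root, "home/alice/public_html")
    os.makedirs(clean)
    open(os.path.join(clean, "index.php"), "w").close()
    spool = os.path.join(root, "var/spool/cron")
    os.makedirs(spool)
    with open(os.path.join(spool, "gvllweb"), "w") as fh:
        fh.write("# bot restart entry as autobotchk writes it (schedule is its default)\n")
        fh.write("0,10,20,30,40,50 * * * * /home/gvllweb/public_html/images/language/.psy/botchk >/dev/null 2>&1\n")
    with open(os.path.join(spool, "root"), "w") as fh:
        fh.write("0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf\n")
    return root


def demo():
    """Build the constructed tree and run both scans over it."""
    root = build_sample_tree(tempfile.mkdtemp(prefix="egghunt-"))
    return (find_eggdrop_files(os.path.join(root, "home")),
            find_bot_crons(os.path.join(root, "var/spool/cron")))


if __name__ == "__main__":
    files, crons = demo()
    print("eggdrop artefacts:", *files, sep="\n  ")
    print("suspicious crontab lines:", *("%s: %s" % c for c in crons), sep="\n  ")
```

On a cPanel host the real arguments are `/home` and `/var/spool/cron`. Removing the reported crontab lines (or the whole crontab of a suspended account) ends the botchk emails; the listed files are what to preserve for the account's owner and your own records before cleaning up, so that the patched-script question from earlier in the thread can still be answered.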