major problem with eggdrop / crontab maybe

chadi · Sep 25, 2004

I am not sure what this is here but I've been getting these emails constantly, about 3-4 every ten minutes. Copies of the emails are below:

Couldn't find bot 'Fandy' running, reloading...

==> Fakename: /usr/local/apache/bin/httpd -DSSL PidNum: 19746
[21:20] --- Loading eggdrop v1.6.1+IPv6-Akke (Sat Sep 25 2004)
[21:20] Module loaded: transfer
[21:20] Listening at telnet port 9999 (users)
[21:20] Module loaded: channels
[21:20] Module loaded: server
[21:20] Module loaded: ctcp
[21:20] Module loaded: irc
[21:20] Module loaded: share
[21:20] Module loaded: filesys (with lang support)
[21:20] Module loaded: notes (with lang support)
[21:20] Module loaded: console (with lang support)
[21:20] Module loaded: blowfish
[21:20] Module loaded: assoc (with lang support)
[21:20] Module loaded: wire (with lang support)
[21:20] Tcl error in file 'a':
[21:20] invalid command name "proc_msgshowallinfo"
while executing
"proc_msgshowallinfo {nick uhost hand rest} {
global nick nickpass realname owner kops my-ip banner cycle_random
global notc notm logstore cfgfile ban-..."
(file "scripts/ary.tcl" line 679)
invoked from within
"source scripts/ary.tcl"
[21:20] * CONFIG FILE NOT LOADED (NOT FOUND, OR ERROR)
[21:20] 3
[21:20] Attempt to kill un-allocated socket 3 !!

Eggdrop v1.6.1+IPv6-Akke (c)1997 Robey Pointer (c)1999, 2000 Eggheads, IPv6
support by Akke

Couldn't find bot 'psfonts' running, reloading...

==> Fakename: /usr/local/apache/bin/httpd -DSSL PidNum: 19754
[21:20] --- Loading eggdrop v1.6.1+IPv6-Akke (Sat Sep 25 2004)
[21:20] Module loaded: transfer
[21:20] Listening at telnet port 9999 (users)
[21:20] Module loaded: channels
[21:20] Module loaded: server
[21:20] Module loaded: ctcp
[21:20] Module loaded: irc
[21:20] Module loaded: share
[21:20] Module loaded: filesys (with lang support)
[21:20] Module loaded: notes (with lang support)
[21:20] Module loaded: console (with lang support)
[21:20] Module loaded: blowfish
[21:20] Module loaded: assoc (with lang support)
[21:20] Module loaded: wire (with lang support)
[21:20] Tcl error in file 'b':
[21:20] invalid command name "proc_msgshowallinfo"
while executing
"proc_msgshowallinfo {nick uhost hand rest} {
global nick nickpass realname owner kops my-ip banner cycle_random
global notc notm logstore cfgfile ban-..."
(file "scripts/ary.tcl" line 679)
invoked from within
"source scripts/ary.tcl"
[21:20] * CONFIG FILE NOT LOADED (NOT FOUND, OR ERROR)
[21:20] 3
[21:20] Attempt to kill un-allocated socket 3 !!

Eggdrop v1.6.1+IPv6-Akke (c)1997 Robey Pointer (c)1999, 2000 Eggheads, IPv6
support by Akke

Couldn't find bot 'D00r' running, reloading...

==> Fakename: /usr/local/apache/bin/httpd -DSSL PidNum: 19751
[21:20] --- Loading eggdrop v1.6.1+IPv6-Akke (Sat Sep 25 2004)
[21:20] Module loaded: transfer
[21:20] Listening at telnet port 9999 (users)
[21:20] Module loaded: channels
[21:20] Module loaded: server
[21:20] Module loaded: ctcp
[21:20] Module loaded: irc
[21:20] Module loaded: share
[21:20] Module loaded: filesys (with lang support)
[21:20] Module loaded: notes (with lang support)
[21:20] Module loaded: console (with lang support)
[21:20] Module loaded: blowfish
[21:20] Module loaded: assoc (with lang support)
[21:20] Module loaded: wire (with lang support)
[21:20] Tcl error in file 'c':
[21:20] invalid command name "proc_msgshowallinfo"
while executing
"proc_msgshowallinfo {nick uhost hand rest} {
global nick nickpass realname owner kops my-ip banner cycle_random
global notc notm logstore cfgfile ban-..."
(file "scripts/ary.tcl" line 679)
invoked from within
"source scripts/ary.tcl"
[21:20] * CONFIG FILE NOT LOADED (NOT FOUND, OR ERROR)
[21:20] 3

Eggdrop v1.6.1+IPv6-Akke (c)1997 Robey Pointer (c)1999, 2000 Eggheads, IPv6
support by Akke

----
For the record, I've checked all background process killers in WHM, checked "prevent nobody from sending emails...", enabled open_basedir, enabled mod_userdir, disabled compilers tweak, enabled suexec. What else can I do here to stop whatever this nonsense is?

StevenC · Sep 25, 2004

Well it looks like you were exploited.

cd /usr/local/apache/domlogs
grep wget *

chadi · Sep 25, 2004

What exactly should I do?

AbeFroman · Sep 25, 2004

Type
uname -r
netstat -lntp

Paste the results here.

Also, download, install, and run RootKit Hunter.

It looks like you have a RootKit installed. Make sure you have a backup of everything. You may have to reinstall the OS but you can probably save it.

You can email me directly at abe__froman@hotmail.com for help.

chadi · Sep 25, 2004

Results:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
PID/Program name
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN
10575/stunnel-4.04l
tcp 0 0 0.0.0.0:1 0.0.0.0:* LISTEN
1927/portsentry
tcp 0 0 0.0.0.0:2082 0.0.0.0:* LISTEN
10554/cpsrvd - wait
tcp 0 0 0.0.0.0:2083 0.0.0.0:* LISTEN
10575/stunnel-4.04l
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN
10575/stunnel-4.04l
tcp 0 0 0.0.0.0:2084 0.0.0.0:* LISTEN
10368/entropychat
tcp 0 0 0.0.0.0:6693 0.0.0.0:* LISTEN
1787/sendmail: acce
tcp 0 0 0.0.0.0:2086 0.0.0.0:* LISTEN
10554/cpsrvd - wait
tcp 0 0 0.0.0.0:2087 0.0.0.0:* LISTEN
10575/stunnel-4.04l
tcp 0 0 0.0.0.0:6666 0.0.0.0:* LISTEN
10366/startmelange
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
1515/mysqld
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
10351/cppop - accep
tcp 0 0 0.0.0.0:2095 0.0.0.0:* LISTEN
10554/cpsrvd - wait
tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN
29869/spamd -d
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
1927/portsentry
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
1222/xinetd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
27207/httpd
tcp 0 0 0.0.0.0:2096 0.0.0.0:* LISTEN
10575/stunnel-4.04l
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN
29813/exim
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
1231/vsftpd
tcp 0 0 69.9.174.2:53 0.0.0.0:* LISTEN
1188/named
tcp 0 0 69.9.174.15:53 0.0.0.0:* LISTEN
1188/named
tcp 0 0 69.9.174.14:53 0.0.0.0:* LISTEN
1188/named
tcp 0 0 69.9.174.13:53 0.0.0.0:* LISTEN
1188/named
tcp 0 0 69.9.174.12:53 0.0.0.0:* LISTEN
1188/named
tcp 0 0 69.9.174.11:53 0.0.0.0:* LISTEN
1188/named
tcp 0 0 69.9.174.10:53 0.0.0.0:* LISTEN
1188/named
tcp 0 0 69.9.174.9:53 0.0.0.0:* LISTEN
1188/named
tcp 0 0 69.9.174.8:53 0.0.0.0:* LISTEN
1188/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
1188/named
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
1209/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
29808/exim
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
1188/named
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
27207/httpd

chadi · Sep 25, 2004

RootKit Hunter results:

Rootkit Hunter 1.1.1 is running

Determining OS... Ready

Checking binaries
* Selftests
Strings (command) [ OK ]

* System tools
Info: prelinked files found
Performing 'known good' check...
/usr/bin/find [ OK ]
/usr/bin/file [ OK ]
/usr/sbin/prelink: "/usr/bin/groups" is not an ELF file
/usr/bin/groups [ OK ]
/usr/bin/kill [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/users [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
/bin/mount [ OK ]
/bin/netstat [ OK ]
/bin/egrep [ OK ]
/bin/fgrep [ OK ]
/bin/grep [ OK ]
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/env [ OK ]
/bin/ls [ OK ]
/bin/su [ OK ]
/bin/ps [ OK ]
/bin/dmesg [ OK ]
/bin/kill [ OK ]
/bin/login [ OK ]
/sbin/chkconfig [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/modinfo [ OK ]
/sbin/sysctl [ OK ]
/sbin/syslogd [ OK ]
/sbin/init [ OK ]
/sbin/runlevel [ OK ]

* Suspicious files and malware
Scanning for known rootkit files [ OK ]
Miscellaneous Login backdoors [ OK ]
Miscellaneous directories [ OK ]
Sniffer logs [ OK ]

[Press <ENTER> to continue]

* Trojan specific characteristics
shv4
Checking /etc/rc.d/rc.sysinit
Test 1 [ Clean ]
Test 2 [ Clean ]
Test 3 [ Clean ]
Checking /etc/inetd.conf [ Clean ]

* Suspicious file properties
chmod properties
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
Script replacements
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]

* OS dependant tests

Linux
Checking loaded kernel modules... [ OK ]

Networking
* Check: frequently used backdoors
Port 2001: Scalper Rootkit [ OK ]
Port 2006: CB Rootkit [ OK ]
Port 2128: MRK [ OK ]
Port 14856: Optic Kit (Tux) [ OK ]
Port 47107: T0rn Rootkit [ OK ]
Port 60922: zaRwT.KiT [ OK ]

* Interfaces
Scanning for promiscuous interfaces [ OK ]

System checks
* Allround tests
Checking hostname... Found. Hostname is host.nibuhadns.com
Checking for differences in user accounts... [ NA ]
Checking for differences in user groups... Creating file It seems this is your first time.
Checking rc.local file...
- /etc/rc.local [ OK ]
- /etc/rc.d/rc.local [ OK ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]
Checking rc.d files...
Processing........................................
........................................
........................................
........................................
........................................
........................................
........................................
........................................
.............
Result rc.d files check [ OK ]
Checking history files
Bourne Shell [ OK ]

* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ OK ]

[Press <ENTER> to continue]

Security advisories
* Check: Groups and Accounts
Searching for /etc/passwd... [ Found ]
Checking users with UID '0' (root)... [ OK ]

* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... [ OK (Remote root login disabled) ]
Checking for allowed protocols... [ Warning (SSH v1 allowed) ]

* Check: Events and Logging
Search for syslog configuration... found
Checking for running syslog slave... [ OK ]
Checking for logging to remote system... [ OK (no remote logging) ]

---------------------------- Scan results ----------------------------

MD5
MD5 compared: 41
Incorrect MD5 checksums: 0

File scan
Scanned files: 309
Possible infected files: 0
Possible rootkits:

Scanning took 44 seconds

AbeFroman · Sep 25, 2004

Thanks, now do
uname -r

You can get rootkit hunter here:
http://www.rootkit.nl/projects/rootkit_hunter.html

It looks like they have eggdrop or something running on port 6693 claiming to be send mail
tcp 0 0 0.0.0.0:6693 0.0.0.0:* LISTEN
1787/sendmail: acce

PLease type
cat /proc/1787/cmdline
cat /proc/1787/environ

paste out put here.

chadi · Sep 25, 2004

As you can see on my previous post, I have already installed and ran rootkit hunter.

2.6.8-1.521smp

root@host [~]# cat /proc/1787/cmdline
sendmail: accepting connections

root@host [~]# cat /proc/1787/environ
SHELL=/bin/shPATH=/usr/bin:/bin_=./procPWD=/home/gvllweb/public_html/images/language/.psySHLVL=3HOME=/LOGNAME=nobodyroot@host [~]#

AbeFroman · Sep 25, 2004

kill -9 1787
kill -9 1787
yes, twice, it should say "no process killed" the second time

suspend this account immediately gvllweb
he is running vulnerable scripts.

La'shana Tova!

Glad I could help,
Sincerely,
Abe Froman
Security Expert
"I'm game for security"

StevenC · Sep 25, 2004

AbeFroman You are not a security expert and you will never be one. For example:

http://forums.cpanel.net/showthread.php?t=29492&highlight=AbeFroman
umm you should def know that one.

http://forums.cpanel.net/showthread.php?t=29495&highlight=AbeFroman
umm you were hacked and you were asking for help? Wow people become pros fast...only took you 11 days.

Enough said.

AbeFroman · Sep 26, 2004

TheLinuxGuy said:

Well it looks like you were exploited.

cd /usr/local/apache/domlogs
grep wget *
Click to expand...

This response was not great.

Sinerely,
Abe Froman
Security Expert
"I'm game for security"

chadi · Sep 26, 2004

Well, the problem still persists. Anyone know what could be the problem?

StevenC · Sep 26, 2004

AbeFroman said:

This response was really great, I bet he's glad you were around.

Sinerely,
Abe Froman
Security Expert
"I'm game for security"
Click to expand...

It will tell him what script was exploited if he was exploited by a php script. Besides you tried to feed him some garbage when you know nothing about security execpt a few bits of info people have given you. It also appears you ignored my post. You cannot be become a security expert in 11 days. Also in order for you to be come a security expert you must be an expert in linux:

http://forums.cpanel.net/showthread.php?t=29895
Doesnt appear you are a expert....that is general linux knowledge.

AbeFroman · Sep 26, 2004

chadi said:

Well, the problem still persists. Anyone know what could be the problem?
Click to expand...

Try netstat again, is that port open again?

AbeFroman · Sep 26, 2004

TheLinuxGuy said:

It will tell him what script was exploited if he was exploited
Click to expand...

Not if it was exploited using anything other than wget, nor if it was exploit before the logs were rotated.

chadi · Sep 26, 2004

What am I supposed to be looking for exactly? I ran netstats and it showed about 100+ lines of info, some "timed wait" and others "established".

WHat should I show you?

StevenC · Sep 26, 2004

AbeFroman said:

Not if it was exploited using anything other than wget
Click to expand...

grep lynx *
grep rcp *
grep scp *
grep eggdrop *
grep fetch *
grep curl *
grep "/tmp" *

Happy now?

chadi · Sep 26, 2004

Results:

root@host [~]# grep lynx *
install.log:lynx-2.8.5-15.i386.rpm

root@host [~]# grep rcp *
root@host [~]#

root@host [~]# grep scp *
root@host [~]#

root@host [~]# grep eggdrop *
root@host [~]#

root@host [~]# grep fetch *
install.log:Installing fetchmail-6.2.5-2.i386.
root@host [~]#

root@host [~]# grep curl *
install.log:Installing curl-7.11.1-1.i386.
install.log:Installing curl-devel-7.11.1-1.i386.
root@host [~]#

root@host [~]# grep "/tmp" *
install:$opt{directory} = "/tmp/sis-packages";
install: (defaults to '/tmp/sis-packages')
root@host [~]#

WestBend · Sep 26, 2004

I am not a security expert.. However i have used eggdrops for years.

The eggdrop is not loading up so it is sending an email saying it could not load its config file in which case it dies. When it does load it is attempting to open port 9999 for remote telnet connections by user.

Here are some of the files an eggie normally uses, try searching for them specifically:

autobotchk
*.user
*.chan
pid.botname
assoc.so
console.so
server.so
uptime.so
blowfish.so
ctcp.so
irc.so
share.so
wire.so
channels.so
dns.so
notes.so
stats.so
woobie.so
compress.so
filesys.so
seen.so
transfer.so

directories :

filesys
modules

One last quick question...

Where are the emails coming from? Are they actually coming from your server or has someone put your email address in their config file in which case all your doing is getting notices.... but nothing has been installed on your server. It would be a little strange to root someones box and then have any error emails sent to the email addresses on the rooted box..

chadi · Sep 26, 2004

Thank you for your response but what exactly should I do with the files now?

I basically want to end the notifications and just whatever cronjobs related.

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

major problem with eggdrop / crontab maybe

chadi BANNED

StevenC Well-Known Member

chadi BANNED

AbeFroman BANNED

chadi BANNED

chadi BANNED

AbeFroman BANNED

chadi BANNED

AbeFroman BANNED

StevenC Well-Known Member

AbeFroman BANNED

chadi BANNED

StevenC Well-Known Member

AbeFroman BANNED

AbeFroman BANNED

chadi BANNED

StevenC Well-Known Member

chadi BANNED

WestBend Well-Known Member

chadi BANNED

Major Issues with Email

Busco experto en Linux y CPanel para solucionar problemas en VPS

Error documents problem

Problem with links in HTML Addon domain

Removing Plugin From WebHost Manager Problem

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

major problem with eggdrop / crontab maybe

chadi BANNED

StevenC Well-Known Member

chadi BANNED

AbeFroman BANNED

chadi BANNED

chadi BANNED

AbeFroman BANNED

chadi BANNED

AbeFroman BANNED

StevenC Well-Known Member

AbeFroman BANNED

chadi BANNED

StevenC Well-Known Member

AbeFroman BANNED

AbeFroman BANNED

chadi BANNED

StevenC Well-Known Member

chadi BANNED

WestBend Well-Known Member

chadi BANNED

Major Issues with Email

Busco experto en Linux y CPanel para solucionar problemas en VPS

Error documents problem

Problem with links in HTML Addon domain

Removing Plugin From WebHost Manager Problem

Share This Page