major problem with eggdrop / crontab maybe

WestBend

Well-Known Member
Oct 12, 2003
The question is not what to do with the files; it's: do the files exist on your server? See the last quick question I added when modifying my last post.
 

AbeFroman

BANNED
Feb 16, 2002
chadi said:
What am I supposed to be looking for exactly? I ran netstats and it showed about 100+ lines of info, some "timed wait" and others "established".

What should I show you?
netstat -lntp shows the open ports; it sounds like you forgot the -lntp.
 

AbeFroman

BANNED
Feb 16, 2002
chadi said:
Results:

[email protected] [~]# grep lynx *
install.log:lynx-2.8.5-15.i386.rpm

[email protected] [~]# grep rcp *
[email protected] [~]#

[email protected] [~]# grep scp *
[email protected] [~]#

[email protected] [~]# grep eggdrop *
[email protected] [~]#

[email protected] [~]# grep fetch *
install.log:Installing fetchmail-6.2.5-2.i386.
[email protected] [~]#

[email protected] [~]# grep curl *
install.log:Installing curl-7.11.1-1.i386.
install.log:Installing curl-devel-7.11.1-1.i386.
[email protected] [~]#

[email protected] [~]# grep "/tmp" *
install:$opt{directory} = "/tmp/sis-packages";
install: (defaults to '/tmp/sis-packages')
[email protected] [~]#
You are supposed to run those from /usr/local/apache/domlogs
 

AbeFroman

BANNED
Feb 16, 2002
WestBend said:
It would be a little strange to root someone's box and then have any error emails sent to the email addresses on the rooted box.
True that! Does cpanel have anything that would mail those?
 

AbeFroman

BANNED
Feb 16, 2002
Is the user gvllweb still active?

The script that was exploited is probably in this directory:
/home/gvllweb/public_html/images/language/

If you don't remove it or disable the user surely the hacker will return.
 

WestBend

Well-Known Member
Oct 12, 2003
Abe: The email going out would be from some crontab script tied to the autobotchk script (not cPanel) which checks if the bot is up and running and, if not, sends an email, etc. However, before I would bother wasting any more of my time trying to see if the box was rooted, etc., I would at least look at where the email is coming from (source IPs, etc.) and whether the files needed for an eggdrop are present. I am beginning to think this is a case of someone putting in a goof email so it gets sent to the jesus domain, etc.
 

AbeFroman

BANNED
Feb 16, 2002
WestBend said:
Abe: The email going out would be from some crontab script tied to the autobotchk script (not cPanel) which checks if the bot is up and running and, if not, sends an email, etc. However, before I would bother wasting any more of my time trying to see if the box was rooted, etc., I would at least look at where the email is coming from (source IPs, etc.) and whether the files needed for an eggdrop are present. I am beginning to think this is a case of someone putting in a goof email so it gets sent to the jesus domain, etc.
Is autobotchk specific to eggdrop?

It may be a goof email, but that doesn't explain why port 6693 was open.
 

WestBend

Well-Known Member
Oct 12, 2003
autobotchk is generally specific to eggdrops; however, it can be called anything, as it's merely a script to run the egg. The script is normally called by a crontab.

Port 6693 was in a listening state by sendmail.

grep '6693' /etc/services
check the output.

It is most likely used for X-Forwarding, which is now an option in WHM.

Just google around and you can find instances of dual sendmails and listening on ports for X-Forwarding.

Also if the bot was in listening mode it would be listening on 9999 as stated by the config.

Ports 6660 - 6670 are usually used for connecting to IRC servers. Outgoing/Incoming with 6667 being the normal one.

If it was being used for XDCC, which is the norm for eggies on rooted boxes, then you would see a whole lot more connections coming in and out. You would also see your bandwidth going off the scale.
 

AbeFroman

BANNED
Feb 16, 2002
But when he checked the environ for that process, it said this user, gvllweb, started it:
[email protected] [~]# cat /proc/1787/environ
SHELL=/bin/shPATH=/usr/bin:/bin_=./procPWD=/home/gvllweb/public_html/images/language/.psySHLVL=3HOME=/[email protected]

/home/gvllweb/public_html/images/language/.psy
I'd say gvllweb was running eggdrop or PSYbnc.
 

richy

Well-Known Member
Jun 30, 2003
Find out where your user cron jobs are stored (IIRC it's somewhere like /var/usr/cpanel/cron.d/, but a "locate cron | more" should help find the folder) and examine the "nobody" user cron jobs. It /should/ be empty, but if the eggdrop is similar to ones we've had, then you'll find it installed a cron entry in "nobody" (probably as the eggdrop was installed via a PHP script running under Apache, which runs as 'nobody'). I ended up wiping the "nobody" cron file and then "chattr +i nobody" to ensure that IF the eggdrop tries to get on the server again via another user's website, then at least it can't install the cron job.
 

WestBend

Well-Known Member
Oct 12, 2003
I don't know of any psy bot. There is a psyBNC used in conjunction with IRC.

I have googled that environ and nothing in it registers a decent hit.


Since the original poster of the question has still not answered the questions about source, etc., I am giving up on this thread. Perhaps the poster can go to http://www.soohrt.org/stuff/linux/suckit/ and read up a bit on how to analyse their server.
 

AbeFroman

BANNED
Feb 16, 2002
richy said:
Find out where your user cron jobs are stored (IIRC it's somewhere like /var/usr/cpanel/cron.d/, but a "locate cron | more" should help find the folder) and examine the "nobody" user cron jobs. It /should/ be empty, but if the eggdrop is similar to ones we've had, then you'll find it installed a cron entry in "nobody" (probably as the eggdrop was installed via a PHP script running under Apache, which runs as 'nobody'). I ended up wiping the "nobody" cron file and then "chattr +i nobody" to ensure that IF the eggdrop tries to get on the server again via another user's website, then at least it can't install the cron job.
Richy, where are the "nobody" user cron jobs on your server? What OS are you running?
 

StevenC

Well-Known Member
Jan 1, 2004
You can create a nobody cron yourself in /var/spool/cron; just create a file named nobody.

You are all steering away from finding the source; all you are doing is getting rid of the eggdrop. You have to find the source and patch it, otherwise other bad things could come of it, such as mass defacement of websites, full root compromise, etc.
 

AbeFroman

BANNED
Feb 16, 2002
I'm waiting for Chadi to respond with the info we asked for.
 

WestBend

Well-Known Member
Oct 12, 2003
StevenC said:
You all are steering away from finding the source; all you are doing is getting rid of the eggdrop. You have to find the source and patch it, otherwise other bad things could come of it, such as mass defacement of websites, full root compromise, etc.
Personally I don't think anybody is steering away from anything. Since all this person got is a couple of emails, there is no proof they were rooted/hacked/cross-dressed/windozed, etc. The thrust of my questions, before I got pulled off to the side about eggdrops, was:
A) Where did these emails come from?
B) Are the eggs even on his server? Which would all point to: was he rooted, or should I send him a couple of Nigerian scam emails for 20 million$ if he pays 6500.
 

haze

Well-Known Member
Dec 21, 2001
WestBend said:
A) Where did these emails come from?
Looks like cPanel's background process killer.
WestBend said:
B) Are the eggs even on his server? Which would all point to: was he rooted, or should I send him a couple of Nigerian scam emails for 20 million$ if he pays 6500.
All signs point to yes, it is on his server. I've seen this time and time again. Finding the source should be key as the logs won't stick around forever. The quicker he finds the source, the better he will be able to patch and prepare himself for future attempts.

As for rooted. I doubt it. Just a kiddie sploit, probably used as a drone for DDoS, etc.
 

myusername

Well-Known Member
PartnerNOC
Mar 6, 2003
richy said:
Find out where your user cron jobs are stored (IIRC it's somewhere like /var/usr/cpanel/cron.d/, but a "locate cron | more" should help find the folder) and examine the "nobody" user cron jobs. It /should/ be empty, but if the eggdrop is similar to ones we've had, then you'll find it installed a cron entry in "nobody" (probably as the eggdrop was installed via a PHP script running under Apache, which runs as 'nobody'). I ended up wiping the "nobody" cron file and then "chattr +i nobody" to ensure that IF the eggdrop tries to get on the server again via another user's website, then at least it can't install the cron job.
Man that was a real bugger.

The file is at /var/spool/cron/nobody for anyone else looking for this.

It also helps to pico or tail /var/log/cron so you can see what user is associated with the offending annoying cron.

PS: don't forget to restart cron:

/etc/init.d/crond restart
 

hostit1

Well-Known Member
Jul 24, 2003
Eggdrop

Typically Eggdrop is installed from an insecure PHP script (maybe an upload control), and a cron can be set up to run as nobody.

When I see eggdrop, the first thing I do is take a glance at the crons on the server. I found one just a few minutes ago, and the cron was set to run:


/home/pitotad/public_html/modules/My_eGallery/gallery/zofim/.psy/y2kupdate >/dev/null 2>&1

I then take a look at the /etc/httpd/conf/httpd.conf file and search for the user pitotad to find out what website is being used to run eggdrop. Typically the end user knows nothing about this. They may have a phpnuke script that has an insecure module or something, but most of the time the customer knows nothing about this.

Then I remove the cron (or disable it), then type in: killall eggdrop
This will stop eggdrop.

Check for rootkits just to be safe.

If you don't have any root kits installed thank your lucky stars because it is work to move users over to a different server.

Many may disagree with me, but I run a cron that kills all processes run under the user "Nobody". Yes, it can cause a CGI script to goof up or a website to be unavailable for a second or two, but I run the below anyway at 03:41 AM daily:
ps -ef | grep -i nobody | awk '{ print $2 }' | xargs kill

This will kill all processes that are running under the user "Nobody"

The reason why I do this is if someone is running something bad, it is typically under the user "Nobody".

Also, I would like to chime in regarding a server that is infected with a root kit.
Earlier in this post users have given good programs to help check for root kits, and yes, if infected, back up all user content, httpd.conf, etc. and scrap the server. Typically I will just set up a new cPanel server, HARDEN IT BEFORE hooking it up to the net, and move all the users over. I have NEVER had an issue of transferring the rootkit over by performing cPanel moves.

Tim Rice
Host It Now Networks
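The checks the thread walks through by hand (reading /proc/PID/environ, inspecting /var/spool/cron/nobody, and tailing /var/log/cron to see which user owns a cron entry), as an added shell example that is not code from any poster: it splits the NUL-separated environ dump back into one variable per line and flags working directories or cron commands inside hidden directories under public_html. The hidden-directory heuristic is this example's own assumption, and the sample inputs are constructed, modelled on the output quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from any poster. Assumes a Linux host with
# /proc/<pid>/environ, vixie-cron crontabs and "CROND[pid]: (user) CMD (...)"
# lines in /var/log/cron; the hidden-directory heuristic is this example's own.
set -f   # "*" fields in crontab lines must not glob when they are word-split
# environ separates entries with NUL bytes, which is why the thread's cat
# output ran together into one line; tr restores the line breaks.
environ_to_lines() { tr '\0' '\n' < "$1"; }
# Exit 0 for a path inside a hidden directory below public_html, like the .psy
# directory in the thread: Apache (nobody) can write there, so review it.
suspicious_path() {
    case "$1" in */public_html/*/.[!./]*|*/public_html/.[!./]*) return 0;; esac
    return 1
}
# Print the PWD recorded in an environ dump when it is a suspicious path.
check_environ() {
    environ_to_lines "$1" | sed -n 's/^PWD=//p' | while IFS= read -r cwd; do
        if suspicious_path "$cwd"; then printf '%s\n' "$cwd"; fi
    done
}

# Print each line of a crontab file (e.g. /var/spool/cron/nobody) whose
# command touches a suspicious path; comment lines are skipped.
scan_crontab() {
    grep -v '^[[:space:]]*#' "$1" | while IFS= read -r line; do
        for tok in $line; do
            if suspicious_path "$tok"; then printf '%s\n' "$line"; break; fi
        done
    done
}
# From /var/log/cron, print "user command" for commands touching a suspicious
# path, which ties the offending entry to the account that owns it.
scan_cron_log() {
    sed -n 's/.*CROND\[[0-9]*\]: (\([^)]*\)) CMD (\(.*\))$/\1 \2/p' "$1" |
    while read -r user cmd; do
        for tok in $cmd; do
            if suspicious_path "$tok"; then printf '%s %s\n' "$user" "$cmd"; break; fi
        done
    done
}

# Constructed samples modelled on the thread's output, not real captures.
SAMPLES=$(mktemp -d)
printf 'SHELL=/bin/sh\0PWD=/home/gvllweb/public_html/images/language/.psy\0SHLVL=3\0' > "$SAMPLES/environ"
printf '%s\n' '0 3 * * * /usr/local/bin/backup.sh >/dev/null 2>&1' \
  '*/5 * * * * /home/pitotad/public_html/modules/My_eGallery/gallery/zofim/.psy/y2kupdate >/dev/null 2>&1' > "$SAMPLES/nobody"
printf '%s\n' 'Jan  5 03:41:01 srv CROND[1788]: (root) CMD (run-parts /etc/cron.hourly)' \
  'Jan  5 03:45:01 srv CROND[1787]: (nobody) CMD (/home/pitotad/public_html/modules/My_eGallery/gallery/zofim/.psy/y2kupdate >/dev/null 2>&1)' > "$SAMPLES/cron.log"
check_environ "$SAMPLES/environ"; scan_crontab "$SAMPLES/nobody"; scan_cron_log "$SAMPLES/cron.log"
```

On a live box, point check_environ at /proc/PID/environ for the process found with netstat -lntp, and scan_crontab at each file under /var/spool/cron; anything flagged is a lead to investigate, not proof by itself.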