The Community Forums


What is iroffer1.2b22.tgz?

Discussion in 'General Discussion' started by SuperBaby, Jan 19, 2005.

  1. SuperBaby

    I found this in the /tmp folder. I do not know what iroffer is but it seems that it is something related to IRC (see www.iroffer.org). Am I hacked?
     
  2. chirpy

    At the least, it means that you have a vulnerable PHP script on your server. Do you have mod_security installed with a good set of filters that include the latest, which take into account the phpBB and Santy worm? If not, I'd suggest you do a search and look for them.
     
  3. SuperBaby

    Thanks.

    I wanted to install mod_security a few months ago, but the instructions that I found weren't very clear. I will try to search again. BTW, do you know where I can find good instructions?
     
  4. PPNSteve

    Yes, exploited at the least. iroffer is an IRC file-serving bot and, if allowed to run, will eat up your bandwidth. Kill and remove it, then do the mod_security as stated above.
     
  5. SuperBaby

    I found a post which teaches you how to install mod_security manually. I also see it under WHM >> Addon >> modsecurity. Which one should I use?

    Do I have to configure anything if I use the one under WHM? I guess it is not as simple as checking the checkbox and clicking Save.

    I also noticed that there are some posts mentioning that mod_security gives trouble when executed. What are the things that I should test to see if it adversely affects my server/accounts?
     
  6. PPNSteve

    Here's what we use in ours, and it seems to be working fine with minimal or no impact on our clients:

    Code:
    # WEB-ATTACKS wget command attempt
    SecFilterSelective THE_REQUEST "wget "

    # WEB-ATTACKS uname -a command attempt
    SecFilterSelective THE_REQUEST "uname -a"

    # WEB-ATTACKS .htgroup access
    SecFilterSelective THE_REQUEST "\.htgroup"

    # WEB-ATTACKS .htaccess access
    SecFilterSelective THE_REQUEST "\.htaccess"

    # WEB-CLIENT Javascript URL host spoofing attempt
    SecFilter "javascript\://"

    # WEB-MISC cross site scripting \(img src=javascript\) attempt
    SecFilter "img src=javascript"

    # WEB-MISC cd..
    SecFilterSelective THE_REQUEST "cd\.\."

    # WEB-MISC ///cgi-bin access
    SecFilterSelective THE_REQUEST "///cgi-bin"

    # WEB-MISC /cgi-bin/// access
    SecFilterSelective THE_REQUEST "/cgi-bin///"

    # WEB-MISC /~root access
    SecFilterSelective THE_REQUEST "/~root"

    # WEB-MISC /~ftp access
    SecFilterSelective THE_REQUEST "/~ftp"

    # WEB-MISC htgrep attempt
    SecFilterSelective THE_REQUEST "/htgrep" chain
    SecFilter "hdr=/"

    # WEB-MISC htgrep access
    SecFilterSelective THE_REQUEST "/htgrep" log,pass

    # WEB-MISC .history access
    SecFilterSelective THE_REQUEST "/\.history"

    # WEB-MISC .bash_history access
    SecFilterSelective THE_REQUEST "/\.bash_history"

    # WEB-MISC /~nobody access
    SecFilterSelective THE_REQUEST "/~nobody"

    # WEB-PHP PHP-Wiki cross site scripting attempt
    SecFilterSelective THE_REQUEST "<script"

    # WEB-PHP strings overflow
    SecFilterSelective THE_REQUEST "\?STRENGUR"

    # WEB-PHP PHPLIB remote command attempt
    SecFilter "_PHPLIB\[libdir\]"

    # phpBB exploit worm attempt
    SecFilterSelective ARG_highlight %27
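As an added illustration (not code from this thread or from mod_security itself), here is a small Python approximation of how a handful of the posted 1.x rules are applied to a request line, so you can see which rule would fire, and whether it blocks or only logs, before enabling the filter on a live server. The engine is simplified: one URL-decode, a regex search on THE_REQUEST or on the named ARG_, and `chain` / `log,pass` handling; the request lines are constructed samples.

```python
import re
import shlex
from urllib.parse import parse_qs, unquote, urlsplit
# Constructed subset of the rules posted above, in mod_security 1.x syntax.
RULES_TEXT = """\
# WEB-MISC htgrep attempt
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilter "hdr=/"
# WEB-MISC htgrep access
SecFilterSelective THE_REQUEST "/htgrep" log,pass
# phpBB exploit worm attempt
SecFilterSelective ARG_highlight %27"""

def parse_rules(text):
    """Return (comment, location, pattern, actions) tuples; location None means SecFilter."""
    rules, comment = [], ""
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("#"):                     # the rule's human-readable label
            comment = line.lstrip("# ")
            continue
        tok = shlex.split(line)                      # keeps quoted patterns and \. intact
        loc = tok[1] if tok[0] == "SecFilterSelective" else None
        pat, acts = (tok[2], tok[3:]) if loc else (tok[1], tok[2:])
        rules.append((comment, loc, pat, set(",".join(acts).split(",")) - {""}))
    return rules

def rule_matches(loc, pat, request_line):            # approximation: URL-decode once, regex-search
    if loc and loc.startswith("ARG_"):               # ARG_name: that query argument only
        args = parse_qs(urlsplit(request_line.split()[1]).query, keep_blank_values=True)
        return any(re.search(pat, v) for v in args.get(loc[4:], []))
    return re.search(pat, unquote(request_line)) is not None   # THE_REQUEST or plain SecFilter

def evaluate(request_line, rules):
    """'deny' on a blocking match, 'log' if only log,pass rules matched, else 'allow'."""
    verdict, reason, i = "allow", "", 0
    while i < len(rules):
        comment, hit, acts = rules[i][0], True, {"chain"}
        while "chain" in acts:                       # a chain needs every one of its rules to match
            _, loc, pat, more = rules[i]
            i, acts = i + 1, (acts - {"chain"}) | more
            hit = hit and rule_matches(loc, pat, request_line)
        if hit and "pass" not in acts:
            return "deny", comment
        if hit and verdict == "allow":               # log,pass: note the match, keep scanning
            verdict, reason = "log", comment
    return verdict, reason
def run_samples():                                   # constructed request lines, not captured traffic
    samples = ["GET /index.php HTTP/1.1", "GET /cgi-bin/htgrep?file=doc HTTP/1.1",
               "GET /viewtopic.php?t=1&highlight=%2527 HTTP/1.1"]   # %2527 decodes once to %27
    return {s: evaluate(s, parse_rules(RULES_TEXT)) for s in samples}  # {request: (verdict, reason)}
```

These filters only inspect HTTP requests; they do not stop a bot already dropped in /tmp from running, so the kill-and-remove step in post 4 is still needed.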
     
  7. silentcircuit

    Should mod_security with the correct variables in the config prevent /tmp/ attacks? iroffer was injected into my /tmp/ directory as well. Also, is it just exploiting the BW, or do you think it is possible they gained access to other more sensitive areas? Thank you.
     
  8. SuperBaby

    I have mod_security installed. I have only disabled one or two filters. It has been a week and everything seems to work perfectly.
     
