David Kirchner wrote:
> On 11/16/05, Mark Kane <[EMAIL PROTECTED]> wrote:
>
>> I also see a psyBNC server listening on port 7978:
>>
>> server# sockstat -l4 | grep psybnc
>> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
>> wicked6  psybnc     15819 3  tcp4   *:7978                *:*
>>
>> Funny thing is there is no process by wicked6 (or by anyone currently)
>> called "psybnc". I can connect to an IP on that server on port 7978 and
>> get a psyBNC though. I've checked for other processes by wicked6, nothing.
>
> It's very common for them to overwrite argv[0], or use setproctitle
> stuff to hide the real name of the program. Some programs don't read
> that -- sockstat and top are two that don't read the modified program
> name.
>
>> It's trying to make a connection on 6667 to that IP as I said:
>>
>> server1# netstat -n | grep 6667
>> tcp4       0      0  xx.xx.xx.xx.64243     195.197.175.21.6667   SYN_SENT
>
> netstat -aAn (specifically, the -A) instructs netstat to prepend each
> line with the memory address of the network connection. If you run
> that you'll see something like:
>
> f0d710c0 tcp4       0      0  xxx.xxx.xxx.xxx.29    211.119.136.240.66    ESTABLISHED
>
> (sometimes, the port numbers get truncated, so you may have to grep
> for the destination IP instead of the port number.)
>
> You can take that address and run fstat | grep address:
>
> $ fstat | grep f0d710c0
> www      iroffer    19133    3* internet stream tcp f0d710c0
>
> In this specific case, it's an iroffer program run from some PHP
> backdoor someone installed on the server (see
> http://malformed.org/2005/11/15/zend-encoder-bad-for-the-internet/ for
> a description of the present/near-future of these PHP backdoors). In
> your case it may be that you're running suexec or suPHP, or it may not
> have been started from the web at all.
>
> If that's the case, you may be able to find out what else is going on
> by ensuring /proc is mounted and then run: ps -uxwwep pid:
>
> ps -uxwwep 19133
> USER   PID %CPU %MEM  VSZ RSS TT STAT STARTED    TIME COMMAND
> www  19133  0.0  0.0 1244 424 ?? S    22Oct05 12:52.03 ... DOC_ROOT=/usr/home/user/websites/domain.com ...
>
> You may also see SCRIPT_FILENAME or PWD or other environment variables
> that may give you hints as to where this was started from.
>
> There are some other programs that'll do all this for you, I think
> 'lsof' is one. I dunno. I prefer to use base system utilities. But to
> each their own.
>
> Of course, if the listening process isn't showing up at all, but you
> can still connect to the port, then you may have some sort of hacked
> kld loaded or hacked ps, in which case the attacker has root, which is
> a far more serious situation.
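The pcb-address correlation David describes above, as an added example (it is not code from the original thread): a POSIX sh script that matches the pcb address in netstat -aAn output against the socket lines of fstat, flags a socket that no process admits to owning, and then pulls the launch hints out of ps -uxwwep output. It runs on constructed sample output embedded in the script; the IPs, pcb addresses, PIDs and paths are made up, and the only assumptions about real output are the column positions of FreeBSD's netstat -A (pcb address first, foreign address sixth, state seventh), fstat (socket address as the last field) and ps -e (environment appended after the command).

```shell
#!/bin/sh
# Added example, not from the original thread: tie a suspicious socket to
# the process that owns it, even when argv[0] has been rewritten, by using
# the pcb address that FreeBSD's netstat -aAn prints in its first column
# and that fstat prints as the last field of a socket descriptor line.
# The three *_SAMPLE strings are CONSTRUCTED stand-ins for real command
# output so the script runs offline; on a live host use
#   NETSTAT_SAMPLE=$(netstat -aAn)   FSTAT_SAMPLE=$(fstat)
#   PS_SAMPLE=$(ps -uxwwep PID)      (needs /proc mounted)
# IPs, pcb addresses, PIDs and paths below are made up.

NETSTAT_SAMPLE='f0d710c0 tcp4       0      0  10.0.0.5.29           211.119.136.240.66    ESTABLISHED
f0d71240 tcp4       0      0  10.0.0.5.64243        195.197.175.21.6667   SYN_SENT
f0d713c0 tcp4       0      0  *.7978                *.*                   LISTEN
f0d71540 tcp4       0      0  *.22                  *.*                   LISTEN
f0d71780 tcp4       0      0  10.0.0.5.45012        198.51.100.7.6667     ESTABLISHED'

# fstat prints a header line first; the filters below simply ignore it.
# Note that nothing here owns f0d71780: that is the hidden-process case.
FSTAT_SAMPLE='USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
www      iroffer    19133    3* internet stream tcp f0d710c0
wicked6  [psybnc]   15819    3* internet stream tcp f0d713c0
wicked6  [psybnc]   15819    4* internet stream tcp f0d71240
root     sshd         812    3* internet stream tcp f0d71540'

# ps -uxwwep PID appends the process environment after the command line.
PS_SAMPLE='USER   PID %CPU %MEM  VSZ RSS TT STAT STARTED    TIME COMMAND
www  19133  0.0  0.0 1244 424 ?? S    22Oct05 12:52.03 ./iroffer -b PATH=/usr/local/bin:/usr/bin:/bin DOC_ROOT=/usr/home/user/websites/domain.com SCRIPT_FILENAME=/usr/home/user/websites/domain.com/img/up.php PWD=/tmp/.x'

# pcb_for_peer NETSTAT PEER_IP: pcb address of every socket whose foreign
# address is PEER_IP on any port.  Matching the IP rather than the port
# sidesteps the port truncation David mentions.
pcb_for_peer() {
    printf '%s\n' "$1" | awk -v peer="$2" '
        substr($6, 1, length(peer)) == peer &&
        substr($6, length(peer) + 1, 1) == "." { print $1 }'
}

# pcb_for_local_port NETSTAT PORT: pcb address of the socket listening on PORT.
pcb_for_local_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $5 ~ ("\\." port "$") && $7 == "LISTEN" { print $1 }'
}

# pid_for_pcb FSTAT PCB: "user command pid" of every descriptor open on PCB.
pid_for_pcb() {
    printf '%s\n' "$1" | awk -v pcb="$2" '$NF == pcb { print $1, $2, $3 }'
}

# trace_peer PEER_IP: for each connection to PEER_IP, name the owning process,
# or flag the socket when fstat shows no owner for something netstat can see
# (the hacked-ps / hidden-process situation David warns about at the end).
trace_peer() {
    for pcb in $(pcb_for_peer "$NETSTAT_SAMPLE" "$1"); do
        owner=$(pid_for_pcb "$FSTAT_SAMPLE" "$pcb")
        if [ -n "$owner" ]; then
            printf '%s %s\n' "$pcb" "$owner"
        else
            printf '%s (no owner in fstat: hidden process?)\n' "$pcb"
        fi
    done
}

# env_hints PS_OUTPUT: the environment variables that reveal how the process
# was launched (web-server CGI variables, working directory).
env_hints() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        grep -E '^(DOC_ROOT|SCRIPT_FILENAME|SCRIPT_NAME|REQUEST_URI|PWD)='
}

# Walk the thread's own scenario on the sample data.
trace_peer 195.197.175.21        # f0d71240 wicked6 [psybnc] 15819
trace_peer 198.51.100.7          # f0d71780 (no owner in fstat: hidden process?)
pid_for_pcb "$FSTAT_SAMPLE" "$(pcb_for_local_port "$NETSTAT_SAMPLE" 7978)"
env_hints "$PS_SAMPLE"
```

On a live box, a pcb that netstat lists but fstat cannot attribute to any process is the signal to stop trusting the userland tools on that host and move to offline analysis, since both netstat and fstat read kernel state that a loaded kld can filter.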
Okay well I looked around some more now and found it. It was in
/var/tmp/.packlist.0928456/ and it was showing up as "[psybnc]" (wasn't
there before). A kill -9 got rid of it.

I'm now grepping to try to find out what may have created that or
launched it.

Thanks

-Mark

--
GnuPG Public Key: http://www.mkproductions.org/mk_pubkey.asc
Internet Radio: Party107 (Trance/Electronic) - http://www.party107.com
                Rock 101.9 The Edge (Rock) - http://www.rock1019.net
IRC: MIXXnet IRC Network - irc.mixxnet.net (Nick: MIXX941)
