--On Tuesday, August 25, 2009 04:41:33 -0500 Ruben de Groot <mai...@bzerk.org> wrote:



On Tue, Aug 25, 2009 at 10:19:37AM +0100, Mike Bristow typed:
On Tue, Aug 25, 2009 at 01:00:53AM -0700, Colin Brace wrote:
> Ok, here is what lsof tells me:
>
> $ sudo lsof | grep perl
> perl5.8.9  4272     www    3u    IPv4 0xc33cf000        0t0     TCP
> gw:51295->94.102.51.57:afs3-fileserver (ESTABLISHED)
>
> The last line would appear to be telling me something, but what?

The script is talking to 94.102.51.57 on port 7000.

At which port an IRC server is listening:

telnet 94.102.51.57 7000
Trying 94.102.51.57...
Connected to 94.102.51.57.
Escape character is '^]'.
:sampson.dangerz.biz NOTICE AUTH :*** Looking up your hostname...
:sampson.dangerz.biz NOTICE AUTH :*** Couldn't resolve your hostname; using
your IP address instead


And the IRC daemon is screaming "You have been hacked!"

You need to get someone who knows about server compromises to help you. Your server has been compromised. If you don't take action now, it will only get worse.

--
Paul Schmehl (pa...@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
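
Added example, not part of the original thread: a small Python check that applies the lsof triage discussed above, flagging any process owned by a web-server account that holds an established TCP connection on a port the web server does not itself serve. The account names, the served-port list, the service-name map and every sample line other than the perl entry are assumptions constructed for illustration.

```python
import re

# Constructed sample in `lsof` network column layout. The first line is the one
# quoted in the thread, re-joined onto a single line; the rest are made up.
SAMPLE = """\
perl5.8.9  4272  www   3u  IPv4 0xc33cf000  0t0  TCP gw:51295->94.102.51.57:afs3-fileserver (ESTABLISHED)
httpd      812   www   4u  IPv4 0xc33ce000  0t0  TCP 192.0.2.10:80->198.51.100.7:40112 (ESTABLISHED)
httpd      810   root  3u  IPv4 0xc33cd000  0t0  TCP *:80 (LISTEN)
sshd       655   root  3u  IPv4 0xc33cc000  0t0  TCP 192.0.2.10:22->198.51.100.9:50022 (ESTABLISHED)
"""

WEB_USERS = {"www", "www-data", "apache", "nobody"}  # assumption: adjust per host
SERVED_PORTS = {80, 443}                             # assumption: ports the web server listens on
# Without -P, lsof prints /etc/services names; 7000/tcp shows as afs3-fileserver.
SERVICE_NAMES = {"afs3-fileserver": 7000, "http": 80, "https": 443}

CONN = re.compile(r"^(?P<lhost>.+):(?P<lport>[^:]+)->(?P<rhost>.+):(?P<rport>[^:]+)$")

def port_number(token):
    """Turn an lsof port token (number or service name) into an int, or None."""
    if token.isdigit():
        return int(token)
    return SERVICE_NAMES.get(token)

def suspicious_outbound(lsof_text):
    """Return (command, pid, user, remote_host, remote_port) for web-user
    processes with an ESTABLISHED TCP connection that is not a served one."""
    findings = []
    for line in lsof_text.splitlines():
        f = line.split()
        # Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (STATE)
        if len(f) < 10 or f[7] != "TCP" or f[9] != "(ESTABLISHED)":
            continue
        m = CONN.match(f[8])
        if not m or f[2] not in WEB_USERS:
            continue
        if port_number(m["lport"]) in SERVED_PORTS:
            continue  # a client talking to the web server, which is expected
        findings.append((f[0], int(f[1]), f[2], m["rhost"], port_number(m["rport"])))
    return findings

if __name__ == "__main__":
    for hit in suspicious_outbound(SAMPLE):
        print(hit)
```

Running lsof with `-n -P` prints numeric addresses and ports directly, which avoids the service-name confusion seen in the quoted output.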
