On Wed, Jan 10, 2007 at 10:01:46AM -0800, Andrew Sackville-West wrote:
> On Wed, Jan 10, 2007 at 11:53:42AM -0600, Fran wrote:
> > I've been told by my ISP that my sarge webserver (only port 80 open, all
> > software up to date) is spewing traffic they're calling IRC_nick, which
> > is apparently some sort of IRC bot.
> >
> > I'm unable to locate the file/files that are infected. Additionally, I
> > can't see the process/processes for the bot when it's running.
> >
> > chkproc -v does reveal some hidden procs, but before I can kill them,
> > they seem to go away.
> >
> > chkrootkit/rkhunter don't seem to see anything either.
> >
> > Any other suggestions?
>
> if you're rooted, take the box down, take it off the net, reboot with a
> live-cd and run chkrootkit from there. Probably though, you're stuck
> rebuilding the box from scratch -- as in nuke it from orbit.
>
> A

Also, root kits usually replace top, ps, ls and other things to make it
harder to find them. Maybe find a recent copy of these and reinstall
these by hand to see if that shows anything.

You can also install a firewall if you don't have one, like shorewall,
and maybe get something to log your web traffic.

Cheers,
Kev

-- 
| .''`.  == Debian GNU/Linux ==  | my web site:             |
| : :' :    The Universal        | 'under construction'     |
| `. `'     Operating System     | go to counter.li.org and |
|   `-   http://www.debian.org/  | be counted! #238656      |
| my keyserver: subkeys.pgp.net  | my NPO: cfsg.org         |
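A defender-side version of the hidden-process check the thread relies on (what chkproc does), added here as an example and not something posted to the list: it diffs the kernel's /proc listing against `ps -eo pid=` and scans /proc twice, so that transient processes like the ones Fran saw vanish are not reported as hidden. It assumes Linux with procps `ps`; on a box suspected rooted both `ps` and the running kernel may lie, which is why the advice above to boot a live CD still applies.

```python
import os
import subprocess
from typing import Dict, List, Set


def pids_from_proc(proc_root: str = "/proc") -> Set[int]:
    """PIDs the kernel exposes as numeric directories under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps(ps_output: str) -> Set[int]:
    """Parse `ps -eo pid=` output: one PID per line, no header."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def hidden_pids(proc_before: Set[int], ps_pids: Set[int],
                proc_after: Set[int]) -> List[int]:
    """A PID is suspicious only if /proc listed it both before and after the
    ps run yet ps did not report it. Requiring presence in both scans drops
    short-lived processes (and the ps child itself) that would otherwise be
    false positives."""
    return sorted((proc_before & proc_after) - ps_pids)


def describe(pid: int, proc_root: str = "/proc") -> Dict[str, str]:
    """Collect what /proc still says about a PID; it may have exited or be
    unreadable by the time we look, so failures are recorded, not raised."""
    base = os.path.join(proc_root, str(pid))
    info = {"pid": str(pid)}
    try:
        with open(os.path.join(base, "comm")) as fh:
            info["comm"] = fh.read().strip()
        with open(os.path.join(base, "cmdline"), "rb") as fh:
            raw = fh.read().replace(b"\0", b" ")
            info["cmdline"] = raw.decode(errors="replace").strip()
        info["exe"] = os.readlink(os.path.join(base, "exe"))
    except OSError as exc:  # process gone, or permission denied
        info["error"] = str(exc)
    return info


def scan(ps_cmd=("ps", "-eo", "pid=")) -> List[Dict[str, str]]:
    """Run the double /proc scan around one ps invocation and describe hits."""
    before = pids_from_proc()
    out = subprocess.run(ps_cmd, capture_output=True, text=True, check=True).stdout
    after = pids_from_proc()
    return [describe(p) for p in hidden_pids(before, pids_from_ps(out), after)]


if __name__ == "__main__":
    for entry in scan():
        print(entry)
```

Any PID it prints should be checked from the live CD as well, since a kernel-level rootkit can filter /proc and make the two views agree.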