Kevin Mark <[EMAIL PROTECTED]> wrote:
> On Wed, Jan 10, 2007 at 10:01:46AM -0800, Andrew Sackville-West wrote:
> > On Wed, Jan 10, 2007 at 11:53:42AM -0600, Fran wrote:
> > > I've been told by my ISP that my sarge webserver (only port 80 open, all
> > > software up to date) is spewing traffic they're calling IRC_nick, which
> > > is apparently some sort of IRC bot.
> > >
> > > I'm unable to locate the file/files that are infected. Additionally, I
> > > can't see the process/processes for the bot when it's running.
> > >
> > > chkproc -v does reveal some hidden procs, but before I can kill them,
> > > they seem to go away.
> > >
> > > chkrootkit/rkhunter don't seem to see anything either.
> > >
> > > Any other suggestions?

Another thing to consider: it's possible your box hasn't been hacked to the point of a shell. Do you have mod_proxy enabled in your apache config? Somebody could be bouncing their bot off of that. I'd still reformat etc just to be sure but it's worth looking into anyways.

Also, you have to consider how they got in, if port 80 is the only port that's open... I'd do a serious security audit of any dynamic (PHP etc) content you serve from there.

- Tyler
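
One way to check the mod_proxy theory raised in the reply above, as an added example that is not part of the original thread: it tests a config for an active `ProxyRequests On` and lists proxy-style requests (CONNECT, or a request line carrying a full URL) that the server answered with a 2xx status. The config text, log lines, addresses and function names are constructed for illustration, and the log is assumed to be in Apache's common/combined format.

```python
import re

# Constructed sample data (not from the thread); documentation-range addresses.
SAMPLE_CONF = """\
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
<IfModule mod_proxy.c>
    # ProxyRequests Off
    ProxyRequests On
</IfModule>
"""
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2007:09:12:01 -0600] "CONNECT irc.example.net:6667 HTTP/1.0" 200 -
203.0.113.7 - - [10/Jan/2007:09:12:09 -0600] "GET http://www.example.org/ HTTP/1.1" 200 5120
198.51.100.4 - - [10/Jan/2007:09:13:40 -0600] "GET /index.php HTTP/1.1" 200 2048
198.51.100.9 - - [10/Jan/2007:09:14:02 -0600] "CONNECT mail.example.com:25 HTTP/1.0" 405 -
"""

def forward_proxy_enabled(conf_text):
    """True if the last uncommented ProxyRequests directive is On.
    Simplification: does not follow Include files or per-vhost scope."""
    state = False
    for line in conf_text.splitlines():
        m = re.match(r"\s*ProxyRequests\s+(\S+)", line, re.I)
        if m:
            state = m.group(1).lower() == "on"
    return state

# client, ident, user, [time], "METHOD target protocol", status
REQ = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def proxied_requests(log_text):
    """Return (client, method, target, status) for proxy-style requests answered 2xx."""
    hits = []
    for line in log_text.splitlines():
        m = REQ.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        # A normal request targets a path; a proxied one names a host or full URL.
        proxy_style = method == "CONNECT" or re.match(r"[a-z][a-z0-9+.-]*://", target, re.I)
        if proxy_style and status.startswith("2"):
            hits.append((client, method, target, int(status)))
    return hits

if __name__ == "__main__":
    print("forward proxy enabled:", forward_proxy_enabled(SAMPLE_CONF))
    for hit in proxied_requests(SAMPLE_LOG):
        print(hit)
```

Treat the hits as candidates to review: a 2xx on CONNECT is the stronger signal, while Apache can answer a full-URL GET with its own local content even when it is not proxying.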