
I noticed last night, whilst checking the active sessions list on our firewall for something else, that a server was generating outbound IRC connections.

Last night there were around 60 connections, but this morning there are far fewer.

[root@prod12 ~]# netstat -nputw | grep 6667
tcp        0      1 10.109.131.20:44242         66.198.80.67:6667                SENT    4280/bash
tcp        0      1 10.109.131.20:46549         208.64.123.210:6667              SENT    4280/bash
tcp        0      1 10.109.131.20:35862         208.83.20.130:6667               SENT    4280/bash
[root@prod12 ~]#

There is nothing IRC related on this server intentionally. Does anyone know what virus or whatnot this looks like, so that I can search online for removal instructions?

2 Answers

Look in the process list at what the command line for process 4280 (seen at the rightmost of the netstat output) is. This should give you the location and name of the executable.

If you did not install or run any software using the IRC port, this is most likely a connection to a botnet master server. Those are frequently used to send control commands to the servers in a botnet. Stop the program, remove it (or move it to a safe place for forensics), check how the attacker got in (most likely known issues in web apps, weak SSH passwords, etc.), and check whether there is other software or reconfiguration put in place by the attacker.

In the future, you might want to think about a more restrictive firewall for outbound connections if possible.

Izzy
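A small triage helper along the lines of Izzy's answer, added here as an example and not part of either post: it parses netstat rows like the ones quoted in the question, collects the PIDs behind connections to IRC ports, and reads each PID's executable path and command line from /proc (Linux only). The sample rows are the question's; port 6697 is an assumption.

```python
import os
from typing import Dict, List, NamedTuple

# Constructed sample input: the 'netstat -nputw | grep 6667' rows quoted in the question.
SAMPLE_NETSTAT = """\
tcp        0      1 10.109.131.20:44242         66.198.80.67:6667                SENT    4280/bash
tcp        0      1 10.109.131.20:46549         208.64.123.210:6667              SENT    4280/bash
tcp        0      1 10.109.131.20:35862         208.83.20.130:6667               SENT    4280/bash
"""
# 6667 is the port on the page; 6697 (IRC over TLS) is an assumption added here.
IRC_PORTS = {6667, 6697}

class Conn(NamedTuple):
    remote_ip: str
    remote_port: int
    state: str     # 'SENT' in the question is netstat's truncation of SYN_SENT
    pid: int       # 0 when netstat printed '-' (no visible owning process)
    program: str

def parse_netstat(text: str) -> List[Conn]:
    """Parse the TCP rows of 'netstat -nputw' (numeric, with a PID/Program column)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or not parts[0].startswith("tcp"):
            continue  # skip headers, blank lines and UDP rows (which have no State column)
        ip, _, port = parts[4].rpartition(":")  # rpartition keeps IPv6 literals intact
        pid, _, prog = parts[6].partition("/")
        conns.append(Conn(ip, int(port), parts[5], int(pid) if pid.isdigit() else 0, prog))
    return conns

def suspicious_pids(conns: List[Conn], ports=IRC_PORTS) -> List[int]:
    """PIDs that own a connection to an IRC port; repeated rows for one PID collapse."""
    return sorted({c.pid for c in conns if c.remote_port in ports and c.pid > 0})

def describe_process(pid: int) -> Dict[str, object]:
    """Read from /proc (Linux only) what the answer asks for: binary path and argv. An exe
    link ending in ' (deleted)' means the binary was unlinked from disk while still running."""
    info: Dict[str, object] = {"pid": pid, "alive": os.path.isdir(f"/proc/{pid}"), "exe": None, "cmdline": None}
    if not info["alive"]:
        return info  # process already exited (or never existed on this host)
    try:
        info["exe"] = os.readlink(f"/proc/{pid}/exe")
    except OSError:
        pass  # e.g. permission denied when not running as root
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            info["cmdline"] = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        pass
    return info
```

Feed it the real `netstat -nputw` output on the affected host and call `describe_process` on each PID from `suspicious_pids`; preserve the reported binary before stopping the process if you want it for forensics.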

If your server has a connection to the internet, it is quite likely that it has been hacked. If this is a production service, you should restore a previous clean backup, because you don't know whether you have identified all the malware/rootkits installed on the server.

If you want to search for the cause of this problem, you can try to follow this guide: http://heylinux.com/en/?p=97

NoNoNo