How can I track down IRC on the server

cybercavern (Verified User; joined Dec 3, 2005; 21 messages; location: U.S.A.)
Running the top command I found:

Code:
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
9465 apache 15 0 2140 1452 856 S 0.3 0.1 12:20.62 iroffer

How can I track down where the IRC is running to get rid of it? Is there a way for me to tell which user account it is being uploaded from?

Thank You for any help
 
iroffer is a program used for sharing files on IRC servers. I suggest you firewall both input and output TCP ports 6660-7000 to block IRC access.

You will want to look through the /tmp folders for files as well.

First find out where iroffer is being hosted

Code:
find / -name iroffer

Look through apache log files:

Code:
grep -i 'iroffer' /var/log/httpd/domains/*
grep -i 'wget' /var/log/httpd/domains/*
grep -i 'curl' /var/log/httpd/domains/*

More than likely it was not a program directly downloaded but more of a rootkit attempt. Finding the rootkit is what is gonna help you get it fixed, so you will know exactly what commands they used. Check the /tmp, /var/tmp and /home/tmp folders for suspicious scripts.

To find out what files and folders are world executable you can try something like:

Code:
# -perm 777 matches only files whose mode is exactly 0777 (world-writable and world-executable);
# use -perm -o+x instead to list anything that is world-executable
find / -perm 777
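The steps above (pick the PID out of top, find where the binary really lives and who owns it, check whether it sits in a temp directory) can be scripted. This is an added example, not code from the reply above; it assumes a Linux /proc filesystem, and the top output it parses is a constructed sample based on the question.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Assumes Linux with /proc mounted.

# Constructed sample of the `top` output from the question (plus one benign row).
SAMPLE_TOP='PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
9465 apache 15 0 2140 1452 856 S 0.3 0.1 12:20.62 iroffer
1234 root 15 0 2140 1452 856 S 0.0 0.1 0:00.01 sshd'

# Print the PIDs whose COMMAND column (last field) matches a name, case-insensitively.
# Usage: printf '%s\n' "$top_output" | pids_for_command iroffer
pids_for_command() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v want="$want" 'NR > 1 && tolower($NF) == want { print $1 }'
}

# True if a path lives in one of the scratch directories the reply says to check.
in_tmp_dir() {
    case "$1" in
        /tmp/*|/var/tmp/*|/home/tmp/*|/dev/shm/*) return 0 ;;
        *) return 1 ;;
    esac
}

# For one PID, report the real binary path, its working directory and owning uid:
# this answers "where is it running from?" even when the file was unlinked
# (readlink then shows a "(deleted)" suffix) or the process name was changed.
triage_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "pid $pid is not running" >&2; return 1; }
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')
    owner=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status")
    flag=''
    in_tmp_dir "$exe" && flag=' (binary in a temp dir: suspicious)'
    printf 'pid=%s owner_uid=%s exe=%s cwd=%s%s\n' "$pid" "$owner" "$exe" "$cwd" "$flag"
}

# Walk every process whose name matches, e.g. `top -bn1 | triage_by_name iroffer`.
triage_by_name() {
    for p in $(pids_for_command "$1"); do triage_pid "$p"; done
}
```

The owner uid tells you which account (here the apache user) the process was started under; the cwd and exe paths point at the upload location to clean out.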