Server Broken Into... help?

Nautic (Verified User, joined Jun 17, 2008, 46 messages)
Hi Guys,

A question: one of our DA servers has been broken into. I have chkrootkit installed etc. and nothing there is compromised or changed. There are only a couple of users that have shell access to the server for their accounts, and no new users have been created on the server since the breach.

They have managed to run IRC services on the server; netstat output shows a heap of entries of this type:
tcp 0 1 IP ADDRESS:47761 undernet.xs4all.nl:ircd SYN_SENT

I can't locate where they have installed the software, and I can't work out how they gained access, as everything looks fairly normal and unchanged. Any help appreciated. They seem to have installed it as a bot.

Regards,

Joel
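The triage Joel is stuck on, tying the SYN_SENT entries back to the process that owns them, is easiest from `netstat -tnp` (or `ss -tnp`) output run as root, since the PID/Program column then shows the owner and `/proc/<pid>/` shows where it was started from. The script below is an added example written for this thread, not something Nautic posted: it parses a constructed sample of netstat output (documentation placeholder addresses, made-up PIDs and program names, plus one line in the same no-PID format as the thread's own entry), groups connections to IRC ports by owning PID, and lists the read-only `/proc` entries to inspect for each. The set of IRC ports is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -tnp` output (not from the thread). Addresses
# are documentation placeholders; PIDs and program names are made up. The last
# line mimics the thread's own entry (no -n/-p: service name, no PID column).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:22           198.51.100.7:51234      ESTABLISHED 812/sshd
tcp        0      1 192.0.2.10:47761        194.109.20.90:6667      SYN_SENT    31337/httpd
tcp        0      1 192.0.2.10:47762        194.109.20.90:6667      SYN_SENT    31337/httpd
tcp        0      0 192.0.2.10:80           203.0.113.5:40112       TIME_WAIT   -
tcp        0      1 192.0.2.10:47763        198.51.100.44:6667      SYN_SENT    31338/perl
tcp 0 1 192.0.2.10:47764 undernet.xs4all.nl:ircd SYN_SENT
"""

# Ports / service names commonly used for IRC (assumption for this example).
IRC_PORTS = {"6665", "6666", "6667", "6668", "6669", "6697", "7000", "ircd"}

# One tcp row: proto, Recv-Q, Send-Q, local addr:port, foreign addr:port, state
# and an optional PID/Program column. The greedy \S+ before each colon makes the
# last colon the address/port separator, which also copes with IPv6 addresses.
ROW_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(\S+):([^\s:]+)\s+(\S+):([^\s:]+)\s+(\S+)(?:\s+(\S+))?\s*$"
)


def parse_netstat(text):
    """Return one dict per tcp connection row; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        laddr, lport, faddr, fport, state, pidprog = m.groups()
        pid, prog = None, None
        if pidprog and pidprog != "-":       # "-" means netstat could not see the owner
            pid, _, prog = pidprog.partition("/")
        rows.append({"laddr": laddr, "lport": lport, "faddr": faddr,
                     "fport": fport, "state": state, "pid": pid, "prog": prog})
    return rows


def suspicious_irc(rows, ports=IRC_PORTS):
    """Group connections whose foreign port is an IRC port by owning PID.
    Rows with no visible owner (no -p, or not run as root) go under key "?"."""
    by_pid = defaultdict(lambda: {"prog": None, "peers": set(), "count": 0})
    for r in rows:
        if r["fport"] not in ports:
            continue
        entry = by_pid[r["pid"] or "?"]
        entry["prog"] = entry["prog"] or r["prog"]
        entry["peers"].add(r["faddr"])
        entry["count"] += 1
    return dict(by_pid)


def proc_artifacts(pid):
    """Read-only /proc entries that show where a live process came from:
    exe (the binary, even if deleted from disk), cwd (usually the drop
    directory), cmdline, environ and the open file descriptors."""
    return [f"/proc/{pid}/{name}" for name in ("exe", "cwd", "cmdline", "environ", "fd")]


def report(text):
    """Human-readable triage summary for the investigator."""
    lines = []
    for pid, info in sorted(suspicious_irc(parse_netstat(text)).items()):
        peers = ", ".join(sorted(info["peers"]))
        lines.append(f"pid {pid} ({info['prog'] or 'unknown program'}): "
                     f"{info['count']} connection(s) to {peers}")
        if pid != "?":
            lines.append("  inspect: " + " ".join(proc_artifacts(pid)))
        else:
            lines.append("  rerun as root with `netstat -tnp` or `ss -tnp` to see the owning PID")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_NETSTAT))
```

The two things to note from the output are the owning program name (a bot started through a web application vulnerability will usually show up as the web server's user and process, `httpd` or `perl`, rather than as a shell user's process) and `/proc/<pid>/cwd`, which points at the directory the files were dropped in even when the binary itself has been deleted. Read those entries before killing the process, since they vanish with it.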
 
Indeed, it seems like a worm that is part of a botnet.

Usually this kind of worm also contains trojan functionality, and its owners try to gain privileged access in order to exploit the machine further (read confidential data, send forged network packets, etc.); therefore, unless it's a perfectly updated system, I suggest reinstalling it completely after saving an image of the disk for further investigation.

Often they appear in the form of an interpreted script loaded through a web application vulnerability: check that all of your web software is updated or patched, and apply at least basic security measures (mod_security2, suhosin, noexec/nosuid/nodev temporary partitions, PHP disable_functions, PHP-CGI instead of mod_php, etc.) as described in many threads here.

If you need professional help contact me or some other experienced consultant from this forum for a quote.
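Two of the measures listed above, noexec/nosuid/nodev on the temporary partitions and PHP's disable_functions, can be checked mechanically before and after the rebuild. The audit below is an added example, not the reply author's code or a DirectAdmin tool: it runs over a constructed fstab fragment and a constructed php.ini fragment, reports which temp mounts lack which options (or are not separate mounts at all, and so cannot carry them), and lists which shell-spawning PHP functions are still callable. The list of functions it expects in disable_functions is an assumption about what is usually disabled.

```python
# Constructed /etc/fstab fragment: /tmp is a separate partition but lacks
# nodev, /dev/shm has only defaults, and /var/tmp has no entry at all.
SAMPLE_FSTAB = """\
# <device>   <mount point>  <type>  <options>                 <dump> <pass>
/dev/sda1    /              ext3    defaults                  1 1
/dev/sda2    /tmp           ext3    defaults,noexec,nosuid    1 2
tmpfs        /dev/shm       tmpfs   defaults                  0 0
"""

# Constructed php.ini fragment: only three functions are disabled.
SAMPLE_PHP_INI = """\
; constructed php.ini fragment
[PHP]
expose_php = Off
disable_functions = exec,passthru,shell_exec
"""

TMP_MOUNTS = ("/tmp", "/var/tmp", "/dev/shm")
TMP_OPTIONS = {"noexec", "nosuid", "nodev"}
# Shell-spawning functions usually put in disable_functions (assumption).
SHELL_FUNCS = ["exec", "passthru", "shell_exec", "system", "proc_open", "popen"]


def fstab_options(fstab_text):
    """Map mount point -> set of mount options, from fstab text."""
    mounts = {}
    for line in fstab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def check_tmp_mounts(fstab_text, mounts=TMP_MOUNTS, required=TMP_OPTIONS):
    """For each temp mount point: the set of missing options, or None when
    it is not a separate mount and therefore inherits the root fs options."""
    options = fstab_options(fstab_text)
    return {mp: (required - options[mp]) if mp in options else None for mp in mounts}


def disabled_functions(php_ini_text):
    """Parse the effective disable_functions list (the last uncommented
    setting wins, as in php.ini itself)."""
    disabled = set()
    for line in php_ini_text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "disable_functions":
            value = value.strip().strip('"')
            disabled = {f.strip() for f in value.split(",") if f.strip()}
    return disabled


def check_disable_functions(php_ini_text, wanted=SHELL_FUNCS):
    """Return the functions from `wanted` that are still callable."""
    disabled = disabled_functions(php_ini_text)
    return [f for f in wanted if f not in disabled]


def audit(fstab_text, php_ini_text):
    """Collect findings as plain strings; an empty list means both checks pass."""
    findings = []
    for mp, missing in check_tmp_mounts(fstab_text).items():
        if missing is None:
            findings.append(f"{mp}: not a separate mount, cannot carry its own noexec/nosuid/nodev")
        elif missing:
            findings.append(f"{mp}: missing {','.join(sorted(missing))}")
    still_on = check_disable_functions(php_ini_text)
    if still_on:
        findings.append("php disable_functions still allows: " + ",".join(still_on))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FSTAB, SAMPLE_PHP_INI):
        print(finding)
```

This reads the fstab text only, so it shows what the box will have after the next reboot; compare it against the live mount table (`mount` or `/proc/mounts`) to see what is in force right now. Note also that noexec on /tmp stops a dropped binary from being executed directly but does not stop an interpreter (perl, php) from reading a script out of /tmp, which is why the reply also lists disable_functions and the interpreter-level measures.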
 