https://community.hpe.com/t5/operating-system-linux/system-communicating-with-an-irc-server/m-p/4042011#M29441 block this ports using tcp warpers or iptables. <BR /><BR />194/tcp/udp<BR />529/tcp/udp Mon, 23 Jul 2007 23:08:08 GMT sshakthi 2007-07-23T23:08:08Z https://community.hpe.com/t5/operating-system-linux/system-communicating-with-an-irc-server/m-p/4042009#M29439 Hi there --<BR /><BR />Our network security team contacted and informed me that one of our systems, Fedora Core 5, is communicating with an IRC server outside our network. The group has threatened to cut the system in question off the network. The system supposedly has an IRCbot running on the it. <BR /><BR />I rebooted the server to reset the connection that it had, and I was planning on turning off all unnecessary services on the server. Besides the above, are there tools that I can use to prevent this from happening in the future? Thanks. Mon, 23 Jul 2007 10:07:41 GMT https://community.hpe.com/t5/operating-system-linux/system-communicating-with-an-irc-server/m-p/4042009#M29439 Andrew Kaplan 2007-07-23T10:07:41Z https://community.hpe.com/t5/operating-system-linux/system-communicating-with-an-irc-server/m-p/4042010#M29440 Start by setting the firewall to block all external traffic, and ensuring user security (passwords etc.).<BR /><BR />It sounds like you've been root-kit'd.<BR /><BR />So use 'rpm -Va' to verify that none of the binaries have been replaced, use 'netstat -ntlp', 'ps', and the contents of '/proc' to ensure you don't have any hidden processes. Mon, 23 Jul 2007 15:47:06 GMT https://community.hpe.com/t5/operating-system-linux/system-communicating-with-an-irc-server/m-p/4042010#M29440 Stuart Browne 2007-07-23T15:47:06Z https://community.hpe.com/t5/operating-system-linux/system-communicating-with-an-irc-server/m-p/4042011#M29441 block this ports using tcp warpers or iptables. <BR /><BR />194/tcp/udp<BR />529/tcp/udp Mon, 23 Jul 2007 23:08:08 GMT https://community.hpe.com/t5/operating-system-linux/system-communicating-with-an-irc-server/m-p/4042011#M29441 sshakthi 2007-07-23T23:08:08Z https://community.hpe.com/t5/operating-system-linux/system-communicating-with-an-irc-server/m-p/4042012#M29442 you may make use of nmap to veiry the port status.<BR /><BR />example<BR />nmap -v -p 194 xx.xx.xx.xx Wed, 25 Jul 2007 21:01:28 GMT https://community.hpe.com/t5/operating-system-linux/system-communicating-with-an-irc-server/m-p/4042012#M29442 skt_skt 2007-07-25T21:01:28Z https://community.hpe.com/t5/operating-system-linux/system-communicating-with-an-irc-server/m-p/4042013#M29443 I would block the access for this server to/from internet until things had been resolved.<BR /><BR />If this server has been root'ed you might not find anything using normal tools, and you might need to use [url=<A href="http://www.sleuthkit.org/]SleuthKit[/url]" target="_blank">http://www.sleuthkit.org/]SleuthKit[/url]</A> and [url=<A href="http://liveview.sourceforge.net/]LiveView[/url]" target="_blank">http://liveview.sourceforge.net/]LiveView[/url]</A> to track down the culprits.<BR /><BR />You should also check the firewall logs for any unusual traffic to/from this host, and after you've put the system back up on the network again you should setup tcpdump to log such activity.<BR /><BR />Lars Mon, 30 Jul 2007 12:49:58 GMT https://community.hpe.com/t5/operating-system-linux/system-communicating-with-an-irc-server/m-p/4042013#M29443 larstr 2007-07-30T12:49:58Z