System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

System Communicating with an IRC Server

 
Andrew Kaplan
Super Advisor

System Communicating with an IRC Server

Hi there --

Our network security team contacted and informed me that one of our systems, Fedora Core 5, is communicating with an IRC server outside our network. The group has threatened to cut the system in question off the network. The system supposedly has an IRCbot running on the it.

I rebooted the server to reset the connection that it had, and I was planning on turning off all unnecessary services on the server. Besides the above, are there tools that I can use to prevent this from happening in the future? Thanks.
A Journey In The Quest Of Knowledge
4 REPLIES
Stuart Browne
Honored Contributor

Re: System Communicating with an IRC Server

Start by setting the firewall to block all external traffic, and ensuring user security (passwords etc.).

It sounds like you've been root-kit'd.

So use 'rpm -Va' to verify that none of the binaries have been replaced, use 'netstat -ntlp', 'ps', and the contents of '/proc' to ensure you don't have any hidden processes.
One long-haired git at your service...
sshakthi
Advisor

Re: System Communicating with an IRC Server

block this ports using tcp warpers or iptables.

194/tcp/udp
529/tcp/udp
skt_skt
Honored Contributor

Re: System Communicating with an IRC Server

you may make use of nmap to veiry the port status.

example
nmap -v -p 194 xx.xx.xx.xx
larstr
Advisor

Re: System Communicating with an IRC Server

I would block the access for this server to/from internet until things had been resolved.

If this server has been root'ed you might not find anything using normal tools, and you might need to use [url=http://www.sleuthkit.org/]SleuthKit[/url] and [url=http://liveview.sourceforge.net/]LiveView[/url] to track down the culprits.

You should also check the firewall logs for any unusual traffic to/from this host, and after you've put the system back up on the network again you should setup tcpdump to log such activity.

Lars