Finding IRC Bots

KrazyBob
Forum Regular
Posts: 310
Joined: Mon Mar 19, 2007 3:47 pm

Re: Finding IRC Bots

It is getting on the server before it is being stuffed into a cron. It was mentioned that it could be coming in through the file manager. Does ASL stop it there as well?
KrazyBob
Forum Regular
Posts: 310
Joined: Mon Mar 19, 2007 3:47 pm

Re: Finding IRC Bots

Where is the actual user cron file located? Although I got the files, they are in cron. I can manually use the GUI but it's slow.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Finding IRC Bots

If you ran a T-WAF in front of Plesk, yeah, that would scan for uploads and/or prevent the vulnerability from being exploited. However, the MO for that particular exploit is that they would also use it to create accounts, and dump the existing user/password list off the box in addition to everything else. So it's likely that your attacker(s) also have all the account info off the system; using that, they could FTP or SSH into the system directly.

Cron jobs live in /var/spool/cron.
KrazyBob
Forum Regular
Posts: 310
Joined: Mon Mar 19, 2007 3:47 pm

Re: Finding IRC Bots

Here's how to locate the PIDs and kill them. But it doesn't help me locate the actual files:

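    # Collect the PIDs of every perl process, plus any process whose lsof line shows a TCP connection to a remote port 6660-6669.
    PIDLIST=$(\ps --no-headers -C perl -o pid; \lsof -Pwlni | grep -E "TCP.*->.*:(666[0-9])" | awk '{print $2}')
    # Kill them; skip the kill when nothing matched.
    [ -n "$PIDLIST" ] && kill -9 $PIDLIST
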
Thanks, Scott. I knew I knew where the darn crons lived. LOL. One gets tired and the brains are the first to go. Actually, my wife was the first to go but I digress.
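
Added example, not part of any poster's message: a read-only audit for the two questions raised in the thread, namely which files the jobs in /var/spool/cron point at and where a running process lives on disk. The function names and the "suspect" heuristic are this example's own, and it assumes Linux /proc and one crontab file per user in the spool directory.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux /proc and that every file
# in the spool directory is one user's crontab, named after that user.
TAB=$(printf '\t')

# cron_commands [SPOOL_DIR]: print "user<TAB>command" for every job line.
cron_commands() {
    for f in "${1:-/var/spool/cron}"/*; do
        [ -f "$f" ] || continue
        # Drop blanks, comments and VAR=value lines, then strip the schedule:
        # an @keyword such as @reboot, otherwise the five time fields.
        grep -Ev '^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=)' "$f" |
        sed -E -e 's/^[[:space:]]*@[a-z]+[[:space:]]+//' -e t \
               -e 's/^[[:space:]]*([^[:space:]]+[[:space:]]+){5}//' |
        awk -v u="$(basename "$f")" '{ print u "\t" $0 }'
    done
}

# cron_job_files [SPOOL_DIR]: print "user<TAB>path<TAB>status" for each absolute
# path a job references. "suspect" is a heuristic chosen for this example:
# a shared temp location or a hidden (dot-prefixed) path component.
cron_job_files() {
    cron_commands "$1" | while IFS="$TAB" read -r user cmd; do
        printf '%s\n' "$cmd" | tr -s ' \t;|&<>()' '\n' | grep '^/' |
        grep -vx '/dev/null' | sort -u | while IFS= read -r p; do
            case $p in
                /tmp/*|/var/tmp/*|/dev/shm/*|*/.*) s=suspect ;;
                *) s=ok ;;
            esac
            [ -e "$p" ] || s="$s,missing"
            printf '%s\t%s\t%s\n' "$user" "$p" "$s"
        done
    done
}

# pid_files PID: print the executable, working directory and command line of
# a running process. A trailing " (deleted)" on exe means the binary was
# unlinked after launch; the script path, if any, is in the cmd arguments.
pid_files() {
    printf 'exe\t%s\n' "$(readlink "/proc/$1/exe")"
    printf 'cwd\t%s\n' "$(readlink "/proc/$1/cwd")"
    printf 'cmd\t%s\n' "$(tr '\0' ' ' < "/proc/$1/cmdline")"
}
```

Run `cron_job_files` as root so every user's crontab is readable, and call `pid_files` on each PID before killing it, since /proc/PID disappears once the process exits.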