Finding IRC Bots
Re: Finding IRC Bots
It is getting on the server before it is being stuffed into a cron. It was mentioned that it could be coming in through the file manager. Does ASL stop it there as well?
Re: Finding IRC Bots
Where is the actual user cron file located? Although I got the files, they are in cron. I can manually use the GUI, but it's slow.
Atomicorp Staff - Site Admin
Re: Finding IRC Bots
If you ran a T-WAF in front of Plesk, yeah that would scan for uploads and/or prevent the vulnerability from being exploited. However the MO for that particular exploit is that they would also use it to create accounts, and dump the existing user/password list off the box in addition to everything else. So it's likely that your attacker(s) also have all the account info off the system; using that, they could FTP or SSH into the system directly.
cron jobs live in /var/spool/cron
Re: Finding IRC Bots
Thanks, Scott. I knew I knew where the darn crons lived. LOL. One gets tired and the brains are the first to go. Actually, my wife was the first to go but I digress.
Here's how to locate the PIDs and kill them. But it doesn't help me locate the actual files:
Code:
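# PIDs of every perl process, plus any process holding a TCP connection to a remote port matching 666x (IRC)
PIDLIST=$(\ps --no-headers -C perl -o pid; \lsof -Pwlni | grep -E "TCP.*->.*:(666[0-9])" | awk '{print $2}')
# Only call kill when something matched; kill with no arguments is an error
[ -n "$PIDLIST" ] && kill -9 $PIDLIST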
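The one-liner above finds PIDs but, as the poster notes, not the files behind them. The following is an added example, not code from anyone in this thread: it maps a PID to its on-disk files through /proc and lists the user crontabs in /var/spool/cron. The function names, the PROC_ROOT and CRON_SPOOL overrides and the SUSPECT heuristic are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. PROC_ROOT and CRON_SPOOL are overridable
# (assumption) so the functions can read a mounted image or a test fixture.
PROC_ROOT=${PROC_ROOT:-/proc}
CRON_SPOOL=${CRON_SPOOL:-/var/spool/cron}

# Print where a PID's code lives: binary, working directory, command line
# and open regular files. A "(deleted)" suffix means the file was unlinked.
pid_files() {
    p="$PROC_ROOT/$1"
    [ -d "$p" ] || return 1
    echo "pid=$1"
    echo "exe=$(readlink "$p/exe")"
    echo "cwd=$(readlink "$p/cwd")"
    echo "cmdline=$(tr '\0' ' ' < "$p/cmdline" | sed 's/ $//')"
    for fd in "$p"/fd/*; do
        t=$(readlink "$fd") || continue
        case $t in
            /dev/*) ;;                      # terminals, /dev/null
            /*) echo "open=$t" ;;           # sockets and pipes do not start with /
        esac
    done
}

# List active crontab lines per user. SUSPECT marks entries that call perl or
# reference a world-writable directory (a heuristic chosen for this example).
cron_entries() {
    for f in "$CRON_SPOOL"/*; do
        [ -f "$f" ] || continue
        u=$(basename "$f")
        grep -Ev '^[[:space:]]*(#|$)' "$f" | while IFS= read -r line; do
            case $line in
                *perl*|*/tmp/*|*/dev/shm/*) echo "SUSPECT $u: $line" ;;
                *) echo "ok $u: $line" ;;
            esac
        done
    done
}

# Same PID selection as the thread's one-liner, but report instead of kill.
report() {
    for pid in $(ps --no-headers -C perl -o pid; lsof -Pwlni 2>/dev/null |
                 grep -E 'TCP.*->.*:666[0-9]' | awk '{print $2}'); do
        pid_files "$pid" || true            # the process may have exited already
    done
    cron_entries
}
if [ "${1:-}" = "--run" ]; then report; fi
```

Run it as root with `--run` before killing anything, since /proc entries disappear with the process. The cmdline value can be rewritten by the process itself, so treat cwd and the open= lines as the more reliable pointers.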