Re: Finding IRC Bots
Posted: Wed Oct 09, 2013 6:53 pm
by KrazyBob
It is getting on the server before it is being stuffed into a cron. It was mentioned that it could be coming in through the file manager. Does ASL stop it there as well?
Re: Finding IRC Bots
Posted: Thu Oct 10, 2013 2:25 am
by KrazyBob
Where is the actual user cron file located? Although I got the files, they are in cron. I can manually use the GUI but it's slow.
Re: Finding IRC Bots
Posted: Thu Oct 10, 2013 9:31 am
by scott
If you ran a T-WAF in front of Plesk, yeah, that would scan for uploads and/or prevent the vulnerability from being exploited. However, the MO for that particular exploit is that they would also use it to create accounts, and dump the existing user/password list off the box in addition to everything else. So it's likely that your attacker(s) also have all the account info off the system; using that, they could ftp or ssh into the system directly.
Cron jobs live in /var/spool/cron
Re: Finding IRC Bots
Posted: Thu Oct 10, 2013 11:49 am
by KrazyBob
Here's how to locate the PIDs and kill them. But it doesn't help me locate the actual files:
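Code:
# PIDs of every perl process, plus any process with a TCP connection to a remote port 6660-6669
PIDLIST=$(\ps --no-headers -C perl -o pid; \lsof -Pwlni | grep -E "TCP.*->.*:(666[0-9])" | awk '{print $2}')
[ -n "$PIDLIST" ] && kill -9 $PIDLIST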
Thanks, Scott. I knew I knew where the darn crons lived. LOL. One gets tired and the brains are the first to go. Actually, my wife was the first to go but I digress.
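The step the post above leaves open, getting from a suspect PID to the files on disk and to the cron entry in /var/spool/cron that relaunches them, shown as an added example that is not part of the original posts. It assumes a Linux /proc; the function names and the PROC_ROOT and CRON_SPOOL variables are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): map suspect PIDs to on-disk files,
# then list the crontab lines that reference them. PROC_ROOT and CRON_SPOOL
# are hypothetical overrides so the functions can run against a fixture tree.
PROC_ROOT=${PROC_ROOT:-/proc}
CRON_SPOOL=${CRON_SPOOL:-/var/spool/cron}

# Print "pid|cwd|exe|cmdline" for one PID. Collect this BEFORE kill -9:
# the /proc entry disappears together with the process.
proc_origin() {
    p="$PROC_ROOT/$1"
    [ -d "$p" ] || return 1
    cwd=$(readlink "$p/cwd" 2>/dev/null) || cwd=
    exe=$(readlink "$p/exe" 2>/dev/null) || exe=
    # cmdline is NUL-separated and argv[0] can be rewritten by the script,
    # which is why cwd and exe are reported next to it.
    cmd=$(tr '\0' ' ' 2>/dev/null < "$p/cmdline" | sed 's/ *$//')
    printf '%s|%s|%s|%s\n' "$1" "$cwd" "$exe" "$cmd"
}

# Print "user:lineno:entry" for every non-comment crontab line in the
# spool that mentions the given path fragment (fixed-string match).
cron_refs() {
    for f in "$CRON_SPOOL"/*; do
        [ -f "$f" ] || continue
        grep -nF -- "$1" "$f" | grep -v '^[0-9]*:[[:space:]]*#' |
            sed "s|^|$(basename "$f"):|"
    done
}

# For each PID given: report its origin, then the cron lines that point
# at its working directory. PIDs that no longer exist are skipped.
trace_pids() {
    for pid in "$@"; do
        line=$(proc_origin "$pid") || continue
        echo "$line"
        dir=$(echo "$line" | cut -d'|' -f2)
        [ -n "$dir" ] && [ "$dir" != "/" ] && cron_refs "$dir"
    done
    return 0
}
```

Run as root with the PID list from the snippet above, for example `trace_pids $PIDLIST`, before issuing the kill. An exe path ending in "(deleted)" means the binary was unlinked after launch.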