Log in to your server with SSH and follow these steps:
1) Find the rogue IRC daemon process
Type:
Code:
ps aux | grep [i]rcd
This lists the running IRC daemons, if there are any. If it returns nothing, skip to step 3.
2) Kill the rogue IRC daemon process
In the list from step 1, you may see output similar (but not identical) to this:
Code:
root 14569 0.0 0.0 5280 996 ? S Mar18 0:00 /tmp/linux/src/ircd
The number in the 2nd column is the process ID we need (you may notice that it matches the "Pid" in the e-mail OVH has sent you).
Now kill that process with this command (using that number from the 2nd column):
If you have more than one listed with the earlier command, you should repeat this for each one of them.
3) Wipe /tmp clean
Issue this command:
It should delete every single directory and file from /tmp/, which you can verify with:
Some running processes may quickly re-create files in that directory, but in your case what matters is that the /tmp/linux/* directory is gone.
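The three cleanup steps above (find, kill, wipe) as reusable shell functions. This is an added example, not code from the original post: the function names and the "command launched from under /tmp" heuristic are this example's own choices, and the ps listing it ships with is constructed from the post's sample line. It goes slightly beyond the post in two places: it reports any process that survives SIGTERM, and it removes dotfiles from the directory as well (a plain wildcard skips names that start with a dot).

```shell
#!/bin/sh
# Added example, not code from the original post: the three cleanup steps
# (find, kill, wipe) as shell functions. Function names and the "launched
# from under /tmp" heuristic are this example's own choices.

# Step 1: read "ps aux" output on stdin and print the PIDs of processes whose
# command (column 11) lives under /tmp, or matches "ircd" as in the post.
pids_from_tmp() {
    awk '$11 ~ /^\/tmp\// || $11 ~ /ircd/ { print $2 }'
}

# Helper: true if PID exists and is not a zombie (a killed child that has
# not been reaped yet still answers "kill -0" but is no longer running).
is_alive() {
    kill -0 "$1" 2>/dev/null || return 1
    state=$(sed -n 's/^State:[[:space:]]*\([A-Z]\).*/\1/p' "/proc/$1/status" 2>/dev/null)
    [ "$state" != "Z" ]
}

# Step 2: send SIGTERM to every PID given, wait a moment, then report the
# ones still running on stderr. Returns 1 if any survived.
kill_pids() {
    rc=0
    for pid in "$@"; do
        kill "$pid" 2>/dev/null || true
    done
    sleep 1
    for pid in "$@"; do
        if is_alive "$pid"; then
            echo "still running: $pid" >&2
            rc=1
        fi
    done
    return $rc
}

# Step 3: delete everything below DIR, dotfiles included (a plain "rm -rf
# /tmp/*" skips names starting with a dot), then print how many entries are
# left; 0 means the wipe succeeded.
wipe_dir() {
    find "$1" -mindepth 1 -delete
    find "$1" -mindepth 1 | wc -l | tr -d ' '
}

# Constructed sample listing modelled on the post's ps output (not real data).
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 14569 0.0 0.0 5280 996 ? S Mar18 0:00 /tmp/linux/src/ircd
www-data 2231 0.1 1.2 40000 9000 ? S Mar18 0:10 /usr/sbin/apache2
root 9001 0.0 0.0 1000 500 ? S Mar18 0:00 /tmp/.x/run'

# Run with --demo to see which sample PIDs would be selected; nothing on the
# host is killed or deleted. Against a live system: ps aux | pids_from_tmp
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_PS" | pids_from_tmp
fi
```

On a live server the three functions chain as `ps aux | pids_from_tmp`, then `kill_pids` with those PIDs, then `wipe_dir /tmp`. Review the PID list before killing: the "ircd" match is the post's heuristic and will also select a legitimately installed IRC server.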
4) Prevention
At this point the bot should be gone, but something on your system allowed the bot to be placed there. Given its location, it could be a security flaw in, say, a web application (an old version of WordPress or Joomla, to cite an example). You need to make sure everything is up to date.
It's also in your best interest to change the passwords on your system. Not just for your SSH login, but also those for, say, your MySQL database, etc.
You should also secure your /tmp directory. It's a directory used (and required) by many applications to store temporary files. However, no application should be allowed to execute a file from there (be that a script or another program). You can change this, and at the same time speed up your server a bit, by implementing "tmpfs" like so:
Make a copy of your /etc/fstab file like so:
Code:
cp /etc/fstab /etc/fstab.old
Edit the file /etc/fstab (i.e., "nano /etc/fstab"). If you have a line whose second column shows /tmp, then edit it as follows. If you do not have any such line, add it as follows:
Code:
tmpfs /tmp tmpfs noatime,nodev,noexec,nosuid,rw 0 0
Do not modify any other line!
Save the file (in nano, it's CTRL+X and answer "Y") and issue this command:
If all went well, your /tmp directory will now be of type "tmpfs". You can verify this with:
Which should show:
Code:
... (other mounts) ...
tmpfs on /tmp type tmpfs (rw,noexec,nosuid,nodev,noatime)
What happens now is that any file in /tmp is actually saved in RAM (this is where your speed increase comes from). So on each boot, it is completely clean and safe from potentially harmful files. In addition, the extra parameters (noexec,nosuid,nodev,noatime) prevent any files in that directory from being executed, treated as a device, etc. In other words, should a security problem allow a hacker to upload an executable file here (like the IRC daemon), he can't run it.
Hopefully this will help you.