HOW-TO: IRC Hacked server? Kill the rogue process


Myatu
24-06-2010, 17:39
This is a small update to securing the /tmp directory.

On Debian and Ubuntu systems, some aptitude/apt-get upgrade scripts may not be executed because of the "noexec" flag in /etc/fstab:

Code:
tmpfs /tmp tmpfs noatime,noexec,nodev,nosuid,rw  0 0
To address this issue, edit /etc/apt/apt.conf.d/50tmp-mount by adding:

Code:
DPkg::Pre-Invoke{"mount -o remount,exec /tmp";};
DPkg::Post-Invoke {"mount -o remount /tmp";};
Since aptitude/apt-get or mounting needs elevated user rights, this still keeps the /tmp directory secure.

elvis1
21-03-2010, 20:51
Quote Originally Posted by Myatu
Thanks Sharing is caring!
clap clap clap well done as usual

Halide
21-03-2010, 18:14
OVH you want to impress us? Publicly thank people like Myatu by giving them a month free or summat. They deserve it for all the support they give, support you're unwilling to shell out for

sic
19-03-2010, 13:00
Quote Originally Posted by Myatu
Thanks Sharing is caring!
I just want to say I performed the re-install of my server as asked for by OVH.

I have now performed your suggestions. Very easy to follow and it all went well.

So once again please accept my sincere gratitude, and know that I will probably pester you again in the future. :lol:

Myatu
19-03-2010, 12:14
Thanks Sharing is caring!

rickyday
19-03-2010, 10:16
Quote Originally Posted by turbanator
I want Myatu's post stickied now!
I want him working for OVH Tech Support @ UK/London office

sic
19-03-2010, 07:23
Quote Originally Posted by Myatu
Login to your server with SSH and follow these steps:

1) Stop the rogue IRC daemon

Type:
Code:
ps aux | grep [i]rcd
This gives you a list of running IRC daemons, if any. If it returns blank, skip to step 3.

2) Kill the rogue IRC daemon

In the list from step 1, you may see output similar (but not exactly) to this:
Code:
root      14569  0.0  0.0   5280   996 ?        S    Mar18   0:00 /tmp/linux/src/ircd
The number in the 2nd column is what we need (You may notice that this corresponds with the "Pid" in the e-mail OVH has provided you).

Now kill that process with this command (using that number from the 2nd column):
Code:
kill -9 14569
If you have more than one listed with the earlier command, you should repeat this for each one of them.

3) Wipe /tmp clean

Issue this command:
Code:
rm -r /tmp/*
It should delete every single directory and file from /tmp/, which you can verify with:
Code:
ls -la /tmp
Some running processes may quickly re-create files in that directory, but in your case, it's important that the /tmp/linux/* directory is gone.

4) Prevention

At this point the bot should be gone, but something on your system allowed the bot to be placed there. Given its location, it could possibly be a security flaw in, say, a web application (an old version of WordPress or Joomla, to cite an example). You need to make sure everything is up to date.

It's also in your best interest to change the passwords on your system. Not just for your SSH login, but also those for, say, MySQL database, etc.

You should also secure your /tmp directory. It's a directory used (and required) by many applications to store temporary files. However, not one application should be allowed to execute a file from there (be that a script or another application). You can change this, and at the same time speed up your server a bit, by implementing "tmpfs" like so:

Make a copy of your /etc/fstab file like so:
Code:
cp /etc/fstab /etc/fstab.old
Edit the file /etc/fstab (i.e., "nano /etc/fstab"). If you have a line where the second column shows /tmp, then you need to edit it as follows. If you do not have any such line, then you need to add it as follows:
Code:
tmpfs           /tmp    tmpfs   noatime,nodev,noexec,nosuid,rw  0       0
Do not modify any other line!

Save the file (in nano, it's CTRL+X and answer "Y") and issue this command:
Code:
mount -a
If all went well, your /tmp directory will now be of type "tmpfs". You can verify this with:
Code:
mount -l
Which should show:
Code:
... (other mounts) ...
tmpfs on /tmp type tmpfs (rw,noexec,nosuid,nodev,noatime)
What happens now is any file in /tmp is actually saved in RAM (this is where your speed increase comes from). So on each boot, it is completely clean and safe from potentially harmful files. In addition, there are a few additional parameters (noexec,nosuid,nodev,noatime) which prevent any files in that directory from being executed, turned into a device, etc., etc. In other words, should a security problem allow a hacker to upload an executable file here (like the IRC daemon), he can't run it.

Hopefully this will help you.
OMG! You sir are a gentleman and a scholar. I will implement this and let you know how it goes. Many thanks for your time and patience.

turbanator
19-03-2010, 07:07
I want Myatu's post stickied now!

Myatu
19-03-2010, 01:22
Login to your server with SSH and follow these steps:

1) Find the rogue IRC daemon process

Type:
Code:
ps aux | grep [i]rcd
This gives you a list of running IRC daemons, if any. If it returns blank, skip to step 3.

2) Kill the rogue IRC daemon process

In the list from step 1, you may see output similar (but not exactly) to this:
Code:
root      14569  0.0  0.0   5280   996 ?        S    Mar18   0:00 /tmp/linux/src/ircd
The number in the 2nd column is what we need (You may notice that this corresponds with the "Pid" in the e-mail OVH has provided you).

Now kill that process with this command (using that number from the 2nd column):
Code:
kill -9 14569
If you have more than one listed with the earlier command, you should repeat this for each one of them.

3) Wipe /tmp clean

Issue this command:
Code:
rm -r /tmp/*
It should delete every single directory and file from /tmp/, which you can verify with:
Code:
ls -la /tmp
Some running processes may quickly re-create files in that directory, but in your case, it's important that the /tmp/linux/* directory is gone.

4) Prevention

At this point the bot should be gone, but something on your system allowed the bot to be placed there. Given its location, it could possibly be a security flaw in, say, a web application (an old version of WordPress or Joomla, to cite an example). You need to make sure everything is up to date.

It's also in your best interest to change the passwords on your system. Not just for your SSH login, but also those for, say, MySQL database, etc.

You should also secure your /tmp directory. It's a directory used (and required) by many applications to store temporary files. However, not one application should be allowed to execute a file from there (be that a script or another application). You can change this, and at the same time speed up your server a bit, by implementing "tmpfs" like so:

Make a copy of your /etc/fstab file like so:
Code:
cp /etc/fstab /etc/fstab.old
Edit the file /etc/fstab (i.e., "nano /etc/fstab"). If you have a line where the second column shows /tmp, then you need to edit it as follows. If you do not have any such line, then you need to add it as follows:
Code:
tmpfs           /tmp    tmpfs   noatime,nodev,noexec,nosuid,rw  0       0
Do not modify any other line!

Save the file (in nano, it's CTRL+X and answer "Y") and issue this command:
Code:
mount -a
If all went well, your /tmp directory will now be of type "tmpfs". You can verify this with:
Code:
mount -l
Which should show:
Code:
... (other mounts) ...
tmpfs on /tmp type tmpfs (rw,noexec,nosuid,nodev,noatime)
What happens now is any file in /tmp is actually saved in RAM (this is where your speed increase comes from). So on each boot, it is completely clean and safe from potentially harmful files. In addition, there are a few additional parameters (noexec,nosuid,nodev,noatime) which prevent any files in that directory from being executed, turned into a device, etc., etc. In other words, should a security problem allow a hacker to upload an executable file here (like the IRC daemon), he can't run it.

Hopefully this will help you.
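The checks behind steps 1, 2 and 4 above, scripted as an added example (this is not code from Myatu's post or from OVH's tooling). It assumes the `ps aux` column layout and the `mount -l` line format exactly as quoted in the thread; the sample process list and mount listing are constructed, and the PID 14569 is only the one from the thread's e-mail. It matches on the executable path rather than the name "ircd", so a bot renamed to something else but still living under /tmp or /var/tmp is listed too, and it only builds the `kill -9` lines for review rather than running them. The same mount check verifies the fstab update (and the apt remount hook from the later post, once the upgrade has finished) actually left /tmp with noexec,nosuid,nodev.

```shell
#!/bin/sh
# Added example, not code from the original thread. Scripts the checks behind
# Myatu's steps 1-2 (find processes whose executable lives under /tmp) and the
# verification in step 4 (is /tmp mounted with noexec,nosuid,nodev?).
# Both helpers take their input as text, so they work on saved output from a
# compromised host as well as on a live system.

# Constructed `ps aux` sample, modelled on the line quoted in the thread.
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  10000  2000 ?        Ss   Mar18   0:01 /sbin/init
root     14569  0.0  0.0   5280   996 ?        S    Mar18   0:00 /tmp/linux/src/ircd
www-data  2201  0.0  0.0   5000   800 ?        S    Mar18   0:00 /usr/sbin/apache2
nobody   14570  0.0  0.0   5280   996 ?        S    Mar18   0:00 /var/tmp/.x/ircd'

# Constructed `mount -l` sample; the /tmp line is the one the thread says to expect.
SAMPLE_MOUNTS='/dev/sda1 on / type ext3 (rw,errors=remount-ro)
proc on /proc type proc (rw)
tmpfs on /tmp type tmpfs (rw,noexec,nosuid,nodev,noatime)'

# pids_running_from_tmp PS_TEXT
# Prints, one per line, the PID (2nd column) of every process whose command
# (11th column) is a path under /tmp or /var/tmp. Matching the executable path
# instead of the name catches a bot that was renamed away from "ircd".
pids_running_from_tmp() {
    printf '%s\n' "$1" |
        awk 'NR > 1 && $11 ~ /^\/(var\/)?tmp\// { print $2 }'
}

# kill_commands_for PS_TEXT
# Builds the "kill -9 PID" lines from step 2 for review; nothing is killed here.
# Pipe the result to sh only after checking each PID against the RTM e-mail.
kill_commands_for() {
    pids_running_from_tmp "$1" | awk '{ print "kill -9 " $1 }'
}

# tmp_mount_has_options MOUNT_TEXT OPT1,OPT2,...
# Returns 0 when the listing shows /tmp mounted with every option named,
# 1 when /tmp is not listed or any option is missing.
tmp_mount_has_options() {
    opts=$(printf '%s\n' "$1" | awk '$3 == "/tmp" { gsub(/[()]/, "", $6); print $6 }')
    [ -n "$opts" ] || return 1
    for o in $(printf '%s' "$2" | tr ',' ' '); do
        case ",$opts," in
            *",$o,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Default run uses the constructed samples; "--live" reads the real system.
if [ "${1:-}" = "--live" ]; then
    ps_text=$(ps aux); mount_text=$(mount -l)
else
    ps_text=$SAMPLE_PS; mount_text=$SAMPLE_MOUNTS
fi

echo "Processes running from /tmp or /var/tmp (step 1):"
pids_running_from_tmp "$ps_text"
echo "Suggested kill commands (step 2, review before running):"
kill_commands_for "$ps_text"
if tmp_mount_has_options "$mount_text" noexec,nosuid,nodev; then
    echo "/tmp is mounted with noexec,nosuid,nodev (step 4 in place)"
else
    echo "WARNING: /tmp is not mounted with noexec,nosuid,nodev"
fi
```

Run it with no arguments to see the report on the sample data, or with `--live` on the server itself; the `--live` run needs root only if you then feed the kill lines to sh.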

sic
18-03-2010, 22:30
No sir, never used it.

rickyday
18-03-2010, 22:22
I take it you have never used IRC on the server?

http://en.wikipedia.org/wiki/Ircd

sic
18-03-2010, 21:58
OK guys, looks like my day just went from bad to worse.

I just got an email from OVH saying my server has been hacked.

It said to do a reinstall, which I have done; however, RTM still says I have a backdoor?

What do I do now? Any help would be greatly appreciated.

Here is the email in question.

"Here are the details that we are able to provide:


Detection date: 2010-03-18 21:00:28
Procname: ircd
Uid: root
Pid: 14569
CommandLine: /tmp/linux/src/ircd
Exe: /tmp/linux/src/ircd
Ports: 1231,8585,8782,9595
Danger level: 9/10


The presence of a backdoor on your server suggests that a hacker got access to it and is able to launch scans, attacks on our network."