--On Tuesday, August 25, 2009 04:41:33 -0500 Ruben de Groot <mai...@bzerk.org>
wrote:
On Tue, Aug 25, 2009 at 10:19:37AM +0100, Mike Bristow typed:
On Tue, Aug 25, 2009 at 01:00:53AM -0700, Colin Brace wrote:
> Ok, here is what lsof tells me:
>
> $ sudo lsof | grep perl
> perl5.8.9 4272 www 3u IPv4 0xc33cf000 0t0 TCP gw:51295->94.102.51.57:afs3-fileserver (ESTABLISHED)
>
> The last line would appear to be telling me something, but what?
The script is talking to 94.102.51.57 on port 7000.
At which port an IRC server is listening:
telnet 94.102.51.57 7000
Trying 94.102.51.57...
Connected to 94.102.51.57.
Escape character is '^]'.
:sampson.dangerz.biz NOTICE AUTH :*** Looking up your hostname...
:sampson.dangerz.biz NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
And the IRC daemon is screaming "You have been hacked!"
You need to get someone who knows about server compromises to help you. Your
server has been compromised. If you don't take action now, it will only get
worse.
--
Paul Schmehl (pa...@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
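
Added example, not part of the thread: a small triage script that reads `lsof` output and reports established outbound TCP sessions held by the web-server account, the pattern the quoted `perl5.8.9` line shows. The account names, port allow-lists, service-name table and all sample lines except the one quoted in the thread are assumptions constructed for illustration.

```python
"""Flag web-server-owned processes holding unexpected outbound TCP sessions in lsof output."""
WEB_USERS = {"www", "www-data", "apache", "nobody"}  # assumption: accounts the web server runs as
LISTEN_PORTS = {80, 443}        # assumption: ports this host serves to clients
ALLOWED_REMOTE = {53, 80, 443}  # assumption: ports the web application may call out to
# Without -P, lsof prints /etc/services names; 7000/tcp is registered as afs3-fileserver.
SERVICE_PORTS = {"http": 80, "https": 443, "domain": 53, "afs3-fileserver": 7000}

# First data line is the one quoted in the thread; the rest are constructed.
SAMPLE = """\
COMMAND    PID USER FD TYPE DEVICE     SIZE/OFF NODE NAME
perl5.8.9 4272 www  3u IPv4 0xc33cf000 0t0      TCP  gw:51295->94.102.51.57:afs3-fileserver (ESTABLISHED)
httpd      812 www  4u IPv4 0xc2f1a000 0t0      TCP  *:http (LISTEN)
httpd      815 www  9u IPv4 0xc2f1b000 0t0      TCP  gw:http->203.0.113.5:51000 (ESTABLISHED)
sshd       990 root 3u IPv4 0xc2f1c000 0t0      TCP  gw:ssh->198.51.100.7:40222 (ESTABLISHED)
"""

def port_number(token):
    """Return the numeric port for a number or known service name, else None."""
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token)

def unexpected_outbound(lsof_text):
    """Return one dict per established session a web account opened to a non-allowed port."""
    findings = []
    for line in lsof_text.splitlines():
        f = line.split()
        # Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (STATE)
        if len(f) != 10 or f[7] != "TCP" or f[9] != "(ESTABLISHED)" or "->" not in f[8]:
            continue
        local, _, remote = f[8].partition("->")
        rhost, _, rtoken = remote.rpartition(":")
        lport = port_number(local.rpartition(":")[2])
        rport = port_number(rtoken)  # None for an unknown service name, which is still reported
        if f[2] not in WEB_USERS:
            continue
        if lport in LISTEN_PORTS:    # inbound client being served, not an outbound session
            continue
        if rport in ALLOWED_REMOTE:
            continue
        findings.append({"command": f[0], "pid": int(f[1]), "user": f[2],
                         "remote_host": rhost, "remote_service": rtoken, "remote_port": rport})
    return findings

if __name__ == "__main__":
    for hit in unexpected_outbound(SAMPLE):
        print(hit)
```

On a live host, `lsof -nP -i` prints numeric addresses and ports, so the service-name table is not needed.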