
Possible Duplicate:
My server's been hacked EMERGENCY

I am seeing a strange TCP connection to 149.9.1.16:ircd and it is running a perl service, and that process is creating a huge load on the server: IPV4 TCP 3u MYIP:58449 -> 149.9.1.16:ircd ESTABLISHED

Can I know whether this is malware or some other service running and eating my server resources? My OS details: CentOS 5.5.

lakshman

2 Answers

3

If this isn't something you are expecting then it is most likely malware. Your only real solution is to shut the system down. Get an image for later analysis. Nuke the system from orbit then restore from a known good backup - it's the only way to be sure.

user9517
2

That's bad - it looks like your server is a part of botnet.

If you don't know where the process runs, check some info about it ('pid' is the process id):

ls -l /proc/'pid'/fd
cat /proc/'pid'/cmdline

Find the bad script and kill it. I guess it's located in /tmp, /var/tmp or the temporary directory defined for your webserver. There's a good chance the script was uploaded via badly coded webpages; find it and repair it.

stderr
  • 2
    Realistically, the only repair is a clean install and restore from a clean backup. – user9517 Feb 27 '12 at 08:06
  • Sorry, this is not good advice. Once your system has been rooted, it's not yours anymore. In my experience, fiddling around like this is much less cost effective and secure than nuking and starting again. – Rob Moir Feb 27 '12 at 08:17
  • If there is a hole in your backup, your server still has a problem. Better is to know where the hole is and repair it. – stderr Feb 27 '12 at 08:19
  • 1
    You cannot repair it with any confidence - it's not your system any more. If your backups are no good then rebuild from your sources... – user9517 Feb 27 '12 at 08:27
  • In situations like this the "hole" is that you *don't have control of that system any more*. The only way to be certain that you've fixed that particular hole is to rebuild the system. While there's a lot of value in finding and fixing the exploit used to break into the system, you can't be sure about what **else** has been done to the system once the intruders gained control (indeed, they may well have patched the exploit themselves to safeguard "their" new botnet member from other hackers, as well as installing their rootkit). – Rob Moir Feb 27 '12 at 09:01
  • 2
    I'd tcpdump it first out of interest. – Tom O'Connor Feb 27 '12 at 11:07
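A small triage script for the process behind that connection, added here as an example and not taken from the thread: it pulls the evidence stderr's answer points at (/proc/<pid>/fd, cmdline) plus the exe and cwd links, flags a binary that was deleted after launch or a working directory under /tmp, /var/tmp or /dev/shm, and, via lsof, lists PIDs with established connections to the usual ircd ports. It assumes a Linux /proc and, for irc_pids, that lsof is installed. Record this output (and the image user9517 mentions) before the box is powered off.

```shell
#!/bin/sh
# Added triage helper, not code from the thread. Assumes Linux /proc and a
# PID taken from lsof/netstat output like the line quoted in the question.

proc_cmdline() {      # argv of a PID, NUL separators turned into spaces
    tr '\0' ' ' < "/proc/$1/cmdline"
}

proc_exe() {          # path of the running binary; a "(deleted)" suffix means it was unlinked after start
    readlink "/proc/$1/exe"
}

exe_deleted() {       # true when the binary no longer exists on disk
    case "$(proc_exe "$1")" in *"(deleted)"*) return 0 ;; esac
    return 1
}

cwd_is_scratch() {    # true when the process runs from a world-writable scratch directory
    case "$(readlink "/proc/$1/cwd")" in
        /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*) return 0 ;;
    esac
    return 1
}

irc_pids() {          # PIDs with an ESTABLISHED TCP connection to ports 6667-6669; needs lsof
    lsof -nP -iTCP:6667-6669 -sTCP:ESTABLISHED -t 2>/dev/null || true
}

triage_pid() {        # evidence to record for one PID before the box is reimaged
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
    echo "pid $pid, parent $(awk '/^PPid:/{print $2}' "/proc/$pid/status")"
    echo "exe: $(proc_exe "$pid")"
    echo "cwd: $(readlink "/proc/$pid/cwd")"
    echo "cmd: $(proc_cmdline "$pid")"
    echo "open sockets:"
    ls -l "/proc/$pid/fd" 2>/dev/null | grep socket || true
    exe_deleted "$pid" && echo "FLAG: binary deleted from disk"
    cwd_is_scratch "$pid" && echo "FLAG: running from a scratch directory"
    return 0
}

# Typical use: for p in $(irc_pids); do triage_pid "$p"; done
```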