security problem
David A. Bandel
david.bandel at gmail.com
Mon Jun 30 04:09:15 PDT 2008
On Mon, Jun 30, 2008 at 3:31 AM, James McDonald
<james at jamesmcdonald.id.au> wrote:
> Gilles Germon wrote:
>>
>> See the remarks section here :
>>
>> http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=194.68.45.50&do_search=Search
>>
>> Gilles
>>
>
> So what you are saying is someone is sending controlling commands from an
> irc server on the http://www.dal.net irc farm.
That's one of 3 IPs I've seen, but yes, basically.
>
> I suppose you could use tcpdump and try and see what it's actually saying
> over the wire... unless the -DSSL is being used.
Have blocked it locally (port 6667). Would need to let it run to see
what happens. I wanted to find the program itself. May have been
removed after startup, but should still be a copy somewhere.
Definitely a perl program. I want to see if I can find out how it got
installed and started so I can prevent a reoccurrence. Originating
directory is /var/tmp/data, but that's completely empty.
Ciao,
David A. Bandel
--
Focus on the dream, not the competition.
- Nemesis Air Racing Team motto
More information about the Linux-users
mailing list
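
The situation in the message above (a program still running although its originating directory, /var/tmp/data, is empty) can be triaged from /proc on Linux. The following is an added example, not part of the original thread; the function names are hypothetical, and it assumes a Linux /proc layout and root privileges to read other users' processes.

```shell
#!/bin/sh
# Added example (not from the thread): list processes whose working
# directory or program file was deleted, or whose cwd is a suspect directory.

# find_orphaned_procs SUSPECT_DIR [PROC_ROOT]
# Prints: pid<TAB>reason<TAB>cwd<TAB>exe<TAB>cmdline
# PROC_ROOT defaults to /proc; it can point at a copied /proc tree instead.
find_orphaned_procs() {
    local suspect="${1%/}" proc_root="${2:-/proc}"
    local dir pid cwd exe cmd reason
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid="${dir##*/}"
        # cwd and exe are symlinks; the kernel appends " (deleted)" to the
        # target once it has been unlinked while the process is still alive.
        cwd="$(readlink "$dir/cwd" 2>/dev/null)" || continue
        exe="$(readlink "$dir/exe" 2>/dev/null)" || exe="?"
        reason=""
        case "$cwd" in
            "$suspect"|"$suspect"/*|"$suspect (deleted)")
                reason="cwd-in-suspect-dir" ;;
            *" (deleted)")
                reason="cwd-deleted" ;;
        esac
        case "$exe" in
            *" (deleted)") reason="${reason:+$reason,}exe-deleted" ;;
        esac
        [ -n "$reason" ] || continue
        # cmdline is NUL-separated; make it readable on one line.
        cmd="$(tr '\0' ' ' 2>/dev/null < "$dir/cmdline")" || cmd=""
        printf '%s\t%s\t%s\t%s\t%s\n' "$pid" "$reason" "$cwd" "$exe" "${cmd% }"
    done
}

# list_open_files PID [PROC_ROOT]
# Prints "fd -> target" for each open descriptor of the process.
list_open_files() {
    local pid="$1" proc_root="${2:-/proc}" fd
    for fd in "$proc_root/$pid"/fd/*; do
        [ -L "$fd" ] && printf '%s -> %s\n' "${fd##*/}" "$(readlink "$fd")"
    done
    return 0
}
```

Run `find_orphaned_procs /var/tmp/data` as root, then `list_open_files <pid>` on each hit; a deleted file that the process still holds open can be copied out of `/proc/<pid>/fd/<n>` before the process is killed.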