Archive for August, 2011
How did I find the root cause of the IRC traffic issue
Posted by mcsrainbow in Linux&Unix on August 6, 2011
This morning, the IDC told us that one of our servers had been observed making at least 4 outgoing IRC connection attempts. This is not normal behavior. Later, I found the root cause of this IRC traffic issue.
The operation notes are as below:
-------------------------------------------------------------------------------
[root@server ~]# ps aux
...
username 26650 0.0 0.0 2068 764 ? Ss Jul20 0:21 crond
...
This process belonged to username and was named crond, which was very suspicious.
[root@server ~]# last | grep username
[root@server ~]#
I checked the login history, but there was no login record for the user username.
[root@server home]# ll | grep username
drwx------ 3 username username 4096 Jul 20 05:07 username
The home directory of username had been modified on Jul 20 05:07.
[root@server username]# ll
total 0
But there were no regular files in it.
[root@server username]# ll -a
...
drwx------ 3 username username 4096 Aug 6 06:36 .ssh
...
Then I checked the hidden files: the directory .ssh had been modified at 06:36 today.
[root@server .ssh]# ll -a
...
drwxr-xr-x 3 username username 4096 Jul 20 06:00 www
There was a suspicious directory www under it, containing a lot of suspicious files.
[root@server .ssh]# cd www
[root@server www]# ll
total 840
-rwxr-xr-x 1 username username 255 May 5 2010 1
-rw-r--r-- 1 username username 120 Jul 20 05:08 1.1.1.1.user
-rwxr-xr-x 1 username username 321 May 23 2009 autorun
-rwxr-xr-x 1 username username 612470 Jan 29 2010 crond
-rw-r--r-- 1 username username 54 Jul 20 05:08 cron.d
-rwxr-xr-x 1 username username 447 Feb 24 2010 go
-rwxr-xr-x 1 username username 5119 Apr 13 2010 inst
-rwxr-xr-x 1 username username 21 Jul 20 05:08 mech.dir
-rwxr-xr-x 1 username username 169692 Jul 20 05:08 pico
drwxr-xr-x 2 username username 4096 Jan 29 2010 randfiles
-rw-r--r-- 1 username username 1043 Aug 6 06:00 raw.levels
-rw------- 1 username username 6 Jul 20 05:08 raw.pid
-rw-r--r-- 1 username username 867 Aug 6 06:00 raw.session
-rw-r--r-- 1 username username 1091 Jul 20 05:08 raw.set
-rwxr-xr-x 1 username username 52 Feb 24 2010 run
-rwxr-xr-x 1 username username 194 Jul 20 05:08 update
-rwxr-xr-x 1 username username 8 Feb 24 2010 vhosts
[root@server www]# lsof crond
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
crond 26650 username txt REG 8,5 612470 67207186 crond
The file crond in this directory was the one that was running.
[root@server www]# crontab -u username -l
* * * * * /home/username/.ssh/www/update >/dev/null 2>&1
And it used a crontab job to update itself.
[root@server www]# grep 208.83.20.130 -rl .
./raw.session
./inst
./raw.set
The IP address 208.83.20.130 appeared in several files.
There were a lot of domains and addresses in those files.
[root@server www]# cat raw.session
…
server Budapest.Hu.Eu.Undernet.org 7000
server Budapest.Hu.Eu.Undernet.org 6667
server Tampa.FL.US.Undernet.org 6667
server lidingo.se.eu.undernet.org 6667
…
server 194.109.20.90 6662
server 69.16.172.34 6660
server 69.16.172.34 6662
server 208.83.20.130 6667
server us.undernet.org 6667
…
There was no doubt about it: the user username had been compromised.
Let's kill the fake process and clean it up.
[root@server .ssh]# kill -9 26650
[root@server .ssh]# cat /dev/null > /var/spool/cron/username
[root@server .ssh]# rm -rf www
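As an added example (not from the original post), here is a small bash audit script that turns the three indicators found above into checks that can be run on any Linux host: a process whose binary does not live in a system directory (the fake crond ran from ~/.ssh/www), a user crontab that runs something from a home or hidden directory (the update job), and executable files hiding under ~/.ssh. The function names, the whitelist of system binary directories and the sample inputs are my own assumptions.

```bash
#!/bin/bash
# Added example, not part of the original post. Audit helpers for the
# indicators seen in the IRC-bot investigation. The "system" path whitelist
# below is an assumption; adjust it for your distribution.

# Flag "<name> <exe-path>" lines whose executable lives outside the usual
# system binary directories, or whose binary has been deleted from disk
# (readlink reports "(deleted)" for those, which is itself suspicious).
flag_foreign_binaries() {
    awk '$2 !~ /^\/(usr\/(local\/)?)?(s?bin|lib|lib64|libexec)\// || $NF == "(deleted)" { print $0 }'
}

# Gather "<name> <exe-path>" for live processes by resolving /proc/<pid>/exe.
# Needs root to resolve processes of other users.
list_processes() {
    local pid exe name
    for pid in /proc/[0-9]*; do
        exe=$(readlink "$pid/exe" 2>/dev/null) || continue
        name=$(cat "$pid/comm" 2>/dev/null)
        printf '%s %s\n' "$name" "$exe"
    done
}

# Flag crontab lines (stdin) whose command runs from a home directory, a
# world-writable temp directory, or any hidden "/.something/" directory.
# Comment lines are ignored. Exit status is 1 when nothing is flagged.
flag_suspicious_cron() {
    grep -v '^[[:space:]]*#' \
        | grep -E '(^|[[:space:]])(/home/|/tmp/|/var/tmp/|/dev/shm/)|/\.[^/[:space:]]+/'
}

# List executable regular files under any <base>/<user>/.ssh directory.
# Legitimate .ssh contents (keys, authorized_keys, config) are never executable.
find_exec_in_ssh() {
    local base=${1:-/home}
    find "$base" -maxdepth 4 -path '*/.ssh/*' -type f -perm -100 2>/dev/null
}

# Live audit of the whole host when invoked as: ./audit.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "== processes running from non-system paths =="
    list_processes | flag_foreign_binaries
    echo "== suspicious user crontab entries =="
    for u in $(cut -d: -f1 /etc/passwd); do
        crontab -u "$u" -l 2>/dev/null | sed "s/^/$u: /" | flag_suspicious_cron
    done
    echo "== executables under ~/.ssh =="
    find_exec_in_ssh /home
fi
```

Run with `--live` as root to audit a host; the functions can also be sourced and fed captured data, which is how the constructed sample below exercises them without touching a live system.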
How to compress files into split volumes on Linux
Posted by mcsrainbow in Linux&Unix on August 3, 2011
First, install the rar software.
# wget ftp://ftp.pbone.net/mirror/dag.wieers.com/redhat/el5/en/x86_64/dag/RPMS/rar-3.8.0-1.el5.rf.x86_64.rpm
# rpm -ivh rar-3.8.0-1.el5.rf.x86_64.rpm
Then use the rar command to compress files into split volumes.
For example, to compress a file or directory into 500 MB volumes:
# rar a -v500m filename.rar filename
# rar a -v500m dirname.rar dirname
After that, we will see many files like filename.part1.rar, filename.part2.rar, …
If we need to extract them on Linux, we need to use this command:
# rar x filename.part1.rar
If we need to extract them on Windows, just download all of them, and use the software “WinRAR”.