Message-ID: <42A4C916.60407@Ivn.cl>
Date: Mon, 06 Jun 2005 18:07:18 -0400
From: "Ivan Barrera A."
Reply-To: Bruce@Ivn.cl
Organization: Ivn Systems/Software
To: users@httpd.apache.org
References: <42A4C157.6030108@bakedbean.net>
In-Reply-To: <42A4C157.6030108@bakedbean.net>
Subject: Re: [users@httpd] irc eggdrop exploit woes

Yep.
Most probably you were hacked through PHP. The most common way of
"hacking" this way is abusing sites running PHP-Nuke, phpBB, and many other
sites using "unsafe" programming techniques.
If you look in the mailing archives, you can find lots of answers to this
type of problem.
(consider turning register_globals off, safe_mode on, using something like
mod_security, disabling exec on tmp partitions, using chrooted vhosts,
using phpsuexec, etc)

Eben Goodman wrote:
> I recently had an irc exploit on my server running this eggdrop relay
> thing via apache. I was able to find the offending files and remove
> them and the eggdrop processes went away for awhile, but now they are
> back and try as I might I can't find any files that correspond to this
> software. When viewing top it shows the eggdrop processes running as
> apache. If I don't reboot the server for a couple days the eggdrop
> apache processes start sucking up all cpu and gobbling bandwidth.
>
> Has anyone else dealt with this?
>
> thanks,
> Eben
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
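
Three of the settings listed in the reply (register_globals, safe_mode, noexec on the tmp partition), plus the "processes running as apache" symptom from the original question, can be checked with a short script. This is an added example, not part of the original thread; the function names, the file paths passed in and the web user and binary names are assumptions, and register_globals and safe_mode exist only in the PHP 4/5 releases of that period.

```shell
#!/bin/sh
# Added example: audit checks for settings named in the reply (names are assumptions).

# Effective value of a php.ini directive: last uncommented assignment, lowercased.
ini_value() {                       # $1 = directive, $2 = php.ini path
    awk -v key="$1" '
        /^[ \t]*;/ { next }
        {
            n = index($0, "="); if (!n) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            sub(/[ \t]*;.*$/, "", v)                       # drop trailing comment
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t"]+|[ \t"]+$/, "", v)
            if (k == key) val = tolower(v)
        }
        END { print val }' "$2"
}

# True when the directive is enabled; an unset directive counts as off.
ini_is_on() {
    case "$(ini_value "$1" "$2")" in on|1|true|yes) return 0 ;; *) return 1 ;; esac
}

# True when mount point $1 has the noexec option in mounts table $2
# (/proc/mounts format: device mountpoint fstype options ...).
mount_has_noexec() {
    awk -v mp="$1" '$2 == mp { opts = $4 }
        END { n = split(opts, o, ","); rc = 1
              for (i = 1; i <= n; i++) if (o[i] == "noexec") rc = 0
              exit rc }' "$2"
}

# Reads "user pid command" lines (e.g. from: ps -eo user=,pid=,comm=) and prints
# the processes owned by web user $1 whose command name is not $2.
# comm can be set by the process itself; on Linux confirm with /proc/<pid>/exe.
foreign_procs() {
    awk -v u="$1" -v ok="$2" '$1 == u && $3 != ok { print $2, $3 }'
}

# Runs all checks: $1 = php.ini, $2 = mounts table, $3 = web user, $4 = httpd name.
audit_host() {
    ini_is_on register_globals "$1" && echo "FAIL register_globals is on"
    ini_is_on safe_mode "$1"        || echo "FAIL safe_mode is off"
    mount_has_noexec /tmp "$2"      || echo "FAIL /tmp is mounted without noexec"
    ps -eo user=,pid=,comm= | foreign_procs "$3" "$4" |
        sed 's/^/WARN non-httpd process as web user: /'
    return 0
}

if [ "$#" -eq 4 ]; then audit_host "$@"; fi
```

Run it as, for instance, `sh audit.sh /etc/php.ini /proc/mounts apache httpd`, substituting the paths and names used on the host being checked.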