yes, i was hacked. well, actually, one of the surreallys was. and not in any incredibly harmful or malicious way, just a copy of psyBNC running, neatly tucked away in an obscure directory.
hacked i tell you. who knows how they got in? they had to have the system password, and go telnetting around in my shell to make the thing work. there are only, i think, four people in the world that have the server password, and i trust them -- so that means someone got the password in some unknown way, out of an email? i don't know. all i know is it feels creepy knowing someone was sneaking around my servers.
hacked. wtf?
I can't imagine how that must feel, but like you I would never have known if someone were doing it to me. Thank goodness for efficient and cautious hosts!
talk about violation- damn hackers must pay!
it could have been much worse. with that kinda access, the person could have done an incredible amount of damage to a lot of sites. they just installed a little hacker bot thingy, which certainly got my hosts all fussy. oh my yes.
Not necessarily hacked. People do find things from time to time they did not upload. I'd check more for unsecured scripts. And if you're not running suexec, you should be - that will cut down on the risk of wankers compromising scripts that might otherwise be used for this purpose (added bonus: even if they do manage to upload something, say to /tmp, they won't be able to run it from there under suexec).
Jesus!
Glad everything's okay & you caught it in time.
well, this was in fact sitting in the /tmp directory, under one of the subdomains, and it had been uploaded and probably unzipped on the server, since both the zipped file and the running software were there.
whoa, what a suck thing for you to come home to yesterday!
Glad that the effect/damage was minimal.
How do you check for stuff like that?
my hosts emailed me about it -- they either detected the server processes, or some port activity, or they periodically run searches for stuff, i'm not sure.
i wouldn't have been able to find it on my own, well, only by accident.
Krix asks an excellent question: how do you check for that?
Oh, never mind then. Glad no serious harm was done.
Mostly, it's a matter of monitoring the processes running on the box to make sure there's nothing weird running in the background. Occasional scans for the various IRC bots (among other nastiness) also helps.
Well, here's a cheer for our servers. Good thing someone's paying attention, eh?
they must pay
OMG--how frightening! glad to hear there was no damage tho.
I read about it. I guess the major problem with it is that they would be using your bandwidth, huh? Or is there more to it than that?
well, it is used to block a server's identity so it could be used for all kinds of evil, including denial of service attacks. they might have been using it as an IRC relay? i don't know much about that sort of thing.
well, there are a couple of ways around anon ftp denials, so i wouldn't rule it out as the avenue of egress.
you are to be commended for digging around with common user privs and finding this problem. good job.
i can imagine your frustration with tech support. ugh.
annette is right. it could be much worse. psyBNC is just an irc proxy. if it was just in /tmp not much harm can be done... well, depending on the perms.
more troubling is the fact that you're running telnet. bad. bad. bad. replace it with a current and known good ssh. look into sftp as opposed to your current ftp daemon (probably wu-ftpd, in which case if they knew anything at all they could have rooted you six ways from sunday).
get nmap and learn to use it. scan for services and weed out those you don't need. /etc/services is a good starting place for what runs on what port but in stock linux it is limited. use the /etc/services that ships with nmap for a more complete list.
all in all, it sounds like someone uploaded this bouncer - a more or less harmless prog. - via ftp and used it to connect to irc. annoying but i wouldn't really call it a hack. anyone with an ftp client and your server address could do the same. hence my recommendation for ssh replacing telnet... and now, scp replacing ftp if you can manage it and not piss off your lusers too badly. if you have to offer remote transfer, still consider scp (part of the ssh suite of tools). there are various windows scp tools both graphical and cmd line that can be easily learned by just about anyone. i've seen a decent drag and drop version. user education and tighter admining is what is needed here.
as an admin, your cherry just got busted. there are worse devils that await you. trust me. good luck.
Actually, your tech support people should be very interested in figuring this out: after all, if it happens on one site, it can happen on another. Were we your tech, we'd be reviewing every file and permission under your user account for forensics, to try and determine how they got it to your site. Also, FTP logins are logged, and there are of course the domain logs for the account in the event they uploaded something really fun like a telnet script that allows them to walk around your space without you even knowing. Etc. It's always possible to find out where they came from and how they did it, if enough of the evidence trail is left for examination. Ideally, it would never happen. Once it does, though, making it never happen again is the mantra. Or should be.
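The two checks suggested in this thread (watching your own processes for anything running out of /tmp, and reading the FTP transfer log for archives uploaded into a tmp directory) as a small shell script a non-root shell user could run. This is an added example, not code from anyone in the thread; it assumes a wu-ftpd style xferlog and a ps that accepts `-o pid,etime,args`, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: two detection checks a shell-account user can run without root.
# Both functions read their input on stdin so they can take live output or the
# constructed samples below.

# flag_procs: given "ps -u $USER -o pid,etime,args" output, print the PID and
# command of any process running out of a /tmp directory or whose command
# line contains "bnc" (psyBNC is an IRC bouncer).
flag_procs() {
    awk '
        NR == 1 { next }                       # skip the ps header line
        {
            cmd = $3
            for (i = 4; i <= NF; i++) cmd = cmd " " $i
            if (cmd ~ /\/tmp\// || tolower(cmd) ~ /bnc/) print $1 " " cmd
        }'
}

# flag_uploads: given wu-ftpd xferlog lines, print the FTP user and path of
# every incoming ("i") transfer of an archive into a /tmp/ directory.
# xferlog fields: 5 date words, then xfer-time, host, size, path, type,
# action, direction, access-mode, username, ...  so $9 = path, $12 = dir, $14 = user.
flag_uploads() {
    awk '$12 == "i" && $9 ~ /\/tmp\// && $9 ~ /\.(zip|tar\.gz|tgz)$/ { print $14 " " $9 }'
}

# Constructed sample ps output (not from a real system).
sample_ps() {
    printf 'PID ELAPSED COMMAND\n'
    printf '1201 03:12:44 /home/u/public_html/sub/tmp/psybnc/psybnc\n'
    printf '980 2-01:10:22 /usr/bin/perl /home/u/cron/rotate.pl\n'
    printf '1250 00:00:02 ps -u u -o pid,etime,args\n'
}

# Constructed sample xferlog lines (not from a real server).
sample_xferlog() {
    printf 'Tue Mar 5 02:14:07 2002 4 203.0.113.7 311296 /home/u/public_html/sub/tmp/psybnc.tar.gz b _ i r webuser ftp 0 * c\n'
    printf 'Tue Mar 5 09:30:11 2002 1 198.51.100.9 4096 /home/u/public_html/index.html a _ o r webuser ftp 0 * c\n'
    printf 'Tue Mar 5 09:31:40 2002 2 198.51.100.9 20480 /home/u/public_html/images/logo.jpg b _ i r webuser ftp 0 * c\n'
}

# Live use (paths are assumptions; the log may not be readable on a shared host):
#   ps -u "$USER" -o pid,etime,args | flag_procs
#   flag_uploads < /var/log/xferlog
```

On the constructed samples only the psybnc process and the psybnc.tar.gz upload are reported.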
Geekiness=sexiness
Nicely covered, Scott!
...except that, sadly, i'm not really the admin -- i'm just a person that rents space on a virtual server. i don't have root access at all, nor do i have the ability to configure my space any differently than the rest of the space.
the servers are pretty well locked down and won't accept anonymous FTP (hell, you can't even view directories of things without index files). i telnet because that's what my hosts give me.
the problem really, as we were saying last night Dan, is that they pretty much had to have a password. or have gotten in through the backend.
i just tried to anon FTP and it shut me down cold. and *that* was to the specific FTP directory, you can't see anything else at all. so getting this into a subdirectory of a subdomain required some navigating of the server.
and the worst part is, me not really being an admin, and having to try and figure this out without annoying my host's tech support. or really being able to make changes at the server level, other than to move files around and run simple commands. that's it.
who's your server again? and are their rates decent?
just shoppin'