Hope you could help me.
My account was recently suspended by my host because they saw irc bots in my site. So here's how my conversation (via support tickets) with my host went.
Quote
We've suspended your account, mysite.com for inappropriate use of an IRC script/bot which was found here:
/home/mysite/public_html/themes/djbot/
> set my-hostname ""
> set my-ip "72.36.132.202"
> set nick "poltabes`barelang"
> set username "pppirc"
> set nickpass "bot"
> set owner "cellmast"
> set basechan "#hackerriau"
> set altnick "${nick}\[A\]"
> set altpass "altpassbot"
> set cfgfile "language/${nick}"
> listen 4000 all
> set userfile "${cfgfile}.usr"
> set chanfile "${cfgfile}.chn"
> set admin "joysolutions@gmail.com"
> set kick-bogus-invites 1
> set default-flags "hp"
> set network "mesra.dal.net"
> set timezone "EST"
> set max-logs 5
> set max-logsize 0
> set quick-logs 0
> set log-time 1
> set keep-all-logs 0
> set switch-logfiles-at 300
> set console "mkcobxs"
> set sort-users 0
> set notify-newusers "$owner"
> set help-path "language/"
> set temp-path "language/"
> set motd "motd"
> set whois-fields "Joy Solutions"
> set realname "Joy Solutions"
> set protect-telnet 0
> set dcc-sanitycheck 0
> set ident-timeout 30
> set mod-path "modules/"
> loadmodule transfer
> set require-p 0
> set open-telnets 0
> set stealth-telnets 1
> set connect-timeout 15
> set dcc-flood-thr 3
> set telnet-flood 5:60
> set resolve-timeout 15
> set ignore-time 15
> set debug-output 0
> set hourly-updates 00
> set remote-boots 2
> set share-unlinks 1
> set die-on-sighup 0
> set die-on-sigterm 0
> unbind dcc n tcl *dcc:tcl
> unbind dcc n set *dcc:set
Our TOS explicitly prohibits the use thereof. We would like to get your side first though.
And I said that the most plausible explanation is that I've been hacked. I then asked my host what I was supposed to do now.
My host's reply is this:
Quote
We've tried hard to look for affected files and bot scripts that are still plaguing this server. We've had some success, but we still cannot be sure as to the extent of the damage caused to the entire server.
My worry here is that the compromised account may have been infected with some backdoor that once we un-suspend it again, it could open us to more problems.
To be really sure, we might need to terminate the account and set you up a fresh new account. This way, we are sure that passwords and hidden scripts are reset or deleted completely.
We're also afraid that the backups have been infected as well. Would you have any local copy of this site that you can re-upload?
So I want to reply with this:
Quote
I'm afraid I don't have a backup of the entire site.
Here's a backgrounder of my site, and my suggestion on how to address our problem for your consideration.
Recently, when your company and this end observed that mysite.com was using too much bandwidth, I looked at the logs as you advised and saw that my site might have been compromised using the xmlrpc vulnerability -- there were logs mentioning "xmlrpc". I have since removed xmlrpc per advice of the postnuke site (the CMS I'm using). So these bots may be remnants of those successful hacks into my site.
Now, as you might have suggested, there may be backdoor entries into the site that we cannot see. I've been scouring the postnuke boards and so far, my research has yielded the following courses of action:
1. I will manually look into the files and delete any suspicious files -- like the djbot file you found.
2. I will also delete files that I have not used for some time now -- e.g. initial installations of wordpress files.
3. Postnuke has suggested patching my installation files (or upgrading for that matter -- that way infected files are overwritten or rendered useless) in order to fix security issues/vulnerabilities.
4. Looking into the configuration files to find out what entries might have been altered, and acting upon them.
5. Removing vulnerable modules -- modules produced by third parties and not by the core developers of postnuke.
6. Looking into vulnerable modules such as PNphpBB, and patching or upgrading them to fix security issues.
7. And other options that I will still discover.
The thing is, the problems started cropping up because I haven't been regularly logging into the site for the past few months, so I haven't been able to observe the logs, and act immediately upon seeing anything out of the ordinary.
My suggestion now, is that, after applying the aforementioned remedies, your company and this end observe the logs to see if there are still suspicious activities. Related to this, I'm assuming that you have a mechanism for observing such activities, aside from my logs?
Am hoping that we could work this out since I really don't have a backup of the entire site.
My questions are:
Do you think my proposed suggestions would work -- or are they accurate? Will they convince my host? Is his course of action the only option (related to this, is there really no absolute way to discover/remove malicious scripts)?
What other advice can you give with the given situation -- e.g., what remedies have I missed for this particular problem? Any idea how that djbot got there?
Really hope that you can guide me since I want to save my files. Thanks in advance! :)
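Steps 1, 3 and 4 of the plan above (hunt for planted files, let a fresh install overwrite anything altered, and check the configuration files for edits) can be made systematic rather than done by eye. The script below is an added example, not code from the original post or from PostNuke: it scans a web root for files that carry several markers of an eggdrop-style bot configuration (the `set basechan`, `listen`, `loadmodule` and `unbind dcc` lines the host quoted), and hashes the whole tree against a known-clean copy of the CMS so that added and modified files stand out. The directory layout, file names and the planted sample files are constructed for the demonstration; in practice `clean` would be a freshly downloaded copy of the same CMS version.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Indicator patterns modelled on the eggdrop-style config quoted by the host.
# A file must match at least two distinct markers to be reported, which keeps
# ordinary PHP or text files that happen to contain one word out of the list.
BOT_CONFIG_MARKERS = {
    "set-irc-identity": re.compile(rb'^\s*set\s+(basechan|altnick|nickpass|network)\s+"', re.M),
    "loadmodule": re.compile(rb'^\s*loadmodule\s+\w+', re.M),
    "listen": re.compile(rb'^\s*listen\s+\d+\s+(all|bots|users)\b', re.M),
    "unbind-dcc": re.compile(rb'^\s*unbind\s+dcc\s+', re.M),
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def scan_for_bot_configs(root: Path, min_markers: int = 2, max_bytes: int = 1 << 20) -> list:
    """Return relative paths of files matching at least min_markers distinct markers."""
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.stat().st_size > max_bytes:
            continue
        data = p.read_bytes()
        matched = [name for name, rx in BOT_CONFIG_MARKERS.items() if rx.search(data)]
        if len(matched) >= min_markers:
            hits.append(p.relative_to(root).as_posix())
    return hits


def diff_against_baseline(site_root: Path, clean_root: Path) -> dict:
    """Compare the live site tree with a pristine CMS tree of the same version."""
    site, clean = hash_tree(site_root), hash_tree(clean_root)
    return {
        "added": sorted(set(site) - set(clean)),
        "removed": sorted(set(clean) - set(site)),
        "modified": sorted(k for k in site.keys() & clean.keys() if site[k] != clean[k]),
    }


def build_demo_trees() -> tuple:
    """Constructed sample: a clean CMS tree and a copy with two planted changes."""
    base = Path(tempfile.mkdtemp(prefix="triage-demo-"))
    clean, site = base / "clean", base / "site"
    for root in (clean, site):
        (root / "config").mkdir(parents=True)
        (root / "themes" / "default").mkdir(parents=True)
        (root / "index.php").write_text("<?php include 'config/config.php'; ?>\n")
        (root / "config" / "config.php").write_text("<?php $dbhost = 'localhost'; ?>\n")
        (root / "themes" / "default" / "theme.php").write_text("<?php // theme ?>\n")
    # Planted change 1: a bot config under themes/, mirroring the path in the post
    # (values are constructed placeholders, not the ones the host quoted).
    (site / "themes" / "djbot").mkdir()
    (site / "themes" / "djbot" / "eggdrop.conf").write_text(
        'set nick "EXAMPLE-BOT"\nset basechan "#example"\nlisten 4000 all\nloadmodule transfer\n'
    )
    # Planted change 2: an altered config file, the kind of edit step 4 looks for.
    (site / "config" / "config.php").write_text(
        "<?php $dbhost = 'localhost'; include('/tmp/.x'); ?>\n"
    )
    return site, clean


if __name__ == "__main__":
    site, clean = build_demo_trees()
    print("bot configs:", scan_for_bot_configs(site))
    print("diff:", diff_against_baseline(site, clean))
```

Run against the real web root and a clean CMS download, the `added` list is where dropped files such as the `djbot` directory will appear, `modified` points at the configuration and core files worth reading line by line, and the marker scan catches bot configs even when they sit under an innocent-looking theme or language directory. Files that are legitimately site-specific (uploads, a customised config) will also show up as added or modified, so the output is a triage list, not a verdict.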