Blocking IRC Bots
What steps can a person take to block IRC bots? We have a hardware firewall closing all ports we do not need, but they use active ports that *are* needed by software required by cPanel.
I know how they are being loaded onto the system: by using the wget command (which is now disabled) and exploits in PHP-Nuke, which 40% of users use; 45 systems, thousands of customers, so we can't just ban everyone... well, I guess we could, but I can imagine a huge $$ loss because we're becoming selective.
I talked with IRCops about blocking our network because of the bandwidth problems, but they refuse to block it... their answer was "lock your system down". It would be so much simpler if they just blocked our network...
So what can you do to block them? If I need to pay someone for this, that isn't a problem, but it would be nice if I could find some info on it... it's becoming a problem.
Example
root@ [/dev/shm/.amech]# ls -l
total 1144
drwx------ 3 wylie31 wylie31 400 Sep 27 18:50 ./
drwxrwxrwt 3 root root 60 Sep 27 18:47 ../
-rw-r--r-- 1 wylie31 wylie31 340 Sep 27 19:00 1.users
-rw-r--r-- 1 wylie31 wylie31 340 Sep 27 19:00 2.users
-rw-r--r-- 1 wylie31 wylie31 340 Sep 27 19:00 3.users
-rw-r--r-- 1 wylie31 wylie31 40606 Sep 27 19:50 Aleks.seen
-rw-r--r-- 1 root root 0 Sep 27 18:50 DeWaRs`.seen
-rw-r--r-- 1 wylie31 wylie31 70 Feb 5 2004 emech.users
-rw-r--r-- 1 wylie31 wylie31 168 Sep 27 18:50 LinkEvents
-rw-r--r-- 1 wylie31 wylie31 1033 Sep 27 19:00 mech.levels
-rw------- 1 wylie31 wylie31 6 Sep 27 18:48 mech.pid
-rw-r--r-- 1 wylie31 wylie31 1445 Sep 27 19:00 mech.session
-rw-r--r-- 1 wylie31 wylie31 1702 Feb 5 2004 mech.set
-rw------- 1 wylie31 wylie31 1465 Aug 2 2002 mech.setu7y
-rw-r--r-- 1 wylie31 wylie31 65722 Sep 27 19:50 mtcom.seen
-rw-r--r-- 1 wylie31 wylie31 44346 Sep 27 19:50 mtnet.seen
-rw-r--r-- 1 root root 0 Sep 27 18:50 ^^PuPiNa^.seen
drwx------ 2 wylie31 wylie31 140 May 15 2001 randfiles/
-rwxr-xr-x 1 wylie31 wylie31 472230 Feb 5 2004 sh*
-rwx------ 1 wylie31 wylie31 472230 Sep 27 19:52 smbd*
root@ [/dev/shm/.amech]# cd ..
root@ [/dev/shm]# ls -l
total 88
drwxrwxrwt 3 root root 60 Sep 27 18:47 ./
drwxr-xr-x 19 root root 86016 Sep 27 18:48 ../
drwx------ 3 wylie31 wylie31 400 Sep 27 18:50 .amech/
root@ [/dev/shm]#
If I suspend that account, another account is found with the same problem... it can be loaded anywhere, but /dev/shm seems to be the popular place... even if it were possible to lock that directory down somewhat, it won't matter... they just load it from the user's root directory, which is even more obvious.
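A defender-side check for the kind of drop site shown in the listing above, added here as an example (not code from the original post): it walks /dev/shm and the tmp directories for hidden directories holding executables named like system daemons plus the bot's state files, and uses /proc to find any process still running from those paths, which catches a bot whose drop directory has already been cleaned up. /dev/shm is the location the post names; the /tmp and /var/tmp roots and the severity labels are assumptions.

```python
import os
import stat

SCAN_ROOTS = ("/dev/shm", "/tmp", "/var/tmp")  # /dev/shm is from the post; the others are an assumption
DAEMON_LOOKALIKES = {"smbd", "sh"}  # executable names seen in the listing above
BOT_STATE_FILES = {"mech.pid", "mech.set", "mech.session", "emech.users"}
BOT_STATE_SUFFIXES = (".users", ".seen")

def assess_dir(dirpath, filenames):
    """Return (severity, reason) findings for one directory; an empty list means clean."""
    findings = []
    if os.path.basename(dirpath).startswith("."):
        findings.append(("low", f"hidden directory {dirpath}"))
    for name in filenames:
        full = os.path.join(dirpath, name)
        try:
            st = os.lstat(full)
        except OSError:  # vanished or unreadable; keep scanning
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:  # any exec bit set
            sev = "high" if name in DAEMON_LOOKALIKES else "medium"
            findings.append((sev, f"executable {full} owned by uid {st.st_uid}"))
        if name in BOT_STATE_FILES or name.endswith(BOT_STATE_SUFFIXES):
            findings.append(("medium", f"bot state file {full}"))
    return findings

def scan(roots=SCAN_ROOTS):
    """Walk every root; map each directory that has findings to its list of findings."""
    report = {}
    for root in roots:
        for dirpath, _dirs, filenames in os.walk(root):
            findings = assess_dir(dirpath, filenames)
            if findings:
                report[dirpath] = findings
    return report

def processes_running_from(roots=SCAN_ROOTS):
    """Linux /proc check: (pid, exe) for every process whose binary lives under a scan root."""
    pids = [p for p in os.listdir("/proc") if p.isdigit()] if os.path.isdir("/proc") else []
    hits = []
    for pid in pids:
        try:
            exe = os.readlink(f"/proc/{pid}/exe")  # keeps a " (deleted)" suffix if the file is gone
        except OSError:  # not permitted (run this as root), or the process already exited
            continue
        if any(exe.startswith(r.rstrip("/") + "/") for r in roots):
            hits.append((int(pid), exe))
    return hits
```

Run `scan()` and `processes_running_from()` as root on the affected box; a process reported from /dev/shm whose exe link reads "(deleted)" is exactly the case where suspending the account alone leaves the bot running.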