*nix Thread: kswap....Big Trouble in Little College! (forum: Technical)
  1. #1 aerospacemango

    kswap....Big Trouble in Little College!

    So, for the second time in a matter of weeks, our whole network is brought to a halt by...................

    KSWAP!

    Now, having spent a lot of time over this, here is the advice that was sent to me, over how to deal with it!



    > The exploit or compromise running on this system is likely to be an irc bot. Can you please alert the person who is responsible for its security to patch/upgrade, remove the irc process and secure their system. Usual point of entry with these machines are weak ssh passwords and web applications that have not been kept up to date with security fixes.
    >
    > = Unix System owners =
    > A favourite place for hiding the bot(s) is in /tmp/ and in /var/tmp/ or /dev/shm/ or in a user's /home/ directory; sometimes it may be hidden like /tmp/". ."/ or similar.
    >
    > The bot files can usually be found by running these one line commands as the root user.
    >
    > find / -exec grep -l "undernet" {} +
    > find / -exec grep -l "sybnc" {} +
    > find / -name "*.set" | perl -pe 's/.\/\w+-(\w+)-.*/$1/' | sort | uniq
    > find / -name "inst" | perl -pe 's/.\/\w+-(\w+)-.*/$1/' | sort | uniq
    >
    > netstat -tanp
    > lsof -i tcp:<Port number>
    >
    > *netstat looking for connections to remote port 6667 or the range of ports between 6660-7000; once you find the port you can use the command lsof -i tcp:<port number> to determine which process/user it is running under, and terminate it.

    I hope that if anyone else gets this, this info will help!

    Apparently, it gets into the system by VNC, so always make sure that you close your VNC tunnel!
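    Added example, not from the thread or anyone in it: a read-only triage script that turns the quoted advice into three checks (odd directory names under the usual hiding places, files mentioning "undernet"/"psybnc", and netstat connections to remote ports 6660-7000, mapped to a PID/program). It assumes a POSIX sh with find, grep, awk and netstat; the sample netstat lines used when testing it are constructed, and "psybnc" is spelled as post #2 spells it.

```shell
#!/bin/sh
# Added example, not from the thread: read-only triage that turns the quoted advice
# into three checks. Nothing here kills a process or deletes a file; the output is
# for a person to act on (and to keep as evidence before a rebuild).

# 1. Directory names made only of dots and spaces, e.g. "/tmp/. ./", which "ls"
#    hides in plain sight. Searches 3 levels deep and prints one path per line.
hidden_dot_dirs() {
    for base in "$@"; do
        [ -d "$base" ] || continue
        find "$base" -mindepth 1 -maxdepth 3 -type d 2>/dev/null |
        while IFS= read -r p; do                 # IFS= keeps spaces in the name
            stripped=$(printf '%s' "${p##*/}" | tr -d ' .')
            if [ -z "$stripped" ]; then printf '%s\n' "$p"; fi
        done
    done
}

# 2. Files containing the strings the advice greps for ("psybnc" spelled as in
#    post #2). Scoped to the given dirs instead of "/" so it finishes quickly.
bot_string_hits() {
    grep -rl -e undernet -e psybnc "$@" 2>/dev/null || [ $? -eq 1 ]  # 1 = no match
}

# 3. Connections whose remote port is in the 6660-7000 IRC range, read from
#    "netstat -tanp" output on stdin. Prints "remote_addr pid/program".
irc_range_conns() {
    awk '$1 ~ /^tcp/ {
        n = split($5, a, ":"); port = a[n] + 0     # last field after ":" is the port
        if (port >= 6660 && port <= 7000) print $5, $7
    }'
}

# Driver for a live box (run as root so netstat shows every PID): sh triage.sh run
triage() {
    echo "== odd directory names ==";    hidden_dot_dirs /tmp /var/tmp /dev/shm /home
    echo "== files with bot strings =="; bot_string_hits /tmp /var/tmp /dev/shm /home
    echo "== IRC-range connections ==";  netstat -tanp 2>/dev/null | irc_range_conns
}
case "${1:-}" in run) triage ;; esac
```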

  2. #2

    Did the person who told you it was an exploit have more information than just "kswap" ?

    It is likely to be something (anything) else that is using lots of resources and you're crunching up the swap space and possibly running out. (which may or may not be an exploit but I've yet to see an irc bouncer (psybnc) bring a whole system to its knees))

    It would be helpful to see what's in "top" and also what specification the system is and what it's doing.

  3. #3 powdarrmonkey

    prevention: don't use VNC tunnels in an insecure way...


    edit: that goes for SSH tunnels too. And anything else.

  4. #4 aerospacemango

    > Quote Originally Posted by powdarrmonkey:
    > prevention: don't use VNC tunnels in an insecure way...
    >
    > edit: that goes for SSH tunnels too. And anything else.
    Indeed! But, the problem with VNC is that it only needs to be open for a second, and they can be in.

    For reference, it was on our Moodle server, which is running Linux. This means that the use of the folder name "." or ".." makes it very difficult to find/get rid of!

    Our systems developer went on and sorted it.

  5. #5

    I hope he sorted it with a rebuild, once a box has been rooted I wouldn't trust it within an inch of its life especially not if it's talking to your user directory.
