[UPGRADE AVAIL.] Eggdrop installed through calendar exploit

Post by akadel » Mon Jul 17, 2006 4:54 pm

I read about the ext calendar exploit yesterday after my page got defaced, uninstalled it, but it wasn't actually removed from the server, should have checked on it.

Now someone came along afterwards and installed some eggdrop IRC script. I finally just shut down the server. Any tips on how to remove this thing?

==> Fakename: /usr/sbin/httpd PidNum: 643
[21:44] --- Loading eggdrop v1.6.12 (Sun Jul 16 2006)
[21:44] Listening at telnet port 1500 (all)
[21:44] Module loaded: transfer         (with lang support)
[21:44] Module loaded: channels       
[21:44] Module loaded: server         
[21:44] Module loaded: ctcp           
[21:44] Module loaded: irc             
[21:44] Module loaded: share           
[21:44] Module loaded: filesys          (with lang support)
[21:44] Module loaded: notes            (with lang support)
[21:44] Module loaded: console          (with lang support)
[21:44] Module loaded: blowfish       
[21:44] Module loaded: assoc            (with lang support)
[21:44] *** Chanserv.tcl 0.1 by SoniX
[21:44] [Ident] By D4vL Is Loaded
[21:44] D4vL -> War tCl
[21:44] *** Flood Tcl Loaded ***
[21:44] *** [SoniX]: Utility, Lag Checker Loaded.
[21:44] Auto UnBaN TcL Loaded
[21:44] Loaded AntiDCCSend.TCL by SoniX redesign by subhuman
[21:44] AntiKill v1.0 By (subhuman) Loaded.
[21:44] AnTi Slap Loaded...
[21:44] ======================================
[21:44]  Special salam buat Boss
[21:44] ======================================
[21:44] ..::(+) +-+-+-+-+-+--+ (+)::..
[21:44] ..::(+) |-|S|o|n|i|X-| (+)::..
[21:44] ..::(+) +-+-+-+-+-+--+ (+)::..
[21:44] Bandwidth usage version 0.1 by Ofloo.
[21:44] Sucsesfully loaded Ofloo uptime script version 0.2
[21:44] bseen1.4.2c:  -- Bass's SEEN loaded --
[21:44]      Loading seen database...
[21:44]      Old seen data not found!
[21:44]      If this is the first time you've run the script, don't worry.
[21:44]      If there *should* be a data file from past runs of this script... worry.
[21:44] -=-=   ENTERTAINMENT  PROSES   =-=-=-=-=-
[21:44] DNS 2t.c[4L2]8.8 LOADED!!
[21:44] Creating channel file
[21:44] === ira: 0 channels, 0 users.
Last edited by RobS on Wed Jul 19, 2006 6:39 am, edited 1 time in total.

Post by anetus » Mon Jul 17, 2006 5:17 pm

Did you check crontab to see if it's not loaded every time you shut it down? crontab -u user -l
(assuming you have a command line)

You can also check for listening ports with netstat -a, and netstat -ap will show you the application which is listening.
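
The listening-port check suggested above, as an added example that is not part of the original posts. Because the log's "Fakename" line shows the bot presenting itself as /usr/sbin/httpd, it also compares each process's claimed name with the binary /proc/PID/exe points to. Assumptions: Linux /proc, net-tools `netstat -tlnp` (a narrower form of `netstat -ap`), hypothetical function names, and a port allowlist you supply.

```shell
#!/bin/sh
# Added triage example, not from the thread. Assumes Linux /proc and net-tools.

# Constructed sample of `netstat -tlnp` output: port 1500 and PID 643 are the
# values from the log in the first post, the other rows are invented.
SAMPLE_NETSTAT='tcp   0   0 0.0.0.0:22     0.0.0.0:*   LISTEN   412/sshd
tcp   0   0 0.0.0.0:80     0.0.0.0:*   LISTEN   598/httpd
tcp   0   0 0.0.0.0:1500   0.0.0.0:*   LISTEN   643/httpd'

# Read `netstat -tlnp` output on stdin and print "port pid/program" for every
# listening TCP socket whose port is not in the space-separated allowlist $1.
unexpected_listeners() {
    awk -v allow=" $1 " '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]       # last field also handles tcp6
        if (index(allow, " " port " ") == 0) print port, $7
    }'
}

# Print "PID claimed real" for each process whose argv[0] is an absolute path
# that differs from the binary /proc/PID/exe points to. Symlinked binaries
# also show up here, so treat the output as candidates for review.
# $1 = proc root (default /proc; overridable to inspect a copied tree).
find_masquerading() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/cmdline" ] || continue
        # cmdline is NUL-separated; the first field is argv[0].
        claimed=$(tr '\0' '\n' < "$dir/cmdline" | head -n 1)
        case $claimed in /*) ;; *) continue ;; esac
        # Reading exe for other users' processes needs root; skip on failure.
        real=$(readlink "$dir/exe" 2>/dev/null) || continue
        [ "$claimed" = "$real" ] || echo "${dir##*/} $claimed $real"
    done
}

# Sample run: only the port outside the allowlist (22 and 80) is reported.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "22 80"
# Live run against this host's /proc.
find_masquerading /proc
```

On a live host, pipe the real `netstat -tlnp` output (run as root so the PID column is filled in) into `unexpected_listeners` and cross-check any reported PID against the `find_masquerading` output.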

Post by Elpie » Tue Jul 18, 2006 6:34 am

Notify your host ASAP.
You may have to delete everything then reinstate your site from a clean backup. Once you do, make sure you change all your passwords, set register_globals Off and make sure you do not have any vulnerable 3rd party extensions running on your site.
If you look through these threads here you will find lots of useful information to help you.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

Post by akadel » Tue Jul 18, 2006 6:42 am

I'm the host, server is in a colo. I am going to reinstall from scratch. I just shut down the server. Going to go with stripped down install with a bunch of the suggestions here.

Post by Elpie » Tue Jul 18, 2006 7:17 am

As it's your server, make sure you set register_globals Off. This helps to prevent a whole heap of trouble and would probably have prevented the ExtCal exploit you suffered.

If you can, also enable mod_security. You will need to do some reading up on the settings for this as it's easy to create problems, but it is well worth using.

Post by RobS » Wed Jul 19, 2006 6:24 am

An upgrade has been made available for ExtCalendar.

See http://forum.joomla.org/index.php/topic ... #msg402249
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

