OT but need answer re “iroffer” cron job

  • I was alerted this morning that my disk space at webjones.org was about to be exceeded. I went to my cPanel and checked my file manager. The following file was in my public_html folder:

    .cron

    In it was a 150MB+ file called “Returner_(s_m)_DVDscr(3)(1).AVI”

    I deleted it. Most of the files in the .cron folder were CHMODed 555. I was able to view but not edit them. I can also delete them. I Googled iroffer and it appears to be an IRC bot. I have no idea what it is doing on my server. I have hosted accounts with three different hosts and this “thing” doesn’t appear anywhere but on this web site and this web host.

    I’ve deleted the *.avi file and plan to delete the rest of the .cron directory as soon as I get some answers about it.

    Hoping you can shed some light on it. Should I alert my web host? I looked in my server logs and saw nothing out of the ordinary. I viewed the file called “iroffer_chroot” and I saw this text at the bottom:

    ADDNEWAdd Every File in
    ADDDIRAdd New Pack With ADDMoves Pack x to yx yRENUMBERRemove Every File in
    REMOVEDIRRemoves Pack nREMOVEShow Info for Pack nINFOSends Out The First Queued PackQSENDSends

    There are NO cron jobs running on my server. Anyway, hoping someone that knows far more about all this than I do can shed some light, even tho not a WP problem. Thanks.

Viewing 5 replies - 1 through 5 (of 5 total)

  • yes, iroffer means your server got rooted and they are running illegal warez on your server.

    CHANGE YOUR ROOT PASSWORD ASAP.

    Thread Starter jonimueller

    (@jonimueller)

    Thanks, JD… Will do so asap! Should notify my web host of this?

    If someone rooted the server, the only safe recovery mechanism is to reformat and re-install the server from known reliable read-only media.

    You (or your host) can hunt around for days, looking for backdoors and compromised binaries; but you can’t be sure that you’ve gotten them all.

    The only way to deal with a system compromise is to reformat and re-install.

    Thread Starter jonimueller

    (@jonimueller)

    I will advise them right away, then. Perhaps I should move my site elsewhere? I feel responsible for this breach, since they (whoever “they” are) went through MY site to get in.

    No – they just used your site. There is no telling how or where they got in just yet. Hopefully your host will establish that.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘OT but need answer re “iroffer” cron job’ is closed to new replies.

Tags