LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   My server hacked, delete asterisk, start even if killed (https://www.linuxquestions.org/questions/linux-security-4/my-server-hacked-delete-asterisk-start-even-if-killed-4175571552/)

hamzagad 02-05-2016 03:55 PM

My server hacked, delete asterisk, start even if killed
 
Dear all:

I am not that expert in Linux. My CentOS 5.10 "elastix 2.5" server was hacked.
The hacker uses my server to attack other servers, so I want to stop him.

Here is the "netstat -np" result:

Code:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address              Foreign Address            State      PID/Program name 
tcp        0      0 192.168.1.201:22            192.168.1.77:64984          ESTABLISHED 2704/sshd         
tcp        0      1 192.168.1.201:58401        103.240.141.67:3307        SYN_SENT    1605/ls           
tcp        0      0 192.168.1.201:22            192.168.1.77:50366          ESTABLISHED 30703/sshd         
tcp        0    52 192.168.1.201:22            192.168.1.77:64985          ESTABLISHED 2854/sshd         
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags      Type      State        I-Node PID/Program name    Path
unix  2      [ ]        DGRAM                    9557  2879/idled          /var/lib/imap/socket/idle
unix  2      [ ]        DGRAM                    8046  2430/hald          @/org/freedesktop/hal/udev_event
unix  29    [ ]        DGRAM                    8337  2230/syslogd        /dev/log
unix  2      [ ]        DGRAM                    1242  131/udevd          @/org/kernel/udev/udevd
unix  2      [ ]        DGRAM                    126513 7589/local         
unix  2      [ ]        DGRAM                    126503 7588/trivial-rewrit
unix  3      [ ]        STREAM    CONNECTED    126509 7588/trivial-rewrit private/rewrite
unix  3      [ ]        STREAM    CONNECTED    126500 7587/cleanup       
unix  2      [ ]        DGRAM                    126493 7587/cleanup       
unix  2      [ ]        DGRAM                    126484 7586/pickup       
unix  3      [ ]        STREAM    CONNECTED    99282  30703/sshd         
unix  3      [ ]        STREAM    CONNECTED    99281  30730/sftp-server 
unix  3      [ ]        STREAM    CONNECTED    99280  30703/sshd         
unix  3      [ ]        STREAM    CONNECTED    99279  30730/sftp-server 
unix  2      [ ]        DGRAM                    10773  3257/saslauthd     
unix  2      [ ]        DGRAM                    10703  3219/hfaxd         
unix  2      [ ]        DGRAM                    11783  3208/faxq         
unix  3      [ ]        STREAM    CONNECTED    10497  3085/php           
unix  3      [ ]        STREAM    CONNECTED    10496  3084/php           
unix  2      [ ]        DGRAM                    9776  2965/pop3d         
unix  2      [ ]        DGRAM                    10468  2964/imapd         
unix  2      [ ]        DGRAM                    10467  2962/imapd         
unix  2      [ ]        DGRAM                    9773  2963/imapd         
unix  2      [ ]        DGRAM                    9761  2965/pop3d         
unix  2      [ ]        DGRAM                    10458  2964/imapd         
unix  2      [ ]        DGRAM                    9737  2962/imapd         
unix  2      [ ]        DGRAM                    10426  2963/imapd         
unix  2      [ ]        DGRAM                    10403  2948/imapd         
unix  2      [ ]        DGRAM                    10375  2984/crond         
unix  2      [ ]        DGRAM                    10355  2948/imapd         
unix  2      [ ]        DGRAM                    10352  2949/pop3d         
unix  2      [ ]        DGRAM                    10350  2923/lmtpd         
unix  2      [ ]        DGRAM                    9693  2854/sshd         
unix  2      [ ]        DGRAM                    10320  2922/pop3d         
unix  2      [ ]        DGRAM                    9683  2919/imapd         
unix  2      [ ]        DGRAM                    9681  2920/pop3d         
unix  2      [ ]        DGRAM                    10318  2918/imapd         
unix  2      [ ]        DGRAM                    9675  2944/qmgr         
unix  2      [ ]        DGRAM                    9672  2949/pop3d         
unix  3      [ ]        STREAM    CONNECTED    10294  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10293  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10291  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10290  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10288  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10287  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10285  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10284  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10282  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10281  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10279  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10278  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10276  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10275  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10273  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10272  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10270  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10269  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10267  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10266  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10264  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10263  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10261  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10260  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10258  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10257  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10255  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10254  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10252  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10251  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10249  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10248  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10246  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10245  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10243  2932/master       
unix  3      [ ]        STREAM    CONNECTED    10242  2932/master       
unix  3      [ ]        STREAM    CONNECTED    9216  2932/master       
unix  3      [ ]        STREAM    CONNECTED    9215  2932/master       
unix  3      [ ]        STREAM    CONNECTED    9213  2932/master       
unix  3      [ ]        STREAM    CONNECTED    9212  2932/master       
unix  3      [ ]        STREAM    CONNECTED    9210  2932/master       
unix  3      [ ]        STREAM    CONNECTED    9209  2932/master       
unix  3      [ ]        STREAM    CONNECTED    9207  2932/master       
unix  3      [ ]        STREAM    CONNECTED    9206  2932/master       
unix  3      [ ]        STREAM    CONNECTED    9204  2932/master       
unix  3      [ ]        STREAM    CONNECTED    9203  2932/master       
unix  3      [ ]        STREAM    CONNECTED    9201  2932/master       
unix  3      [ ]        STREAM    CONNECTED    9200  2932/master       
unix  3      [ ]        STREAM    CONNECTED    9652  2932/master       
unix  3      [ ]        STREAM    CONNECTED    9651  2932/master       
unix  3      [ ]        STREAM    CONNECTED    9650  2932/master       
unix  3      [ ]        STREAM    CONNECTED    9649  2932/master       
unix  3      [ ]        STREAM    CONNECTED    9647  2932/master       
unix  3      [ ]        STREAM    CONNECTED    9646  2932/master       
unix  3      [ ]        STREAM    CONNECTED    9645  2932/master       
unix  3      [ ]        STREAM    CONNECTED    9644  2932/master       
unix  2      [ ]        DGRAM                    9636  2932/master       
unix  2      [ ]        DGRAM                    9194  2923/lmtpd         
unix  2      [ ]        DGRAM                    9631  2922/pop3d         
unix  2      [ ]        DGRAM                    9193  2920/pop3d         
unix  2      [ ]        DGRAM                    9628  2919/imapd         
unix  2      [ ]        DGRAM                    9190  2918/imapd         
unix  3      [ ]        STREAM    CONNECTED    9050  2704/sshd         
unix  3      [ ]        STREAM    CONNECTED    9049  2830/sftp-server   
unix  3      [ ]        STREAM    CONNECTED    9048  2704/sshd         
unix  3      [ ]        STREAM    CONNECTED    9047  2830/sftp-server   
unix  2      [ ]        DGRAM                    9026  2824/cyrus-master 
unix  2      [ ]        DGRAM                    9282  2526/ntpd         
unix  2      [ ]        DGRAM                    8814  2510/xinetd       
unix  3      [ ]        STREAM    CONNECTED    8772  2369/dbus-daemon    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    CONNECTED    8104  2430/hald         
unix  3      [ ]        STREAM    CONNECTED    8090  2430/hald          @/var/run/hald/dbus-kK4wQ5iGTz
unix  3      [ ]        STREAM    CONNECTED    8758  2452/hald-addon-key
unix  3      [ ]        STREAM    CONNECTED    8079  2430/hald          @/var/run/hald/dbus-kK4wQ5iGTz
unix  3      [ ]        STREAM    CONNECTED    8744  2446/hald-addon-key
unix  3      [ ]        STREAM    CONNECTED    8072  2430/hald          @/var/run/hald/dbus-kK4wQ5iGTz
unix  3      [ ]        STREAM    CONNECTED    8736  2443/hald-addon-key
unix  3      [ ]        STREAM    CONNECTED    8065  2430/hald          @/var/run/hald/dbus-kK4wQ5iGTz
unix  3      [ ]        STREAM    CONNECTED    8728  2440/hald-addon-key
unix  3      [ ]        STREAM    CONNECTED    8041  2430/hald          @/var/run/hald/dbus-KXXMP6ZpiG
unix  3      [ ]        STREAM    CONNECTED    8716  2431/hald-runner   
unix  3      [ ]        STREAM    CONNECTED    7994  2369/dbus-daemon   
unix  3      [ ]        STREAM    CONNECTED    7993  2369/dbus-daemon   
unix  3      [ ]        STREAM    CONNECTED    7949  2339/rpc.idmapd   
unix  3      [ ]        STREAM    CONNECTED    7948  2339/rpc.idmapd   
unix  2      [ ]        DGRAM                    7896  2303/rpc.statd     
unix  2      [ ]        DGRAM                    7832  2233/klogd         
unix  3      [ ]        STREAM    CONNECTED    7793  2198/auditd       
unix  3      [ ]        STREAM    CONNECTED    7792  2200/audispd

Here is the "netstat -antop" result:

Code:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address              Foreign Address            State      PID/Program name    Timer
tcp        0      0 0.0.0.0:993                0.0.0.0:*                  LISTEN      2824/cyrus-master  off (0.00/0/0)
tcp        0      0 0.0.0.0:995                0.0.0.0:*                  LISTEN      2824/cyrus-master  off (0.00/0/0)
tcp        0      0 127.0.0.1:20004            0.0.0.0:*                  LISTEN      3155/php            off (0.00/0/0)
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                  LISTEN      2651/mysqld        off (0.00/0/0)
tcp        0      0 0.0.0.0:110                0.0.0.0:*                  LISTEN      2824/cyrus-master  off (0.00/0/0)
tcp        0      0 0.0.0.0:4559                0.0.0.0:*                  LISTEN      3219/hfaxd          off (0.00/0/0)
tcp        0      0 0.0.0.0:143                0.0.0.0:*                  LISTEN      2824/cyrus-master  off (0.00/0/0)
tcp        0      0 0.0.0.0:111                0.0.0.0:*                  LISTEN      2264/portmap        off (0.00/0/0)
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                  LISTEN      2950/httpd          off (0.00/0/0)
tcp        0      0 0.0.0.0:789                0.0.0.0:*                  LISTEN      2303/rpc.statd      off (0.00/0/0)
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                  LISTEN      2492/sshd          off (0.00/0/0)
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                  LISTEN      2932/master        off (0.00/0/0)
tcp        0      0 0.0.0.0:443                0.0.0.0:*                  LISTEN      2950/httpd          off (0.00/0/0)
tcp        0      0 0.0.0.0:4445                0.0.0.0:*                  LISTEN      3414/perl          off (0.00/0/0)
tcp        0      0 0.0.0.0:4190                0.0.0.0:*                  LISTEN      2824/cyrus-master  off (0.00/0/0)
tcp        0      1 192.168.1.201:46453        103.240.140.152:3307        SYN_SENT    1605/ls            on (1.03/1/0)
tcp        0      0 192.168.1.201:22            192.168.1.77:64984          ESTABLISHED 2704/sshd          keepalive (279.94/0/0)
tcp        0      0 192.168.1.201:22            192.168.1.77:50366          ESTABLISHED 30703/sshd          keepalive (3834.73/0/0)
tcp        0  2284 192.168.1.201:22            192.168.1.77:64985          ESTABLISHED 2854/sshd          on (0.36/0/0)

Here is the "ps -Af" result; the lines marked in red were executed by the hacker or his script.

Code:

UID        PID  PPID  C STIME TTY          TIME CMD
root        1    0  0 21:30 ?        00:00:04 init [3]                                 
root        2    0  0 21:30 ?        00:00:00 [kthreadd]
root        3    2  0 21:30 ?        00:00:00 [ksoftirqd/0]
root        4    2  0 21:30 ?        00:00:00 [kworker/0:0]
root        6    2  0 21:30 ?        00:00:00 [migration/0]
root        7    2  0 21:30 ?        00:00:00 [watchdog/0]
root        8    2  0 21:30 ?        00:00:00 [migration/1]
root        10    2  0 21:30 ?        00:00:00 [ksoftirqd/1]
root        11    2  0 21:30 ?        00:00:00 [kworker/0:1]
root        12    2  0 21:30 ?        00:00:00 [watchdog/1]
root        13    2  0 21:30 ?        00:00:00 [cpuset]
root        14    2  0 21:30 ?        00:00:00 [khelper]
root        15    2  0 21:30 ?        00:00:00 [kdevtmpfs]
root        16    2  0 21:30 ?        00:00:00 [netns]
root        17    2  0 21:30 ?        00:00:00 [sync_supers]
root        18    2  0 21:30 ?        00:00:00 [bdi-default]
root        19    2  0 21:30 ?        00:00:00 [kblockd]
root        20    2  0 21:30 ?        00:00:00 [kworker/1:1]
root        21    2  0 21:30 ?        00:00:00 [khubd]
root        22    2  0 21:30 ?        00:00:00 [md]
root        23    2  0 21:30 ?        00:00:00 [khungtaskd]
root        24    2  0 21:30 ?        00:00:00 [kswapd0]
root        25    2  0 21:30 ?        00:00:00 [ksmd]
root        26    2  0 21:30 ?        00:00:00 [khugepaged]
root        27    2  0 21:30 ?        00:00:00 [fsnotify_mark]
root        28    2  0 21:30 ?        00:00:00 [crypto]
root        32    2  0 21:30 ?        00:00:00 [kpsmoused]
root        33    2  0 21:30 ?        00:00:00 [devfreq_wq]
root        34    2  0 21:30 ?        00:00:00 [kworker/1:2]
root        44    2  0 21:30 ?        00:00:00 [ata_sff]
root        47    2  0 21:30 ?        00:00:00 [scsi_eh_0]
root        48    2  0 21:30 ?        00:00:00 [scsi_eh_1]
root        49    2  0 21:30 ?        00:00:00 [scsi_eh_2]
root        50    2  0 21:30 ?        00:00:00 [scsi_eh_3]
root        51    2  0 21:30 ?        00:00:00 [scsi_eh_4]
root        52    2  0 21:30 ?        00:00:00 [scsi_eh_5]
root        58    2  0 21:30 ?        00:00:00 [kworker/u:6]
root        59    2  0 21:30 ?        00:00:00 [kworker/u:7]
root        69    2  0 21:30 ?        00:00:00 [kdmflush]
root        70    2  0 21:30 ?        00:00:00 [kdmflush]
root        71    2  0 21:30 ?        00:00:00 [kjournald]
root        98    2  0 21:31 ?        00:00:00 [kauditd]
root      131    1  0 21:31 ?        00:00:00 /sbin/udevd -d
root      882    2  0 21:31 ?        00:00:00 [scsi_eh_6]
root      885    2  0 21:31 ?        00:00:00 [scsi_eh_7]
root      1297    2  0 21:31 ?        00:00:00 [hd-audio0]
root      1605    1 19 22:41 ?        00:05:19 ls               
root      1695    2  0 21:31 ?        00:00:00 [kmpathd]
root      1696    2  0 21:31 ?        00:00:00 [kmpath_handlerd]
root      1720    2  0 21:31 ?        00:00:00 [kjournald]
root      1811    2  0 21:31 ?        00:00:00 [iscsi_eh]
root      1848    2  0 21:31 ?        00:00:00 [cnic_wq]
root      1850    2  0 21:31 ?        00:00:00 [bnx2i_thread/0]
root      1855    2  0 21:31 ?        00:00:00 [bnx2i_thread/1]
root      1862    2  0 21:31 ?        00:00:00 [ib_addr]
root      1868    2  0 21:31 ?        00:00:00 [ib_mcast]
root      1870    2  0 21:31 ?        00:00:00 [iw_cm_wq]
root      1872    2  0 21:31 ?        00:00:00 [ib_cm]
root      1876    2  0 21:31 ?        00:00:00 [rdma_cm]
root      1893    1  0 21:31 ?        00:00:00 iscsiuio
root      1901    1  0 21:31 ?        00:00:00 iscsid
root      1902    1  0 21:31 ?        00:00:00 iscsid
root      2132    2  0 21:31 ?        00:00:00 [flush-253:0]
root      2198    1  0 21:31 ?        00:00:00 auditd
root      2200  2198  0 21:31 ?        00:00:00 /sbin/audispd
root      2230    1  0 21:31 ?        00:00:00 syslogd -m 0
root      2233    1  0 21:31 ?        00:00:00 klogd -x
rpc      2264    1  0 21:31 ?        00:00:00 portmap
root      2296    2  0 21:31 ?        00:00:00 [rpciod]
rpcuser  2303    1  0 21:31 ?        00:00:00 rpc.statd
root      2339    1  0 21:31 ?        00:00:00 rpc.idmapd
dbus      2369    1  0 21:31 ?        00:00:00 dbus-daemon --system
root      2405    1  0 21:31 ?        00:00:00 /usr/sbin/acpid
68        2430    1  0 21:31 ?        00:00:00 hald
root      2431  2430  0 21:31 ?        00:00:00 hald-runner
68        2440  2431  0 21:31 ?        00:00:00 hald-addon-keyboard: listening on /dev/input/event4
68        2443  2431  0 21:31 ?        00:00:00 hald-addon-keyboard: listening on /dev/input/event1
68        2446  2431  0 21:31 ?        00:00:00 hald-addon-keyboard: listening on /dev/input/event2
68        2452  2431  0 21:31 ?        00:00:00 hald-addon-keyboard: listening on /dev/input/event0
root      2492    1  0 21:31 ?        00:00:00 /usr/sbin/sshd
root      2510    1  0 21:31 ?        00:00:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
ntp      2526    1  0 21:31 ?        00:00:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
root      2569    1  0 21:31 ?        00:00:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --pid-file=/var/run/mysqld/mysqld.pid --basedir=/usr --user=mysql
mysql    2651  2569  0 21:31 ?        00:00:05 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --log-error=/var/log/mysqld.log --socket=/var/lib/mysql/mysql.sock
root      2704  2492  0 21:31 ?        00:00:00 sshd: root@notty
cyrus    2824    1  0 21:32 ?        00:00:00 /usr/lib/cyrus-imapd/cyrus-master -d
root      2830  2704  0 21:32 ?        00:00:00 /usr/libexec/openssh/sftp-server
root      2854  2492  0 21:32 ?        00:00:00 sshd: root@pts/0
cyrus    2879    1  0 21:32 ?        00:00:00 idled
cyrus    2918  2824  0 21:32 ?        00:00:00 imapd
cyrus    2919  2824  0 21:32 ?        00:00:00 imapd -s
cyrus    2920  2824  0 21:32 ?        00:00:00 pop3d
cyrus    2922  2824  0 21:32 ?        00:00:00 pop3d -s
cyrus    2923  2824  0 21:32 ?        00:00:00 lmtpd
root      2932    1  0 21:32 ?        00:00:00 /usr/libexec/postfix/master
postfix  2944  2932  0 21:32 ?        00:00:00 qmgr -l -t fifo -u
cyrus    2948  2824  0 21:32 ?        00:00:00 imapd
cyrus    2949  2824  0 21:32 ?        00:00:00 pop3d
root      2950    1  0 21:32 ?        00:00:00 /usr/sbin/httpd
cyrus    2962  2824  0 21:32 ?        00:00:00 imapd
cyrus    2963  2824  0 21:32 ?        00:00:00 imapd
cyrus    2964  2824  0 21:32 ?        00:00:00 imapd
cyrus    2965  2824  0 21:32 ?        00:00:00 pop3d
asterisk  2966  2950  0 21:32 ?        00:00:07 /usr/sbin/httpd
asterisk  2967  2950  0 21:32 ?        00:00:07 /usr/sbin/httpd
asterisk  2968  2950  0 21:32 ?        00:00:07 /usr/sbin/httpd
asterisk  2969  2950  0 21:32 ?        00:00:09 /usr/sbin/httpd
asterisk  2970  2950  0 21:32 ?        00:00:14 /usr/sbin/httpd
asterisk  2971  2950  0 21:32 ?        00:00:07 /usr/sbin/httpd
asterisk  2972  2950  0 21:32 ?        00:00:11 /usr/sbin/httpd
asterisk  2973  2950  0 21:32 ?        00:00:08 /usr/sbin/httpd
root      2984    1  0 21:32 ?        00:00:00 crond
xfs      3018    1  0 21:32 ?        00:00:00 xfs -droppriv -daemon
root      3036  2854  0 21:32 pts/0    00:00:00 -bash
asterisk  3071    1  0 21:32 ?        00:00:00 /usr/bin/php /opt/elastix/dialer/dialerd
asterisk  3084  3071  0 21:32 ?        00:00:03 /usr/bin/php /opt/elastix/dialer/dialerd
asterisk  3085  3084  0 21:32 ?        00:00:00 /usr/bin/php /opt/elastix/dialer/dialerd
root      3128    1  0 21:32 ?        00:00:00 /usr/bin/php /opt/elastix/elastix-updater/elxupdaterd
root      3144    1  0 21:32 ?        00:00:00 /usr/sbin/atd
root      3155  3128  0 21:32 ?        00:00:00 /usr/bin/php /opt/elastix/elastix-updater/elxupdaterd
uucp      3208    1  0 21:32 ?        00:00:00 /usr/sbin/faxq
uucp      3219    1  0 21:32 ?        00:00:00 /usr/sbin/hfaxd -i hylafax
root      3257    1  0 21:32 ?        00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root      3269  3257  0 21:32 ?        00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root      3270  3257  0 21:32 ?        00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root      3271  3257  0 21:32 ?        00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root      3272  3257  0 21:32 ?        00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
asterisk  3414    1  0 21:32 ?        00:00:02 /usr/bin/perl /var/www/html/admin/modules/fw_fop/op_server.pl
root      3440    1  0 21:32 tty1    00:00:00 /sbin/mingetty tty1
root      3441    1  0 21:32 tty2    00:00:00 /sbin/mingetty tty2
root      3442    1  0 21:32 tty3    00:00:00 /sbin/mingetty tty3
root      3443    1  0 21:32 tty4    00:00:00 /sbin/mingetty tty4
root      3444    1  0 21:32 tty5    00:00:00 /sbin/mingetty tty5
root      3445    1  0 21:32 tty6    00:00:00 /sbin/mingetty tty6
root      7405    1  0 23:09 ?        00:00:00 top                       
root      7408    1  0 23:09 ?        00:00:00 sh                       
root      7409    1  0 23:09 ?        00:00:00 pwd                       
root      7411    1  0 23:09 ?        00:00:00 sh                       
root      7412    1  0 23:09 ?        00:00:00 netstat -antop                       
root      7420    1  0 23:09 ?        00:00:00 ifconfig eth0                       
root      7423    1  0 23:09 ?        00:00:00 echo "find"                       
root      7425    1  0 23:09 ?        00:00:00 cd /etc                       
root      7426    1  0 23:09 ?        00:00:00 ls                       
root      7427    1  0 23:09 ?        00:00:00 netstat -antop                       
root      7428  3036  0 23:09 pts/0    00:00:00 ps -Af
asterisk 20962  3084  0 21:55 ?        00:00:00 [dialerd] <defunct>
asterisk 20966  3084  0 21:55 ?        00:00:00 [dialerd] <defunct>
asterisk 20967  3084  0 21:55 ?        00:00:00 [dialerd] <defunct>
asterisk 20968  3084  0 21:55 ?        00:00:00 [dialerd] <defunct>
root    30703  2492  0 22:31 ?        00:00:00 sshd: root@notty
root    30730 30703  0 22:31 ?        00:00:00 /usr/libexec/openssh/sftp-server

Here is a Wireshark log.

Here is the virus file link in the /usr/bin/ directory.

Here is the content of the /etc/rc.d/init.d/file.

Please note that zisxjpdzgj changes every time, as you can see.
Code:

#!/bin/sh
# chkconfig: 12345 90 90
# description: zisxjpdzgj
### BEGIN INIT INFO
# Provides:                zisxjpdzgj
# Required-Start:       
# Required-Stop:       
# Default-Start:        1 2 3 4 5
# Default-Stop:               
# Short-Description:        zisxjpdzgj
### END INIT INFO
case $1 in
start)
        /usr/bin/zisxjpdzgj
        ;;
stop)
        ;;
*)
        /usr/bin/zisxjpdzgj
        ;;
esac

It starts even if it is killed, the server is rebooted, or the IP is blocked using iptables.
It connects to port 3307 of the attacker, but the IP keeps changing.
My kernel is "kernel-lt-3.2.73-1.el5.elrepo.x86_64".
It deleted the /usr/sbin/asterisk file.

How can I find his backdoor and delete or stop it?
Thanks in advance,
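
A triage pass over listings of this kind, as an added example (not code from the original post): it parses `ps -Af` and `netstat -antop` output, flags processes that carry a one-shot command name (`ls`, `cd /etc`, `echo "find"`) yet have init as parent, no terminal, and minutes of CPU time, and then lists the outbound connections to non-private addresses those PIDs own. The sample rows are a constructed subset of the output posted above; the name list and the thresholds are my own heuristic, not a signature for any particular malware.

```python
"""Triage of `ps -Af` and `netstat -antop` listings for fake-name processes.
Added example; both samples are constructed subsets of the output posted above."""
import ipaddress
import os

# One-shot commands and shell builtins (my list, not a signature): none sits for minutes as a child of init with no tty.
TRANSIENT_NAMES = {"ls", "pwd", "cd", "echo", "top", "sh", "netstat",
                   "ifconfig", "ps", "find", "who", "id", "cat"}

PS_SAMPLE = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root      1605    1 19 22:41 ?        00:05:19 ls
root      2492    1  0 21:31 ?        00:00:00 /usr/sbin/sshd
root      3036  2854  0 21:32 pts/0    00:00:00 -bash
root      7423    1  0 23:09 ?        00:00:00 echo "find"
root      7425    1  0 23:09 ?        00:00:00 cd /etc
root      7428  3036  0 23:09 pts/0    00:00:00 ps -Af
"""

NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name Timer
tcp 0 0 0.0.0.0:22          0.0.0.0:*            LISTEN      2492/sshd off (0.00/0/0)
tcp 0 1 192.168.1.201:46453 103.240.140.152:3307 SYN_SENT    1605/ls   on (1.03/1/0)
tcp 0 0 192.168.1.201:22    192.168.1.77:64984   ESTABLISHED 2704/sshd keepalive (279.94/0/0)
"""


def cputime_seconds(s):
    """'hh:mm:ss', optionally prefixed with 'd-' days, to seconds."""
    days, _, hms = s.rpartition("-")
    h, m, sec = (int(x) for x in hms.split(":"))
    return int(days or 0) * 86400 + h * 3600 + m * 60 + sec


def parse_ps(text):
    """Rows of `ps -Af`; CMD may contain spaces, so split at most 7 times."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 7)
        if len(parts) < 8 or parts[0] == "UID":
            continue
        uid, pid, ppid, cpu, _stime, tty, cputime, cmd = parts
        rows.append({"uid": uid, "pid": int(pid), "ppid": int(ppid), "cpu": int(cpu),
                     "tty": tty, "time": cputime_seconds(cputime), "cmd": cmd.strip()})
    return rows


def parse_netstat(text):
    """tcp rows of `netstat -antop` (udp rows have no State column and are skipped)."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 7)
        if len(parts) < 7 or not parts[0].startswith("tcp"):
            continue
        pid_s, _, prog = parts[6].partition("/")
        rows.append({"local": parts[3], "foreign": parts[4], "state": parts[5],
                     "pid": int(pid_s) if pid_s.isdigit() else None, "prog": prog})
    return rows


def suspicious_processes(rows):
    """pid -> reasons, for processes whose name does not fit their behaviour."""
    findings = {}
    for r in rows:
        name = os.path.basename(r["cmd"].split()[0]) if r["cmd"] else ""
        if name not in TRANSIENT_NAMES:
            continue  # daemons and [kernel threads] are not judged by this rule
        reasons = []
        if r["ppid"] == 1 and r["tty"] == "?":
            reasons.append("one-shot command name, but parent is init and no tty")
        if r["cpu"] >= 5 or r["time"] >= 60:
            reasons.append(f"trivial command with sustained CPU use ({r['time']}s)")
        if reasons:
            findings[r["pid"]] = reasons
    return findings


def suspicious_connections(conns, suspect_pids):
    """Non-listening sockets of a suspect pid that reach a non-private peer."""
    out = []
    for c in conns:
        if c["state"] == "LISTEN" or c["pid"] not in suspect_pids:
            continue
        host = c["foreign"].rsplit(":", 1)[0]  # established rows always carry a real peer
        if not ipaddress.ip_address(host).is_private:
            out.append(c)
    return out


def triage(ps_text, netstat_text):
    procs = suspicious_processes(parse_ps(ps_text))
    conns = suspicious_connections(parse_netstat(netstat_text), set(procs))
    return {"processes": procs, "connections": conns}


if __name__ == "__main__":
    print(triage(PS_SAMPLE, NETSTAT_SAMPLE))
```

On the listing above this picks out PID 1605 (`ls` with init as parent, 19% CPU and five minutes of run time, holding the SYN_SENT socket to port 3307) and the `echo "find"` / `cd /etc` entries, while the real `ps -Af` under the admin's bash on pts/0 passes. Feed it the saved output of the two commands rather than running it on the compromised host itself.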

Habitual 02-05-2016 04:41 PM

Have you run rkhunter?

Are you familiar with it?

hamzagad 02-06-2016 02:52 AM

Yes, I did. It gives a warning at "Checking for enabled xinetd services",
and here is the final result:
Code:

File properties checks...
    Required commands check failed
    Files checked: 133
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 312
    Possible rootkits: 0

Here is the full log file

Thanks for your help

unSpawn 02-06-2016 05:59 AM

Quote:

Originally Posted by hamzagad (Post 5495925)
I am not that expert in linux, My CentOS 5.10 "elastix 2.5" server hacked. The hacker uses my server to attack another servers so i want to stop him. (..) Here is the virus file link in /usr/bin/ directory (..) /etc/rc.d/init.d/file started even if killed, rebooted, blocked the ip using iptables. (..) How can i find his backdoor and delete or stop it?

Unfortunately for you, CentOS 5.11 was released in December 2014. This means you have not kept the OS up to date as you should have, which in turn means you failed to secure against BASH, OpenSSL and other vulnerabilities that have been and are actively exploited In The Wild. On top of that, Elastix 2.5 shows a 2015 SQL injection vulnerability as well, meaning I seriously question what else may be wrong with your machine.

As for the symptoms: behaviour like the changing process name, the use of a SysV init script, continuation-on-delete, etc., etc. all point to the BillGates botnet (haven't got the malwaremustdie.org link at the ready, so here's another one: https://securelist.com/analysis/publ...jan-for-linux/). (RKH CVS comes with an imperfect, experimental ClamAV sig rkhunter/files/signatures/RKH_BillGates.ldb, BTW.) Dropping files in root-owned directories like /usr/bin and /etc/rc.d tells you just that: the perp needs root privileges to be able to do that. Meaning there is no way you will "fix", "clean up" or "correct" this situation.

What's more is that BillGates botnet is used to harm other Netizens. So until you isolate the machine from the network you are a hazard to others. Please act now.

What to do? Inform users the machine was compromised and have them revoke any credentials and private keys used. Use CentOS 6 current, do a clean install (do not use a backup to "restore" anything that is not human readable and inspected) and then harden properly first before adding services and allowing public access.

hamzagad 02-06-2016 06:17 AM

Quote:

Originally Posted by unSpawn (Post 5496168)
what else may be wrong with your machine.

i will reinstall from scratch :mad:

Thank you unSpawn

unSpawn 02-06-2016 06:24 AM

Should you have any questions on what to secure and how, please first read the CentOS or Red Hat Admin Guide security section and afterwards ask questions, OK? Good luck!

hamzagad 02-06-2016 06:34 AM

I will install fail2ban and change the ports of SSH and HTTPS.
I will also fix the vulnerabilities by updating, make the passwords more complex, and try activating geo iptables.

I think this mix will be enough.

Thanks for the explanation, and I wish you the best.

JockVSJock 02-06-2016 09:36 AM

I'm wondering why you didn't pull this server off of the network and then conduct your analysis?

I believe Kali has tools that can create a snapshot of memory and allow you to troubleshoot from there.

unSpawn 02-06-2016 11:43 AM

Quote:

Originally Posted by hamzagad (Post 5496185)
I think this mix will be enough.

It's part of what you should do but it isn't the order in which you should do things. Changing SSH and HTTPS ports does not make sense. I do hope you actually took the time to read the CentOS Admin Guide?

unSpawn 02-06-2016 11:46 AM

Quote:

Originally Posted by JockVSJock (Post 5496249)
I'm wondering why you didn't pull this server off of the network and then conduct your analysis?

In all the years I've been doing incident handling I may have met a person once or twice who had already offlined a machine. Unfortunately new Linux users as well as seasoned admins (yes) tend to make newbie mistakes when confronted with a breach of security.


Quote:

Originally Posted by JockVSJock (Post 5496249)
I believe Kali has tools that can create a snapshot of memory and allow to troubleshoot from there.

That's nice but it isn't the first thing to do and you don't need Kali or Volatility to do it.

JockVSJock 02-06-2016 12:03 PM

Quote:

Originally Posted by unSpawn (Post 5496297)

That's nice but it isn't the first thing to do and you don't need Kali or Volatility to do it.

In the past, in the forensics that I've done, the first thing I did was pull the CAT5 out of the NIC and capture what was running in RAM.

What then is your recommendation?

hamzagad 02-06-2016 12:41 PM

Quote:

Originally Posted by JockVSJock (Post 5496249)
I'm wondering why you didn't pull this server off of the network and then conduct your analysis?

I believe Kali has tools that can create a snapshot of memory and allow to troubleshoot from there.

My level of knowledge about Linux is not enough to perform this analysis :rolleyes:

hamzagad 02-06-2016 12:44 PM

Quote:

Originally Posted by unSpawn (Post 5496296)
It's part of what you should do but it isn't the order in which you should do things. Changing SSH and HTTPS ports does not make sense. I do hope you actually took the time to read the CentOS Admin Guide?

Will read it of course, and these actions are just the beginning.

Thanks for your attention again.

JockVSJock 02-06-2016 07:17 PM

Quote:

Originally Posted by hamzagad (Post 5496344)
My level of knowledge about Linux is not enough to perform this analysis :rolleyes:

I'm sure there are tutorials online that could help. You just have to be willing to roll up your sleeves, make some mistakes and learn from them.

That's why we are all here, to learn.

unSpawn 02-10-2016 01:01 AM

Quote:

Originally Posted by JockVSJock (Post 5496314)
In the past, the forensics that I've done, the 1st thing that I did was pull the CAT5 out of the NIC and capture what is running in RAM.

What then is your recommendation?

In the field, compliance, approved lawful seizure, uncertainty, speed and such may make a forensic investigator decide otherwise, but I think this case (even though that's mainly due to the OP being able to present an accurate description of anomalous behaviour) illustrates there is no need for disproportionate acquisition of evidence. Another thing is that it won't be you who will be performing acquisition but a user, at best an admin, without formal training, let alone practical experience. Lastly, I do not agree you can fob off such a task onto clueless users saying
Quote:

I'm sure there are tutorials online that could help.

That's not what we're here for, that's not how I want to see incident handling done in this forum and that's not how we've done things the past decade and a half.

Now most of the cases we've handled here have external infection vectors meaning "the usual" applies: exploiting a weakness, elevating privileges, dropping payloads. Meaning changed DAC, MAC times and obviously anomalous entities provide a good starting point. Not saying there is a simple answer. In the past I started by posting a list of things to do (I'm sorry but you'll have to search older threads for it until I repost) and equally important: asking questions.
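
As an added example, not from unSpawn or from any tool he names, the following audit applies that starting point (MAC times and obviously anomalous entities) to a SysV init.d directory: it flags scripts whose modification time is far newer than the rest, random-looking service names, a `stop` branch that does nothing, and a default `*` branch that runs the same command as `start`, which is exactly the shape of the zisxjpdzgj script posted at the top of the thread. The three scripts it writes to a temporary directory are constructed stand-ins (the thresholds and the name heuristic are mine); pass a copied init.d tree to `audit_initd` to run it on real data.

```python
"""Audit of SysV init scripts for the persistence pattern seen in this thread.
Added example; the three scripts it writes are constructed, not real files."""
import os
import re
import statistics
import tempfile
import time

BRANCH_RE = re.compile(r"^\s*([\w|*-]+)\)\s*$")  # a case label such as "start)" or "*)"
DAY = 86400


def case_branches(text):
    """Map each `label)` branch of a shell case statement to its non-comment lines."""
    branches, current = {}, None
    for line in text.splitlines():
        m = BRANCH_RE.match(line)
        if m:
            current = m.group(1)
            branches[current] = []
        elif current is not None:
            stripped = line.strip()
            if stripped == ";;":
                current = None
            elif stripped and not stripped.startswith("#"):
                branches[current].append(stripped)
    return branches


def looks_random(name):
    """Long, all-lowercase, nearly vowel-free names such as zisxjpdzgj (heuristic)."""
    return (len(name) >= 8 and name.isalpha() and name.islower()
            and sum(c in "aeiou" for c in name) / len(name) < 0.2)


def audit_script(name, text, mtime, median_mtime):
    """Reasons to look closer at one script; an empty list means nothing stood out."""
    reasons = []
    if looks_random(name):
        reasons.append("service name looks randomly generated")
    gap_days = (mtime - median_mtime) / DAY
    if gap_days > 30:  # MAC-time outlier against the rest of init.d (threshold is mine)
        reasons.append(f"modified {gap_days:.0f} days after the median init script")
    b = case_branches(text)
    if b.get("start") and not b.get("stop"):
        reasons.append("stop branch does nothing")
    if b.get("start") and b.get("*") == b["start"]:
        reasons.append("default branch runs the start command, so any argument launches it")
    return reasons


def audit_initd(directory):
    """{script name: reasons} for every flagged script in an init.d-style directory."""
    entries = []
    for fname in sorted(os.listdir(directory)):
        path = os.path.join(directory, fname)
        if os.path.isfile(path):
            with open(path) as fh:
                entries.append((fname, fh.read(), os.stat(path).st_mtime))
    if not entries:
        return {}
    median_mtime = statistics.median([m for _, _, m in entries])
    report = {n: audit_script(n, t, m, median_mtime) for n, t, m in entries}
    return {n: r for n, r in report.items() if r}


def init_script(start, stop, default='echo "Usage: $0 {start|stop}"'):
    """Constructed SysV-style script with the same shape as the one posted above."""
    body = "".join(f"{label})\n        {cmd}\n        ;;\n"
                   for label, cmd in (("start", start), ("stop", stop), ("*", default)))
    return f'#!/bin/sh\n# chkconfig: 2345 90 10\ncase "$1" in\n{body}esac\n'


SAMPLES = {  # name: (script text, age in days); the benign two are stand-ins
    "sshd": (init_script("/usr/sbin/sshd", "killproc sshd"), 400),
    "myapp": (init_script("/usr/sbin/myappd", "killproc myappd"), 300),
    # mirrors the zisxjpdzgj script in the thread: empty stop, default runs the payload
    "zisxjpdzgj": (init_script("/usr/bin/zisxjpdzgj", "", "/usr/bin/zisxjpdzgj"), 0),
}


def build_sample_initd(directory):
    # Back-date the benign scripts so the dropper is the MAC-time outlier.
    now = time.time()
    for name, (text, age_days) in SAMPLES.items():
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write(text)
        stamp = now - age_days * DAY
        os.utime(path, (stamp, stamp))


def run_demo():
    directory = tempfile.mkdtemp()
    build_sample_initd(directory)
    return audit_initd(directory)


if __name__ == "__main__":
    for name, reasons in run_demo().items():
        print(name, "->", "; ".join(reasons))
```

Run on the constructed set, only zisxjpdzgj is reported, with all four reasons. On a real tree the mtime check is the one to trust least: a package update touches many scripts at once, so read the gap relative to the median rather than as an absolute date, and confirm ownership with the package manager before acting on a hit.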

