[SOLVED] My server hacked, delete asterisk, start even if killed
Please note that zisxjpdzgj changes every time, as you see.
Code:
#!/bin/sh
# chkconfig: 12345 90 90
# description: zisxjpdzgj
### BEGIN INIT INFO
# Provides: zisxjpdzgj
# Required-Start:
# Required-Stop:
# Default-Start: 1 2 3 4 5
# Default-Stop:
# Short-Description: zisxjpdzgj
### END INIT INFO
case $1 in
start)
/usr/bin/zisxjpdzgj
;;
stop)
;;
*)
/usr/bin/zisxjpdzgj
;;
esac
It starts even if killed, rebooted, or the IP is blocked using iptables.
It connects to port 3307 of the attacker, but the IP is changing.
My kernel is "kernel-lt-3.2.73-1.el5.elrepo.x86_64".
It deletes the /usr/sbin/asterisk file.
How can I find his backdoor and delete or stop it?
Thanks in advance,
Last edited by hamzagad; 02-05-2016 at 04:05 PM.
Reason: added more details
I am not that expert in Linux. My CentOS 5.10 "elastix 2.5" server was hacked. The hacker uses my server to attack other servers so I want to stop him. (..) Here is the virus file link in the /usr/bin/ directory (..) the /etc/rc.d/init.d/ file starts even if killed, rebooted, or the IP is blocked using iptables. (..) How can I find his backdoor and delete or stop it?
Unfortunately for you CentOS 5.11 was released in December 2014. This means you have not kept the OS up to date as you should have, which in turn means you failed to secure against BASH, OpenSSL and other vulnerabilities that have been and are actively exploited In The Wild. On top of that Elastix 2.5 shows a 2015 SQL injection vulnerability as well, meaning I seriously question what else may be wrong with your machine.
As for the symptoms: behaviour like the changing process name, the use of a SysV init script, continuation-on-delete, etc, etc all point to the BillGates botnet (haven't got the malwaremustdie.org link at the ready so here's another one: https://securelist.com/analysis/publ...jan-for-linux/). (RKH CVS comes with an imperfect, experimental ClamAV sig rkhunter/files/signatures/RKH_BillGates.ldb BTW.) Dropping files in root owned directories like /usr/bin and /etc/rc.d tells you just that: the perp needs root privileges to be able to do that. Meaning there is no way you will "fix", "clean up" or "correct" this situation.
What's more is that BillGates botnet is used to harm other Netizens. So until you isolate the machine from the network you are a hazard to others. Please act now.
What to do? Inform users the machine was compromised and have them revoke any credentials and private keys used. Use CentOS 6 current, do a clean install (do not use a backup to "restore" anything that is not human readable and inspected) and then harden properly first before adding services and allowing public access.
Should you have any questions on what to secure and how, please first read the CentOS or Red Hat Admin Guide security section and afterwards ask questions, OK? Good luck!
I will install fail2ban and change the ports of SSH and HTTPS.
I will also fix the vulnerabilities by updating, making the passwords more complex, and will try activating geo iptables.
It's part of what you should do but it isn't the order in which you should do things. Changing SSH and HTTPS ports does not make sense. I do hope you actually took the time to read the CentOS Admin Guide?
I'm wondering why you didn't pull this server off of the network and then conduct your analysis?
In all the years I've been doing incident handling I may have met a person once or twice who already offlined a machine. Unfortunately new Linux users as well as seasoned admins (yes) tend to make newbie mistakes when confronted with a breach of security.
Quote:
Originally Posted by JockVSJock
I believe Kali has tools that can create a snapshot of memory and allow to troubleshoot from there.
That's nice but it isn't the first thing to do and you don't need Kali or Volatility to do it.
Quote:
It's part of what you should do but it isn't the order in which you should do things. Changing SSH and HTTPS ports does not make sense. I do hope you actually took the time to read the CentOS Admin Guide?
Will read it of course, and these actions are just the beginning.
In the forensics I've done in the past, the first thing I did was pull the CAT5 out of the NIC and capture what was running in RAM.
What then is your recommendation?
In the field, compliance, approved lawful seizure, uncertainty, speed and such may make a forensic investigator decide otherwise, but I think this case (even though that's mainly due to the OP being able to present an accurate description of anomalous behaviour) illustrates there is no need for disproportionate acquisition of evidence. Another thing is that it won't be you who will be performing acquisition but a user, at best an admin, without formal training let alone practical experience. Lastly, I do not agree you can fob off such a task onto clueless users saying
Quote:
I'm sure there are tutorials online that could help.
That's not what we're here for, that's not how I want to see incident handling done in this forum and that's not how we've done things the past decade and a half.
Now most of the cases we've handled here have external infection vectors meaning "the usual" applies: exploiting a weakness, elevating privileges, dropping payloads. Meaning changed DAC, MAC times and obviously anomalous entities provide a good starting point. Not saying there is a simple answer. In the past I started by posting a list of things to do (I'm sorry but you'll have to search older threads for it until I repost) and equally important: asking questions.
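As an added example (not from the thread or any of its posters), a shell triage script that turns the OP's init script and the "obviously anomalous entities" hint into a check: it scans a SysV init.d directory for scripts shaped like the posted one (chkconfig "12345", payload run from the "*)" default case, Provides: name equal to the binary it starts). The sample scripts it writes are constructed for a dry run; point scan_initd at /etc/rc.d/init.d on a real box.

```shell
#!/bin/sh
# Added example: flag SysV init scripts shaped like the one posted above.
# Prints "<path> <score>" for every script scoring >= 2 of the 3 checks.
scan_initd() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        score=0
        # 1. enabled in runlevels 1-5 (legitimate services use 2345 or 345)
        grep -Eq '^# *chkconfig: *12345' "$f" && score=$((score + 1))
        # 2. the "*)" default branch runs an absolute path on the next line
        awk '/^[[:space:]]*[*][)]/ { getline; if ($0 ~ /^[[:space:]]*\//) hit = 1 }
             END { exit !hit }' "$f" && score=$((score + 1))
        # 3. basename of the first absolute path run equals the Provides: name
        prov=$(sed -n 's/^# *Provides:[[:space:]]*//p' "$f" | head -n 1)
        bin=$(grep -Eo '^[[:space:]]*/[^[:space:]]+' "$f" | head -n 1 | tr -d '[:space:]')
        if [ -n "$prov" ] && [ -n "$bin" ] && [ "$(basename "$bin")" = "$prov" ]; then
            score=$((score + 1))
        fi
        [ "$score" -ge 2 ] && printf '%s %d\n' "$f" "$score"
    done
    return 0
}

# Constructed samples: a trimmed copy of the posted script and a benign one.
write_samples() {
    cat > "$1/zisxjpdzgj" <<'EOF'
# chkconfig: 12345 90 90
# Provides: zisxjpdzgj
case $1 in
start) /usr/bin/zisxjpdzgj ;;
stop) ;;
*)
/usr/bin/zisxjpdzgj
;;
esac
EOF
    cat > "$1/sshd" <<'EOF'
# chkconfig: 2345 55 25
# Provides: sshd
case $1 in
start) /usr/sbin/sshd ;;
*) echo "Usage: $0 {start|stop}" ;;
esac
EOF
}
```

A hit is a starting point for inspection, not proof: compare the flagged script and the binary it starts against the package database and their MAC times before drawing conclusions.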