Old 02-05-2016, 03:55 PM   #1
hamzagad
LQ Newbie
 
Registered: Feb 2016
Location: cairo
Distribution: CentOS 5.10
Posts: 8

Rep: Reputation: 0
My server hacked, delete asterisk, start even if killed


Dear all:

I am not that expert in Linux. My CentOS 5.10 "elastix 2.5" server was hacked.
The hacker uses my server to attack other servers, so I want to stop him.

Here is the "netstat -np" result:

Code:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 192.168.1.201:22            192.168.1.77:64984          ESTABLISHED 2704/sshd           
tcp        0      1 192.168.1.201:58401         103.240.141.67:3307         SYN_SENT    1605/ls             
tcp        0      0 192.168.1.201:22            192.168.1.77:50366          ESTABLISHED 30703/sshd          
tcp        0     52 192.168.1.201:22            192.168.1.77:64985          ESTABLISHED 2854/sshd           
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ]         DGRAM                    9557   2879/idled          /var/lib/imap/socket/idle
unix  2      [ ]         DGRAM                    8046   2430/hald           @/org/freedesktop/hal/udev_event
unix  29     [ ]         DGRAM                    8337   2230/syslogd        /dev/log
unix  2      [ ]         DGRAM                    1242   131/udevd           @/org/kernel/udev/udevd
unix  2      [ ]         DGRAM                    126513 7589/local          
unix  2      [ ]         DGRAM                    126503 7588/trivial-rewrit 
unix  3      [ ]         STREAM     CONNECTED     126509 7588/trivial-rewrit private/rewrite
unix  3      [ ]         STREAM     CONNECTED     126500 7587/cleanup        
unix  2      [ ]         DGRAM                    126493 7587/cleanup        
unix  2      [ ]         DGRAM                    126484 7586/pickup         
unix  3      [ ]         STREAM     CONNECTED     99282  30703/sshd          
unix  3      [ ]         STREAM     CONNECTED     99281  30730/sftp-server   
unix  3      [ ]         STREAM     CONNECTED     99280  30703/sshd          
unix  3      [ ]         STREAM     CONNECTED     99279  30730/sftp-server   
unix  2      [ ]         DGRAM                    10773  3257/saslauthd      
unix  2      [ ]         DGRAM                    10703  3219/hfaxd          
unix  2      [ ]         DGRAM                    11783  3208/faxq           
unix  3      [ ]         STREAM     CONNECTED     10497  3085/php            
unix  3      [ ]         STREAM     CONNECTED     10496  3084/php            
unix  2      [ ]         DGRAM                    9776   2965/pop3d          
unix  2      [ ]         DGRAM                    10468  2964/imapd          
unix  2      [ ]         DGRAM                    10467  2962/imapd          
unix  2      [ ]         DGRAM                    9773   2963/imapd          
unix  2      [ ]         DGRAM                    9761   2965/pop3d          
unix  2      [ ]         DGRAM                    10458  2964/imapd          
unix  2      [ ]         DGRAM                    9737   2962/imapd          
unix  2      [ ]         DGRAM                    10426  2963/imapd          
unix  2      [ ]         DGRAM                    10403  2948/imapd          
unix  2      [ ]         DGRAM                    10375  2984/crond          
unix  2      [ ]         DGRAM                    10355  2948/imapd          
unix  2      [ ]         DGRAM                    10352  2949/pop3d          
unix  2      [ ]         DGRAM                    10350  2923/lmtpd          
unix  2      [ ]         DGRAM                    9693   2854/sshd           
unix  2      [ ]         DGRAM                    10320  2922/pop3d          
unix  2      [ ]         DGRAM                    9683   2919/imapd          
unix  2      [ ]         DGRAM                    9681   2920/pop3d          
unix  2      [ ]         DGRAM                    10318  2918/imapd          
unix  2      [ ]         DGRAM                    9675   2944/qmgr           
unix  2      [ ]         DGRAM                    9672   2949/pop3d          
unix  3      [ ]         STREAM     CONNECTED     10294  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10293  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10291  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10290  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10288  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10287  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10285  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10284  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10282  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10281  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10279  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10278  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10276  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10275  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10273  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10272  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10270  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10269  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10267  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10266  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10264  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10263  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10261  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10260  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10258  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10257  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10255  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10254  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10252  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10251  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10249  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10248  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10246  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10245  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10243  2932/master         
unix  3      [ ]         STREAM     CONNECTED     10242  2932/master         
unix  3      [ ]         STREAM     CONNECTED     9216   2932/master         
unix  3      [ ]         STREAM     CONNECTED     9215   2932/master         
unix  3      [ ]         STREAM     CONNECTED     9213   2932/master         
unix  3      [ ]         STREAM     CONNECTED     9212   2932/master         
unix  3      [ ]         STREAM     CONNECTED     9210   2932/master         
unix  3      [ ]         STREAM     CONNECTED     9209   2932/master         
unix  3      [ ]         STREAM     CONNECTED     9207   2932/master         
unix  3      [ ]         STREAM     CONNECTED     9206   2932/master         
unix  3      [ ]         STREAM     CONNECTED     9204   2932/master         
unix  3      [ ]         STREAM     CONNECTED     9203   2932/master         
unix  3      [ ]         STREAM     CONNECTED     9201   2932/master         
unix  3      [ ]         STREAM     CONNECTED     9200   2932/master         
unix  3      [ ]         STREAM     CONNECTED     9652   2932/master         
unix  3      [ ]         STREAM     CONNECTED     9651   2932/master         
unix  3      [ ]         STREAM     CONNECTED     9650   2932/master         
unix  3      [ ]         STREAM     CONNECTED     9649   2932/master         
unix  3      [ ]         STREAM     CONNECTED     9647   2932/master         
unix  3      [ ]         STREAM     CONNECTED     9646   2932/master         
unix  3      [ ]         STREAM     CONNECTED     9645   2932/master         
unix  3      [ ]         STREAM     CONNECTED     9644   2932/master         
unix  2      [ ]         DGRAM                    9636   2932/master         
unix  2      [ ]         DGRAM                    9194   2923/lmtpd          
unix  2      [ ]         DGRAM                    9631   2922/pop3d          
unix  2      [ ]         DGRAM                    9193   2920/pop3d          
unix  2      [ ]         DGRAM                    9628   2919/imapd          
unix  2      [ ]         DGRAM                    9190   2918/imapd          
unix  3      [ ]         STREAM     CONNECTED     9050   2704/sshd           
unix  3      [ ]         STREAM     CONNECTED     9049   2830/sftp-server    
unix  3      [ ]         STREAM     CONNECTED     9048   2704/sshd           
unix  3      [ ]         STREAM     CONNECTED     9047   2830/sftp-server    
unix  2      [ ]         DGRAM                    9026   2824/cyrus-master   
unix  2      [ ]         DGRAM                    9282   2526/ntpd           
unix  2      [ ]         DGRAM                    8814   2510/xinetd         
unix  3      [ ]         STREAM     CONNECTED     8772   2369/dbus-daemon    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     8104   2430/hald           
unix  3      [ ]         STREAM     CONNECTED     8090   2430/hald           @/var/run/hald/dbus-kK4wQ5iGTz
unix  3      [ ]         STREAM     CONNECTED     8758   2452/hald-addon-key 
unix  3      [ ]         STREAM     CONNECTED     8079   2430/hald           @/var/run/hald/dbus-kK4wQ5iGTz
unix  3      [ ]         STREAM     CONNECTED     8744   2446/hald-addon-key 
unix  3      [ ]         STREAM     CONNECTED     8072   2430/hald           @/var/run/hald/dbus-kK4wQ5iGTz
unix  3      [ ]         STREAM     CONNECTED     8736   2443/hald-addon-key 
unix  3      [ ]         STREAM     CONNECTED     8065   2430/hald           @/var/run/hald/dbus-kK4wQ5iGTz
unix  3      [ ]         STREAM     CONNECTED     8728   2440/hald-addon-key 
unix  3      [ ]         STREAM     CONNECTED     8041   2430/hald           @/var/run/hald/dbus-KXXMP6ZpiG
unix  3      [ ]         STREAM     CONNECTED     8716   2431/hald-runner    
unix  3      [ ]         STREAM     CONNECTED     7994   2369/dbus-daemon    
unix  3      [ ]         STREAM     CONNECTED     7993   2369/dbus-daemon    
unix  3      [ ]         STREAM     CONNECTED     7949   2339/rpc.idmapd     
unix  3      [ ]         STREAM     CONNECTED     7948   2339/rpc.idmapd     
unix  2      [ ]         DGRAM                    7896   2303/rpc.statd      
unix  2      [ ]         DGRAM                    7832   2233/klogd          
unix  3      [ ]         STREAM     CONNECTED     7793   2198/auditd         
unix  3      [ ]         STREAM     CONNECTED     7792   2200/audispd
Here is the "netstat -antop" result:

Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name    Timer
tcp        0      0 0.0.0.0:993                 0.0.0.0:*                   LISTEN      2824/cyrus-master   off (0.00/0/0)
tcp        0      0 0.0.0.0:995                 0.0.0.0:*                   LISTEN      2824/cyrus-master   off (0.00/0/0)
tcp        0      0 127.0.0.1:20004             0.0.0.0:*                   LISTEN      3155/php            off (0.00/0/0)
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      2651/mysqld         off (0.00/0/0)
tcp        0      0 0.0.0.0:110                 0.0.0.0:*                   LISTEN      2824/cyrus-master   off (0.00/0/0)
tcp        0      0 0.0.0.0:4559                0.0.0.0:*                   LISTEN      3219/hfaxd          off (0.00/0/0)
tcp        0      0 0.0.0.0:143                 0.0.0.0:*                   LISTEN      2824/cyrus-master   off (0.00/0/0)
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      2264/portmap        off (0.00/0/0)
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      2950/httpd          off (0.00/0/0)
tcp        0      0 0.0.0.0:789                 0.0.0.0:*                   LISTEN      2303/rpc.statd      off (0.00/0/0)
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2492/sshd           off (0.00/0/0)
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      2932/master         off (0.00/0/0)
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      2950/httpd          off (0.00/0/0)
tcp        0      0 0.0.0.0:4445                0.0.0.0:*                   LISTEN      3414/perl           off (0.00/0/0)
tcp        0      0 0.0.0.0:4190                0.0.0.0:*                   LISTEN      2824/cyrus-master   off (0.00/0/0)
tcp        0      1 192.168.1.201:46453         103.240.140.152:3307        SYN_SENT    1605/ls             on (1.03/1/0)
tcp        0      0 192.168.1.201:22            192.168.1.77:64984          ESTABLISHED 2704/sshd           keepalive (279.94/0/0)
tcp        0      0 192.168.1.201:22            192.168.1.77:50366          ESTABLISHED 30703/sshd          keepalive (3834.73/0/0)
tcp        0   2284 192.168.1.201:22            192.168.1.77:64985          ESTABLISHED 2854/sshd           on (0.36/0/0)
Here is the "ps -Af" result; the entries marked in red were executed by the hacker or his script.

Code:
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 21:30 ?        00:00:04 init [3]                                   
root         2     0  0 21:30 ?        00:00:00 [kthreadd]
root         3     2  0 21:30 ?        00:00:00 [ksoftirqd/0]
root         4     2  0 21:30 ?        00:00:00 [kworker/0:0]
root         6     2  0 21:30 ?        00:00:00 [migration/0]
root         7     2  0 21:30 ?        00:00:00 [watchdog/0]
root         8     2  0 21:30 ?        00:00:00 [migration/1]
root        10     2  0 21:30 ?        00:00:00 [ksoftirqd/1]
root        11     2  0 21:30 ?        00:00:00 [kworker/0:1]
root        12     2  0 21:30 ?        00:00:00 [watchdog/1]
root        13     2  0 21:30 ?        00:00:00 [cpuset]
root        14     2  0 21:30 ?        00:00:00 [khelper]
root        15     2  0 21:30 ?        00:00:00 [kdevtmpfs]
root        16     2  0 21:30 ?        00:00:00 [netns]
root        17     2  0 21:30 ?        00:00:00 [sync_supers]
root        18     2  0 21:30 ?        00:00:00 [bdi-default]
root        19     2  0 21:30 ?        00:00:00 [kblockd]
root        20     2  0 21:30 ?        00:00:00 [kworker/1:1]
root        21     2  0 21:30 ?        00:00:00 [khubd]
root        22     2  0 21:30 ?        00:00:00 [md]
root        23     2  0 21:30 ?        00:00:00 [khungtaskd]
root        24     2  0 21:30 ?        00:00:00 [kswapd0]
root        25     2  0 21:30 ?        00:00:00 [ksmd]
root        26     2  0 21:30 ?        00:00:00 [khugepaged]
root        27     2  0 21:30 ?        00:00:00 [fsnotify_mark]
root        28     2  0 21:30 ?        00:00:00 [crypto]
root        32     2  0 21:30 ?        00:00:00 [kpsmoused]
root        33     2  0 21:30 ?        00:00:00 [devfreq_wq]
root        34     2  0 21:30 ?        00:00:00 [kworker/1:2]
root        44     2  0 21:30 ?        00:00:00 [ata_sff]
root        47     2  0 21:30 ?        00:00:00 [scsi_eh_0]
root        48     2  0 21:30 ?        00:00:00 [scsi_eh_1]
root        49     2  0 21:30 ?        00:00:00 [scsi_eh_2]
root        50     2  0 21:30 ?        00:00:00 [scsi_eh_3]
root        51     2  0 21:30 ?        00:00:00 [scsi_eh_4]
root        52     2  0 21:30 ?        00:00:00 [scsi_eh_5]
root        58     2  0 21:30 ?        00:00:00 [kworker/u:6]
root        59     2  0 21:30 ?        00:00:00 [kworker/u:7]
root        69     2  0 21:30 ?        00:00:00 [kdmflush]
root        70     2  0 21:30 ?        00:00:00 [kdmflush]
root        71     2  0 21:30 ?        00:00:00 [kjournald]
root        98     2  0 21:31 ?        00:00:00 [kauditd]
root       131     1  0 21:31 ?        00:00:00 /sbin/udevd -d
root       882     2  0 21:31 ?        00:00:00 [scsi_eh_6]
root       885     2  0 21:31 ?        00:00:00 [scsi_eh_7]
root      1297     2  0 21:31 ?        00:00:00 [hd-audio0]
root      1605     1 19 22:41 ?        00:05:19 ls                 
root      1695     2  0 21:31 ?        00:00:00 [kmpathd]
root      1696     2  0 21:31 ?        00:00:00 [kmpath_handlerd]
root      1720     2  0 21:31 ?        00:00:00 [kjournald]
root      1811     2  0 21:31 ?        00:00:00 [iscsi_eh]
root      1848     2  0 21:31 ?        00:00:00 [cnic_wq]
root      1850     2  0 21:31 ?        00:00:00 [bnx2i_thread/0]
root      1855     2  0 21:31 ?        00:00:00 [bnx2i_thread/1]
root      1862     2  0 21:31 ?        00:00:00 [ib_addr]
root      1868     2  0 21:31 ?        00:00:00 [ib_mcast]
root      1870     2  0 21:31 ?        00:00:00 [iw_cm_wq]
root      1872     2  0 21:31 ?        00:00:00 [ib_cm]
root      1876     2  0 21:31 ?        00:00:00 [rdma_cm]
root      1893     1  0 21:31 ?        00:00:00 iscsiuio
root      1901     1  0 21:31 ?        00:00:00 iscsid
root      1902     1  0 21:31 ?        00:00:00 iscsid
root      2132     2  0 21:31 ?        00:00:00 [flush-253:0]
root      2198     1  0 21:31 ?        00:00:00 auditd
root      2200  2198  0 21:31 ?        00:00:00 /sbin/audispd
root      2230     1  0 21:31 ?        00:00:00 syslogd -m 0
root      2233     1  0 21:31 ?        00:00:00 klogd -x
rpc       2264     1  0 21:31 ?        00:00:00 portmap
root      2296     2  0 21:31 ?        00:00:00 [rpciod]
rpcuser   2303     1  0 21:31 ?        00:00:00 rpc.statd
root      2339     1  0 21:31 ?        00:00:00 rpc.idmapd
dbus      2369     1  0 21:31 ?        00:00:00 dbus-daemon --system
root      2405     1  0 21:31 ?        00:00:00 /usr/sbin/acpid
68        2430     1  0 21:31 ?        00:00:00 hald
root      2431  2430  0 21:31 ?        00:00:00 hald-runner
68        2440  2431  0 21:31 ?        00:00:00 hald-addon-keyboard: listening on /dev/input/event4
68        2443  2431  0 21:31 ?        00:00:00 hald-addon-keyboard: listening on /dev/input/event1
68        2446  2431  0 21:31 ?        00:00:00 hald-addon-keyboard: listening on /dev/input/event2
68        2452  2431  0 21:31 ?        00:00:00 hald-addon-keyboard: listening on /dev/input/event0
root      2492     1  0 21:31 ?        00:00:00 /usr/sbin/sshd
root      2510     1  0 21:31 ?        00:00:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
ntp       2526     1  0 21:31 ?        00:00:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
root      2569     1  0 21:31 ?        00:00:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --pid-file=/var/run/mysqld/mysqld.pid --basedir=/usr --user=mysql
mysql     2651  2569  0 21:31 ?        00:00:05 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --log-error=/var/log/mysqld.log --socket=/var/lib/mysql/mysql.sock
root      2704  2492  0 21:31 ?        00:00:00 sshd: root@notty 
cyrus     2824     1  0 21:32 ?        00:00:00 /usr/lib/cyrus-imapd/cyrus-master -d
root      2830  2704  0 21:32 ?        00:00:00 /usr/libexec/openssh/sftp-server
root      2854  2492  0 21:32 ?        00:00:00 sshd: root@pts/0 
cyrus     2879     1  0 21:32 ?        00:00:00 idled
cyrus     2918  2824  0 21:32 ?        00:00:00 imapd
cyrus     2919  2824  0 21:32 ?        00:00:00 imapd -s
cyrus     2920  2824  0 21:32 ?        00:00:00 pop3d
cyrus     2922  2824  0 21:32 ?        00:00:00 pop3d -s
cyrus     2923  2824  0 21:32 ?        00:00:00 lmtpd
root      2932     1  0 21:32 ?        00:00:00 /usr/libexec/postfix/master
postfix   2944  2932  0 21:32 ?        00:00:00 qmgr -l -t fifo -u
cyrus     2948  2824  0 21:32 ?        00:00:00 imapd
cyrus     2949  2824  0 21:32 ?        00:00:00 pop3d
root      2950     1  0 21:32 ?        00:00:00 /usr/sbin/httpd
cyrus     2962  2824  0 21:32 ?        00:00:00 imapd
cyrus     2963  2824  0 21:32 ?        00:00:00 imapd
cyrus     2964  2824  0 21:32 ?        00:00:00 imapd
cyrus     2965  2824  0 21:32 ?        00:00:00 pop3d
asterisk  2966  2950  0 21:32 ?        00:00:07 /usr/sbin/httpd
asterisk  2967  2950  0 21:32 ?        00:00:07 /usr/sbin/httpd
asterisk  2968  2950  0 21:32 ?        00:00:07 /usr/sbin/httpd
asterisk  2969  2950  0 21:32 ?        00:00:09 /usr/sbin/httpd
asterisk  2970  2950  0 21:32 ?        00:00:14 /usr/sbin/httpd
asterisk  2971  2950  0 21:32 ?        00:00:07 /usr/sbin/httpd
asterisk  2972  2950  0 21:32 ?        00:00:11 /usr/sbin/httpd
asterisk  2973  2950  0 21:32 ?        00:00:08 /usr/sbin/httpd
root      2984     1  0 21:32 ?        00:00:00 crond
xfs       3018     1  0 21:32 ?        00:00:00 xfs -droppriv -daemon
root      3036  2854  0 21:32 pts/0    00:00:00 -bash
asterisk  3071     1  0 21:32 ?        00:00:00 /usr/bin/php /opt/elastix/dialer/dialerd
asterisk  3084  3071  0 21:32 ?        00:00:03 /usr/bin/php /opt/elastix/dialer/dialerd
asterisk  3085  3084  0 21:32 ?        00:00:00 /usr/bin/php /opt/elastix/dialer/dialerd
root      3128     1  0 21:32 ?        00:00:00 /usr/bin/php /opt/elastix/elastix-updater/elxupdaterd
root      3144     1  0 21:32 ?        00:00:00 /usr/sbin/atd
root      3155  3128  0 21:32 ?        00:00:00 /usr/bin/php /opt/elastix/elastix-updater/elxupdaterd
uucp      3208     1  0 21:32 ?        00:00:00 /usr/sbin/faxq
uucp      3219     1  0 21:32 ?        00:00:00 /usr/sbin/hfaxd -i hylafax
root      3257     1  0 21:32 ?        00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root      3269  3257  0 21:32 ?        00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root      3270  3257  0 21:32 ?        00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root      3271  3257  0 21:32 ?        00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root      3272  3257  0 21:32 ?        00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
asterisk  3414     1  0 21:32 ?        00:00:02 /usr/bin/perl /var/www/html/admin/modules/fw_fop/op_server.pl
root      3440     1  0 21:32 tty1     00:00:00 /sbin/mingetty tty1
root      3441     1  0 21:32 tty2     00:00:00 /sbin/mingetty tty2
root      3442     1  0 21:32 tty3     00:00:00 /sbin/mingetty tty3
root      3443     1  0 21:32 tty4     00:00:00 /sbin/mingetty tty4
root      3444     1  0 21:32 tty5     00:00:00 /sbin/mingetty tty5
root      3445     1  0 21:32 tty6     00:00:00 /sbin/mingetty tty6
root      7405     1  0 23:09 ?        00:00:00 top                         
root      7408     1  0 23:09 ?        00:00:00 sh                         
root      7409     1  0 23:09 ?        00:00:00 pwd                         
root      7411     1  0 23:09 ?        00:00:00 sh                         
root      7412     1  0 23:09 ?        00:00:00 netstat -antop                         
root      7420     1  0 23:09 ?        00:00:00 ifconfig eth0                         
root      7423     1  0 23:09 ?        00:00:00 echo "find"                         
root      7425     1  0 23:09 ?        00:00:00 cd /etc                         
root      7426     1  0 23:09 ?        00:00:00 ls                         
root      7427     1  0 23:09 ?        00:00:00 netstat -antop                         
root      7428  3036  0 23:09 pts/0    00:00:00 ps -Af
asterisk 20962  3084  0 21:55 ?        00:00:00 [dialerd] <defunct>
asterisk 20966  3084  0 21:55 ?        00:00:00 [dialerd] <defunct>
asterisk 20967  3084  0 21:55 ?        00:00:00 [dialerd] <defunct>
asterisk 20968  3084  0 21:55 ?        00:00:00 [dialerd] <defunct>
root     30703  2492  0 22:31 ?        00:00:00 sshd: root@notty 
root     30730 30703  0 22:31 ?        00:00:00 /usr/libexec/openssh/sftp-server
Here is a Wireshark log

Here is the virus file link in the /usr/bin/ directory

Here is the content of the /etc/rc.d/init.d/file

Please note that zisxjpdzgj changes every time, as you can see.
Code:
#!/bin/sh
# chkconfig: 12345 90 90
# description: zisxjpdzgj
### BEGIN INIT INFO
# Provides:		zisxjpdzgj
# Required-Start:	
# Required-Stop:	
# Default-Start:	1 2 3 4 5
# Default-Stop:		
# Short-Description:	zisxjpdzgj
### END INIT INFO
case $1 in
start)
	/usr/bin/zisxjpdzgj
	;;
stop)
	;;
*)
	/usr/bin/zisxjpdzgj
	;;
esac
It starts again even if killed, after a reboot, or after blocking the IP using iptables.
It connects to port 3307 of the attacker, but the IP keeps changing.
My kernel is "kernel-lt-3.2.73-1.el5.elrepo.x86_64".
It deleted the /usr/sbin/asterisk file.



How can I find his backdoor and delete or stop it?
Thanks in advance.

Last edited by hamzagad; 02-05-2016 at 04:05 PM. Reason: added more details
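An added triage script, not code from the thread or from any tool named in it, that parses excerpts of the ps -Af, netstat -antop and init-script text posted above and flags the three signs visible there: a long-running process named after a one-shot utility (ls, top, sh ...) reparented to init, an outbound connection to a public address owned by such a process, and a SysV init script whose only action in every branch is to relaunch the same binary in /usr/bin. The sample inputs are constructed from the posted output (same PIDs, address and script name, trimmed to a few lines).

```python
import re
import ipaddress

# One-shot or interactive utilities: a copy of one of these sitting under
# PID 1 with minutes of CPU time is camouflage, not the real command.
TRANSIENT_UTILS = {"ls", "top", "sh", "pwd", "netstat", "ifconfig", "echo", "cd"}

# Constructed excerpts of the output pasted in the post above.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 21:30 ?        00:00:04 init [3]
root      1605     1 19 22:41 ?        00:05:19 ls
root      2492     1  0 21:31 ?        00:00:00 /usr/sbin/sshd
root      3036  2854  0 21:32 pts/0    00:00:00 -bash
root      7405     1  0 23:09 ?        00:00:00 top
root      7426     1  0 23:09 ?        00:00:00 ls
root      7428  3036  0 23:09 pts/0    00:00:00 ps -Af
"""
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name    Timer
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2492/sshd           off (0.00/0/0)
tcp        0      1 192.168.1.201:46453         103.240.140.152:3307        SYN_SENT    1605/ls             on (1.03/1/0)
tcp        0      0 192.168.1.201:22            192.168.1.77:64984          ESTABLISHED 2704/sshd           keepalive (279.94/0/0)
"""
SAMPLE_INIT = "#!/bin/sh\n# chkconfig: 12345 90 90\n# description: zisxjpdzgj\n" \
    "case $1 in\nstart)\n\t/usr/bin/zisxjpdzgj\n\t;;\nstop)\n\t;;\n" \
    "*)\n\t/usr/bin/zisxjpdzgj\n\t;;\nesac\n"


def parse_ps(text):
    """Turn ``ps -Af`` lines into dicts: uid, pid, ppid, cputime, cmd."""
    procs = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 7)             # CMD may contain spaces
        if len(parts) < 8:
            continue
        uid, pid, ppid, _c, _stime, _tty, cputime, cmd = parts
        procs.append({"uid": uid, "pid": int(pid), "ppid": int(ppid),
                      "cputime": cputime, "cmd": cmd.strip()})
    return procs


def orphaned_utilities(procs):
    """PIDs whose command looks like a transient utility but whose parent is init."""
    hits = []
    for p in procs:
        name = p["cmd"].split()[0].rsplit("/", 1)[-1]
        if p["ppid"] == 1 and name in TRANSIENT_UTILS:
            hits.append(p["pid"])
    return hits


NETSTAT_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)/(\S+)")


def parse_netstat(text):
    """Parse the TCP rows of ``netstat -antop`` into dicts (UDP rows have no state)."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid, prog = m.groups()
        fhost, _, fport = foreign.rpartition(":")
        conns.append({"proto": proto, "local": local, "foreign_host": fhost,
                      "foreign_port": fport, "state": state,
                      "pid": int(pid), "prog": prog})
    return conns


def suspicious_outbound(conns, procs):
    """Non-listening sockets to public addresses owned by a flagged process."""
    flagged = set(orphaned_utilities(procs))
    out = []
    for c in conns:
        if c["state"] == "LISTEN" or c["pid"] not in flagged:
            continue
        try:
            external = ipaddress.ip_address(c["foreign_host"]).is_global
        except ValueError:
            external = True                     # a hostname: treat as external
        if external:
            out.append((c["pid"], c["prog"], c["foreign_host"], c["foreign_port"]))
    return out


INIT_EXEC_RE = re.compile(r"^\s*(/usr/bin/\S+)\s*$", re.M)


def init_script_relaunches(text):
    """Return the binary an init script exists only to relaunch, else None.

    Pattern from the post: every branch, including the catch-all ``*)``, runs
    the same /usr/bin binary and the ``stop)`` branch does nothing.
    """
    execs = INIT_EXEC_RE.findall(text)
    if not execs or len(set(execs)) != 1:
        return None
    stop = re.search(r"stop\)\s*(.*?);;", text, re.S)
    stop_is_empty = stop is not None and not stop.group(1).strip()
    catch_all = re.search(r"^\*\)\s*\n\s*" + re.escape(execs[0]), text, re.M)
    return execs[0] if stop_is_empty and catch_all else None
```

Run against a live box, feed it the real outputs of the three commands; a hit on all three checks is the point at which the machine should be taken off the network, not cleaned in place.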
 
Old 02-05-2016, 04:41 PM   #2
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Have you run rkhunter?

Are you familiar with it?
 
Old 02-06-2016, 02:52 AM   #3
hamzagad
LQ Newbie
 
Registered: Feb 2016
Location: cairo
Distribution: CentOS 5.10
Posts: 8

Original Poster
Rep: Reputation: 0
Yes I did; it gives a warning at: Checking for enabled xinetd services
and here is the final result
Code:
File properties checks...
    Required commands check failed
    Files checked: 133
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 312
    Possible rootkits: 0
Here is the full log file

Thanks for your help
 
Old 02-06-2016, 05:59 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by hamzagad
I am not that expert in linux, My CentOS 5.10 "elastix 2.5" server hacked. The hacker uses my server to attack another servers so i want to stop him. (..) Here is the virus file link in /usr/bin/ directory (..) /etc/rc.d/init.d/file started even if killed, rebooted, blocked the ip using iptables. (..) How can i find his backdoor and delete or stop it?
Unfortunately for you, CentOS 5.11 was released in December 2014. This means you have not kept the OS up to date as you should have, which in turn means you failed to secure against BASH, OpenSSL and other vulnerabilities that have been and are actively exploited In The Wild. On top of that Elastix 2.5 shows a 2015 SQL injection vulnerability as well, meaning I seriously question what else may be wrong with your machine.

As for the symptoms: behaviour like the changing process name, the use of a SysV init script, continuation-on-delete, etc, etc all point to the BillGates botnet (haven't got the malwaremustdie.org link at the ready so here's another one: https://securelist.com/analysis/publ...jan-for-linux/). (RKH CVS comes with an imperfect, experimental ClamAV sig rkhunter/files/signatures/RKH_BillGates.ldb BTW.) Dropping files in root owned directories like /usr/bin and /etc/rc.d tells you just that: the perp needs root privileges to be able to do that. Meaning there is no way you will "fix", "clean up" or "correct" this situation.

What's more is that BillGates botnet is used to harm other Netizens. So until you isolate the machine from the network you are a hazard to others. Please act now.

What to do? Inform users the machine was compromised and have them revoke any credentials and private keys used. Use CentOS 6 current, do a clean install (do not use a backup to "restore" anything that is not human readable and inspected) and then harden properly first before adding services and allowing public access.
 
Old 02-06-2016, 06:17 AM   #5
hamzagad
LQ Newbie
 
Registered: Feb 2016
Location: cairo
Distribution: CentOS 5.10
Posts: 8

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn
what else may be wrong with your machine.
I will reinstall from scratch.

Thank you unSpawn
 
Old 02-06-2016, 06:24 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Should you have any questions on what to secure and how, please first read the CentOS or Red Hat Admin Guide security section and afterwards ask questions, OK? Good luck!
 
Old 02-06-2016, 06:34 AM   #7
hamzagad
LQ Newbie
 
Registered: Feb 2016
Location: cairo
Distribution: CentOS 5.10
Posts: 8

Original Poster
Rep: Reputation: 0
I will install fail2ban and change the ports of SSH and HTTPS.
I will also fix the vulnerabilities by updating, making the passwords more complex, and will try activating geo iptables.

I think this mix will be enough.

Thanks for the declaration, and I wish you the best.
 
Old 02-06-2016, 09:36 AM   #8
JockVSJock
Senior Member
 
Registered: Jan 2004
Posts: 1,420
Blog Entries: 4

Rep: Reputation: 164
I'm wondering why you didn't pull this server off of the network and then conduct your analysis?

I believe Kali has tools that can create a snapshot of memory and allow you to troubleshoot from there.
 
Old 02-06-2016, 11:43 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by hamzagad
I think this mix will be enough.
It's part of what you should do but it isn't the order in which you should do things. Changing SSH and HTTPS ports does not make sense. I do hope you actually took the time to read the CentOS Admin Guide?
 
Old 02-06-2016, 11:46 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by JockVSJock
I'm wondering why you didn't pull this server off of the network and then conduct your analysis?
In all the years I've been doing incident handling I may have met a person once or twice who had already offlined a machine. Unfortunately new Linux users as well as seasoned admins (yes) tend to make newbie mistakes when confronted with a breach of security.


Quote:
Originally Posted by JockVSJock
I believe Kali has tools that can create a snapshot of memory and allow you to troubleshoot from there.
That's nice but it isn't the first thing to do and you don't need Kali or Volatility to do it.
 
Old 02-06-2016, 12:03 PM   #11
JockVSJock
Senior Member
 
Registered: Jan 2004
Posts: 1,420
Blog Entries: 4

Rep: Reputation: 164
Quote:
Originally Posted by unSpawn

That's nice but it isn't the first thing to do and you don't need Kali or Volatility to do it.
In the forensics I've done in the past, the first thing I did was pull the CAT5 out of the NIC and capture what was running in RAM.

What then is your recommendation?
 
1 members found this post helpful.
Old 02-06-2016, 12:41 PM   #12
hamzagad
LQ Newbie
 
Registered: Feb 2016
Location: cairo
Distribution: CentOS 5.10
Posts: 8

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by JockVSJock View Post
I'm wondering why you didn't pull this server off of the network and then conduct your analysis?

I believe Kali has tools that can create a snapshot of memory and allow to troubleshoot from there.
My level of knowledge about Linux is not enough to perform this analysis.
 
Old 02-06-2016, 12:44 PM   #13
hamzagad
LQ Newbie
 
Registered: Feb 2016
Location: cairo
Distribution: CentOS 5.10
Posts: 8

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn View Post
It's part of what you should do but it isn't the order in which you should do things. Changing SSH and HTTPS ports does not make sense. I do hope you actually took the time to read the CentOS Admin Guide?
Will read it of course, and these actions are just the beginning.

Thanks for your attention again.
 
Old 02-06-2016, 07:17 PM   #14
JockVSJock
Senior Member
 
Registered: Jan 2004
Posts: 1,420
Blog Entries: 4

Rep: Reputation: 164
Quote:
Originally Posted by hamzagad View Post
My level of knowledge about Linux is not enough to perform this analysis.
I'm sure there are tutorials online that could help. You just have to be willing to roll up your sleeves, make some mistakes and learn from them.

That's why we are all here, to learn.
 
1 members found this post helpful.
Old 02-10-2016, 01:01 AM   #15
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by JockVSJock View Post
In the forensics I've done in the past, the first thing I did was pull the CAT5 out of the NIC and capture what was running in RAM.

What then is your recommendation?
In the field, compliance, approved lawful seizure, uncertainty, speed and such may make a forensic investigator decide otherwise, but I think this case (even though that's mainly due to the OP being able to present an accurate description of anomalous behaviour) illustrates there is no need for disproportionate acquisition of evidence. Another thing is that it won't be you who will be performing acquisition but a user, at best an admin, without formal training let alone practical experience. Last, I do not agree you can fob off such a task onto clueless users saying
Quote:
I'm sure there are tutorials online that could help.
That's not what we're here for, that's not how I want to see incident handling done in this forum and that's not how we've done things the past decade and a half.

Now, most of the cases we've handled here have external infection vectors, meaning "the usual" applies: exploiting a weakness, elevating privileges, dropping payloads. Meaning changed DAC, MAC times and obviously anomalous entities provide a good starting point. Not saying there is a simple answer. In the past I started by posting a list of things to do (I'm sorry but you'll have to search older threads for it until I repost) and, equally important, asking questions.
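A defender-side triage sketch of the "anomalous entities and MAC times" starting point above, added here as an example and not code from any poster in this thread: it flags live processes whose argv[0] (what netstat -p prints) disagrees with the binary behind /proc/PID/exe, whose binary was unlinked from disk, or whose binary lives outside the usual install directories, and lists files whose ctime changed after a cutoff. The SYSTEM_PREFIXES list and the "binary outside system paths" heuristic are assumptions; run it as root for full /proc visibility.

```python
import os
from pathlib import Path
SYSTEM_PREFIXES = ("/bin/", "/sbin/", "/usr/", "/lib", "/opt/")  # assumed legit install dirs

def classify_process(comm, exe_link, cmdline):
    """Return the reasons a process looks anomalous ([] if none).
    comm: /proc/PID/comm; exe_link: readlink(/proc/PID/exe), which ends in
    ' (deleted)' for an unlinked binary; cmdline: /proc/PID/cmdline, NULs as spaces."""
    reasons = []
    deleted = exe_link.endswith(" (deleted)")
    exe_path = exe_link[: -len(" (deleted)")] if deleted else exe_link
    exe_base = os.path.basename(exe_path)
    if deleted:
        reasons.append("binary unlinked after start; it now exists only in memory")
    if exe_path and not exe_path.startswith(SYSTEM_PREFIXES):
        reasons.append("binary outside system paths: " + exe_path)
    argv = cmdline.split()
    argv0 = os.path.basename(argv[0]) if argv else ""
    # netstat -p prints argv[0], which a program chooses freely; /proc/PID/exe names the
    # file really executed. Interpreters give benign mismatches, so a hit is a lead, not proof.
    if argv0 and exe_base and argv0 != exe_base:
        reasons.append(f"argv0 {argv0!r} != exe {exe_base!r} (comm={comm!r})")
    return reasons

def scan_proc(proc="/proc"):
    """Yield (pid, reasons) for each live process with at least one reason."""
    for entry in filter(str.isdigit, os.listdir(proc)):
        base = os.path.join(proc, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace")
        except OSError:
            continue  # kernel thread, already exited, or not visible (run as root)
        reasons = classify_process(comm, exe, cmdline)
        if reasons:
            yield int(entry), reasons

def recently_changed(root, since_epoch):
    """Paths under root whose ctime >= since_epoch; ctime, unlike mtime, resists touch(1)."""
    hits = []
    for p in Path(root).rglob("*"):
        try:
            if p.lstat().st_ctime >= since_epoch:
                hits.append(str(p))
        except OSError:
            continue
    return sorted(hits)
```

Typical use is `for pid, why in scan_proc(): print(pid, why)` followed by `recently_changed("/etc", time.time() - 7 * 86400)`, then checking each hit against the package database before drawing conclusions.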