Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
My Linux Server got hacked and a bot got installed on it. So far, I have removed every nginx process and file from my server and I am blocking all of the ports except 80 and a randomly chosen port for SSH. Is anybody familiar with this, and does anybody know of other things that I can do to remove this and figure out if it is still running?
An IP hosted on your server, *##.##.###.##*, has been blacklisted by Spamhaus (http://www.spamhaus.org/sbl/query/SBL187854). Unfortunately, because this is a violation of our AUP, and because the listing is negatively affecting other customers the listing must be immediately removed.
Please ensure that this listing has been removed by *Wednesday, June 19th*. Failure to remove this listing may result in the suspension of your server. Please update this ticket as soon as the listing has been removed.
##.##.###.##/32 is listed on the Spamhaus Block List - SBL
2013-06-15 20:16:59 GMT | SR32 | rackspace.com
Asprox botnet controller @##.##.###.## [compromised webserver]
The host at this IP address has been compromised by cybercriminals who have installed a malicious nginx-daemon at ##.##.###.##2 on port 8080 TCP. This nginx daemon is acting as a malware botnet controller, used to control computers infected with a spambot called "Asprox".
Asprox botnet controller located here:
AS number: AS19994
AS name: RACKSPACE - Rackspace Hosting
To get this issue resolved, the malicious nginx daemon needs to be removed from this host. In addition, additional steps need to be taken to secure the system and ensure that it doesn't get compromised again (further instructions below).
Attention: The host at this IP address seems to be compromised/hijacked. Before you ask for removal of this listing, please ensure that:
1) All malicious files/processes have been removed/terminated
2) The password of the responsible user/FTP account has been changed (if you don't do this the issue will likely re-appear)
3) The customer's personal computer has been scanned with up-to-date Anti-Virus Software
4) All system software (IIS, Apache, PHP, Perl etc) is up to date
5) Any installed Content Management Software (CMS, like Wordpress, Joomla, Typo3 etc) as well as all installed 3rd party plugins are up to date
In addition, please ensure that you have secured your SSH access by hardening the SSH daemon and changing the password. A short guide on how to secure SSH can be found here:
Please consider that if you ignore the steps described above the issue will most likely re-appear and the IP address will get re-listed on Spamhaus SBL! Simply deleting the malicious file / process will *NOT* solve this issue!
Last edited by unSpawn; 06-17-2013 at 07:03 PM.
Reason: //Add vBB code tags
Typically, if your server gets hacked, get whatever specific data you need, then format and reinstall the OS from scratch and lock it down with a proper implementation of both IPTables and SELinux, along with proper permissions and an sshd.conf that never allows root to log in via ssh. Lock it down as tight as you can.
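Spelling out the "lock it down" part of that reply, here is an added example that is not code from the thread: it prints a default-deny iptables rule set that keeps only 80/tcp and the chosen SSH port open (the setup the OP describes) and rewrites a copy of sshd_config so root cannot log in over SSH. The port 2222 and the sample sshd_config lines are constructed placeholders; the file is called sshd_config here because that is OpenSSH's actual name for it.

```bash
#!/bin/bash
# Added example, not from the thread. Assumes iptables and OpenSSH.
# The SSH port below is a placeholder; substitute the one you chose.
set -u

# firewall_rules SSH_PORT: emit the iptables commands for a default-deny
# INPUT policy that only admits 80/tcp and the chosen SSH port. They are
# printed rather than executed so they can be reviewed first; the DROP
# policy is set last so an interrupted run cannot lock you out.
firewall_rules() {
    local ssh_port=$1
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport $ssh_port -j ACCEPT
iptables -P INPUT DROP
EOF
}

# harden_sshd_config FILE SSH_PORT: rewrite FILE in place so that Port and
# PermitRootLogin are set once, at the top. sshd uses the first value it
# sees for a keyword, and neither directive is allowed inside a Match
# block, so the hardened lines go first and every other occurrence
# (active or commented out) is dropped. Validate with `sshd -t` afterwards.
harden_sshd_config() {
    local file=$1 ssh_port=$2
    {
        printf 'Port %s\nPermitRootLogin no\n' "$ssh_port"
        grep -Ev '^[[:space:]]*#?[[:space:]]*(Port|PermitRootLogin)[[:space:]]' "$file" || true
    } > "$file.tmp"
    mv "$file.tmp" "$file"
}

# sshd_setting FILE KEY: print the value sshd would use for KEY (first match wins).
sshd_setting() {
    awk -v k="$2" 'tolower($1)==tolower(k){print $2; exit}' "$1"
}

# Stand-alone run on a constructed sshd_config (real use: /etc/ssh/sshd_config)
SAMPLE_SSHD=$(mktemp)
printf '#Port 22\nPermitRootLogin yes\nX11Forwarding no\n' > "$SAMPLE_SSHD"
harden_sshd_config "$SAMPLE_SSHD" 2222
echo "PermitRootLogin is now: $(sshd_setting "$SAMPLE_SSHD" PermitRootLogin)"
firewall_rules 2222
```

Apply the rules from a console session, not over SSH, until the SSH port rule is confirmed working, and persist them with your distribution's iptables-save mechanism or they vanish at the next reboot.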
Typically, if your server gets hacked, get whatever specific data you need, then format and reinstall the OS from scratch
Typically when a server gets compromised one should first mitigate, then investigate, then reinstall and harden. Mitigation keeps contamination from spreading and investigation shows the point(s) of entry. Without proper investigation the OP learns nothing and the loophole may well be exposed again.
My Linux Server got hacked and a bot got installed on it.
- When did this happen?
- What's the distribution and release version?
- Was system software kept up to date?
- What services are / were exposed?
- What software did you run on your web server and was it kept up to date?
Originally Posted by AdamCox9
So far, I have removed every nginx process and file from my server
Deleting files seems to be a natural reflex for new and seasoned admins alike. Unfortunately this only aids the cracker by covering up and hampering any investigation. Preserving files by creating a backup before deleting them ensures evidence is available should you or somebody else wish to investigate the situation. Without investigation you will remain clueless as to how the cracker got in. Should you still have user shell history, login records, system and daemon log files (including archived ones), crontabs and other (recently?) modified files available, then I suggest you copy them to another machine and run Logwatch on them. Should you have made a backup of files, then I'm always interested.
Originally Posted by AdamCox9
and I am blocking all of the ports accept 80 and a randomly chosen port for SSH. Is anybody familiar with this and know of other things that I can do to remove this and figure out if it is still running?
Thank you for sharing the snippets of the code executed by the hackers to install the nginx proxy.
Based on the scripts:
1) remove the nginx from /etc/rc.local to prevent restart of it with next reboot
2) backup+remove /opt/nginx-1.2.6.tar.gz /opt/nginx-1.2.6
3) backup+remove /usr/sbin/nginx /etc/nginx/nginx.conf /var/run/nginx.pid /var/log/nginx/error.log /var/log/nginx/access.log /etc/nginx
I believe the crucial points to prevent re-infection in your case are:
1) change root password
2) thoroughly check the machines where the root password was used - there is a high chance that a keylogger is installed there
I would be happy if you can share any other info/logs regarding Asprox on email <rebus (at) seznam.cz>
---------- Post added 07-11-13 at 02:43 PM ----------
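Taking unSpawn's point about preserving before deleting together with rebus's list of paths, here is an added example that is not code from the thread. It archives the artifacts named above (shell history, login records, logs including rotated ones, crontabs, rc.local, the nginx drop locations) with a sha256 manifest, then reports which of the persistence points from rebus's list are still present; cron entries mentioning nginx are an addition of mine, not something the thread reports. The sample root it builds is constructed so the script runs stand-alone; on the real host point it at / or at a mounted copy of the disk.

```bash
#!/bin/bash
# Added example, not code from the thread. Paths are relative to ROOT, which
# is / on the live host or a mounted image of it (the latter leaves the
# original untouched while you work).
set -u

# Artifacts unSpawn asks to keep, plus the nginx locations rebus lists.
EVIDENCE_PATHS="
root/.bash_history
var/log
var/spool/cron
etc/cron.d
etc/crontab
etc/rc.local
etc/nginx
usr/sbin/nginx
opt/nginx-1.2.6
opt/nginx-1.2.6.tar.gz
var/run/nginx.pid
"

# preserve_evidence ROOT DEST: tar every artifact that exists under ROOT into
# DEST/evidence.tar with a sha256 manifest and a UTC timestamp, so the copy
# can be verified later. Returns 1 if nothing was found to preserve.
preserve_evidence() {
    local root=$1 dest=$2 existing="" p
    mkdir -p "$dest"
    for p in $EVIDENCE_PATHS; do
        if [ -e "$root/$p" ]; then existing="$existing $p"; fi
    done
    if [ -z "$existing" ]; then return 1; fi
    # -C keeps the paths relative, so unpacking the archive never writes over /
    tar -C "$root" -cf "$dest/evidence.tar" $existing
    (cd "$root" && find $existing -type f -exec sha256sum {} \;) > "$dest/manifest.sha256"
    date -u +%Y-%m-%dT%H:%M:%SZ > "$dest/collected_at"
    echo "$dest/evidence.tar"
}

# find_persistence ROOT: one line per restart hook or dropped file from the
# thread (the rc.local entry, the nginx paths) and, beyond the thread, any
# cron entry mentioning nginx. Returns 0 if something was found, 1 if clean.
find_persistence() {
    local root=$1 found=0 p c
    if [ -f "$root/etc/rc.local" ] && grep -q nginx "$root/etc/rc.local"; then
        echo "rc.local: $(grep nginx "$root/etc/rc.local")"
        found=1
    fi
    for p in opt/nginx-1.2.6.tar.gz opt/nginx-1.2.6 usr/sbin/nginx \
             etc/nginx/nginx.conf var/run/nginx.pid etc/nginx; do
        if [ -e "$root/$p" ]; then echo "present: /$p"; found=1; fi
    done
    for c in "$root"/var/spool/cron/* "$root"/etc/cron.d/* "$root/etc/crontab"; do
        if [ -f "$c" ] && grep -q nginx "$c"; then echo "cron: $c"; found=1; fi
    done
    [ "$found" -eq 1 ]
}

# still_running: the OP's "is it still running?" check, for the live host only
# (not exercised below): any nginx process, or a listener on 8080/tcp, the
# port Spamhaus named.
still_running() {
    pgrep -a nginx
    ss -ltnp 2>/dev/null | grep ':8080 '
}

# Constructed sample root so the functions can be run stand-alone.
build_sample_root() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/etc/nginx" "$root/opt" "$root/var/log" "$root/var/spool/cron" \
             "$root/usr/sbin" "$root/root"
    printf '#!/bin/sh\n/usr/sbin/nginx -c /etc/nginx/nginx.conf\nexit 0\n' > "$root/etc/rc.local"
    printf 'worker_processes 1;\n' > "$root/etc/nginx/nginx.conf"
    printf 'placeholder, not a real binary\n' > "$root/usr/sbin/nginx"
    printf 'cd /opt\ntar xzf nginx-1.2.6.tar.gz\n' > "$root/root/.bash_history"
    printf 'Jun 15 20:16:59 host sshd[1]: Accepted password for root from 203.0.113.5\n' \
        > "$root/var/log/auth.log"
    echo "$root"
}

# Stand-alone run against the constructed root
SAMPLE_ROOT=$(build_sample_root)
EVIDENCE_DIR=$(mktemp -d)
preserve_evidence "$SAMPLE_ROOT" "$EVIDENCE_DIR"
find_persistence "$SAMPLE_ROOT"
```

Run preserve_evidence first and copy the archive plus manifest off the host before anything is removed; the manifest lets a later reviewer confirm the copy was not altered, and the archived rc.local and shell history are usually where the installation steps show up.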