IRCD while doing netstat... after being hacked. Need help. = *(
Linux - Security
A couple of days ago I discovered a hacker had installed pscan2 on my web server. I found the files and deleted them, then ran chkrootkit and everything seemed to be fine.
I've been paying pretty close attention to the webserver lately, and today, to my surprise, while running netstat I found the following connections:
Code:
tcp 0 0 internal:http cpe-74-66-2-136.n:52224 ESTABLISHED
tcp 0 0 internal:http cpe-74-66-2-136.n:52227 ESTABLISHED
tcp 0 0 internal:50462 mesa.az.us.underne:ircd TIME_WAIT
tcp 0 0 internal:http cpe-74-66-2-136.n:52130 TIME_WAIT
tcp 0 0 internal:44830 quakenet2.underwor:ircd ESTABLISHED
tcp 0 0 internal:http crawl-66-249-71-1:48998 ESTABLISHED
tcp 0 0 internal:44846 83.140.172.212:ircd ESTABLISHED
tcp 0 0 internal:http cpe-74-66-2-136.n:52212 TIME_WAIT
tcp 0 0 internal:http cpe-74-66-2-136.n:52215 TIME_WAIT
tcp 0 0 web.xxxxxxxxx:ssh 172.16.38.141:1954 ESTABLISHED
tcp 0 132 web.xxxxxxxx:ssh 172.16.38.141:21934 ESTABLISHED
tcp 0 0 internal:http cpe-74-66-2-136.n:52166 TIME_WAIT
tcp 0 2747 internal:http us-nj-smtpgw2-1.p:16867 ESTABLISHED
tcp 0 0 internal:38795 efnet.as6453.net:6665 ESTABLISHED
tcp 0 0 internal:50472 195.144.12.5:6669 ESTABLISHED
tcp 0 0 internal:34479 efnet.as6453.net:6665 ESTABLISHED
tcp 0 1 web.xxxxxxxxx:50465 mesa.az.us.underne:ircd SYN_SENT
tcp 0 1 web.xxxxxxx:50466 zagreb.hr.eu.under:9999 SYN_SENT
tcp 0 0 internal:44938 efnet.as6453.net:ircd ESTABLISHED
tcp 0 1 web.xxxxxxx:50467 irc2.saunalahti.fi:6669 SYN_SENT
As you can see there are a couple of ircd connections going on there. To my knowledge my server has been acting pretty normal lately and I do not see any processes running that should not be running.
But now if I run netstat --inet -ape I get something very scary.
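The quickest way to see what the output above is telling you is to parse it and pull out every row where the server is the client side of an IRC connection (remote port ircd, 6665-6669 or 9999, local port an ephemeral port rather than http or ssh). The script below is an added example, not code from the original post; it feeds the poster's own netstat rows through such a parser, and also accepts the nine-column `netstat --inet -ape` form so the User and PID/Program columns can be attached to each flagged connection. The `-ape` sample rows, the user "root", the PID "4321" and the program name "bot" in it are constructed for the example; port 7000 in the IRC port list is an assumption, the other ports come from the output above.

```python
"""Flag outbound IRC connections in netstat output (added example, not from the thread)."""
import re
from collections import defaultdict

# IRC ports/services as they appear in the thread's output: "ircd" (6667 in
# /etc/services), 6665-6669 and 9999. 7000 is an extra assumption.
IRC_PORTS = {"ircd", "6665", "6666", "6667", "6668", "6669", "7000", "9999"}

# Services this host is supposed to serve (assumption: the thread says
# "pretty much just http and ssh" were exposed).
EXPECTED_LOCAL = {"http", "https", "ssh"}

# TCP State column: ESTABLISHED, TIME_WAIT, SYN_SENT, LISTEN, ...
STATE_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")


def split_addr(addr):
    """'host:port' -> (host, port); the port may be a /etc/services name."""
    host, _, port = addr.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per tcp/udp row; headers and unparsable lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue
        rest = f[5:]
        state = None
        # udp rows have an empty State column, so the next field may be User.
        if rest and STATE_RE.match(rest[0]):
            state, rest = rest[0], rest[1:]
        user = inode = pid_prog = None
        if len(rest) >= 3:          # -e adds User and Inode, -p adds PID/Program
            user, inode, pid_prog = rest[:3]
        lhost, lport = split_addr(f[3])
        rhost, rport = split_addr(f[4])
        rows.append({"proto": f[0], "recvq": int(f[1]), "sendq": int(f[2]),
                     "lhost": lhost, "lport": lport, "rhost": rhost, "rport": rport,
                     "state": state, "user": user, "inode": inode, "pid_prog": pid_prog})
    return rows


def flag_irc(rows):
    """Rows where this host is the *client* of an IRC server: remote port is an
    IRC port and the local port is not one of the services we serve."""
    return [r for r in rows if r["rport"] in IRC_PORTS and r["lport"] not in EXPECTED_LOCAL]


def summarize(flagged):
    """Per remote IRC host: connection states seen and the owning (user, PID/program),
    the latter only when the output came from netstat -ape."""
    out = defaultdict(lambda: {"states": set(), "owners": set()})
    for r in flagged:
        out[r["rhost"]]["states"].add(r["state"])
        if r["pid_prog"]:
            out[r["rhost"]]["owners"].add((r["user"], r["pid_prog"]))
    return dict(out)


# The rows the poster pasted above (netstat --inet -a style, no User/PID columns).
SAMPLE = """\
tcp 0 0 internal:http cpe-74-66-2-136.n:52224 ESTABLISHED
tcp 0 0 internal:http cpe-74-66-2-136.n:52227 ESTABLISHED
tcp 0 0 internal:50462 mesa.az.us.underne:ircd TIME_WAIT
tcp 0 0 internal:http cpe-74-66-2-136.n:52130 TIME_WAIT
tcp 0 0 internal:44830 quakenet2.underwor:ircd ESTABLISHED
tcp 0 0 internal:http crawl-66-249-71-1:48998 ESTABLISHED
tcp 0 0 internal:44846 83.140.172.212:ircd ESTABLISHED
tcp 0 0 internal:http cpe-74-66-2-136.n:52212 TIME_WAIT
tcp 0 0 internal:http cpe-74-66-2-136.n:52215 TIME_WAIT
tcp 0 0 web.xxxxxxxxx:ssh 172.16.38.141:1954 ESTABLISHED
tcp 0 132 web.xxxxxxxx:ssh 172.16.38.141:21934 ESTABLISHED
tcp 0 0 internal:http cpe-74-66-2-136.n:52166 TIME_WAIT
tcp 0 2747 internal:http us-nj-smtpgw2-1.p:16867 ESTABLISHED
tcp 0 0 internal:38795 efnet.as6453.net:6665 ESTABLISHED
tcp 0 0 internal:50472 195.144.12.5:6669 ESTABLISHED
tcp 0 0 internal:34479 efnet.as6453.net:6665 ESTABLISHED
tcp 0 1 web.xxxxxxxxx:50465 mesa.az.us.underne:ircd SYN_SENT
tcp 0 1 web.xxxxxxx:50466 zagreb.hr.eu.under:9999 SYN_SENT
tcp 0 0 internal:44938 efnet.as6453.net:ircd ESTABLISHED
tcp 0 1 web.xxxxxxx:50467 irc2.saunalahti.fi:6669 SYN_SENT
"""

# Constructed rows in netstat --inet -ape form (User, Inode, PID/Program columns).
# The user "root", inode numbers, PID 4321 and program name "bot" are hypothetical.
CONSTRUCTED_APE = """\
tcp 0 0 internal:44830 quakenet2.underwor:ircd ESTABLISHED root 12345 4321/bot
udp 0 0 internal:32768 *:* root 12346 4321/bot
"""

if __name__ == "__main__":
    for host, info in sorted(summarize(flag_irc(parse_netstat(SAMPLE))).items()):
        print(f"{host}: {sorted(info['states'])}")
```

Run against the pasted rows it reports seven distinct IRC hosts, three of them with connections still in SYN_SENT, which means the process is actively trying to (re)connect right now rather than merely holding a stale session; with `-ape` output the owners set tells you which PID to inspect next (`ls -l /proc/PID/exe` and `/proc/PID/cwd` show where the binary lives, even if it has since been deleted).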
First unplug your system; it's probably clearly been compromised. Then go scan the Security forum for tips on what to do next, as these types of questions are asked all the time. But your machine is most likely untrustworthy. The longer it's still on the net, the more damage it can do.
Thank you for moving the thread and sorry for posting it in the wrong forum.
Anyway, so I have looked at the processes behind these tcp/udp connections and they seem to have started a week ago when I had the "cracker" intrusion. That means the cracker, to the best of my knowledge, has not started new processes since the intrusion.
Apparently I did get rid of the problem, but there were still some extraneous processes he seems to have started. I have been checking my logs by the minute and I did see an attempt from him to come back on November 17th, but he was unsuccessful as I had changed his password and deleted the account he used to get in, which was some sort of test account I had on my system.
That said, I have also traced the cracker and found a couple of his servers, including a web server where he stores a bunch of tools and even some incriminating log files. I am about to report this to the FBI as I saw he is a scammer and had a PayPal phishing file amongst a lot more incriminating information.
Any advice? It's my first time dealing with something like this. By the way, I have an exact snapshot of my server from right after he made his attack.
Is the web server for personal use, or used by your employer?
Is there personal information on it?
Do you need to collect evidence in a forensically sound manner for court, or do you just want to get it up and running again?
What services were exposed to the internet?
Were you keeping it patched or not using a strong password?
What have you done so far since detecting it?
-It is owned by my employer.
-Luckily no personal information is stored in the server.
-The server is actually up and running and seems to be fine now. I have no interest in going to court about this but I do want to report his hideout to the feds as he seems to have a criminal record in the USA, or so it says on one of the chat logs I found in the server he uses to store his tools.
-What services were exposed? Well, pretty much just http and ssh.
-He was able to log in by guessing a password for a test account... I think it might have been the work of a worm.
-Since detecting it I have cleaned up my servers, got rid of the account he created and the account with the weak password, and got rid of an invisible directory he created with a couple of tools to scan the web. I found out about the compromise because I was getting huge traffic logs, and it turned out he had been scanning the internet for more computers with weak ssh passwords.
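The entry route described in this post (a weak password on a test account guessed over ssh, most likely by an automated scanner) leaves a characteristic trace in the sshd auth log: a run of "Failed password" lines from one source, often cycling through usernames, followed by an "Accepted password" from the same source. The script below is an added example, not code from the original thread; it parses standard OpenSSH syslog lines and reports sources that logged in successfully only after a burst of failures, as well as sources that just hammered the server. All the log lines are constructed for the example (RFC 5737 documentation addresses, hypothetical host name "srv", PIDs and usernames).

```python
"""Spot a guessed SSH password in sshd auth log lines (added example, not from the thread)."""
import re
from collections import defaultdict

# Matches OpenSSH's "Accepted/Failed <method> for [invalid user] <user> from <ip> port <port>".
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

# Constructed sample log: one scanner guesses the "test" account after five tries,
# one hammers root without success, one legitimate key-based login.
CONSTRUCTED_LOG = """\
Nov 10 03:12:01 srv sshd[2113]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Nov 10 03:12:03 srv sshd[2115]: Failed password for test from 203.0.113.7 port 40130 ssh2
Nov 10 03:12:05 srv sshd[2117]: Failed password for invalid user oracle from 203.0.113.7 port 40141 ssh2
Nov 10 03:12:08 srv sshd[2119]: Failed password for test from 203.0.113.7 port 40152 ssh2
Nov 10 03:12:11 srv sshd[2121]: Failed password for test from 203.0.113.7 port 40160 ssh2
Nov 10 03:12:14 srv sshd[2123]: Accepted password for test from 203.0.113.7 port 40171 ssh2
Nov 10 03:15:02 srv sshd[2130]: Failed password for root from 198.51.100.9 port 51000 ssh2
Nov 10 03:15:04 srv sshd[2132]: Failed password for root from 198.51.100.9 port 51003 ssh2
Nov 10 03:15:06 srv sshd[2134]: Failed password for root from 198.51.100.9 port 51007 ssh2
Nov 10 03:20:00 srv sshd[2140]: Accepted publickey for deploy from 192.0.2.5 port 44000 ssh2
Nov 10 03:21:00 srv sshd[2142]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
"""


def parse_auth(text):
    """Return one dict (result, method, user, ip, port) per matching line, in log order."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_guessed_logins(events, min_failures=3):
    """Accepted logins from a source that had at least min_failures failures before it.

    Order matters: a success that precedes the failures is not counted, which is
    why this walks the events in log order instead of just counting."""
    failures = defaultdict(int)
    tried = defaultdict(set)
    hits = {}
    for e in events:
        ip = e["ip"]
        if e["result"] == "Failed":
            failures[ip] += 1
            tried[ip].add(e["user"])
        elif failures[ip] >= min_failures:
            hits[ip] = {"user": e["user"], "method": e["method"],
                        "failures_before": failures[ip],
                        "users_tried": sorted(tried[ip])}
    return hits


def find_bruteforce_sources(events, min_failures=3):
    """Sources with at least min_failures failed logins, whether or not they got in."""
    failures = defaultdict(int)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]] += 1
    return {ip: n for ip, n in failures.items() if n >= min_failures}


if __name__ == "__main__":
    ev = parse_auth(CONSTRUCTED_LOG)
    for ip, info in find_guessed_logins(ev).items():
        print(f"{ip}: got in as {info['user']} after {info['failures_before']} failures, "
              f"tried {info['users_tried']}")
    print("brute-force sources:", find_bruteforce_sources(ev))
```

On the constructed log this flags 203.0.113.7 as having guessed the "test" password after five failures across three usernames, lists 198.51.100.9 as a brute-force source that never got in, and leaves the key-based login from 192.0.2.5 alone. A successful login that follows a run of failures from the same source is the line to pivot on when working out which account was used and when.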
Wow...he's joining IRC servers as root. Because of that, I would expect even more badness to happen. I'd keep a sharp eye on this machine (or just disconnect the machine from the network or internet).