Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
cat /proc/version
Linux version 2.6.32-431.el6.x86_64 (mockbuild@c6b8.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC) ) #1 SMP Fri Nov 22 03:15:09 UTC 2013
Is my server hacked? What steps I should do to stop this? Please advise ASAP.
ITEMS="pro proh sfewfesfsh pojie DbSecuritySpt xpacket.ko libamplify.so atddd ksapdd kysapdd sksapdd skysapdd ferwfrre gfhddsfew gfhjrtfyhuf rewgtf3er4t sdmfdsfhjfe"
for ITEM in $ITEMS; do find /boot /etc /usr /tmp /var -type f -iname "*${ITEM}*" -ls; done
Also check /etc/rc.d/rc.local and /var/spool/cron/root /var/spool/cron/crontabs/root.
*If you find any do contact me (or add them to http://sourceforge.net/p/rkhunter/feature-requests/) as I'd like a copy please.
Last edited by unSpawn; 05-09-2014 at 04:57 AM.
Reason: //More *is* more
I don't think you got my question. Even if I delete the parent process, these programs restarts automatically.
You didn't talk a word about parent processes. Yes, you need to find the parent (if possible), look for the one which spawns these processes. Probably you will find a cronjob or daemon process. In such cases you need to detach the box from network too.
ITEMS="pro proh sfewfesfsh pojie DbSecuritySpt xpacket.ko libamplify.so atddd ksapdd kysapdd sksapdd skysapdd ferwfrre gfhddsfew gfhjrtfyhuf rewgtf3er4t sdmfdsfhjfe"
for ITEM in $ITEMS; do find /boot /etc /usr /tmp /var -type f -iname "*${ITEM}*" -ls; done
Also check /etc/rc.d/rc.local and /var/spool/cron/root /var/spool/cron/crontabs/root.
*If you find any do contact me (or add them to http://sourceforge.net/p/rkhunter/feature-requests/) as I'd like a copy please.
You are spot on. PFA the reports. Let me know how to remove them permanently.
This is a root compromise. There will be no restoring of backups and any other "fixing". This machine runs Xorg and GNOME and has not been maintained properly (see ancient kernel version). From the list above, unless time stamps have been modified, you cannot establish how long this compromise has been going on. This means you will have to sever network connection to the machine right now, isolate it so nobody can use it and investigate how the perp got in. Other than that it's game over: create a new machine, properly harden it before putting it into production and regularly audit its contents and logs and update software.
Apparently the way to get this is via a weak root password and sshd running. So use key based authentication if possible, and always use a strong password for root (!).
btw unspawn, I didn't know you were a big security hotshot I went to the rootkit hunter website, and I saw your name there, and I was like, hey, I know that guy! Glad you're on our team
Apparently the way to get this is via a weak root password and sshd running.
No. One shouldn't run services one doesn't need. And any account should have a strong password period.
Quote:
Originally Posted by DJ Shaji
So use key based authentication if possible, and always use a strong password for root (!).
SSH best practices include not allowing root access to any service directly (use an unprivileged account instead), limiting access and using public key authentication. There isn't any "if possible" in that nor should there be.
This machine runs Xorg and GNOME and has not been maintained properly (see ancient kernel version).
2.6.32-431 is the current CentOS 6.5 kernel, and 6.5 is the current version of the 6.x series, and the 6.x series is the current version of CentOS. He can't get any newer than that without switching to a completely different distro.
Last edited by suicidaleggroll; 05-09-2014 at 04:57 PM.
2.6.32-431 is the current CentOS 6.5 kernel, and 6.5 is the current version of the 6.x series, and the 6.x series is the current version of CentOS. He can't get any newer than that without switching to a completely different distro.
Not to go OT (I'd rather have to OP post the nfo I need) but his kernel version reads:
Code:
2.6.32-431.el6.x86_64 (mockbuild@c6b8.bsys.dev.centos.org) (..) #1 SMP Fri Nov 22 03:15:09 UTC 2013
which isn't:
Code:
2.6.32-431.17.1.el6.x86_64 (mockbuild@c6b8.bsys.dev.centos.org) #1 SMP Wed May 7 23:32:49 UTC 2014
Please send me the files as requested (if the concept of reciprocity means anything to you) and know by doing so you'll be helping others.
Quote:
This is a root compromise. There will be no restoring of backups and any other "fixing". (..): create a new machine, properly harden it before putting it into production and regularly audit its contents and logs and update software.
Please confirm you understand the gravity of the situation and what steps you have to take next.
If unclear: ask.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.