Old 06-25-2010, 07:57 AM   #1
LQ Newbie
Registered: Apr 2010
Posts: 5

Rep: Reputation: 0
Server cracked - casper.txt, psy.tar.gz

My site - - suddenly went down yesterday. I am on holiday in Brazil and I got a txt from the centre saying they couldn't access. I got back to my son's apartment and logged on. Browser gave message site not available server error. It is on a hosted system. I ftp'd and found it had been wiped and there were a new set of files there casper.txt, ckrid1.txt, gue, psy.tar.gz amongst others. On trying to edit the index.php file there I found it contained a message that this site has been blocked and it also contained another address. I set up a virtual host on my managed vps, changed the A record in dns to point to it and put up a page to explain to visitors what has happened. That was not accessible but also another site which I had on that vps -, a site raising money for a hospice by a long distance cycle ride, suddenly went down as well. FTP shows that everything is still there, but it's inaccessible now via the web.
I don't know what to do. It seems like the domain name is poisoning dns. Please can anyone offer help and advice. The hosted site - I have no real root access to do a thorough cleansing and the managed vps is such that I cannot do a reformat etc. The vps is running Centos.
Old 06-25-2010, 09:29 AM   #2
LQ Guru
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 15,074

Rep: Reputation: 2088
Complain loud as hell to your provider if you've no root access. It's probable _they_ were hacked, not you. Move the site if they don't come onside at once. They should have logs, and know who was scanning them. Also probable they were running old software so they made the hacker's job handier.

Your dns is weird. I am getting for I'm in Ireland. Here's my traceroute to
traceroute to (, 30 hops max, 46 byte packets
1 13.321 ms 11.200 ms 9.815 ms
2 11.675 ms 22.785 ms 11.552 ms
3 115.676 ms 198.302 ms 189.415 ms
4 27.579 ms 33.356 ms 36.061 ms
5 27.411 ms 27.357 ms 31.227 ms
6 28.528 ms 27.267 ms 27.698 ms
7 28.596 ms 26.099 ms 27.513 ms
8 46.751 ms 28.978 ms 37.162 ms
9 29.113 ms 28.422 ms 38.338 ms
10 29.294 ms 28.540 ms 29.664 ms

if that helps any, it seems dns is ok; at least I can reach the ip.
bash-3.1$ traceroute -ni wlan0
traceroute to (, 30 hops max, 46 byte packets
1 * 10.534 ms 10.834 ms
2 110.646 ms 59.584 ms 11.339 ms
3 161.051 ms 203.248 ms 204.098 ms
4 40.119 ms 35.831 ms 36.155 ms
5 28.230 ms 27.412 ms 27.798 ms
6 31.332 ms 32.579 ms 28.607 ms
7 29.204 ms 27.896 ms 29.160 ms
8 31.126 ms 41.163 ms 32.617 ms
9 31.290 ms 29.192 ms 28.871 ms
10 32.535 ms 29.306 ms 28.814 ms
1 members found this post helpful.
Old 06-25-2010, 10:57 AM   #3
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
I'm gonna have to agree with business_kid on this one. Your options are highly limited if you've no root access. Every share on that machine is possibly impacted. Call up your hoster ASAP. I've actually been in this situation... sucks!
1 members found this post helpful.
Old 06-26-2010, 05:40 AM   #4
LQ Newbie
Registered: Apr 2010
Posts: 5

Original Poster
Rep: Reputation: 0
Many thanks for the replies. I am moving to a vps elsewhere. I am also going to sort my own nameservers out and so no longer be reliant on the previous supplier. Will post update when/if I find an answer to what has really happened
Old 06-29-2010, 02:39 AM   #5
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3599
In addition to what's been said before, finding an IRC bot package, "Casper Bot Search", related and other files on your system means somebody managed to find and exploit a vulnerability in some software you run. Meaning your web stack is as solid as the holes in Swiss cheese. Meaning doing something like restoring a recent backup elsewhere is a waste of time. Before resurrecting your site elsewhere please ensure you run the latest version of the software you use and harden your O.S. and web stack properly.
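The kind of check that would have flagged the files the original poster found (and the wiped originals) is a baseline-and-compare of the web root. The script below is an added example, not code from the thread or from any poster; it assumes a POSIX shell with find, sha256sum, awk, sort and mktemp, and the file names casper.txt and psy.tar.gz in its demonstration are constructed sample data borrowed from the thread. The baseline manifest has to be taken while the site is known-good and kept off the host: whoever could rewrite index.php could rewrite a manifest stored next to it.

```shell
#!/bin/sh
# Added example, not code from the thread or from any poster: a baseline-and-compare
# integrity check for a web root, written for a site owner without root on the host.
# Assumes a POSIX shell with find, sha256sum, awk, sort and mktemp available.
# Take the baseline while the site is known-good and store it OFF the host.

# Print "sha256  ./relative/path" for every regular file under the web root,
# sorted by path so two manifests of the same tree compare line for line.
webroot_manifest() {
    root=$1
    ( cd "$root" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort -k2
}

# Compare a saved manifest with the current state of the web root and report
# NEW (dropped in), MODIFIED (content changed) and MISSING (wiped) paths.
# The manifest format does not quote paths, so paths containing whitespace
# would confuse awk's field split; keep the web root free of them or extend this.
webroot_diff() {
    baseline=$1
    root=$2
    current=$(mktemp)
    webroot_manifest "$root" > "$current"
    awk '
        NR == FNR { base[$2] = $1; next }   # first file: the saved baseline
        { cur[$2] = $1 }                     # second file: the current state
        END {
            for (p in cur)  if (!(p in base))                     print "NEW      " p
            for (p in cur)  if ((p in base) && base[p] != cur[p]) print "MODIFIED " p
            for (p in base) if (!(p in cur))                      print "MISSING  " p
        }' "$baseline" "$current" | LC_ALL=C sort
    rm -f "$current"
}

# Self-contained demonstration on a constructed tree (not the poster's site):
# take a baseline, reproduce what the thread describes, and report the diff.
demo_run() {
    work=$(mktemp -d)
    site="$work/htdocs"
    mkdir -p "$site/css"
    printf '<?php echo "hello"; ?>\n' > "$site/index.php"
    printf 'body { color: black }\n' > "$site/css/style.css"
    webroot_manifest "$site" > "$work/baseline.sha256"

    # index.php replaced by a "blocked" notice, unexpected files dropped in
    # (names as listed by the original poster), original content wiped.
    printf 'this site has been blocked\n' > "$site/index.php"
    : > "$site/casper.txt"
    : > "$site/psy.tar.gz"
    rm "$site/css/style.css"

    webroot_diff "$work/baseline.sha256" "$site"
    rm -rf "$work"
}

# Usage: sh webroot-check.sh demo                              (run the demonstration)
#        webroot_manifest /path/to/htdocs > baseline.sha256    (take a baseline)
#        webroot_diff baseline.sha256 /path/to/htdocs          (later, compare)
if [ "${1:-}" = demo ]; then
    demo_run
fi
```

On a shared host without root this only shows what changed under your own account, which is enough to know the site is not trustworthy but not how it happened; the provider's logs, as business_kid says, are still what answers that. Run the comparison from a clean machine against a fresh copy of the tree, so the tools doing the checking are not the ones that may have been tampered with.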


All times are GMT -5.