Come on! Someone MUST have a 550 Raq here

  #1  
02-22-2003, 09:46 PM
anvis.com
Newbie
 
Join Date: Feb 2003
Location: Appleton, WI
Posts: 12



Does anyone here have a RAQ 550 running? Can you compare your files in the sbin dir with mine - let me know ASAP...



MY .12 server sbin dir
-rwxr-xr-x 1 root root 494675 Nov 21 2001 xfs_repair
-rwxr-xr-x 1 root root 490559 Mar 20 2001 insmod.static
-rwxr-xr-x 3 root root 433647 Aug 9 2001 e2fsck
-rwxr-xr-x 3 root root 433647 Aug 9 2001 fsck.ext2
-rwxr-xr-x 3 root root 433647 Aug 9 2001 fsck.ext3
-rwxr-xr-x 1 root root 383007 Jan 8 2002 ldconfig
-rwxr-xr-x 1 root root 345267 Nov 21 2001 xfsrestore
-rwxr-xr-x 1 root root 338143 Jan 8 2002 sln
-rwxr-xr-x 1 root root 276499 Nov 21 2001 xfsdump
-rwxr-xr-x 1 root root 248415 Nov 21 2001 mkfs.xfs
-rwxr-xr-x 1 root root 98739 Mar 20 2001 insmod
-rwxr-xr-x 1 root root 98035 Sep 15 2000 dhclient

MY .10 server sbin dir
-rwxr-xr-x 1 root root 485916 Nov 21 2001 xfs_repair
-rwxr-xr-x 1 root root 481800 Mar 20 2001 insmod.static
-rwxr-xr-x 3 root root 424888 Aug 9 2001 e2fsck
-rwxr-xr-x 3 root root 424888 Aug 9 2001 fsck.ext2
-rwxr-xr-x 3 root root 424888 Aug 9 2001 fsck.ext3
-rwxr-xr-x 1 root root 374248 Jan 8 2002 ldconfig
-rwxr-xr-x 1 root root 336508 Nov 21 2001 xfsrestore
-rwxr-xr-x 1 root root 329384 Jan 8 2002 sln
-rwxr-xr-x 1 root root 267740 Nov 21 2001 xfsdump
-rwxr-xr-x 1 root root 239656 Nov 21 2001 mkfs.xfs
-rwxr-xr-x 1 root root 89980 Mar 20 2001 insmod
-rwxr-xr-x 1 root root 89276 Sep 15 2000 dhclient

  #2  
02-23-2003, 02:45 AM
BruceT
Web Hosting Master
 
Join Date: Nov 2002
Location: Michigan
Posts: 695
Here's mine (fully patched):

-rwxr-xr-x 1 root root 485916 Nov 21 2001 xfs_repair*
-rwxr-xr-x 1 root root 481800 Mar 20 2001 insmod.static*
-rwxr-xr-x 3 root root 424888 Aug 8 2001 e2fsck*
-rwxr-xr-x 3 root root 424888 Aug 8 2001 fsck.ext2*
-rwxr-xr-x 3 root root 424888 Aug 8 2001 fsck.ext3*
-rwxr-xr-x 1 root root 374248 Jan 8 2002 ldconfig*
-rwxr-xr-x 1 root root 336508 Nov 21 2001 xfsrestore*
-rwxr-xr-x 1 root root 329384 Jan 8 2002 sln*
-rwxr-xr-x 1 root root 267740 Nov 21 2001 xfsdump*
-rwxr-xr-x 1 root root 239656 Nov 21 2001 mkfs.xfs*
-rwxr-xr-x 1 root root 89980 Mar 20 2001 insmod*
-rwxr-xr-x 1 root root 89276 Sep 15 2000 dhclient*

I have a lot more stuff in my directory than what you have listed here though... any reason you're only checking these couple of binaries?

__________________
http://www.lamphowto.com/ - LAMP and LAMP+SSL HowTo
http://www.cobaltfaqs.com/ - Cobalt FAQs and HowTos

  #3  
02-23-2003, 03:08 AM
anvis.com
Newbie
 
Join Date: Feb 2003
Location: Appleton, WI
Posts: 12
Yes, I used ls -lS and picked the top 12..

Thanks for the info....

Your files match my .10 server just as I thought they would... I have reason to believe that my .12 server has been comped, now I know it for sure..

I have 3 550 servers and 2 match and the .12 does not.. it must be comped...

Thanks again.... if anyone else would like to let me know also to double confirm, I would appreciate it...

Anyone who would like these comped files to look into it, let me know and I will email them to you..

We have been dealing with a hacker for the last month, and this server was cleaned and all security gShield etc placed on it..

I think he comped it during the 5 minutes it takes for gShield to start after boot up... Our port 3049 is running pidof, but I think the firewall is stopping it from doing anything else..

Thanks...

Mark Sr.
Sr@anvis.com
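
The size comparison done by eye in posts #1 to #3, as an added example that is not part of the thread: it matches two `ls -l` listings by file name and reports the size difference per file. The function names are made up for the example; the sample rows are copied from posts #1 and #2.

```shell
#!/bin/sh
# Added example (not from the thread): diff two `ls -l` listings by file name.
# compare_ls_sizes BASELINE SUSPECT
#   BASELINE = listing from a known-good host, SUSPECT = listing under review
compare_ls_sizes() {
    awk '
        !/^-/ { next }                       # regular files only; skip symlinks and "total"
        { name = $9; sub(/\*$/, "", name) }  # drop the "*" marker that ls -F appends
        FILENAME == ARGV[1] { base[name] = $5; next }
        !(name in base) { printf "NEW %s %d\n", name, $5; next }
        $5 != base[name] {
            d = $5 - base[name]
            printf "CHANGED %s %+d\n", name, d
            seen[d]++; changed++
        }
        END {
            kinds = 0
            for (d in seen) { kinds++; delta = d }
            # An identical delta on every changed file suggests the same
            # modification was applied to each of them.
            if (changed > 1 && kinds == 1)
                printf "UNIFORM %d files differ by the same %+d bytes\n", changed, delta
        }
    ' "$1" "$2"
}

# Demo input: four rows each from post #2 (patched box) and post #1 (.12 box).
demo_compare() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/good.txt" <<'EOF'
-rwxr-xr-x 1 root root 485916 Nov 21 2001 xfs_repair*
-rwxr-xr-x 3 root root 424888 Aug 8 2001 e2fsck*
-rwxr-xr-x 1 root root 89980 Mar 20 2001 insmod*
-rwxr-xr-x 1 root root 89276 Sep 15 2000 dhclient*
EOF
    cat > "$dir/suspect.txt" <<'EOF'
-rwxr-xr-x 1 root root 494675 Nov 21 2001 xfs_repair
-rwxr-xr-x 3 root root 433647 Aug 9 2001 e2fsck
-rwxr-xr-x 1 root root 98739 Mar 20 2001 insmod
-rwxr-xr-x 1 root root 98035 Sep 15 2000 dhclient
EOF
    compare_ls_sizes "$dir/good.txt" "$dir/suspect.txt"
    rm -rf "$dir"
}
```

Run over all twelve rows in posts #1 and #2, it reports the same +8759 byte difference for every file on the .12 server. Size and date only narrow the search; a checksum against the vendor package or a clean host is what confirms a file is unchanged.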

  #4  
02-23-2003, 03:12 AM
BruceT
Web Hosting Master
 
Join Date: Nov 2002
Location: Michigan
Posts: 695
It was an external hack? Or someone with a shell account on the box already? "Internal" compromises are far easier and more prevalent than a root-level hole from the outside...

Did you do searches for things beginning with ".", no valid user or group owner, suid permissions set, etc?

__________________
http://www.lamphowto.com/ - LAMP and LAMP+SSL HowTo
http://www.cobaltfaqs.com/ - Cobalt FAQs and HowTos
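
The searches asked about in the post above, written out as an added example (not code from the thread). `triage_sweep` and `KNOWN_SETUID` are names made up here; the two listed names are the setuid entries that appear in the /sbin listing in post #7.

```shell
#!/bin/sh
# Added example (not from the thread): hidden names, unowned files, setuid/setgid.

# Basenames that the reference /sbin listing in post #7 shows with the setuid bit.
# A matching name only lowers review priority; it does not prove the file is intact.
KNOWN_SETUID="pwdb_chkpwd unix_chkpwd"

# triage_sweep ROOT  -> prints one "LABEL path" line per finding under ROOT
triage_sweep() {
    root=${1:-/}
    # -xdev keeps find on ROOT's filesystem, so /proc and remote mounts are skipped.

    # Names beginning with "."
    find "$root" -xdev -name '.*' ! -name . ! -name .. 2>/dev/null |
        sed 's/^/HIDDEN /'

    # Files whose uid or gid has no entry in the passwd or group database
    find "$root" -xdev \( -nouser -o -nogroup \) 2>/dev/null |
        sed 's/^/UNOWNED /'

    # Regular files with the setuid or setgid bit, split by the list above
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r path; do
        case " $KNOWN_SETUID " in
            *" ${path##*/} "*) echo "SETID-KNOWN $path" ;;
            *)                 echo "SETID-REVIEW $path" ;;
        esac
    done
}
```

Results from a box that may already be compromised depend on its own `find` and libraries, so the sweep is more trustworthy when run with the disk mounted from known-good media.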

  #5  
02-23-2003, 03:38 AM
anvis.com
Newbie
 
Join Date: Feb 2003
Location: Appleton, WI
Posts: 12
Bruce,

He has comped 6 of our servers and we have been cleaning them up...

New OS all patches and a complete firewall system from Raqport..

He still has access to one of my servers, but that will be fixed in a few days..

We also ordered the SonicWall 330 from Firewalls.com, and it should be in place by Wednesday.

The .12 has been comped, exactly when I do not know... Maybe prior to Raqport's Firewall actually had a chance to get loaded.

He continues to ssh to the box thru server thru RIPES IP's mostly.. But is being denied.

This is what clued me to it... On the other servers that were comped, he seemed to use port 3049 for IRC.

It's late I'm tired. I like to kill this prick.
udp *:3049 28900/pidof

Thanks for listening.

Mark Sr.

  #6  
02-24-2003, 01:13 PM
anvis.com
Newbie
 
Join Date: Feb 2003
Location: Appleton, WI
Posts: 12
It would be nice if other Raq 550 owners would post their /sbin file results here also, so I may compare them

Thanks..

  #7  
02-26-2003, 02:45 AM
Nology
Junior Guru Wannabe
 
Join Date: Jan 2003
Posts: 70
total 5884
-rwxr-xr-x 1 root root 11128 Apr 12 2002 adm1029ctl
-rwxr-xr-x 1 root root 12908 Jul 31 2002 agetty
-rwxr-xr-x 1 root root 38908 Jun 14 2000 arp
-rwxr-xr-x 1 root root 10104 Aug 28 2001 arping
-rwxr-xr-x 1 root root 13560 Aug 9 2001 badblocks
-rwxr-xr-x 1 root root 5760 Jul 31 2002 blockdev
-rwxr-xr-x 1 root root 6416 Apr 5 2002 bw_setip
-rwxr-xr-x 1 root root 43788 Jul 31 2002 cfdisk
-rwxr-xr-x 1 root root 22912 Mar 9 2000 chkconfig
lrwxr-xr-x 1 root root 7 Sep 20 11:09 clock -> hwclock
-rwxr-x--- 1 root root 4888 Sep 21 2001 consoled
-rwxr-xr-x 1 root root 3636 Jul 31 2002 ctrlaltdel
-rwxr-xr-x 1 root root 44784 Aug 9 2001 debugfs
-rwxr-xr-x 1 root root 51964 Mar 20 2001 depmod
-rwxr-xr-x 1 root root 89276 Sep 15 2000 dhclient
-rwxr-xr-x 1 root root 8632 Aug 9 2001 dumpe2fs
-rwxr-xr-x 3 root root 424888 Aug 9 2001 e2fsck
-rwxr-xr-x 2 root root 16200 Aug 9 2001 e2label
-rwxr-xr-x 1 root root 4824 Jul 31 2002 elvtune
-rwxr-xr-x 1 root root 72076 Jul 31 2002 fdisk
-rwxr-xr-x 1 root root 16464 Aug 9 2001 fsck
-rwxr-xr-x 3 root root 424888 Aug 9 2001 fsck.ext2
-rwxr-xr-x 3 root root 424888 Aug 9 2001 fsck.ext3
-rwxr-xr-x 1 root root 16044 Jul 31 2002 fsck.minix
-rwxr-xr-x 1 root root 2472 Nov 22 2001 fsck.xfs
-rwxr-xr-x 1 root root 14756 Feb 5 2000 fuser
-rwxr-xr-x 1 root root 34012 Mar 20 2001 genksyms
-rwxr-xr-x 1 root root 32440 Apr 27 2000 getty
-rwxr-xr-x 1 root root 7248 Sep 7 2001 halt
-rwxr-xr-x 1 root root 28604 Nov 1 2001 hdparm
-rwxr-xr-x 1 root root 29988 Jul 31 2002 hwclock
-rwxr-xr-x 1 root root 49488 Jun 14 2000 ifconfig
lrwxr-xr-x 1 root root 37 Sep 20 11:11 ifdown -> /etc/sysconfig/network-scripts/ifdown
-rwxr-xr-x 1 root root 11568 Aug 28 2001 ifenslave
lrwxr-xr-x 1 root root 35 Sep 20 11:11 ifup -> /etc/sysconfig/network-scripts/ifup
-rwxr-xr-x 1 root root 27356 Sep 7 2001 init
-rwxr-xr-x 1 root root 89980 Mar 20 2001 insmod
-rwxr-xr-x 1 root root 359 Mar 20 2001 insmod_ksymoops_clean
-rwxr-xr-x 1 root root 481800 Mar 20 2001 insmod.static
-rwxr-xr-x 1 root root 75144 Feb 10 2000 install-info
-rwxr-xr-x 1 root root 38620 Apr 21 2001 ipchains
-rwxr-xr-x 1 root root 3019 Apr 21 2001 ipchains-restore
-rwxr-xr-x 1 root root 4112 Apr 21 2001 ipchains-save
lrwxr-xr-x 1 root root 21 Sep 20 11:13 ipfwadm -> /sbin/ipfwadm-wrapper
-rwxr-xr-x 1 root root 21953 Apr 21 2001 ipfwadm-wrapper
-rwxr-xr-x 1 root root 10360 Jun 14 2000 ipmaddr
-rwxr-xr-x 1 root root 5708 Mar 14 2002 ipnmgw
-rwxr-xr-x 1 root root 14532 Jun 14 2000 iptunnel
lrwxr-xr-x 1 root root 6 Sep 20 11:09 kallsyms -> insmod
-rwxr-xr-x 1 root root 5612 Jul 31 2002 kbdrate
-rwxr-xr-x 1 root root 451 Mar 20 2001 kernelversion
-rwxr-xr-x 1 root root 8580 Sep 7 2001 killall5
-rwxr-xr-x 1 root root 21080 Sep 27 2000 klogd
lrwxr-xr-x 1 root root 6 Sep 20 11:09 ksyms -> insmod
-rwxr-xr-x 1 root root 7708 Mar 14 2002 lcd-flash
-rwxr-xr-x 1 root root 10108 Mar 14 2002 lcd-getip
-rwxr-xr-x 1 root root 9372 Mar 14 2002 lcd-getpass
-rwxr-xr-x 1 root root 2798 Mar 14 2002 lcd-menu
-rwxr-xr-x 1 root root 9116 Mar 14 2002 lcdsleep
-rwxr-xr-x 1 root root 34 Mar 14 2002 lcdstart
-rwxr-xr-x 1 root root 406 Mar 14 2002 lcdstop
-rwxr-xr-x 1 root root 7740 Mar 14 2002 lcd-swrite
-rwxr-xr-x 1 root root 7708 Mar 14 2002 lcd-write
-rwxr-xr-x 1 root root 9916 Mar 14 2002 lcd-yesno
-rwxr-xr-x 1 root root 374248 Jan 9 2002 ldconfig
-rwxr-xr-x 1 root root 5516 Mar 14 2002 led-write
-rwxr-xr-x 1 root root 5644 Mar 14 2002 link
-rwxr-xr-x 1 root root 5548 Mar 14 2002 linkstatus
-rwxr-xr-x 1 root root 9236 Mar 27 2001 losetup
lrwxr-xr-x 1 root root 6 Sep 20 11:09 lsmod -> insmod
-rwxr-xr-x 1 root root 34464 Oct 11 2000 lspci
-rwx------ 1 root root 74352 Sep 8 2000 mgetty
-rwxr-xr-x 1 root root 8112 Feb 4 2000 mingetty
-rwxr-xr-x 2 root root 23792 Aug 9 2001 mke2fs
-rwxr-xr-x 1 root root 4780 Jul 31 2002 mkfs
-rwxr-xr-x 1 root root 7384 Jul 31 2002 mkfs.bfs
-rwxr-xr-x 2 root root 23792 Aug 9 2001 mkfs.ext2
-rwxr-xr-x 1 root root 12940 Jul 31 2002 mkfs.minix
-rwxr-xr-x 1 root root 239656 Nov 22 2001 mkfs.xfs
-rwxr-xr-x 1 root root 8987 Mar 23 2001 mkinitrd
-rwxr-xr-x 1 root root 28372 May 10 2000 mkpv
-rwxr-xr-x 1 root root 30516 May 10 2000 mkraid
-rwxr-xr-x 1 root root 8628 Jul 31 2002 mkswap
-rwxr-xr-x 1 root root 39708 Mar 20 2001 modinfo
lrwxr-xr-x 1 root root 6 Sep 20 11:09 modprobe -> insmod
lrwxr-xr-x 1 root root 17 Sep 20 11:17 mount.smb -> /usr/bin/smbmount
lrwxr-xr-x 1 root root 17 Sep 20 11:17 mount.smbfs -> /usr/bin/smbmount
-rwxr-xr-x 1 root root 6724 Mar 23 2001 nash
-rwxr-xr-x 1 root root 3896 Mar 1 2002 netreport
-rwxr-xr-x 1 root root 17256 Feb 8 2002 nvram
-rwxr-xr-x 1 root root 7220 Aug 7 2001 pam_tally
lrwxr-xr-x 1 root root 8 Sep 20 11:09 pidof -> killall5
-rwxr-xr-x 1 root root 5072 Jun 14 2000 plipconfig
-rwxr-xr-x 1 root root 29384 Nov 2 1999 portmap
lrwxr-xr-x 1 root root 4 Sep 20 11:09 poweroff -> halt
-r-sr-xr-x 1 root root 15984 Aug 7 2001 pwdb_chkpwd
-r-xr-xr-x 1 root root 52828 Aug 8 2001 quotacheck
lrwxr-xr-x 1 root root 7 Sep 20 11:10 quotaoff -> quotaon
-r-xr-xr-x 1 root root 39004 Aug 8 2001 quotaon
lrwxr-xr-x 1 root root 6 Sep 20 11:10 raid0run -> mkraid
lrwxr-xr-x 1 root root 9 Sep 20 11:10 raidhotadd -> raidstart
lrwxr-xr-x 1 root root 9 Sep 20 11:10 raidhotremove -> raidstart
lrwxr-xr-x 1 root root 9 Sep 20 11:10 raidsetfaulty -> raidstart
lrwxr-xr-x 1 root root 9 Sep 20 11:10 raidsetwo -> raidstart
-rwxr-xr-x 1 root root 19600 May 10 2000 raidstart
lrwxr-xr-x 1 root root 9 Sep 20 11:10 raidstop -> raidstart
-rwxr-xr-x 1 root root 17240 Jun 14 2000 rarp
-rwxr-xr-x 1 root root 5676 Mar 14 2002 readbutton
lrwxr-xr-x 1 root root 4 Sep 20 11:09 reboot -> halt
-rwxr-xr-x 1 root root 18952 Aug 9 2001 resize2fs
lrwxr-xr-x 1 root root 6 Sep 20 11:09 rmmod -> insmod
-rwxr-xr-x 1 root root 41304 Jun 14 2000 route
-rwxr-xr-x 1 root root 7088 Oct 17 2001 rpcdebug
-rwxr-xr-x 1 root root 3260 Oct 17 2001 rpc.lockd
-rwxr-xr-x 1 root root 46000 Oct 17 2001 rpc.statd
-rwxr-xr-x 1 root root 219 Mar 14 2002 ruleflush
-rwxr-xr-x 1 root root 2992 Sep 7 2001 runlevel
-rwxr-xr-x 1 root root 21976 Oct 11 2000 setpci
-rwxr-xr-x 1 root root 45740 Jul 31 2002 sfdisk
-rwxr-xr-x 1 root root 14812 Sep 7 2001 shutdown
-rwxr-xr-x 1 root root 21252 Jun 14 2000 slattach
-rwxr-xr-x 1 root root 329384 Jan 9 2002 sln
-rwxr-xr-x 1 root root 8956 Sep 7 2001 sulogin
lrwxr-xr-x 1 root root 6 Sep 20 11:09 swapoff -> swapon
-rwxr-xr-x 1 root root 6180 Mar 27 2001 swapon
-r-xr-xr-x 1 root root 8160 Apr 4 2002 sysctl
-rwxr-xr-x 1 root root 27112 Sep 27 2000 syslogd
lrwxr-xr-x 1 root root 4 Sep 20 11:09 telinit -> init
-rwxr-xr-x 2 root root 16200 Aug 9 2001 tune2fs
-r-sr-xr-x 1 root root 16456 Aug 7 2001 unix_chkpwd
-rwxr-xr-x 1 root root 7412 Feb 4 2000 update
-rwxr-xr-x 1 root root 35248 Apr 27 2000 uugetty
-rwxr-xr-x 1 root root 4384 Nov 22 2001 xfsdq
-rwxr-xr-x 1 root root 267740 Nov 22 2001 xfsdump
-rwxr-xr-x 1 root root 485916 Nov 22 2001 xfs_repair
-rwxr-xr-x 1 root root 336508 Nov 22 2001 xfsrestore
