  1. #1

    Found psyBNC on my server under one account.

    What should I do? I can't go to that directory.

    quote:
    --------------------------------------------------------------------------------


    gorgole was running [psyBNC] the process claimed to be [sendmail:
    accepting connections
    ? c-leet]
    The binary is located at: /var/tmp/.../vi
    http://www.adwis.net

  2. #2
    Kick the user, delete the account, and check if the server has been compromised.

    Rus
    Russ Foster - Industry Curmudgeon
    Freelance Sysadmin for Hire - email vaserv@gmail.com

  3. #3
    /var/tmp/.../vi

    That doesn't look too good. Do you have an old kernel on the box? Have you secured the server any? Do you get anything when you run:

    for files in /usr/local/apache/domlogs/*; do grep "wget" "$files"; done
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  4. #4
    I don't know how to delete and clean up this problem.
    Do you have any step-by-step instructions, please?

  5. #5
    Well, unfortunately it's not a step-by-step thing. You could be rooted and have a backdoor, or it could be simple and just as a user. But in any case you should set up some measures to help prevent this in the future.

    It can be as simple as rm -rf /var/tmp/.../ BUT I seriously suggest you hire someone to check it out before you remove the files so they can evaluate what's going on. There are many companies out there that can do this.

    serverwizards
    easyservermanagement
    wemanageservers
    rackaid
    etc

  6. #6
    Do not just remove the files!!! Those files are clues to when and who placed the bot on your system. If you must stop the bot immediately, dump netstat and ps screens to a text file. They can all be very useful in diagnosing who put the file on your system and when it was started. Also, hackers like to call files one thing when they actually do another.

    In this situation, you should verify the integrity of netstat and check for unusual ports. An external portscan would be useful as well in case there are modules altering the netstat results.

    If the owner of the file is apache or root, then you may have been hacked. Tools like chkrootkit and rkhunter can be helpful but do not substitute for a thorough security scan.

    We save you time, money, and frustration by handling the server management tasks required to run an online business successfully.
    No prodding required. We just do it right the first time. Red Hat, MySQL, Plesk, and cPanel certified staff.
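An added example, not from the thread, of the check post #6 describes: read TCP listeners straight from the kernel's /proc/net/tcp table and diff them against what netstat reports, so a listener that a trojaned netstat or a kernel module hides shows up as a discrepancy, together with the UID that owns it. The sample inputs are constructed, and the script assumes a Linux /proc layout and `netstat -lnt` style output.

```shell
#!/bin/sh
# Added example, not from the thread. Lists TCP listeners straight from
# /proc/net/tcp and diffs them against netstat output, so a listener that a
# trojaned netstat or kernel module hides shows up as a discrepancy.
# Assumes Linux; the sample inputs below are constructed, not real captures.

# Listening sockets (state 0A) from a /proc/net/tcp-format file.
# Prints "port uid" per line; the uid tells you which account owns the listener.
proc_listeners() {
  awk '$4 == "0A" { split($2, a, ":"); print a[2], $8 }' "$1" |
  while read -r hexport uid; do
    printf '%d %s\n' "$((0x$hexport))" "$uid"   # hex port -> decimal
  done | sort -n
}

# Listening ports from `netstat -lnt` style output, one per line.
netstat_listeners() {
  awk '$1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' "$1" | sort -n
}

# Ports the kernel table shows but netstat does not: candidates for a hidden bot.
hidden_listeners() {
  p=$(mktemp); n=$(mktemp)
  proc_listeners "$1" | cut -d' ' -f1 | sort -u > "$p"
  netstat_listeners "$2" | sort -u > "$n"
  comm -23 "$p" "$n"
  rm -f "$p" "$n"
}

# Constructed sample data: sshd on 22, MySQL on 3306, and an extra listener on
# 9000 owned by uid 1001 that the (constructed) netstat output does not show.
SAMPLE_PROC=$(mktemp); SAMPLE_NETSTAT=$(mktemp)
cat > "$SAMPLE_PROC" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000    27        0 10002 1
   2: 00000000:2328 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 10003 1
   3: 0A000002:0016 0A000001:C350 01 00000000:00000000 00:00000000 00000000     0        0 10004 1
EOF
cat > "$SAMPLE_NETSTAT" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
EOF
hidden_listeners "$SAMPLE_PROC" "$SAMPLE_NETSTAT"   # prints 9000 for the sample
```

On a live box, run it as `hidden_listeners /proc/net/tcp <(netstat -lnt)` style input saved to a file, and treat any port it prints as a reason to pull the box offline and image it rather than to clean it in place.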

  7. #7
    Huck, it depends on the control panel as to what the file will be owned by; for example, cPanel's Apache runs as the user nobody.

  8. #8
    Yeah, I know that. I should have been more specific and said owned by Apache's user ID or group ID. I was speaking of Apache in a generic sense. I've seen many different UIDs for Apache, including but not limited to:
    apache
    httpd
    http
    httpdssl
    httpds
    admserv
    server
    and a few more...

  9. #9
    I suggest you just reformat and reinstall to be 100% safe; you won't know if you have backdoors.