  1. #1
    Join Date
    Jan 2001

    How to trace the hacker?

    I've noticed that my RH 9 box had been rooted.

    chkrootkit and rkhunter report that there are traces of several rootkits installed.

    First I tried to clean manually following the recipes found on this forum and elsewhere on the net, but I could not do even the first steps (I could not save /etc/rc.d/rc.sysinit after removing xntps from it - why? I don't know)

    So, I decided to choose the way many seem to prefer - asking for a reinstall of the OS and setting up things from backups.

    Before I ask for the format, though, it would be nice to find out something about the possible gate for my guests and also what they are doing and who they are.

    Is it possible to trace them somehow?

    I noticed two possible clues:
    1) Clue 1
    In /root/bash_history I find
    ./c4 -h
    ./c4 -h
    ./c4 -h
    ./c4 -d 200.158.70 -s 200


    chmod +x f3
    ./f3 65535 151551
    ./f3 65535 151515
    ./f3 65535 151515

    Both c4 and f3 now sit in /usr/.../ and I figure they are used for DOS-like things:
    C4 (v.442) '02 by live
    et cetera
    FUDEDOR (v3.0) by bonny - PRIVATE!@#!
    et cetera

    Could be involved in this activity or would they be victims?

    2) Clue 2
    This can be found on 3 out of the ~10 domains on the box. According to apache access logs 2 or 3 computers from India visited this file.

    How can I find out more? Are there any programmes that would help me?

    Thank you for your thoughts.


  2. #2
    Join Date
    May 2003

    The shell.php is most likely the entrance point, I've seen it myself before on our demo account before we locked it down.

    Sounds like they found a site you're hosting that has an exploit and used it to upload the shell.php, and then after that, used the shell to download and execute the rootkits.

    It's also possible that you offer a demo acct and since cpanel isn't the best at securing demo accounts, they could've easily uploaded the shell script. If you do offer a demo account, do 'chmod 000 /home/demoacct' to make it so no files can be in there.

    Unfortunately, sounds like they are in India, and you won't be able to do much about it if that is the situation.
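
One way to follow up on the shell.php lead from the reply above, as an added example that is not part of the original thread: for every client that successfully reached the shell, report its first hit and the requests it made beforehand, which is where the upload vector usually shows. Only the file name shell.php comes from the thread; the log lines, IP addresses and paths such as /gallery/upload.php are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common/combined prefix: host ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = """\
203.0.113.20 - - [10/Mar/2004:22:40:10 +0000] "GET /gallery/ HTTP/1.0" 200 812
203.0.113.20 - - [10/Mar/2004:22:41:37 +0000] "POST /gallery/upload.php HTTP/1.0" 200 94
203.0.113.20 - - [10/Mar/2004:22:42:02 +0000] "GET /gallery/img/shell.php?cmd=id HTTP/1.0" 200 61
203.0.113.45 - - [11/Mar/2004:03:05:55 +0000] "GET /gallery/img/shell.php HTTP/1.0" 200 300
198.51.100.7 - - [11/Mar/2004:08:00:00 +0000] "GET /shell.php HTTP/1.1" 404 210
this line is malformed and must be skipped
"""

def parse(lines):
    """Yield dicts for well-formed lines; silently skip anything else."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            rec["status"] = int(rec["status"])
            yield rec

def triage(lines, shell_name="shell.php"):
    """Map each client with a 2xx hit on the shell to its first hit and prior requests."""
    by_ip = defaultdict(list)
    for rec in parse(lines):
        by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        hits = [r for r in recs if 200 <= r["status"] < 300
                and r["path"].split("?")[0].endswith("/" + shell_name)]
        if hits:  # a 404 probe alone does not count as reaching the shell
            first = hits[0]["ts"]
            before = [(r["method"], r["path"]) for r in recs if r["ts"] < first]
            report[ip] = {"first_hit": first, "hits": len(hits), "before": before}
    return report

if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG.splitlines()).items():
        print(ip, info["first_hit"].isoformat(), info["hits"], info["before"])
```

Run it over copies of every vhost's access log taken off the box, since logs on a rooted machine may have been edited and the requests leading up to the first hit can sit in a different domain's log.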

  3. #3
    Join Date
    Mar 2003
    California USA
    Just a suggestion: get an OS reinstall.
    Steven Ciaburri | Proactive Linux Server Management -
    Managed Servers (AS62710), Server Management, and Security Auditing.

  4. #4
    Join Date
    Feb 2004
    He's right. Once a server is compromised (in my mind) you can never be completely secure in the fact that there's no installed backdoor in there somewhere. Reinstall.

    As for tracing him, the days that you can catch a hacker outside the country are few and far between.
