  1. #1
    Join Date
    Jul 2004
    Posts
    46

    suspicious files on server

    Recently my dedicated server went down and I had to reboot it to get it back online.

    I asked the server admin people to check the reason for this and they said:

    We have found files on your machine that appear to be owned by 'root' which is a sign of compromise. We highly recommend you submit an OS Reload request to further correct the issue, as there might be misleading processes running that are malicious in nature.

    root@jearaide [/tmp]# ll |egrep -v 'horde|impatt|core|cpanel|mysql|theme|iroha|sess|305|mt-throttle|jd|exim|lost'

    total 17020

    drwxrwxrwt 5 root root 65536 Jun 24 23:42 ./

    drwxr-xr-x 23 root root 4096 Jun 3 13:46 ../

    ---------- 1 root root 1623 Jun 6 22:01 back

    drwx------ 2 root root 4096 Jun 23 17:47 clamav-partial/

    ---------- 1 root root 28402 Jan 17 21:30 elflbl

    ---------- 1 root root 5208 Jun 6 21:58 ex

    ---------- 1 root root 28528 Jun 3 21:30 root


    =============

    Now OS reloading will cause all data to be lost and I don't have any backup either...

    Can you suggest me a way to solve this problem without an OS reload...

    Or if you think that an OS reload is necessary, then what should I do and how?
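A small triage script, added here and not part of the thread, that parses `ls -l` style output like the listing quoted above and flags regular files owned by root sitting in a world-writable directory such as /tmp; the mode-000 entries (`----------`) are the ones the admin pointed at. The sample input is constructed inline from the listing in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample: the `ll /tmp` output quoted in the post above.
LISTING = """\
total 17020
drwxrwxrwt 5 root root 65536 Jun 24 23:42 ./
drwxr-xr-x 23 root root 4096 Jun 3 13:46 ../
---------- 1 root root 1623 Jun 6 22:01 back
drwx------ 2 root root 4096 Jun 23 17:47 clamav-partial/
---------- 1 root root 28402 Jan 17 21:30 elflbl
---------- 1 root root 5208 Jun 6 21:58 ex
---------- 1 root root 28528 Jun 3 21:30 root
"""

# One long-format line: type+perms, link count, owner, group, size, date, name.
LINE_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+\w{3}\s+\d{1,2}\s+[\d:]+\s+(?P<name>.+)$"
)

@dataclass
class Entry:
    mode: str
    owner: str
    group: str
    size: int
    name: str

def parse_listing(text: str) -> list[Entry]:
    """Parse `ls -l` output; the 'total' header and non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["mode"], m["owner"], m["group"], int(m["size"]), m["name"]))
    return entries

def flag_root_files_in_tmp(entries: list[Entry]) -> list[tuple[str, str]]:
    """Return (name, reason) for regular files owned by root in a shared tmp dir.

    Root normally has no business dropping files in /tmp; a regular file with
    no permission bits at all (mode 000) is an even stronger signal, since it
    looks like something parked there to avoid casual inspection.
    """
    flagged = []
    for e in entries:
        if e.mode[0] != "-" or e.owner != "root":
            continue  # only regular files owned by root are of interest here
        reason = "root-owned, mode 000" if e.mode[1:] == "---------" else "root-owned"
        flagged.append((e.name, reason))
    return flagged
```

Run it against the real directory with `ls -l /tmp` piped in; anything flagged is a candidate to preserve (hash it, copy it off-box) before any OS reload destroys the evidence.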

  2. #2
    elflbl is a known exploit and probably your box was compromised. There are tools to find some rootkits but not all.

    Also, check your logs to see how that file got there. You might have a vulnerable script.

  3. #3
    Join Date
    Jul 2004
    Posts
    46
    I checked with chkrootkit but I don't find any file detected as suspicious??

    Can you help me plz...

    Where is the log file located on the server through which I can check from where that suspicious file came here?

  4. #4
    Join Date
    Dec 2004
    Location
    New York, NY
    Posts
    10,710
    Do you have a second hard disk on the server? Back up all accounts to that and restore them after the OS Reload. Then, find any outdated scripts and update them. Is your provider fully managed (including server hardening)? If not, get a server admin to lock it down for you.

    Thanks,
    MediaLayer, LLC - www.medialayer.com Learn how we can make your website load faster, translating to better conversion rates for your business!
    The pioneers of optimized web hosting, featuring LiteSpeed Web Server & SSD Storage - Celebrating 10 Years in Business

  5. #5
    Join Date
    Jul 2004
    Posts
    46
    Yes, I have a second hard disk on the server...
    Can you tell me which folders I shall take backup of on it and how??

    Also tell me, if I am going to get an OS reload, then how much time will my server be offline??

    And then in that case do I again need to do the settings in WHM and install Fantastico and everything as I did when I got the fresh server??

    Your help is appreciated.

  6. #6
    Join Date
    Dec 2004
    Location
    New York, NY
    Posts
    10,710
    Sorry, but I don't really have time to help further. You shouldn't even need to post here if you had your own server admin.

    Thanks,

  7. #7
    Join Date
    Jun 2003
    Posts
    976
    Hosting Champ:
    install and run rootkit hunter from http://www.rootkit.nl/projects/rootkit_hunter.html

  8. #8
    Join Date
    Dec 2003
    Location
    Sunny So. Calif.
    Posts
    213
    Also tell me, if I am going to get an OS reload, then how much time will my server be offline??
    That depends on how long it takes to backup things, have the reload done, and to get the backed up items put back in place and everything checked.

    You really sound like you need to hire an experienced admin! After the reload, your server needs to be locked down IMMEDIATELY or else it may be compromised again in a short time.

    Better to do it right, rather than lose your business due to repeated server outages!

  9. #9
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    14,135
    You really sound like you need to hire an experienced admin! After the reload, your server needs to be locked down IMMEDIATELY or else it may be compromised again in a short time.
    I agree 100% there, but there are a couple of points to be made.
    Firstly, security isn't about one time and it's done. Hacks appear daily, and unless you know 100% of what you're doing, you not only need to have your server secured once, but you need to have that admin keep on the server to see what the problems are and could be.

    Secondly, it's possible (not likely, but possible) that you don't need an OS reload. Again, without having an experienced admin look @ your server, you'll never know.

    The first step you must take, as others have said, is to find a server admin. Without that, you run a lot more risk of being just shut down than with it. Make SURE you ask the right questions of them, as in what they do, etc, and how certain things will be covered, because many "server admins" out there simply run root checks and assume your server is secure. That's nowhere near complete.
    Tom Whiting, WHMCS Guru extraordinaire
    Linux problems? WHMCS Problems? Give me a shout
    Check out my WHMCS Addons

  10. #10
    Greetings:

    chkrootkit and rkhunter only check for root kits; they do not catch other forms of hacking.

    Thank you.
    ---
    Peter M. Abraham
    LinkedIn Profile
