  1. #1

    Owner of malicious files is root

    Today I saw that the /tmp directory on my server had some malicious files, so I will delete them all!

    What surprised me before removing them was that the owner of these files is 'root'; usually the owner of malicious files I see is 'nobody'.

    -rwxrwxrwx 1 root root 19242 Mar 18 21:18 r0nin*
    -rw-r--r-- 1 root root 19242 Mar 18 21:18 r0nin.1
    -rw-r--r-- 1 root root 1089 Feb 26 2001 udp.pl

    My questions:
    1. From where or how can this hacker change the file ownership from 'nobody' to 'root'?
    2. Are these files more dangerous than ones owned by 'nobody'?

    Thank you

  2. #2
    It means your box was rooted, i.e. the hacker has full access. The only solution is to reinstall the OS and patch all holes.

  3. #3

    Wow...

    No one in here will tell you how the person got into your server because no one knows (maybe). And if you want to know if those files are any threat to you, you should google the files, or just look at the code inside the files (would have been nice if you posted it in here, but whatever) and see if it's any danger to you.

    EDIT
    "The only solution is to reinstall the OS and patch all holes."

    That is not the only solution... there are many other ways of solving this problem. If he had done some research he would know.

  4. #4
    No it is the only solution because whoever put those files there already has root access...

  5. #5
    AS1990C, if the box is rooted, the only responsible way to resolve it is to reload the OS. Hackers can put backdoors all over the box and you would never know. chkrootkit and rkhunter do not pick up PAM backdoors, which are getting pretty common.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  6. #6
    The good ole R0n1n backdoor......

    Sometimes you get this because one of your daily-use commands has been swapped with new instructions that invoke something else to open a backdoor while you are root.

    But then again, there are a zillion ways you could have been hacked.

    Check if your SSH is up to date....

    and go reformat...


    P.S. A smart hacker would put a couple of backdoors in, yet he will help you secure the server from other hackers. LOL.

  7. #7
    Can you paste the output of uname -a?
    Server Management - AdminGeekZ.com
    Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
    WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implementation, DDoS Protection, Custom Nginx Modules
    Check our wordpress varnish plugin. Contact us for quote: [email protected]

  8. #8
    I pay every month to a company which offers security management to protect this server.
    I saw their offers:
    CHKRootKit
    RootKit Hunter
    TMP Directory hardening ( /tmp, /var/tmp, /dev/shm)
    Password scan -
    Securing and Upgrading of SSH Server
    APF Firewall
    BFD
    LibSafe Installation
    Log Analysis Software Installation
    SPRI
    Apache HTTP optimization
    MySQL optimization
    host.conf hardening
    nsswitch.conf modification
    sysctl.conf hardening
    Removal of unused software
    MyTOP
    MultiTail

    And after checking my server, their staff said: "now your server is safe".

    My question: are there (found) scripts which can change the owner of files via /tmp at present?

    Thank you
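Two checks a defender would want to run against the listing quoted in post #1 and the "TMP Directory hardening" item in the list above, as an added example that is not code from the thread or from the management company: flag root-owned entries in a /tmp listing (with the executable, setuid and world-writable bits that raise their priority) and report which hardening mount options /tmp is missing. The listing and the /proc/mounts line are constructed samples; the function names are assumptions.

```shell
#!/bin/sh
# Added triage helper, not code from the thread. It runs on a constructed
# "ls -l /tmp" listing (the three entries quoted above plus two benign ones)
# and a constructed /proc/mounts line; for a real triage feed it the live
# output of "ls -l /tmp" and "grep ' /tmp ' /proc/mounts" instead.

SAMPLE_LISTING='-rwxrwxrwx 1 root root 19242 Mar 18 21:18 r0nin
-rw-r--r-- 1 root root 19242 Mar 18 21:18 r0nin.1
-rw-r--r-- 1 root root 1089 Feb 26 2001 udp.pl
-rw------- 1 nobody nobody 512 Mar 18 20:02 sess_abc123
drwx------ 2 www-data www-data 4096 Mar 18 19:00 php-cache'

# Constructed mount line for a /tmp that has NOT been hardened.
SAMPLE_MOUNT='tmpfs /tmp tmpfs rw,relatime 0 0'

# flag_root_owned LISTING: print "<name> <reasons>" for each root-owned entry.
# In a world-writable temp directory only root (or something that already has
# root) can create a root-owned file, so each one needs an explanation; the
# executable and setuid bits raise the priority. Assumes names without spaces.
flag_root_owned() {
    printf '%s\n' "$1" | awk '
        $3 == "root" {
            mode = $1; reasons = "root-owned"
            if (substr(mode, 4, 1) ~ /[xs]/ || substr(mode, 7, 1) ~ /[xs]/ ||
                substr(mode, 10, 1) ~ /[xst]/) reasons = reasons ",executable"
            if (substr(mode, 4, 1) == "s") reasons = reasons ",setuid"
            if (substr(mode, 9, 1) == "w") reasons = reasons ",world-writable"
            print $NF " " reasons
        }'
}

# mount_missing_options MOUNT_LINE: print the hardening options (noexec,
# nosuid, nodev) absent from the mount; empty output means all are present.
mount_missing_options() {
    opts=$(printf '%s\n' "$1" | awk '{print $4}')
    missing=""
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *,"$want",*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

echo "== root-owned entries in the sample /tmp listing =="
flag_root_owned "$SAMPLE_LISTING"
echo "== hardening options missing on the sample /tmp mount =="
mount_missing_options "$SAMPLE_MOUNT"
```

Note that udp.pl has no execute bit and still gets flagged: a root-owned Perl script in /tmp can be run with `perl udp.pl`, so the owner matters more than the mode.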

  9. #9
    Hello,

    If the user is root then they have rooted your server.

    The fact that files were left in /tmp when they were root is very strange; please paste the output of uname -a so we can see what kernel you were running.


    From what you pasted it looks like you have used http://www.fastservermanagement.com

  10. #10
    Your server is now a liability to every other server in the world - get it sorted by a re-install.

    Secondly:
    "usually I saw permission of malicious files are 'nobody'"
    What did you do with these files, just remove them? Did you do any tracing of how they got there? Did you advise your management company about them?
    Nil illegitimi carborundum
    I'm getting old and don't do drugs. I get the same effect just standing up fast.
