  1. #1

    Somebody hacked my server ?

    Hi, I found a process /usr/sbin/httpd running as nobody, then I did a trace in WHM and found this. Is my server hacked?


    send(4, "@\206\1\0\0\1\0\0\0\0\0\0\3irc\10quakenet\3org\0\0\1"..., 34, MSG_NOSIGNAL) = 34
    poll([{fd=4, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
    ioctl(4, FIONREAD, [162]) = 0
    recvfrom(4, "@\206\201\200\0\1\0\10\0\0\0\0\3irc\10quakenet\3org\0\0\1"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("72.36.191.2")}, [16]) = 162
    close(4) = 0
    socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
    ioctl(4, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbffb3718) = -1 EINVAL (Invalid argument)
    _llseek(4, 0, 0xbffb3770, SEEK_CUR) = -1 ESPIPE (Illegal seek)
    ioctl(4, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbffb3718) = -1 EINVAL (Invalid argument)
    _llseek(4, 0, 0xbffb3770, SEEK_CUR) = -1 ESPIPE (Illegal seek)
    fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
    connect(4, {sa_family=AF_INET, sin_port=htons(6665), sin_addr=inet_addr("83.140.172.210")}, 16) = -1 ETIMEDOUT (Connection timed out)
    close(4) = 0
    open("/etc/protocols", O_RDONLY) = 4
    fcntl64(4, F_GETFD) = 0
    fcntl64(4, F_SETFD, FD_CLOEXEC) = 0

  2. #2
    I think you need to hire an admin to check out your system. Also you can use Nobody Check to automatically scan and kill fake nobody HTTP processes.

  3. #3
    Greetings:

    If you are running cpanel, check out http://www.webhostgear.com/353.html

    Thank you.
    ---
    Peter M. Abraham

  4. #4
    Looks like your server is part of a botnet!

  5. #5
    Most likely that's a perl script designed to look like /usr/sbin/httpd. These happen.

    Is the server hacked? That depends on what actually took place, and what kind of script it is. It's impossible to tell IF your server is hacked without knowing more details, and having an admin go through it fully.

  6. #6
    Quote Originally Posted by linux-tech
    Most likely that's a perl script designed to look like /usr/sbin/httpd. These happen.

    Is the server hacked? That depends on what actually took place, and what kind of script it is. It's impossible to tell IF your server is hacked without knowing more details, and having an admin go through it fully.
    I agree. cPanel runs Apache under /usr/local/apache/bin/httpd, so it's likely a perl script.

  7. #7
    recvfrom(4, "@\206\201\200\0\1\0\10\0\0\0\0\3irc\10quakenet\3org\0\0\1"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("72.36.191.2")}, [16]) = 162
    That's typical of an IRC bot!

  8. #8
    Agreed with previous posters. According to the log, it resolved irc.quakenet.org (a known IRC network) and then it tried to connect to 83.140.172.210:6665 (port80a.se.quakenet.org). Since the process was running from nobody, it's very possible that some web software allowed injection.

    In addition to the previous suggestions, I would suggest updating any web software (forums, portals, etc.) to the latest versions and/or installing and configuring mod_security to avoid similar incidents.

    PS: QuakeNet obviously has no relation to the intrusion; it's just an IRC network that someone decided to load his drones onto.
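    To turn the reasoning in the posts above into a repeatable check over a whole strace capture, here is an added example (not code from any poster in this thread): it decodes the escaped DNS payload in the send() line to recover the name that was looked up, and flags connect() calls to ports commonly used by IRC. The two sample lines are copied from the trace in #1; the port list and the "irc." prefix heuristic are my own assumptions.

```python
import re
# Constructed sample: two lines copied from the strace excerpt posted in this thread.
SAMPLE = r'''send(4, "@\206\1\0\0\1\0\0\0\0\0\0\3irc\10quakenet\3org\0\0\1"..., 34, MSG_NOSIGNAL) = 34
connect(4, {sa_family=AF_INET, sin_port=htons(6665), sin_addr=inet_addr("83.140.172.210")}, 16) = -1 ETIMEDOUT (Connection timed out)'''

SEND_RE = re.compile(r'(?:send|sendto|write)\(\d+, "((?:[^"\\]|\\.)*)"')
CONNECT_RE = re.compile(r'connect\(\d+, \{sa_family=AF_INET, sin_port=htons\((\d+)\), '
                        r'sin_addr=inet_addr\("([\d.]+)"\)')
ESC_RE = re.compile(r'\\([0-7]{1,3}|.)')
IRC_PORTS = set(range(6660, 6670)) | {6697}  # assumed: plaintext IRC range plus the usual TLS port

def unescape_strace(s):
    """Turn strace's C-style escaped string (\\206, \\n, \\", ...) back into raw bytes."""
    out, pos = bytearray(), 0
    for m in ESC_RE.finditer(s):
        out += s[pos:m.start()].encode('latin-1')
        tok = m.group(1)
        out.append(int(tok, 8) if tok[0] in '01234567' else {'n': 10, 't': 9, 'r': 13}.get(tok, ord(tok)))
        pos = m.end()
    return bytes(out + s[pos:].encode('latin-1'))

def dns_qname(payload):
    """First question name of a DNS message: 12-byte header, then length-prefixed labels."""
    if len(payload) < 12 or payload[4:6] != b'\x00\x01':  # QDCOUNT must be 1 for a plain query
        return None
    labels, i = [], 12
    while i < len(payload):
        n, i = payload[i], i + 1
        if n == 0:
            return '.'.join(labels) or None
        if n & 0xC0 or i + n > len(payload):  # compression pointer or truncated capture
            return None
        labels.append(payload[i:i + n].decode('ascii', 'replace'))
        i += n
    return None

def analyze(strace_text):  # -> list of (kind, detail): names looked up and connect() targets
    findings = []
    for line in strace_text.splitlines():
        if m := SEND_RE.match(line.strip()):
            name = dns_qname(unescape_strace(m.group(1)))
            if name:
                findings.append(('dns_query', name))
        elif m := CONNECT_RE.match(line.strip()):
            port, ip = int(m.group(1)), m.group(2)
            findings.append(('irc_connect' if port in IRC_PORTS else 'connect', f'{ip}:{port}'))
    return findings

def looks_like_irc_bot(findings):  # resolved an irc.* name or connected to an IRC port
    return any(k == 'irc_connect' or (k == 'dns_query' and d.startswith('irc.')) for k, d in findings)
```

    Feed it the full strace output (strace -f -s 256 on the suspect PID) rather than the truncated excerpt; the -s option matters because strace cuts strings at 32 bytes by default, which is why the posted lines end in "...".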
