  1. #1

    I have a txt on my server with millions of passwords

    I'm very frustrated because I found a "****.txt" in the root directory of my server with a lot of usernames and passwords (24 MB)

    Example:
    <<removed, as they might be active accounts>>

    I only put the first lines here, but I have Yahoo, Hotmail, Facebook passwords, etc.

    HELP ME PLS!! Obviously somebody hacked my server and is somehow getting or generating this .txt.
    What can I do ?

    thks, cheers!
    Last edited by bear; 07-20-2009 at 07:40 AM.

  2. #2
    Looks like the output of some keylogger; hire an administrator to find the source of the compromise and address it.

  3. #3
    I don't think that would be a keylogger, unless OP is typing all those users / passes.
    There is some sort of compromise, probably someone using the system as a brute-force source... either directly compromised or as a proxy / bounce.

    You do need to get an admin in so you can stop what it's doing, or complaints are going to come your way very soon, if they haven't already. This would almost certainly be a service suspending offense.

  4. #4
    Quote Originally Posted by mugo
    I don't think that would be a keylogger, unless OP is typing all those users / passes.
    There is some sort of compromise, probably someone using the system as a brute-force source... either directly compromised or as a proxy / bounce.

    You do need to get an admin in so you can stop what it's doing, or complaints are going to come your way very soon, if they haven't already. This would almost certainly be a service suspending offense.
    I was saying it looks like the output of some keyloggers (i.e. the output of the keyloggers is being logged to his system). The reason for that assumption is just based on the fact that the YouTube links record from the signup, to the email confirmation, to the login, which is unlikely to be a brute force. They also record residential IPs.

  5. #5
    Quote Originally Posted by Scott.Mc
    I was saying it looks like the output of some keyloggers (i.e. the output of the keyloggers is being logged to his system). The reason for that assumption is just based on the fact that the YouTube links record from the signup, to the email confirmation, to the login, which is unlikely to be a brute force. They also record residential IPs.
    Oh, OK, I see.

    I did not know that.

    He sure needs someone to look at that box, sooner rather than later.

    Maybe someone can suggest a good admin so he won't have to toss a dart and hope for the best.

  6. #6
    Change your password.

  7. #7
    Does look like a keylogger output or something. Sounds like your box has been rooted/hacked.

    First things first:

    Run a good virus scanner and a good online one (Kaspersky online scan, for example) and a good anti-spyware program (SpyBot Search and Destroy?) on *your* computer. Maybe you have a keylogger and they got your server's root password.

    Then, once you are clean, change the server's password.

    If you don't have much experience of server management, go with someone like PSM. Also note the security steps they take:

    CHKRootKit - a simple program that detects hacker software and notifies you if any has been detected via email
    RootKit Hunter - scanning tool to ensure your system does not have any backdoors or exploits
    Securing and Upgrading of SSH Server - increases security during ssh connections
    APF or CSF Firewall - most commonly used policy based iptables firewall (APF will be installed by default unless CSF is requested)
    Anti-DoS configuration for APF Firewall - helps mitigate denial of service type attacks
    Brute Force Detection - notifies you of numerous login authentication failures and automatically blocks the attackers ip in the firewall
    Log Analysis Software Installation - Emails are dispatched daily, the amount of detail in the emails can be changed on request
    System Integrity Monitor - 24x7 Internal Monitor that checks all services and restarts them if they are down
    SPRI - changes the priority of different processes in accordance to level of importance, hence increasing server performance
    Secure and Optimize Apache (HTTP) - tweaks apache to perform better, and prevent unnecessary information from being easily seen
    MySQL optimization - increases performance of MySQL
    host.conf hardening - prevent DNS lookup poisoning & spoofing protection
    nsswitch.conf modification - secure and optimize DNS lookups
    sysctl.conf hardening - helps prevent TCP/IP stack from syn-flood attacks and other network abuses
    FTP Hardening - upgrade and secure your ftp software
    Removal of unused software - prevents exploits and wasted resources
    Removal of old logs - regain wasted space by deleting old archived logs
    Shell Fork Bomb/Memory Hog Protection - prevents a user logged into a shell from consuming all the resources on the server
    Root Logger - logs and emails you every time someone accesses root with the timestamp and their IP address
    MyTOP - tool for monitoring MySQL threads and processes
    MultiTail - view multiple log files simultaneously
    TMP Directory hardening ( /tmp, /var/tmp, /dev/shm) - helps prevent execution of malicious scripts
    Password Scanner - scans for easy to guess and common passwords
    Filemanager - allows you to edit system files through WHM in case SSH is inaccessible
    Firewall Admin - allows you to edit firewall allow & deny list and config through WHM
    Also read around the VPS and dedicated server tutorials (the 'secure your server') one to ensure you are as secure as possible.

  8. #8
    You must determine who or what is writing to that file (assuming it is being updated as we speak) and what protocols are being used to do so.
    If you require assistance <<ask here>>. As long as you don't modify and/or remove the file, you shouldn't be in any immediate danger.
    Last edited by bear; 07-20-2009 at 07:45 AM.
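The check suggested in the post above, working out which process is writing the file before anything is touched, done as an added example that is not part of the thread. It reads the standard Linux /proc layout (/proc/<pid>/fd, fdinfo, cmdline, exe) directly instead of shelling out to lsof, so it works on a stripped box and can be pointed at a copy of /proc; it needs to run as root to see every process, and the file path to inspect is passed on the command line (the thread's real file name was redacted).

```python
"""Find which processes hold a given file open, using /proc directly.

Added example, not code from the thread. Assumes the standard Linux
/proc layout; run as root so every process's fd table is readable.
"""
import os
import sys

# Low two bits of the octal "flags:" line in /proc/<pid>/fdinfo/<fd>
O_ACCMODE = 0o3
O_WRONLY = 0o1
O_RDWR = 0o2


def _read_text(path, default=""):
    try:
        with open(path, "rb") as fh:
            return fh.read().decode("utf-8", "replace")
    except OSError:
        return default


def _readlink(path):
    try:
        return os.readlink(path)
    except OSError:
        return ""


def fd_is_writable(fdinfo_text):
    """Parse the octal 'flags:' line of an fdinfo file.
    True when the descriptor was opened O_WRONLY or O_RDWR."""
    for line in fdinfo_text.splitlines():
        if line.startswith("flags:"):
            flags = int(line.split(":", 1)[1].strip(), 8)
            return (flags & O_ACCMODE) in (O_WRONLY, O_RDWR)
    return False


def find_openers(target, proc_root="/proc"):
    """Return one record per (pid, fd) that currently refers to `target`.

    Each record carries the pid, the command line, the binary the process
    was started from (a '(deleted)' suffix means it was dropped and then
    unlinked, a classic malware habit) and whether the fd can write.
    """
    target = os.path.realpath(target)
    hits = []
    for pid in sorted((d for d in os.listdir(proc_root) if d.isdigit()), key=int):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:          # process exited, or we lack permission
            continue
        for fd in fds:
            link = _readlink(os.path.join(fd_dir, fd))
            # an fd on an unlinked file reads "/path (deleted)"; still count it
            if link.split(" (deleted)")[0] != target:
                continue
            cmdline = _read_text(os.path.join(proc_root, pid, "cmdline"))
            hits.append({
                "pid": int(pid),
                "fd": int(fd),
                "cmd": cmdline.replace("\0", " ").strip(),
                "exe": _readlink(os.path.join(proc_root, pid, "exe")),
                "writable": fd_is_writable(
                    _read_text(os.path.join(proc_root, pid, "fdinfo", fd))),
            })
    return hits


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: find_openers.py /path/to/suspect/file")
    for hit in find_openers(sys.argv[1]):
        mode = "WRITE" if hit["writable"] else "read"
        print(f"pid {hit['pid']} fd {hit['fd']} [{mode}] exe={hit['exe']!r} cmd={hit['cmd']!r}")
```

If nothing shows up, the file is being written in short bursts (a cron job, or a network listener that opens, appends and closes); in that case `auditctl -w <file> -p wa` or a long `inotifywait` on the directory will catch the writer's pid the next time it appends. Whatever turns up, note the pid's exe, its open sockets and its parent before killing anything, because the thread's point stands: the process is evidence.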

  9. #9
    Anything in logs?

  10. #10
    If it's in your /root folder you've certainly been rooted. Time for a reload and have a professional lock it down next time to help prevent this from occurring again.

  11. #11

    log with Rkhunter

    Hi guys ... if it's necessary I will hire a professional, but before that, maybe with your experience and enthusiasm we can do something to fix this

    anyway ..

    Here is the log for the scan with Rkhunter

    My OS is Fedora

  12. #12
    Have you seen any phishing sites or any odd mail?

  13. #13
    I would take the list and see what you can do about contacting some of those people; otherwise, reload, harden, strong passwords, my friend...
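One way to act on the suggestion above, working out who has to be contacted without spreading the plaintext passwords any further, as an added example that is not from the thread. The record layout is an assumption, since the real lines were removed from the first post: one credential per line as "URL, tab, username, tab, password", roughly what a keylogger drop writes. The sample dump is constructed. Passwords are reduced to a keyed HMAC tag, which is enough to see the same password reused across services (those people need to rotate everywhere) while the report itself never carries a password.

```python
"""Triage a recovered credential dump for victim notification.

Added example, not code from the thread. Assumed line layout:
"URL\tusername\tpassword". Passwords never reach the report; they are
replaced by a keyed fingerprint so reuse across services is still visible.
"""
import hashlib
import hmac
import os
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample data, not lines from the thread.
SAMPLE_DUMP = (
    "http://www.youtube.com/signup\talice@example.com\tSunshine1\n"
    "http://login.yahoo.com/config/login\talice@example.com\tSunshine1\n"
    "http://www.facebook.com/login.php\tbob.smith\tqwerty\n"
    "http://login.live.com/login.srf\tcarol@example.org\thotmail99\n"
    "garbage line without the expected fields\n"
    "http://www.youtube.com/login\tdave\tSunshine1\n"
)


def site_of(url):
    """Group by the last two host labels (www.youtube.com -> youtube.com).
    A real tool would use the Public Suffix List for co.uk-style hosts."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def parse_dump(text):
    """Return ([(line_no, site, user, password)], skipped_count).
    Malformed lines are counted and skipped; a dirty file must not abort the run."""
    records, skipped = [], 0
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split("\t")
        if len(fields) != 3 or not fields[0].startswith(("http://", "https://")):
            skipped += 1
            continue
        url, user, password = fields
        records.append((line_no, site_of(url), user.strip(), password))
    return records, skipped


def fingerprint(password, key):
    """Keyed tag: equal passwords give equal tags, but without the key the
    tag cannot be turned back into the password by offline guessing."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def triage(text, key):
    records, skipped = parse_dump(text)
    users_by_site = defaultdict(set)
    accounts_by_fp = defaultdict(set)
    for _, site, user, password in records:
        users_by_site[site].add(user)
        accounts_by_fp[fingerprint(password, key)].add((site, user))
    return {
        "skipped_lines": skipped,
        "accounts_per_site": {s: len(u) for s, u in users_by_site.items()},
        "users_per_site": {s: sorted(u) for s, u in users_by_site.items()},
        # one password behind several (site, user) pairs: tell those people
        # to rotate it everywhere, not just on the service in the dump
        "reused": {fp: sorted(a) for fp, a in accounts_by_fp.items() if len(a) > 1},
    }


if __name__ == "__main__":
    report = triage(SAMPLE_DUMP, os.urandom(32))   # fresh key per run
    for site, n in sorted(report["accounts_per_site"].items()):
        print(f"{site}: {n} account(s) to notify")
    print(f"{report['skipped_lines']} unparseable line(s), "
          f"{len(report['reused'])} password(s) reused across accounts")
```

The per-site user lists are what goes to each provider's abuse contact; the dump itself stays on the disk image you preserved, not in mail.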
