    Linux Forums > GNU Linux Zone > Linux Security > Need urgent help
 Linux Security   Discussion about keeping your machines secure, and the crackers out.
Old 06-07-2009   #1 (permalink)
Just Joined!
 
Join Date: Jun 2009
Location: San Jose, CA
Posts: 5
Need urgent help

Experts,

I am hosting a server on my home network (site: j i l t i n d o t c o m). I am hosting only a web server with PHP and MySQL.

However, monitoring the router and switches, I am seeing that some people are using it as a proxy server and/or proxy email server.

1) Email: I have been getting the following at my admin email address:
Undeliverable mail: Потеря документов по недобросовестным поставщикам
I see 20 - 40 such messages daily. They are still coming after doing this:

service sendmail stop
chkconfig sendmail off
chkconfig sendmail --list
sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off

2) Some people are also using it as a proxy server, mainly from Russia.
Whenever I go to Rapidshare or Megaupload, it says my IP is already downloading.
It has been saying this without any gap for the past 24 hours.


Please help me fix this.

Thanks in advance
Jiltin

Note: This forum does not allow me to post ps -ef output.
But you can see this output here (remove spaces, convert dot=".", slash="/")

j i l t i n d o t c o m s l a s h p s e f d o t t x t
Old 06-07-2009   #2 (permalink)
Linux Guru
 
Join Date: Apr 2009
Location: I can be found either 40 miles west of Chicago, or in a galaxy far, far away.
Posts: 2,662
It sounds like your system has been hacked. You should shut it down, reboot without internet access. Clean the infected components of the system, install SELinux, and/or implement a firewall. Your web server configuration also needs to be locked down, otherwise you are susceptible to reinfection.

One last point is that your web server pages have likely been subverted and are infecting your clients when they access your web pages. You need to clean them by reinstalling all of your web pages and scripts.
__________________
Sometimes, real fast is almost as good as real time.
Old 06-08-2009   #3 (permalink)
Just Joined!
 
Join Date: Jun 2009
Location: San Jose, CA
Posts: 5
Quote:
Originally Posted by Rubberman View Post
It sounds like your system has been hacked. You should shut it down, reboot without internet access. Clean the infected components of the system, install SELinux, and/or implement a firewall. Your web server configuration also needs to be locked down, otherwise you are susceptible to reinfection.

One last point is that your web server pages have likely been subverted and are infecting your clients when they access your web pages. You need to clean them by reinstalling all of your web pages and scripts.
This is very likely the issue. How can I find out whether the server is hacked?

I have CentOS. "Clean the infected components"? How can I find out?

What should I do? I do not know. I shut down the email server. I see no login attempts in /var/log/secure.

Where do I start?
Old 06-08-2009   #4 (permalink)
Just Joined!
 
Join Date: Jun 2009
Location: San Jose, CA
Posts: 5
netstat -tap gives:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 master.jiltin.com:2208 *:* LISTEN 15743/hpiod
tcp 0 0 *:mdbs_daemon *:* LISTEN 15458/rpc.statd
tcp 0 0 *:mysql *:* LISTEN 15961/mysqld
tcp 0 0 *:sunrpc *:* LISTEN 15423/portmap
tcp 0 0 master.jiltin.com:ipp *:* LISTEN 15805/cupsd
tcp 0 0 master.jiltin.com:2207 *:* LISTEN 15779/python
tcp 0 0 *:http *:* LISTEN 16000/httpd
tcp 0 0 *:ssh *:* LISTEN 15794/sshd
tcp 0 0 *:https *:* LISTEN 16000/httpd
tcp 0 0 *csync-https *:* LISTEN 16000/httpd
tcp 0 444 ::ffff:192.168.0.100:ssh jiltin.com:tn-timing ESTABLISHED 17742/1
tcp 0 0 ::ffff:192.168.0.100:http 77-254-135-45.adsl.in:51625 TIME_WAIT -
tcp 0 128486 ::ffff:192.168.0.100:http c-98-215-155-227.:gemini-lm FIN_WAIT1 -
tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:apollo-status TIME_WAIT -
tcp 0 0 ::ffff:192.168.0.100:http c-98-215-155-2ictrography FIN_WAIT2 -
tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:cnrp TIME_WAIT -
tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:apollo-cc TIME_WAIT -
tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:de-spot TIME_WAIT -
tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:uadtc TIME_WAIT -
tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:data-insurance TIME_WAIT -
tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:qip-audup TIME_WAIT -
tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:sabams TIME_WAIT -
tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:smpp TIME_WAIT -
tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:auris TIME_WAIT -
tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:rbakcup1 TIME_WAIT -
tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:veronica TIME_WAIT -
tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:uacs TIME_WAIT -
tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:ridgeway1 TIME_WAIT -
tcp 0 0 ::ffff:192.168.0.100:http 45.Red-83-60-149.:lnvstatus TIME_WAIT -
Old 06-08-2009   #5 (permalink)
Just Joined!
 
Join Date: Dec 2008
Location: Jakarta ID
Posts: 3
Try checking the httpd access and error logs; the attacker may not have hacked into your system, but into some website on your server.

Regards,
Old 06-08-2009   #6 (permalink)
Just Joined!
 
Join Date: Jun 2009
Location: San Jose, CA
Posts: 5
Quote:
Originally Posted by p_nyet View Post
Try checking the httpd access and error logs; the attacker may not have hacked into your system, but into some website on your server.

Regards,
To some extent, I could control the issue. I changed all the passwords and removed the proxy folders from my site (this shows something had happened). There were three proxy folders (HTTP proxies). I rebooted the server.

Normally, I used to have 5 to 20 concurrent users at my web site.

As of this time, the activity has reduced after removing the proxy and email server. I need to explore more.

Please let me know where to start in such a case.
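An added example, not code from the thread or from CentOS, that turns p_nyet's advice into a concrete check and covers what jiltin found in post #6: it scans Apache access-log lines for proxy-style requests and for PHP scripts living under directories that are not part of the site's known layout. The sample log lines, the documentation-range IPs and the KNOWN_DIRS allow-list are constructed assumptions; point it at the real log and edit KNOWN_DIRS for the actual site.

```python
"""Scan httpd access-log lines for open-proxy abuse indicators.
Added example for this thread, not tooling from the forum or CentOS. Flags
(1) proxy-style request lines (CONNECT, or GET of an absolute http URI), and
(2) PHP scripts under directories not in KNOWN_DIRS, the way dropped "proxy
folders" like those in post #6 show up in the log."""
import re
from collections import Counter

# Apache common/combined format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" \d{3} \S+')

# Assumed allow-list of the site's legitimate top-level directories.
KNOWN_DIRS = {"/", "/blog", "/images", "/css", "/js"}

# Constructed sample lines using documentation IP ranges, not real visitors.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Jun/2009:10:01:02 +0000] "GET http://rapidshare.com/files/1/a.rar HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Jun/2009:10:01:03 +0000] "CONNECT smtp.example.net:25 HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.7 - - [08/Jun/2009:10:02:00 +0000] "GET /tmp/prx/browse.php?u=http://megaupload.com/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [08/Jun/2009:10:03:00 +0000] "GET /blog/index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [08/Jun/2009:10:03:01 +0000] "GET /images/logo.png HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]

def classify(line):
    """Return an indicator label for one log line, or None if it looks normal."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or unrecognised line: skip rather than guess
    method, target = m.group("method").upper(), m.group("target").lower()
    if method == "CONNECT":  # tunnel request: only ever sent to a proxy
        return "proxy-connect"
    if target.startswith(("http://", "https://")):  # absolute URI: proxy-style GET
        return "proxy-absolute-uri"
    path = target.split("?", 1)[0]
    parts = path.strip("/").split("/")
    top = "/" + parts[0] if len(parts) > 1 else "/"  # first path segment, or docroot
    if path.endswith(".php") and top not in KNOWN_DIRS:
        return "php-outside-known-dirs"
    return None

def scan(lines):
    """Count indicator hits per client IP; returns {ip: Counter(label -> n)}."""
    hits = {}
    for line in lines:
        label = classify(line)
        if label:
            ip = line.split(" ", 1)[0]
            hits.setdefault(ip, Counter())[label] += 1
    return hits
```

Run `scan(open("/var/log/httpd/access_log"))` and review any IP that appears; a hit on `php-outside-known-dirs` points at a directory in the web root that deserves a look before anything else.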
Old 06-08-2009   #7 (permalink)
Linux User
 
Join Date: Oct 2006
Location: arizona
Posts: 395
honestly, unless you want to worry about this for the next several years, just wipe and reinstall CentOS, and enable SELinux next time.
__________________
New to the internet, technical forums, or the hacker / open source community??
Read this to learn good posting habits http://www.catb.org/~esr/faqs/smart-questions.html

RHCT for RHEL version 4
echo "$whatever_youre_saying" > /dev/null
Old 06-08-2009   #8 (permalink)
Just Joined!
 
Join Date: Jun 2009
Location: San Jose, CA
Posts: 5
I appreciate all the feedback.

Now the server looks fine. But, I would also follow the best practice suggested by meton_magis.

Thank you Rubberman, p_nyet and meton_magis
© 2000 - 2009 - All Rights Reserved - Property of  MAS Media