  1. #1
    Just Joined!
    Join Date
    Jun 2009
    Location
    San Jose, CA
    Posts
    9

    Need urgent help


    Experts,

    I am hosting a server at my home network (site:j i l t i n d o t c o m ). I am hosting only a web server with PHP and MySQL.

    However, monitoring the router and switches, I am seeing that some people are using this as a proxy server and/or proxy email server.

    1) email: I used to get the following in my admin email:
    Undeliverable mail: Потеря документов по недобросовестным поставщикам (Russian: "Loss of documents on unscrupulous suppliers")
    I see 20 - 40 of these messages daily. They are still coming after doing this:

    service sendmail stop
    chkconfig sendmail off
    chkconfig sendmail --list
    sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off

    2) Some people are also using this as a proxy server, mainly from Russia.
    Whenever I go to rapidshare or megaupload, it says "your IP is already downloading".
    It is always saying this without any gap for the past 24 hours.


    Please help me fix this

    Thanks in advance
    Jiltin

    Note: This forum does not allow me to post ps -ef output.
    But you can see this output here (remove spaces, convert dot=".", slash="/")

    j i l t i n d o t c o m s l a s h p s e f d o t t x t

  2. #2
    Linux Guru Rubberman
    Join Date
    Apr 2009
    Location
    I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts
    11,527
    It sounds like your system has been hacked. You should shut it down, reboot without internet access. Clean the infected components of the system, install SELinux, and/or implement a firewall. Your web server configuration also needs to be locked down, otherwise you are susceptible to reinfection.

    One last point is that your web server pages have likely been subverted and are infecting your clients when they access your web pages. You need to clean them by reinstalling all of your web pages and scripts.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  3. #3
    Just Joined!
    Join Date
    Jun 2009
    Location
    San Jose, CA
    Posts
    9
    Quote Originally Posted by Rubberman:
    It sounds like your system has been hacked. You should shut it down, reboot without internet access. Clean the infected components of the system, install SELinux, and/or implement a firewall. Your web server configuration also needs to be locked down, otherwise you are susceptible to reinfection.

    One last point is that your web server pages have likely been subverted and are infecting your clients when they access your web pages. You need to clean them by reinstalling all of your web pages and scripts.
    This is very likely the issue. How can I find out whether the server is hacked?

    I have CentOS. "Clean the infected components"? How can I find out?

    What should I do? I do not know. I shut down the email server. I see no login attempts in /var/log/secure.

    Where to start?

  4. #4
    Just Joined!
    Join Date
    Jun 2009
    Location
    San Jose, CA
    Posts
    9
    netstat -tap gives:
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 master.jiltin.com:2208 *:* LISTEN 15743/hpiod
    tcp 0 0 *:mdbs_daemon *:* LISTEN 15458/rpc.statd
    tcp 0 0 *:mysql *:* LISTEN 15961/mysqld
    tcp 0 0 *:sunrpc *:* LISTEN 15423/portmap
    tcp 0 0 master.jiltin.com:ipp *:* LISTEN 15805/cupsd
    tcp 0 0 master.jiltin.com:2207 *:* LISTEN 15779/python
    tcp 0 0 *:http *:* LISTEN 16000/httpd
    tcp 0 0 *:ssh *:* LISTEN 15794/sshd
    tcp 0 0 *:https *:* LISTEN 16000/httpd
    tcp 0 0 *csync-https *:* LISTEN 16000/httpd
    tcp 0 444 ::ffff:192.168.0.100:ssh jiltin.com:tn-timing ESTABLISHED 17742/1
    tcp 0 0 ::ffff:192.168.0.100:http 77-254-135-45.adsl.in:51625 TIME_WAIT -
    tcp 0 128486 ::ffff:192.168.0.100:http c-98-215-155-227.:gemini-lm FIN_WAIT1 -
    tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:apollo-status TIME_WAIT -
    tcp 0 0 ::ffff:192.168.0.100:http c-98-215-155-2ictrography FIN_WAIT2 -
    tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:cnrp TIME_WAIT -
    tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:apollo-cc TIME_WAIT -
    tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:de-spot TIME_WAIT -
    tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:uadtc TIME_WAIT -
    tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:data-insurance TIME_WAIT -
    tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:qip-audup TIME_WAIT -
    tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:sabams TIME_WAIT -
    tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:smpp TIME_WAIT -
    tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:auris TIME_WAIT -
    tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:rbakcup1 TIME_WAIT -
    tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:veronica TIME_WAIT -
    tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:uacs TIME_WAIT -
    tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:ridgeway1 TIME_WAIT -
    tcp 0 0 ::ffff:192.168.0.100:http 45.Red-83-60-149.:lnvstatus TIME_WAIT -
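A triage helper for listings like the one above, added here as an example and not code from the thread: it parses `netstat -tap` output and flags LISTEN sockets that a host meant to serve only web and ssh does not need, marking those bound to all interfaces (on the post's real output that is mysqld, portmap, rpc.statd, cupsd, hpiod and the python listener). The sample lines are constructed in the shape of the post's output.

```python
"""Triage a `netstat -tap` listing: list LISTEN sockets a web-only host need not expose."""
from typing import List, Tuple

# Services the host is meant to offer publicly (web server plus remote admin over ssh).
EXPECTED_SERVICES = {"http", "https", "ssh"}

# Constructed sample in the shape of the thread's `netstat -tap` output.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:mysql *:* LISTEN 15961/mysqld
tcp 0 0 *:sunrpc *:* LISTEN 15423/portmap
tcp 0 0 master.jiltin.com:ipp *:* LISTEN 15805/cupsd
tcp 0 0 *:http *:* LISTEN 16000/httpd
tcp 0 0 *:ssh *:* LISTEN 15794/sshd
tcp 0 0 ::ffff:192.168.0.100:http jiltin.com:cnrp TIME_WAIT -
"""


def parse_listeners(text: str) -> List[Tuple[str, str, str]]:
    """Return (bind_host, service, program) for every TCP socket in LISTEN state."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # Columns: proto recv-q send-q local foreign state pid/program
        if len(fields) < 7 or fields[0] != "tcp" or fields[5] != "LISTEN":
            continue
        bind_host, _, service = fields[3].rpartition(":")
        listeners.append((bind_host, service, fields[6]))
    return listeners


def unexpected_listeners(text: str, expected=EXPECTED_SERVICES) -> List[Tuple[str, str, bool]]:
    """Listeners whose service is not expected; the flag marks all-interface ('*') binds,
    which are reachable from the internet once the router forwards the port."""
    return [
        (service, program, bind_host == "*")
        for bind_host, service, program in parse_listeners(text)
        if service not in expected
    ]


if __name__ == "__main__":
    for service, program, wildcard in unexpected_listeners(SAMPLE_NETSTAT):
        scope = "ALL interfaces" if wildcard else "single address"
        print(f"{service:10} {program:20} bound to {scope}")
```

Anything flagged with the all-interfaces mark (mysql, sunrpc) should be bound to localhost or disabled before worrying about the rest.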

  5. #5
    Just Joined!
    Join Date
    Dec 2008
    Location
    Jakarta ID
    Posts
    3
    Try checking the httpd access and error logs; the attacker may not have hacked into your system, but into some website on your server.

    Regards,

  6. #6
    Just Joined!
    Join Date
    Jun 2009
    Location
    San Jose, CA
    Posts
    9
    Quote Originally Posted by p_nyet View Post
    Trying to check log of httpd access and error, attacker maybe not hacked into your system, but hacking into some website in your server.

    Regards,
    To some extent, I could control the issue. Changed all the passwords, removed the proxy folders from my site (this shows something had happened). There were three proxy folders (HTTP proxies). Rebooted the server.

    Normally, I used to have 5 to 20 concurrent users at my web site.

    As of this time, the activity has reduced after removing the proxy and email server. Need to explore more.

    Please let me know where to start in such a case.
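As an added example (not code from the thread) of the log check p_nyet suggests and of the proxy folders found above: parse Apache combined-format access log lines and count, per client IP, the requests that only make sense against an open proxy (CONNECT tunnels, absolute-URI targets, hits on the proxy script). The `/proxy/` path is a hypothetical stand-in, since the thread does not name the folders, and the log lines are constructed.

```python
"""Scan Apache combined-format access logs for signs of open-proxy abuse."""
import re
from collections import Counter
from typing import Dict, Optional

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'\d{3} \S+ "[^"]*" "[^"]*"$'
)

# Hypothetical path of a web-based proxy script dropped into the docroot; the thread
# mentions three such folders but not their names.
PROXY_PATHS = ("/proxy/",)

# Constructed sample log lines (client IPs and timestamps are made up).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2009:13:55:36 -0700] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2009:13:55:40 -0700] "GET http://rapidshare.com/files/1/a.rar HTTP/1.1" 200 9812 "-" "Wget/1.11"
198.51.100.9 - - [10/Jun/2009:13:55:41 -0700] "CONNECT mail.example.net:25 HTTP/1.1" 405 321 "-" "-"
198.51.100.23 - - [10/Jun/2009:13:56:02 -0700] "GET /proxy/index.php?q=http://megaupload.com/d/x HTTP/1.1" 200 18700 "-" "Opera/9.6"
203.0.113.7 - - [10/Jun/2009:13:56:10 -0700] "POST /contact.php HTTP/1.1" 302 0 "http://jiltin.com/" "Mozilla/5.0"
"""


def classify(line: str) -> Optional[str]:
    """Label a line with the proxy-abuse pattern it matches, or None if it looks normal."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target = m.group("method"), m.group("target")
    if method == "CONNECT":
        return "connect-tunnel"  # tunnelling attempt (e.g. to SMTP) through httpd
    if target.startswith(("http://", "https://")):
        return "absolute-uri"  # forward-proxy style request instead of a local path
    if target.startswith(PROXY_PATHS):
        return "proxy-script"  # hit on the web-based proxy script
    return None


def suspicious_clients(log: str) -> Dict[str, Counter]:
    """Per client IP, how many requests matched each abuse pattern."""
    report: Dict[str, Counter] = {}
    for line in log.splitlines():
        label = classify(line)
        if label:
            host = LOG_RE.match(line).group("host")
            report.setdefault(host, Counter())[label] += 1
    return report
```

Run it over /var/log/httpd/access_log (or the per-vhost logs); any client with a non-empty counter is a starting point for the "where to start" question, and the proxy-script hits show which folder was being used and since when.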

  7. #7
    Linux Enthusiast meton_magis
    Join Date
    Oct 2006
    Location
    arizona
    Posts
    699
    honestly, unless you want to worry about this for the next several years, just wipe and reinstall CentOS, and enable SELinux next time.
    New to the internet, technical forums, or the hacker / open source community??
    Read this to learn good posting habits http://www.catb.org/~esr/faqs/smart-questions.html

    RHCE for RHEL version 5
    RHCT for RHEL version 4

  8. #8
    Just Joined!
    Join Date
    Jun 2009
    Location
    San Jose, CA
    Posts
    9
    I appreciate all the feedback.

    Now the server looks fine. But I would also follow the best practice suggested by meton_magis.

    Thank you Rubberman, p_nyet and meton_magis
