DOS attack and IRC Server install
01-28-2011 #1 (Just Joined!; Join Date: Jan 2011; Posts: 3)
Hi,
I have a server with 1and1 - I've had notifications from them that my server has been attacked and is currently infected:
These are the details:
Email regarding hacking attack on other servers:
| 82.XXX.XXX.59 | 2011-01-04 07:13:26 | ovation | 13550998 | e107 BBCode Arbitrary PHP Code Execution Vulnerability |
Then a Denial of Service email:
Due to an incoming UDP flood Denial of Service attack, the following IP addresses have been temporarily black-holed:
82.XXX.XXX.59
This is a brief snip from the DOS log:
07:48:06.236426 IP XXX.XXX.XXX.XXX.45241 > 82.XXX.XXX.59.53:
Then the notification of IRC channel:
We found that IP 82.XXX.XXX.59 is an IRC server. We found that this server has been involved in mass scanning of other networks and provides IRC to illegal bots.
I installed chkrootkit, and this is the answer (what the heck do I do now???):
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... INFECTED
Checking `inetd'... Unknown HZ value! (194) Assume 100.
not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... INFECTED
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... INFECTED
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... Unknown HZ value! (194) Assume 100.
not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... Unknown HZ value! (194) Assume 100.
not infected
Checking `tcpdump'... not infected
Checking `top'... INFECTED
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... /etc/ld.so.hash
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit installed
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/mailman/.qmail /lib/.libssl.so.6.hmac /lib/.libcrypto.so.6.hmac /lib/.libcrypto.so.0.9.8e.hmac /lib/.libssl.so.0.9.8e.hmac
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... /usr/include/file.h /usr/include/proc.h
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... Possible ShKit rootkit installed
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... Unknown HZ value! (194) Assume 100.
You have 33 process hidden for readdir command
You have 36 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
eth0:1: PF_PACKET(/sbin/dhclient)
Checking `w55808'... not infected
Checking `wted'... 1 deletion(s) between Sun Jan 23 14:41:42 2011 and Mon Jan 24 09:54:54 2011
1 deletion(s) between Mon Jan 24 19:03:48 2011 and Tue Jan 25 07:28:22 2011
1 deletion(s) between Wed Jan 26 14:34:49 2011 and Wed Jan 26 23:53:31 2011
1 deletion(s) between Fri Jan 28 01:30:11 2011 and Fri Jan 28 02:50:17 2011
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... Unknown HZ value! (194) Assume 100.
=> possibly 3 deletion(s) detected in /var/run/utmp !
The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 3443 pts/1 -mail
! root 3444 pts/1 /bin/sh
! root 3633 pts/1 su
! root 3634 pts/1 bash
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected
Thanks Guys
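The chkrootkit report above is long and mixes clean, untested and positive results, which makes it hard to see at a glance what actually matters. The script below is an added example, not part of the original post and not chkrootkit's own code: it parses the standard chkrootkit line formats (`Checking \`name'... result`, `Searching for ... result`, the chkproc "process hidden" messages and the wted/chkutmp deletion messages) into the finding classes a responder prioritises, and gives a coarse verdict. The embedded sample input is a constructed subset of the output posted in this thread.

```python
import re
from typing import Dict, List

# Constructed sample input: a subset of the chkrootkit output posted in the
# thread, embedded here so the parser runs offline.
SAMPLE = """\
ROOTDIR is `/'
Checking `basename'... not infected
Checking `ifconfig'... INFECTED
Checking `inetd'... Unknown HZ value! (194) Assume 100.
not tested
Checking `netstat'... INFECTED
Checking `pstree'... INFECTED
Checking `top'... INFECTED
Checking `aliens'... /etc/ld.so.hash
Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit installed
Searching for suspicious files and dirs, it may take a while...
/usr/lib/mailman/.qmail /lib/.libssl.so.6.hmac /lib/.libcrypto.so.6.hmac
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Searching for Romanian rootkit... /usr/include/file.h /usr/include/proc.h
Searching for ShKit rootkit default files and dirs... Possible ShKit rootkit installed
Checking `bindshell'... INFECTED (PORTS: 465)
You have 33 process hidden for readdir command
You have 36 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
Checking `wted'... 1 deletion(s) between Sun Jan 23 14:41:42 2011 and Mon Jan 24 09:54:54 2011
1 deletion(s) between Mon Jan 24 19:03:48 2011 and Tue Jan 25 07:28:22 2011
=> possibly 3 deletion(s) detected in /var/run/utmp !
"""

CHECK_RE = re.compile(r"^Checking `(?P<name>[^']+)'\.\.\. ?(?P<result>.*)$")
SEARCH_RE = re.compile(r"^Searching for (?P<name>.+?)\.\.\. ?(?P<result>.*)$")
HIDDEN_RE = re.compile(r"^You have (?P<n>\d+) process(?:es)? hidden for (?P<cmd>\w+) command")
DELETION_RE = re.compile(r"\d+ deletion\(s\)")
PORTS_RE = re.compile(r"PORTS: ([\d ]+)")


def triage(output: str) -> Dict[str, List[str]]:
    """Group chkrootkit output into the finding classes a responder cares about.
    Every key is always present; an empty list means nothing of that kind."""
    f: Dict[str, List[str]] = {
        "infected_binaries": [],   # trojaned system binaries (ifconfig, netstat, ...)
        "bindshell_ports": [],     # listening ports flagged by the bindshell check
        "possible_rootkits": [],   # "Possible ... installed" signatures, LKM warning
        "suspicious_files": [],    # paths chkrootkit listed as suspect
        "hidden_processes": [],    # chkproc readdir/ps discrepancies
        "log_tampering": [],       # wtmp/utmp deletions
    }
    expect_paths = False
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if expect_paths:
            # The "suspicious files and dirs" search prints its hits on the next line.
            expect_paths = False
            if line.startswith("/"):
                f["suspicious_files"].extend(line.split())
                continue
        m = CHECK_RE.match(line)
        if m:
            name, result = m.group("name"), m.group("result")
            if result.startswith("INFECTED"):
                ports = PORTS_RE.search(result)
                if ports:
                    f["bindshell_ports"].extend(ports.group(1).split())
                else:
                    f["infected_binaries"].append(name)
            elif result.startswith("/"):
                f["suspicious_files"].extend(result.split())
            elif DELETION_RE.search(result):
                f["log_tampering"].append(f"{name}: {result}")
            continue
        m = SEARCH_RE.match(line)
        if m:
            result = m.group("result")
            if not result:
                expect_paths = True
            elif "Possible" in result:
                f["possible_rootkits"].append(result)
            elif result.startswith("/"):
                f["suspicious_files"].extend(result.split())
            continue
        m = HIDDEN_RE.match(line)
        if m:
            f["hidden_processes"].append(f"{m.group('n')} hidden from {m.group('cmd')}")
        elif "Possible LKM Trojan" in line:
            f["possible_rootkits"].append(line)
        elif DELETION_RE.search(line):
            f["log_tampering"].append(line.lstrip("=> "))
    return f


def verdict(f: Dict[str, List[str]]) -> str:
    """Coarse outcome. Trojaned system binaries or processes hidden from ps
    mean the host can no longer be trusted to report on itself."""
    if f["infected_binaries"] or f["hidden_processes"]:
        return "rebuild"
    if any(f[k] for k in ("possible_rootkits", "suspicious_files",
                          "bindshell_ports", "log_tampering")):
        return "investigate"
    return "clean"


if __name__ == "__main__":
    findings = triage(SAMPLE)
    for key, items in findings.items():
        print(f"{key}: {items}")
    print("verdict:", verdict(findings))
```

Two notes on reading the verdict against this particular report. Some of the individual items are known chkrootkit false positives that deserve a look before they are counted: the `.hmac` files under `/lib` are the FIPS integrity files shipped with the openssl package on RHEL/CentOS-style systems, port 465 is the standard SMTPS port so a mail server will legitimately listen on it, and "Unknown HZ value!" is only a warning about the kernel tick rate. None of that explains four trojaned binaries, dozens of processes hidden from `ps`, an LKM warning and repeated deletions from `wtmp`, which is why the script's verdict rests on the binaries and hidden processes rather than on the signature hits.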
01-28-2011 #2
ERASE and REBUILD. Before you go back on-line I would attempt to figure out how they got in.
Do you use strong passwords or something that can be broken with a dictionary attack?
Do you update your system often?
Do you check your logs on a daily basis?
Do you run some sort of system program that checks for files that have been changed, like AIDE?
I would also look at locking down the system so that they cannot get in. Maybe running the server in a chroot environment so the whole system isn't compromised.
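The reply's suggestion to run a file-integrity checker like AIDE can be illustrated with a small baseline-and-compare script. This is an added example, not AIDE itself and not code from the thread: it fingerprints every regular file under a directory (content hash plus size, mode and ownership), stores the baseline as JSON, and later reports added, removed and modified files. The `demo()` function builds a scratch tree in a temporary directory, takes a baseline, then simulates the kind of changes the chkrootkit report above points to (a replaced binary, a new hidden library, a deleted file). All paths, file names and contents in it are constructed for the demonstration.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

HASH_ALGO = "sha256"
Baseline = Dict[str, Dict[str, object]]


def _fingerprint(path: Path) -> Dict[str, object]:
    """Hash the content and record the metadata a trojaned binary usually disturbs."""
    st = path.lstat()
    h = hashlib.new(HASH_ALGO)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return {
        "hash": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def build_baseline(root: Path) -> Baseline:
    """Walk `root` and fingerprint every regular file; symlinks are skipped."""
    baseline: Baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[str(p.relative_to(root))] = _fingerprint(p)
    return baseline


def save_baseline(baseline: Baseline, dest: Path) -> None:
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> Baseline:
    return json.loads(src.read_text())


def compare(old: Baseline, new: Baseline) -> Dict[str, List[str]]:
    """Diff two baselines. A file counts as modified if any recorded attribute differs."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(k for k in set(old) & set(new) if old[k] != new[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a scratch tree, tamper with it, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"
        (root / "sbin").mkdir(parents=True)
        (root / "lib").mkdir()
        (root / "sbin" / "ifconfig").write_bytes(b"#!/bin/sh\necho original\n")
        (root / "sbin" / "netstat").write_bytes(b"#!/bin/sh\necho original\n")
        (root / "lib" / "libfoo.so").write_bytes(b"\x7fELF constructed placeholder")
        store = Path(tmp) / "baseline.json"      # in real use: stored off-host
        save_baseline(build_baseline(root), store)

        # Simulated tampering of the kind chkrootkit reported in the thread.
        (root / "sbin" / "ifconfig").write_bytes(b"#!/bin/sh\necho trojaned\n")
        (root / "lib" / ".hidden.so").write_bytes(b"constructed payload")
        (root / "sbin" / "netstat").unlink()

        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two points matter when using something like this for real. The baseline has to be taken on a known-clean system and kept where an attacker with root on the host cannot rewrite it (off-host, or on read-only media), otherwise a compromise simply updates the baseline along with the binaries. And on a host in the state described in the thread, with trojaned `ifconfig`, `netstat` and `top` and processes hidden from `ps`, the kernel's own answers are suspect, so the check is only meaningful when run from clean boot media against the mounted disk; it belongs in the rebuild plan rather than as a way to salvage the current install.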