  1. #1 Just Joined! (joined Jan 2011, 3 posts)

    DOS attack and IRC Server install


    Hi,

    I have a server with 1and1 - I've had notifications from them that my server has been attacked and is currently infected:

    These are the details:

    Email regarding hacking attack on other servers:
    | 82.XXX.XXX.59 | 2011-01-04 07:13:26 | ovation| 13550998 | e107 BBCode Arbitrary PHP Code Execution Vulnerability |
    Then a Denial of Service email:
    Due to an incoming UDP flood
    Denial of Service attack, the following IP addresses have been temporarily black-holed:

    82.XXX.XXX.59

    This is a brief snip from the DOS log:

    07:48:06.236426 IP XXX.XXX.XXX.XXX.45241 > 82.XXX.XXX.59.53:
    Then the notification of the IRC channel:

    we found that IP 82.XXX.XXX.59 is an IRC Server. We found that this server has been involved in mass scanning of other networks and in providing IRC to illegal bots.

    I installed chkrootkit, and this is the answer:

    ROOTDIR is `/'
    Checking `amd'... not found
    Checking `basename'... not infected
    Checking `biff'... not found
    Checking `chfn'... not infected
    Checking `chsh'... not infected
    Checking `cron'... not infected
    Checking `crontab'... not infected
    Checking `date'... not infected
    Checking `du'... not infected
    Checking `dirname'... not infected
    Checking `echo'... not infected
    Checking `egrep'... not infected
    Checking `env'... not infected
    Checking `find'... not infected
    Checking `fingerd'... not found
    Checking `gpm'... not found
    Checking `grep'... not infected
    Checking `hdparm'... not infected
    Checking `su'... not infected
    Checking `ifconfig'... INFECTED
    Checking `inetd'... Unknown HZ value! (194) Assume 100.
    not tested
    Checking `inetdconf'... not found
    Checking `identd'... not found
    Checking `init'... not infected
    Checking `killall'... not infected
    Checking `ldsopreload'... not infected
    Checking `login'... not infected
    Checking `ls'... not infected
    Checking `lsof'... not infected
    Checking `mail'... not infected
    Checking `mingetty'... not infected
    Checking `netstat'... INFECTED
    Checking `named'... not infected
    Checking `passwd'... not infected
    Checking `pidof'... not infected
    Checking `pop2'... not found
    Checking `pop3'... not found
    Checking `ps'... not infected
    Checking `pstree'... INFECTED
    Checking `rpcinfo'... not infected
    Checking `rlogind'... not found
    Checking `rshd'... not found
    Checking `slogin'... not infected
    Checking `sendmail'... not infected
    Checking `sshd'... Unknown HZ value! (194) Assume 100.
    not infected
    Checking `syslogd'... not infected
    Checking `tar'... not infected
    Checking `tcpd'... Unknown HZ value! (194) Assume 100.
    not infected
    Checking `tcpdump'... not infected
    Checking `top'... INFECTED
    Checking `telnetd'... not found
    Checking `timed'... not found
    Checking `traceroute'... not found
    Checking `vdir'... not infected
    Checking `w'... not infected
    Checking `write'... not infected
    Checking `aliens'... /etc/ld.so.hash
    Searching for sniffer's logs, it may take a while... nothing found
    Searching for HiDrootkit's default dir... nothing found
    Searching for t0rn's default files and dirs... nothing found
    Searching for t0rn's v8 defaults... Possible t0rn v8 \(or variation\) rootkit installed
    Searching for Lion Worm default files and dirs... nothing found
    Searching for RSHA's default files and dir... nothing found
    Searching for RH-Sharpe's default files... nothing found
    Searching for Ambient's rootkit (ark) default files and dirs... nothing found
    Searching for suspicious files and dirs, it may take a while...
    /usr/lib/mailman/.qmail /lib/.libssl.so.6.hmac /lib/.libcrypto.so.6.hmac /lib/.libcrypto.so.0.9.8e.hmac /lib/.libssl.so.0.9.8e.hmac

    Searching for LPD Worm files and dirs... nothing found
    Searching for Ramen Worm files and dirs... nothing found
    Searching for Maniac files and dirs... nothing found
    Searching for RK17 files and dirs... nothing found
    Searching for Ducoci rootkit... nothing found
    Searching for Adore Worm... nothing found
    Searching for ShitC Worm... nothing found
    Searching for Omega Worm... nothing found
    Searching for Sadmind/IIS Worm... nothing found
    Searching for MonKit... nothing found
    Searching for Showtee... Warning: Possible Showtee Rootkit installed
    Searching for OpticKit... nothing found
    Searching for T.R.K... nothing found
    Searching for Mithra... nothing found
    Searching for LOC rootkit... nothing found
    Searching for Romanian rootkit... /usr/include/file.h /usr/include/proc.h
    Searching for HKRK rootkit... nothing found
    Searching for Suckit rootkit... nothing found
    Searching for Volc rootkit... nothing found
    Searching for Gold2 rootkit... nothing found
    Searching for TC2 Worm default files and dirs... nothing found
    Searching for Anonoying rootkit default files and dirs... nothing found
    Searching for ZK rootkit default files and dirs... nothing found
    Searching for ShKit rootkit default files and dirs... Possible ShKit rootkit installed
    Searching for AjaKit rootkit default files and dirs... nothing found
    Searching for zaRwT rootkit default files and dirs... nothing found
    Searching for Madalin rootkit default files... nothing found
    Searching for Fu rootkit default files... nothing found
    Searching for ESRK rootkit default files... nothing found
    Searching for rootedoor... nothing found
    Searching for ENYELKM rootkit default files... nothing found
    Searching for common ssh-scanners default files... nothing found
    Searching for suspect PHP files... nothing found
    Searching for anomalies in shell history files... nothing found
    Checking `asp'... not infected
    Checking `bindshell'... INFECTED (PORTS: 465)
    Checking `lkm'... Unknown HZ value! (194) Assume 100.
    You have 33 process hidden for readdir command
    You have 36 process hidden for ps command
    chkproc: Warning: Possible LKM Trojan installed
    chkdirs: nothing detected
    Checking `rexedcs'... not found
    Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
    eth0:1: PF_PACKET(/sbin/dhclient)
    Checking `w55808'... not infected
    Checking `wted'... 1 deletion(s) between Sun Jan 23 14:41:42 2011 and Mon Jan 24 09:54:54 2011
    1 deletion(s) between Mon Jan 24 19:03:48 2011 and Tue Jan 25 07:28:22 2011
    1 deletion(s) between Wed Jan 26 14:34:49 2011 and Wed Jan 26 23:53:31 2011
    1 deletion(s) between Fri Jan 28 01:30:11 2011 and Fri Jan 28 02:50:17 2011
    Checking `scalper'... not infected
    Checking `slapper'... not infected
    Checking `z2'... chklastlog: nothing deleted
    Checking `chkutmp'... Unknown HZ value! (194) Assume 100.
    => possibly 3 deletion(s) detected in /var/run/utmp !
    The tty of the following user process(es) were not found
    in /var/run/utmp !
    ! RUID PID TTY CMD
    ! root 3443 pts/1 -mail
    ! root 3444 pts/1 /bin/sh
    ! root 3633 pts/1 su
    ! root 3634 pts/1 bash
    chkutmp: nothing deleted
    Checking `OSX_RSPLUG'... not infected
    What the heck do I do now???

    Thanks Guys

  2. #2 Lazydog, Linux Guru (joined Jun 2004, The Keystone State, 2,672 posts)
    ERASE and REBUILD. Before you go back on-line I would attempt to figure out how they got in.

    Do you use strong passwords or something that can be broken with a dictionary attack?

    Do you update your system often?

    Do you check your logs on a daily basis?

    Do you run some sort of system program that checks for files that have been changed, like AIDE?

    I would also look at locking down the system so that they cannot get in. Maybe running the server in a chroot environment so the whole system isn't compromised.

    Regards
    Robert

    Linux
    The adventure of a lifetime.

    Linux User #296285
    Get Counted
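As an added example, not code from either poster, a small Python triage helper for the chkrootkit output in post #1: it separates hard indicators (INFECTED binaries, hidden processes, bindshell ports) from "Possible" heuristics and from hidden files that chkrootkit lists under "suspicious files and dirs" but that on a stock RHEL/CentOS install belong to the openssl and mailman packages (assumed path patterns; confirm ownership with rpm -qf or dpkg -S run from trusted media). Port 465 is also the standard SMTPS port, so the bindshell hit should be cross-checked with a known-good netstat rather than the local one, which chkrootkit reports as replaced.

```python
import re
# Constructed sample: lines excerpted from the chkrootkit run in the post above.
SAMPLE = """\
Checking `ifconfig'... INFECTED
Checking `netstat'... INFECTED
Searching for ShKit rootkit default files and dirs... Possible ShKit rootkit installed
Searching for suspicious files and dirs, it may take a while...
/usr/lib/mailman/.qmail /lib/.libssl.so.6.hmac /lib/.libcrypto.so.0.9.8e.hmac
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Checking `bindshell'... INFECTED (PORTS: 465)
You have 36 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
"""
# Assumption: hidden files chkrootkit reports that, on a stock RHEL/CentOS install, belong
# to the openssl (FIPS checksum) and mailman packages. They are "verify ownership" items
# (rpm -qf / dpkg -S from trusted media), not proof of compromise.
KNOWN_PACKAGE_FILES = re.compile(r"^/lib(64)?/\.lib(ssl|crypto)\.so.*\.hmac$|^/usr/lib/mailman/\.qmail$")

def triage(output):
    """Sort chkrootkit output into hard indicators, heuristics and items to verify."""
    report = {"infected": [], "ports": [], "hidden_ps": 0, "possible": [],
              "verify_files": [], "unexplained_files": []}
    lines = output.splitlines()
    for i, line in enumerate(lines):
        # Replaced binaries and the bindshell check. bindshell only sees a listener on a port
        # from its list; 465 is also SMTPS, so confirm with a netstat from trusted media.
        m = re.match(r"Checking `(\w+)'\.\.\. INFECTED(?: \(PORTS: ([\d ]+)\))?", line)
        if m:
            report["infected"].append(m.group(1))
            report["ports"] += [int(p) for p in (m.group(2) or "").split()]
            continue
        # Processes present in /proc but missing from ps: an LKM or a trojaned ps/top/pstree.
        m = re.match(r"You have (\d+) process hidden for ps command", line)
        if m:
            report["hidden_ps"] = int(m.group(1))
            continue
        m = re.search(r"Possible (.+?) installed", line)
        if m:
            report["possible"].append(m.group(1))
            continue
        if line.startswith("Searching for suspicious files") and i + 1 < len(lines):
            for path in lines[i + 1].split():
                key = "verify_files" if KNOWN_PACKAGE_FILES.match(path) else "unexplained_files"
                report[key].append(path)
    return report

def verdict(report):
    """Trojaned binaries or hidden processes: rebuild from known-good media, investigate offline."""
    if report["infected"] or report["hidden_ps"]:
        return "rebuild"
    return "investigate" if report["possible"] or report["unexplained_files"] else "clean"
```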
