  1. #1  Just Joined! (Join Date: Aug 2012, Posts: 54)

    hacked by Opyum Team


    Can somebody please tell me what to do if you have been hacked by this Opyum Team?
    Now they have full root privileges.
    They have a cron job called f Opyum Team.
    They have created thousands of jpg images in various folders all over my server.
    They did that months ago.
    They don't do anything weird now as far as I know. Maybe they use my resources a lot, which I suspect they do also.

    I am afraid that if I re-install the OS and Webmin again, then put the latest backup back, they will still be there.

    Please suggest what I can do.

    Also, my hosting company suggests that I switch to cPanel instead of Webmin, but I don't really want that.
    I feel like if I can kill the cron job and the Opyum Team root user, I can clean up and take care of the rest of the leftovers, and for me to kill the cron job and remove the Opyum Team root user, I should just re-install the OS and Webmin.

    PS: I am not good with Linux commands or Webmin. I used shared hosting with cPanel for 7 years and only started on VPS hosting a month ago.
    Last edited by Website; 08-05-2012 at 02:32 PM. Reason: additional info

  2. #2  Irithori, Trusted Penguin (Join Date: May 2009, Location: Munich, Posts: 3,386)
    IMHO there is no alternative to a complete reinstall.
    Save your data, DB dumps, config and logs.
    Of course, you need to find out how the hack happened and also verify all data.
    Then start from scratch.

    If you are not familiar with Linux, maybe find help to complete those tasks.
    You must always face the curtain with a bow.

  3. #3  Dapper Dan, Trusted Penguin (Join Date: Oct 2004, Location: The Sovereign State of South Carolina, Posts: 4,630)
    First thing to do is unplug your Internet! After this, open a terminal and as su:
    Code:
    cd /bin
    Then:
    Code:
    rm f
    If permissions are somehow set so that you cannot remove it, rename it:
    Code:
    mv f _f_
    You can rename it whatever you want. You have to do the same with "i" if it has been installed. Still inside /bin, do:
    Code:
    rm i
    Or rename it. At this point, you can open "top" or "htop", find those processes and kill them. No point in killing them first, as they will just get reactivated almost as quickly as you kill them. That's what happened to me. If you don't know how to kill these processes, reboot, still without the cable plugged in. Once the machine is fully up, you need to clean up a little with your favourite editor (mine's "joe")...
    Code:
    joe /etc/crontab
    Look for the lines that activate "f" and "i" and either delete them from the configuration or comment them out with a "#" before them.

    Lastly, and importantly: change your SSH password to something really complicated! Port 22 is where it got in. You could change the default SSH port from 22 to something else as well. If you don't use SSH that much, consider closing the port altogether. You can now plug in your Internet connection and restart the machine or re-activate the connection. Hope this helps.

    Edit: I agree completely with Irithori, a new install will ensure you are clean, but both my machines have been working without problems since I took these steps. I do however re-install fairly regularly, so that is something I will do to both machines in time.
    Linux Mint + IceWM Registered: #371367
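    Dan's cleanup step above relies on eyeballing /etc/crontab for the "f" entry, but cron also reads /etc/cron.d and the per-user spools. The following POSIX shell function is an added example, not code from the thread: it lists every non-commented cron entry that names a given job, as file:line:entry, so each hit can be reviewed before it is commented out or removed. The optional ROOT prefix (an assumption of this example) lets it run against a copied-out tree instead of the live system.

```shell
#!/bin/sh
# Added example: list cron entries that reference a job name or path.
# Searches the places cron actually reads from, skips commented-out lines,
# and prints file:line:entry so each hit can be reviewed before removal.
# Usage: cron_entries_matching NAME [ROOT]
#   NAME  fixed string to match as a whole word, e.g. f or /bin/f
#   ROOT  optional prefix (a copied-out tree or mounted image); empty means
#         the live system. Paths under ROOT are assumed to mirror the live
#         layout (/etc/crontab, /etc/cron.d, /var/spool/cron).
cron_entries_matching() {
    name=$1
    root=${2:-}
    for f in "$root/etc/crontab" "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/*; do
        # unmatched globs and the crontabs/ directory itself are skipped here
        [ -f "$f" ] || continue
        # -n numbers lines, -v drops comment lines, -Fw matches NAME as a
        # whole word so "f" does not hit every line containing the letter.
        grep -nv '^[[:space:]]*#' "$f" | grep -Fw -- "$name" | sed "s|^|$f:|"
    done
}

# Run against the live system (or a given ROOT) when invoked with arguments.
if [ "$#" -ge 1 ]; then
    cron_entries_matching "$1" "${2:-}"
fi
```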

  4. #4  Just Joined! (Join Date: Aug 2012, Posts: 54)
    Quote Originally Posted by Dapper Dan View Post
    First thing to do is unplug your Internet! After this, open a terminal and as su:
    Code:
    cd /bin
    Then:
    Code:
    rm f
    If permissions are somehow set so that you cannot remove it, rename it:
    Code:
    mv f _f_
    You can rename it whatever you want. You have to do the same with "i" if it has been installed. Still inside /bin, do:
    Code:
    rm i
    Or rename it. At this point, you can open "top" or "htop", find those processes and kill them. No point in killing them first, as they will just get reactivated almost as quickly as you kill them. That's what happened to me. If you don't know how to kill these processes, reboot, still without the cable plugged in. Once the machine is fully up, you need to clean up a little with your favourite editor (mine's "joe")...
    Code:
    joe /etc/crontab
    Look for the lines that activate "f" and "i" and either delete them from the configuration or comment them out with a "#" before them. Lastly, and importantly: change your SSH password to something really complicated! Port 22 is where it got in. You could change the default SSH port from 22 to something else as well. If you don't use SSH that much, consider closing the port altogether.
    You can now plug in your Internet connection and restart the machine or re-activate the connection. Hope this helps.

    Edit: I agree completely with Irithori, a new install will ensure you are clean, but both my machines have been working without problems since I took these steps. I do however re-install fairly regularly, so that is something I will do to both machines in time.
    First of all, I don't host the site myself. I use a VPS through a company. So I don't think disconnecting myself from the Internet will help me here.

    I used FTP to do these commands you wrote... but

    I can't rename the f because of a permission problem.

    I don't have i in /bin.

    I didn't continue with the other commands because I couldn't do the previous ones. My passwords are always super strong. I'm talking about something like ss_!LL-242__DSDefse___-svse#@D
    So it's long and has each type of character to make it strong.

    Also, do you think there is any way to have all malicious files and folders cleaned from my directories? How can I do that after killing the processes?

  5. #5  Dapper Dan, Trusted Penguin (Join Date: Oct 2004, Location: The Sovereign State of South Carolina, Posts: 4,630)
    Then contact your host and have them do what is necessary. Sorry to hear you are having this trouble. In my opinion, Opyum Team sets itself up as a porn server. It didn't do any deleting or rewriting of critical files on mine, just very annoying processes going on that grind your server's resources down to where it's difficult to do anything else. I watched as it downloaded files and put them in directories in /sbin and deleted others, but I checked /sbin thoroughly and didn't find anything left. Your hosting company should be knowledgeable enough to address this.

    Edit: With a super strong pass, not sure how it got in or crossed over. FTP pass also strong?

  6. #6  Just Joined! (Join Date: Aug 2012, Posts: 54)
    Quote Originally Posted by Dapper Dan View Post
    Then contact your host and have them do what is necessary. Sorry to hear you are having this trouble. In my opinion, Opyum Team sets itself up as a porn server. It didn't do any deleting or rewriting of files on mine, just very annoying processes going on that grind your server's resources down to where it's difficult to do anything else. Your hosting company should be knowledgeable enough to address this.

    Edit: With a super strong pass, not sure how it got in or crossed over. FTP pass also strong?
    All passes are either the same or very similar to each other.

    So if I don't have the permission through FTP, is there any other method to enter those commands and remove/kill the files and processes?
    Would it make any difference if I entered the commands from the console?
    Should I use another user?
    Can my hosting company have more permissions than I have in my VPS, so they can enter those commands to clear the problem?

    I am talking to my hosting company right now and they say they will try. But I don't have much hope.

  7. #7  Dapper Dan, Trusted Penguin (Join Date: Oct 2004, Location: The Sovereign State of South Carolina, Posts: 4,630)
    Can you get in through ssh? Do you have root permissions on this server? If not, perhaps send this thread to your host and ask them to do it.

  8. #8  Just Joined! (Join Date: Aug 2012, Posts: 54)

    Quote Originally Posted by Dapper Dan View Post
    Can you get in through ssh? Do you have root permissions on this server? If not, perhaps send this thread to your host and ask them to do it.
    Thank you Dan. I really appreciate your quick help.

    After sending the thread to my hosting company, they took care of the issue perfectly. They have also changed my passes and SSH port.

    I think I have full root permissions right now. There is no Opyum Team cron job, nor f or i in /bin.

    There were f.save and f.save.1 in /bin and I just deleted them also.

    Is there anything else I should check for?
    If not, then what is the next step?
    How can I remove or delete the files which were affected/created/edited by them?

    I know the hack has created a bunch of jpgs etc. in many folders, but I don't know the locations.
    Last edited by Website; 08-05-2012 at 04:21 PM. Reason: Forgot to say thank you

  9. #9  Dapper Dan, Trusted Penguin (Join Date: Oct 2004, Location: The Sovereign State of South Carolina, Posts: 4,630)
    Since it is a server (not cluttered with personal pictures), update the database and search for them:
    Code:
    updatedb
    When it finishes:
    Code:
    cd /
    locate '*.jpg'
    (The pattern is quoted so the shell does not expand it against the current directory before locate sees it.) You might also want to search for *.jpeg, *.JPG and *.JPEG. Pay particular attention to /sbin and /usr/sbin. I remember seeing one or both of those directories while watching it do its thing with htop. Warn your host that it replicates itself to other machines on the network, so they might have to check all of them. Glad you are getting it under control.

    EDIT: Perhaps your host would be kind enough to share what they did to address this. That might help someone else later on who finds this thread.

  10. #10  Just Joined! (Join Date: Aug 2012, Posts: 54)
    Quote Originally Posted by Dapper Dan View Post
    Since it is a server (not cluttered with personal pictures), update the database and search for them:
    Code:
    updatedb
    When it finishes:
    Code:
    cd /
    locate '*.jpg'
    You might also want to search for *.jpeg, *.JPG and *.JPEG. Pay particular attention to /sbin and /usr/sbin. I remember seeing one or both of those directories while watching it do its thing with htop. Warn your host that it replicates itself to other machines on the network, so they might have to check all of them. Glad you are getting it under control.

    EDIT: Perhaps your host would be kind enough to share what they did to address this. That might help someone else later on who finds this thread.
    I think they did what you told them to do above with the commands.
    Typing updatedb in the console doesn't do anything. Can you give me the full command please?

    Also, putting this command in the console,
    cd /
    locate '*.jpg'
    will bring up every jpg (including regular ones), right? How would I know which images to delete?
    Should I search for png, gif etc. also?
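    The locate search above returns every image on the box, which is exactly the question this last post raises. The following shell function is an added example, not code from the thread: it counts image files per directory while skipping the web root whose images are expected, so a directory holding thousands of dumped files, or any image under /sbin or /usr/sbin, stands out from the site's own pictures. The web root path /var/www is an assumption; pass whatever yours is.

```shell
#!/bin/sh
# Added example: count image files per directory so that dumped clusters
# stand out from a site's legitimate images. Prints "count directory",
# largest first. Any hit under /bin, /sbin or /usr/sbin, or a directory
# with thousands of images the site never uses, is what to inspect first.
# Usage: image_dirs ROOT EXCLUDE
#   ROOT     where to start, e.g. /
#   EXCLUDE  directory whose images are expected and should be skipped,
#            e.g. the web root /var/www (assumed layout; adjust to yours)
image_dirs() {
    root=$1
    exclude=$2
    # -prune stops descent into EXCLUDE; -iname matches .jpg/.JPG/.Jpg alike.
    # Unreadable directories are silenced so the counts stay parseable.
    # sed strips the file name and keeps its directory; uniq -c counts per
    # directory; the final sort puts the biggest clusters first.
    find "$root" -path "$exclude" -prune -o -type f \
        \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' -o -iname '*.gif' \) \
        -print 2>/dev/null \
        | sed 's|/[^/]*$||' \
        | sort | uniq -c | sort -rn
}

# Run when invoked directly, e.g.: sh image_dirs.sh / /var/www
if [ "$#" -ge 2 ]; then
    image_dirs "$1" "$2"
fi
```

Review the top entries by hand before deleting anything; the count tells you where to look, not that every file there is malicious.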
