hacked

Manuel Arostegui Ramirez manuel at todo-linux.com
Thu Oct 12 07:26:46 UTC 2006


On Thursday, 12 October 2006 07:21, Steve Buehler wrote:
> Ok.  It looks like I have been hacked and they have put in a
> directory in my webspace that is just a space.  In there are 2
> directories and 1 file:
> -rwxr-xr-x  1 root root    0 Oct 12 00:01 php.php
> drwxr-xr-x  2   48   48 4096 Oct 11 23:54 signin.ebay.com
> drwxrwxrwx  2 root root 4096 Oct 11 23:54 www.paypal.com
>
> I can delete everything in the 2 directories, and edit/change the
> php.php file to empty it out because it was a php script that allowed
> someone to do anything on the server they wanted, but I cannot for
> the life of me delete them.  I thought maybe they replaced the
> /bin/rm file, but it does not appear to be a hacked "rm".
>
> Also, every minute the following cron job runs and I am not sure how
> or where it is being run from.
> chown root:root /tmp/local/local5 && chmod 4755 /tmp/local/local5 &&
> rm -rf /etc/cron.d/core && kill -USR1 30447
>
> There is no /tmp/local directory and in my /etc/cron.d directory,
> there are 2 files:
> -rw-------  1 root httpd 696320 Oct  6 09:45 core.30448
> -rw-------  1 root httpd 909312 Oct 11 14:14 core.8811
>
> I do not see anything like that on my other servers.
>
> My firewalls don't allow ssh access from other than my address and
> only with a public/private key pair.

Are you sure they didn't get shell access? It seems that if they changed your 
cron file, you're in trouble :-)

What about logs? Have you found out how they broke into your server?
Do you have any kind of anti-rootkit on your system? If so, you ought to use 
it to search for rootkits and try to locate those commands (such as ls or 
rm) which may have been trojanized.

Cheers!
-- 
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.
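A small triage script for the symptoms Steve describes, added here as an example; it is not part of either mail. It assumes a Red Hat style cron layout and a web root of /var/www/html (change as needed); the path /tmp/local/local5 and pid 30447 are taken from the quoted cron line. Two checks are worth doing before anything else: a directory that root cannot rm usually carries the ext2/ext3 immutable (or append-only) attribute, which lsattr shows and chattr -i clears; and a job that fires every minute has to be written somewhere cron actually reads (/etc/crontab, /etc/cron.d/*, the per-user spool under /var/spool/cron), so grep all of those rather than relying on crontab -l, which only shows the calling user's entry. The core.PID names in /etc/cron.d are the kernel's default core-dump naming with core_uses_pid=1, written into the dumping process's working directory, so file(1) on them says whether they are real core dumps.

```shell
#!/bin/sh
# Triage helpers for a box where root cannot delete attacker directories,
# a per-minute cron job has no visible crontab, and binaries may be trojaned.
# Added example, not code from the original thread.  Live-mode assumptions:
# Red Hat cron layout, web root /var/www/html, and the /tmp/local/local5
# path and pid 30447 quoted in the post.  The pure helpers take their input
# on stdin/arguments so they also run on constructed data without root.

# Filter "lsattr -d" output, keeping entries whose flag field contains
# i (immutable) or a (append-only): the usual reason "rm -rf" fails even
# for root.  Clear them with "chattr -ia PATH" before deleting.
# IFS is emptied and only the first space is split on, so a directory whose
# name is a single space (as in the post) survives intact.
flag_immutable() {
    while IFS= read -r line; do
        flags=${line%% *}      # attribute field up to the first space
        path=${line#* }        # everything after it, whitespace intact
        case $flags in
            *i*|*a*) printf '%s\n' "$flags $path" ;;
        esac
    done
    return 0
}

# Print every crontab file under the given files/directories that mentions
# PATTERN (a fixed string).  On Red Hat cron reads /etc/crontab,
# /etc/cron.d/* and /var/spool/cron/*; pass all of them in live use.
find_cron_sources() {
    pattern=$1
    shift
    grep -rlF -- "$pattern" "$@" 2>/dev/null
    return 0
}

# Identify the process that receives the "kill -USR1".  /proc/PID/exe still
# resolves even if the binary was unlinked from disk (it shows "(deleted)").
describe_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "pid $pid is not running"; return 0; }
    ls -l "/proc/$pid/exe" "/proc/$pid/cwd" 2>/dev/null
    tr '\0' ' ' < "/proc/$pid/cmdline"; echo
    return 0
}

# Live mode: ./triage.sh live [WEBROOT]   (run as root)
if [ "${1:-}" = live ]; then
    webroot=${2:-/var/www/html}
    echo "== immutable/append-only entries under $webroot =="
    lsattr -d "$webroot"/* "$webroot"/.[!.]* 2>/dev/null | flag_immutable
    echo "== crontab files mentioning /tmp/local/local5 =="
    find_cron_sources /tmp/local/local5 \
        /etc/crontab /etc/cron.d /var/spool/cron /etc/anacrontab
    echo "== are the core.* files in /etc/cron.d real core dumps? =="
    file /etc/cron.d/core.* 2>/dev/null
    echo "== target of kill -USR1 =="
    describe_pid 30447
    echo "== verify rm/ls/ps/crond against the RPM database =="
    rpm -Vf /bin/rm /bin/ls /bin/ps /usr/sbin/crond
fi
```

Run the live mode from tools you trust (a rescue CD or statically linked binaries copied from a clean host): a trojaned ls, lsattr or rpm will simply lie, and rpm -V is only meaningful if the RPM database itself has not been touched. Finding the crontab and clearing the attributes tells you what the intruder left behind, not how they got in; once root has been had, the honest fix is a rebuild from known-good media after the logs have been pulled off the box.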
More information about the redhat-list mailing list