[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: hacked




You should try rpm -Vf /some/commands just to make sure they haven't changed.

John

On Thu, 12 Oct 2006, Manuel Arostegui Ramirez wrote:

El Jueves, 12 de Octubre de 2006 07:21, Steve Buehler escribió:
Ok.  It looks like I have been hacked and they have put in a
directory in my webspace that is just a space.  In there, is 2
directories and 1 file:
-rwxr-xr-x  1 root root    0 Oct 12 00:01 php.php
drwxr-xr-x  2   48   48 4096 Oct 11 23:54 signin.ebay.com
drwxrwxrwx  2 root root 4096 Oct 11 23:54 www.paypal.com

I can delete everything in the 2 directories, and edit/change the
php.php file to empty it out because it was a php script that allowed
someone to do anything on the server they wanted, but I can not for
the life of me delete them.  I thought maybe they replaced the
/bin/rm file, but it does not appear to be a hacked "rm".

Also, every minute the following cron job runs and I am not sure how
or where it is being run from.
chown root:root /tmp/local/local5 && chmod 4755 /tmp/local/local5 &&
rm -rf /etc/cron.d/core && kill -USR1 30447

There is no /tmp/local directory and in my /etc/cron.d directory,
there are 2 files:
-rw-------  1 root httpd 696320 Oct  6 09:45 core.30448
-rw-------  1 root httpd 909312 Oct 11 14:14 core.8811

I do not see anything like that on my other servers.

My firewalls don't allow ssh access from other than my address and
only with a public/private key pair.

Are you sure they didn't get shell access? Seem to be that if the changed your
cron file, you're in troubles :-)

What about logs? Have you found out how they breake into your server?
Do you have any kind of anti-rootkit on your system? If so, you ought to use
it, in order to search for rootkit and try to locate those commands (as ls or
rm) which maybe have been trojanized.

Cheers!
--
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request redhat com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]