hacked

John O'Loughlin j.oloughlin at qmul.ac.uk
Thu Oct 12 11:14:17 UTC 2006


You should try rpm -Vf /some/commands just to make sure they haven't 
changed.

John

On Thu, 12 Oct 2006, Manuel Arostegui Ramirez wrote:

> On Thursday, 12 October 2006 07:21, Steve Buehler wrote:
>> Ok.  It looks like I have been hacked and they have put in a
>> directory in my webspace that is just a space.  In there, is 2
>> directories and 1 file:
>> -rwxr-xr-x  1 root root    0 Oct 12 00:01 php.php
>> drwxr-xr-x  2   48   48 4096 Oct 11 23:54 signin.ebay.com
>> drwxrwxrwx  2 root root 4096 Oct 11 23:54 www.paypal.com
>>
>> I can delete everything in the 2 directories, and edit/change the
>> php.php file to empty it out because it was a php script that allowed
>> someone to do anything on the server they wanted, but I can not for
>> the life of me delete them.  I thought maybe they replaced the
>> /bin/rm file, but it does not appear to be a hacked "rm".
>>
>> Also, every minute the following cron job runs and I am not sure how
>> or where it is being run from.
>> chown root:root /tmp/local/local5 && chmod 4755 /tmp/local/local5 &&
>> rm -rf /etc/cron.d/core && kill -USR1 30447
>>
>> There is no /tmp/local directory and in my /etc/cron.d directory,
>> there are 2 files:
>> -rw-------  1 root httpd 696320 Oct  6 09:45 core.30448
>> -rw-------  1 root httpd 909312 Oct 11 14:14 core.8811
>>
>> I do not see anything like that on my other servers.
>>
>> My firewalls don't allow ssh access from other than my address and
>> only with a public/private key pair.
>
> Are you sure they didn't get shell access? It seems that if they changed your
> cron file, you're in trouble :-)
>
> What about logs? Have you found out how they broke into your server?
> Do you have any kind of anti-rootkit on your system? If so, you ought to use
> it in order to search for rootkits and try to locate those commands (such as ls or
> rm) which may have been trojanized.
>
> Cheers!
> -- 
> Manuel Arostegui Ramirez.
>
> Electronic Mail is not secure, may not be read every day, and should not
> be used for urgent or sensitive issues.
>
> -- 
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
>
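The `rpm -Vf` check John suggests, scripted as an added example (not from anyone in this thread) that verifies a list of critical commands and turns the terse `rpm -V` result codes into readable verdicts; the command list and the function names are assumptions.

```sh
#!/bin/sh
# Added example: verify that critical commands still match the package
# database, as `rpm -Vf` does. The list of paths is an assumption.
CRITICAL_CMDS="/bin/ls /bin/rm /bin/ps /bin/login /bin/netstat /usr/bin/find /usr/bin/top"

# Turn one `rpm -V` line ("S.5....T.  /bin/ls" or "missing     /bin/rm")
# into a short verdict. Prints nothing for a file that passed every test.
explain_rpm_verify_line() {
    line=$1
    case $line in
        missing*) printf '%s: file missing\n' "${line##* }"; return 0 ;;
    esac
    flags=${line%% *}   # first field: one character per test (S M 5 D L U G T)
    path=${line##* }    # last field: the file path
    reasons=""
    case $flags in *S*) reasons="$reasons size" ;; esac
    case $flags in *M*) reasons="$reasons mode" ;; esac
    case $flags in *5*) reasons="$reasons digest" ;; esac
    case $flags in *D*) reasons="$reasons device" ;; esac
    case $flags in *L*) reasons="$reasons symlink" ;; esac
    case $flags in *U*) reasons="$reasons owner" ;; esac
    case $flags in *G*) reasons="$reasons group" ;; esac
    case $flags in *T*) reasons="$reasons mtime" ;; esac
    [ -n "$reasons" ] || return 0
    printf '%s: changed (%s)\n' "$path" "${reasons# }"
}

# Read `rpm -V` output on stdin, print one verdict per discrepancy plus a
# summary line, and return non-zero if anything differed from the package.
report_rpm_verify() {
    changed=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        out=$(explain_rpm_verify_line "$line")
        if [ -n "$out" ]; then
            printf '%s\n' "$out"
            changed=$((changed + 1))
        fi
    done
    printf 'files with discrepancies: %d\n' "$changed"
    [ "$changed" -eq 0 ]
}

# rpm -Vf verifies every file of the package owning each path, so the report
# can include other files from those packages. A root-level intruder can also
# alter the rpm database or the rpm binary itself, so treat a clean result as
# necessary, not sufficient, and compare against known-good media where possible.
verify_critical_commands() {
    rpm -Vf $CRITICAL_CMDS 2>/dev/null | report_rpm_verify
}
```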
