#1
06-21-2004, 07:11 AM
Tagor
Hacked - help please

Last night I received a message that my server was down for about one hour. Because we have had several attacks before, we have secured our server. However, the security seems not to be 100% secure. We have installed a firewall (APF) that has DDoS protection and filters some IP addresses using DShield. I also secured the /tmp folder using scripts/securetmp. However, I found a file in the /tmp folder called KDE.

(1) Is there a way to check if this script was run in /tmp?
(2) Is there a way to see what happened before the server went down?
(3) Are there any logs about who gained access to /tmp?
(4) Is there a way to find out who uploaded that file?
(5) Is there a way to search the .php files in /home/ for uploaders that may have uploaded the file?
(6) Is there a way to check if someone can execute files as nobody in the /tmp folder? (Does anyone have a simple program to check this?)

Below I will post the file that was uploaded and the traffic stats of my server.

Many thanks in advance for helping me!!
Attached Files
File Type: tar kde.tar (20.0 KB, 10 views)
#2
06-21-2004, 07:12 AM
Tagor
And here are the traffic stats.
Attached Images
File Type: png traffic.png (3.6 KB, 67 views)
#3
06-21-2004, 07:14 AM
Tagor
I just found this in WHM:

Quote:
nobody 0.03 0.08 0.0
Top Process %CPU 2.0 proftpd: connected: localhost (127.0.0.1:38243)
It doesn't mean anything to me, but maybe someone knows what this does?

#4
06-21-2004, 08:12 AM
ramprage
The first thing you need to ensure is that you weren't compromised and that the hacker still doesn't have access.

Check all running processes, run chkrootkit and do a port scan on your server.

netstat -an
ps -aux


Then go through and start looking at your log files and find which user account the file came through from.
You might want to look for something such as wget or even the filename itself.

If you're not feeling good about this then hire someone else to take a look as well. A second opinion and eyes can never hurt.
__________________
Upload Guardian 2.0 - Sign up for our early beta
ServerProgress - Server security, consulting and assistance
#5
06-21-2004, 08:32 AM
Tagor
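One way to carry out the checks ramprage lists (what is listening, what is running from /tmp, which requests name the dropped file, and whether /tmp can execute anything at all), written as an added example that is not code from the thread. It assumes a Linux /proc layout and Apache-style access-log lines; every sample input it reads is constructed inside the script.

```shell
#!/bin/sh
# Triage helpers for the checks in post #4: what listens, what runs from /tmp,
# which requests name the dropped file, and whether /tmp is noexec. Added
# example, not code from the thread; sample inputs below are constructed.

# LISTEN rows (state 0A) of a /proc/net/tcp table. Local address 00000000 is
# INADDR_ANY: the daemon accepts on every interface, which is what netstat's
# "0.0.0.0:2084" means. It is not a peer host called 0.0.0.0.
decode_tcp_table() {
  awk 'function hex(h,  i, v) { v = 0; for (i = 1; i <= length(h); i++)
         v = v * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1; return v }
       NR > 1 && $4 == "0A" { split($2, a, ":"); h = a[1]   # address bytes are little-endian
         ip = hex(substr(h, 7, 2)) "." hex(substr(h, 5, 2)) "." hex(substr(h, 3, 2)) "." hex(substr(h, 1, 2))
         print "LISTEN " ip ":" hex(a[2]) }' "${1:-/proc/net/tcp}"
}
# Live processes whose binary or cwd is under $1 (default /tmp): a dropped tool
# is usually started from the directory it was written to (question (1)).
procs_from_dir() {
  for p in /proc/[0-9]*; do
    exe=$(readlink "$p/exe" 2>/dev/null) || exe=""; cwd=$(readlink "$p/cwd" 2>/dev/null) || cwd=""
    case "$exe $cwd" in *"${1:-/tmp}"/*|*" ${1:-/tmp}") echo "${p#/proc/} exe=$exe cwd=$cwd";; esac
  done
}
# Access-log lines naming the dropped file or a fetch tool (questions (4), (5));
# the first field of a common-format line is the client address to follow up.
log_hits()      { grep -iE "wget|curl|$2" "$1"; }
log_hit_count() { grep -ciE "wget|curl|$2" "$1"; }
# Question (6): exit 0 if mount point $1 has noexec in a mount table (default
# /proc/mounts; pass a file to test offline), 1 otherwise.
mount_is_noexec() {
  awk -v d="$1" '$2 == d { n = split($4, o, ","); for (i = 1; i <= n; i++)
    if (o[i] == "noexec") f = 1 } END { if (f) exit 0; exit 1 }' "${2:-/proc/mounts}"
}
# Constructed inputs: one listener on 2084 plus an established loopback session,
# three web-server requests, and a mount table with a noexec /tmp.
write_samples() {
  printf '%s\n' 'sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode' \
    '0: 00000000:0824 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 1' \
    '1: 0100007F:9563 0100007F:0015 01 00000000:00000000 00:00000000 00000000 99 0 2' > "$1/tcp"
  printf '%s\n' '192.0.2.10 - - [20/Jun/2004:23:40:01 -0500] "GET /gallery/upload.php?f=kde.tar HTTP/1.1" 200 512' \
    '198.51.100.7 - - [20/Jun/2004:23:40:09 -0500] "GET /index.php HTTP/1.1" 200 2048' \
    '192.0.2.10 - - [20/Jun/2004:23:41:17 -0500] "GET /gallery/upload.php?c=wget%20x HTTP/1.1" 200 64' > "$1/access.log"
  printf '%s\n' 'tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0' '/dev/sda1 / ext3 rw 0 0' > "$1/mounts"
}
d=$(mktemp -d); write_samples "$d"
decode_tcp_table "$d/tcp"                                 # LISTEN 0.0.0.0:2084
echo "hits: $(log_hit_count "$d/access.log" kde)"; log_hits "$d/access.log" kde   # 2 hits, both from 192.0.2.10
mount_is_noexec /tmp "$d/mounts" && echo "/tmp is noexec" || echo "/tmp allows execution"
procs_from_dir /tmp      # on the live box; a clean system prints nothing here
rm -rf "$d"
```

Run against the real files by dropping the sample-file arguments; the log pattern is deliberately loose, so treat hits as leads to read in context rather than as proof.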
First, thanks a lot, ramprage!

I already ran chkrootkit and it didn't find anything except bindshell (but that is normal if you have cPanel installed).

I removed the kde file from /tmp so the person cannot start it again.

Would you mind answering the 6 questions above so I can find out some more information?

Here are some things I have some doubts about:

Quote:
tcp 0 0 0.0.0.0:2084 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2086 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2087 0.0.0.0:* LISTEN

There are several connections from the IP 0.0.0.0 on several ports, what do they mean?

The other messages seem to be ok, since they are all TCP on port 80.

Also there is some strange traffic on UDP on port 53. 0.0.0.0 is connected to several IP addresses of the server which we actually don't use. Could you tell me who the user 0.0.0.0 is?

On that other command everything also looks good, except I am not sure if this is ok:

Quote:
USERNAME-OF-A-CLIENT 1673 0.0 0.1 8528 752 ? S Jun20 0:00 cpaneld - serving 217.120.4

I really appreciate your help, and I have also often used your great web site.
#6
06-22-2004, 01:22 PM
Tagor
Kick
#7
06-24-2004, 09:24 AM
netwrkr (cPanel Partner NOC)
Quote:
Originally posted by Tagor
Kick
Any chance of you researching your questions rather than have someone spoon feed you the answers?


Give a man a fish and he will eat for a day; teach a man to fish and he will have food for life.
Powered by vBulletin® Version 3.8.2
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.
© cPanel Inc