Results 1 to 15 of 19
  1. #1
    Member
    Join Date
    Feb 2003
    Posts
    291

    server hacked....

    Hello All,

    For the last few days the server load has been continuously running between 25% - 75%. Someone has hacked into the server and is sending mail. Is there some way we can track this and shut them out?

    6166 root 0 3.2 0.5 sendmail
    6173 root 0 3.2 0.5 sendmail
    6175 root 0 3.0 0.5 sendmail
    6180 root 0 3.0 0.5 sendmail
    6187 root 0 3.0 0.5 sendmail
    6163 root 0 2.9 0.5 /usr/sbin/exim-MCS-MCP-MCremote_smtpmx2.mail.yahoo.com219R55Q-0003AL-00
    6182 root 0 2.9 0.5 sendmail
    6190 root 0 2.9 0.5 /usr/sbin/exim-MCS-MCP-MCremote_smtpmx2.mail.yahoo.com219R55R-0003AU-00
    6194 root 0 2.7 0.5 /usr/sbin/exim-MCS-MCP-MCremote_smtpmx2.mail.yahoo.com219R55P-0003AE-00
    5595 nobody 0 2.5 3.8 httpd
    6155 root 0 2.5 0.5 sendmail
    6186 root 0 2.5 0.5 /usr/sbin/exim-MCS-MCP-MCremote_smtpmx2.mail.yahoo.com219R55T-0003Al-00
    6158 root 0 2.3 1.0 /usr/sbin/exim-MCS-MCP-MCremote_smtpmx2.mail.yahoo.com219R55S-0003AZ-00
    6160 root 0 2.3 0.5 sendmail
    6165 root 0 2.3 0.5 /usr/sbin/exim-MCS-MCP-MCremote_smtpmx1.mail.yahoo.com219R55V-0003At-00


    Thank you,

    cPanel.net Support Ticket Number:
    Mitul

  2. #2
    Member
    Join Date
    Jun 2002
    Posts
    100

    Did you upgrade your kernel to the latest version?

  3. #3
    Member
    Join Date
    Feb 2003
    Posts
    291

    I am using the 2.4.18-27.7.x version of the kernel.

    Mitul

  4. #4
    Member
    Join Date
    Feb 2003
    Posts
    291

    This was upgraded a long time back...

    Mitul

  5. #5
    Member
    Join Date
    Jun 2002
    Posts
    100

    You have possibly lost your root pass.

    You must upgrade to the latest kernel, because you do not have the latest kernel version. Your kernel version has a vulnerability.

  6. #6
    Member
    Join Date
    Jun 2002
    Posts
    100

    You can use this command:
    up2date --nox -f kernel

  7. #7
    Member
    Join Date
    Jun 2002
    Posts
    100

    Server Security Guide - Basic steps to server security

    http://www.admin0.net/security/introduction.htm

  8. #8
    Member
    Join Date
    Feb 2003
    Posts
    291

    Does this mean my server has been hacked?

    Is there any way to track who is sending mails from my server?

    Thank you,

    Mitul

  9. #9
    Member
    Join Date
    Apr 2003
    Posts
    22

    Re: Server Security Guide - Basic steps to server security

    Originally posted by tekdns
    http://www.admin0.net/security/introduction.htm

    Nice link...I will put this in my list of links to give to new admins....

    NightHawk
    We Make Server Management Easy!
    http://www.easyservermanagement.com

  10. #10
    Member
    Join Date
    Apr 2003
    Posts
    22

    Originally posted by mitul
    Does this mean my server has been hacked?

    Is there any way to track who is sending mails from my server?

    Thank you,

    The information you have provided is not enough to show for certain that your server has been hacked. Certainly, if your server was hacked...they could then send that email...but there are other options:
    1) insecure formmail.pl (or clones)
    2) compromised customer smtp password
    3) compromised customer webmail account
    4) open relay (I am guessing you have checked this already).
    5) there are others...but those are the ones I would check first.

    NightHawk
    We Make Server Management Easy!
    http://www.easyservermanagement.com
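
One way to narrow down the candidates listed in the post above, as an added example (not from the thread or from cPanel): group Exim's arrival lines by how each message entered the server, then count the remote deliveries each source caused. The log lines are constructed; `U=`, `P=local` and `A=` are Exim's standard main-log fields, while the 16-character message-ID pattern and the `remote_smtp` transport name (visible in the process list in post #1) are assumed to match the server's Exim build.

```python
import re
from collections import Counter

# Constructed sample in Exim main-log style; every address, ID and IP is made up.
SAMPLE_LOG = """\
2003-05-20 10:12:01 19R55Q-0003AL-00 <= nobody@host.example.com U=nobody P=local S=2410
2003-05-20 10:12:02 19R55Q-0003AL-00 => a1@yahoo.com R=lookuphost T=remote_smtp H=mx2.mail.yahoo.com [192.0.2.10]
2003-05-20 10:12:02 19R55Q-0003AL-00 -> a2@yahoo.com R=lookuphost T=remote_smtp H=mx2.mail.yahoo.com [192.0.2.10]
2003-05-20 10:12:03 19R55R-0003AU-00 <= nobody@host.example.com U=nobody P=local S=2398
2003-05-20 10:12:04 19R55R-0003AU-00 => a3@yahoo.com R=lookuphost T=remote_smtp H=mx1.mail.yahoo.com [192.0.2.11]
2003-05-20 10:13:10 19R56A-0003B1-00 <= bob@client.example H=(pc) [198.51.100.7] P=asmtp A=fixed_login:bob S=912
2003-05-20 10:13:11 19R56A-0003B1-00 => friend@example.org R=lookuphost T=remote_smtp H=mx.example.org [203.0.113.5]
2003-05-20 10:14:00 19R56B-0003B9-00 <= news@list.example H=mail.list.example [203.0.113.9] P=esmtp S=4100
2003-05-20 10:14:01 19R56B-0003B9-00 => carol <carol@client.example> R=localuser T=local_delivery
"""

# timestamp, message ID (16-character form assumed), direction flag, remaining fields
LINE = re.compile(r"^\S+ \S+ (?P<id>\S{6}-\S{6}-\S{2}) (?P<flag><=|=>|->) (?P<rest>.*)$")

def source_of(rest):
    """Classify an arrival ('<=') line by how the message entered Exim."""
    auth = re.search(r"\bA=\S+?:(\S+)", rest)
    if auth:  # authenticated SMTP login: candidate for a stolen mailbox password
        return "smtp-auth:" + auth.group(1)
    user = re.search(r"\bU=(\S+)", rest)
    if user and re.search(r"\bP=local\b", rest):  # injected by a local process;
        return "local-user:" + user.group(1)      # httpd runs as nobody in post #1
    ip = re.search(r"\[([0-9a-fA-F.:]+)\]", rest)
    return "remote-host:" + (ip.group(1) if ip else "unknown")

def tally(log_text):
    """Return (messages accepted per source, remote deliveries per source)."""
    origin, msgs, sent = {}, Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        if m["flag"] == "<=":
            origin[m["id"]] = source_of(m["rest"])
            msgs[origin[m["id"]]] += 1
        elif "T=remote_smtp" in m["rest"]:  # count only mail leaving the server
            sent[origin.get(m["id"], "unknown")] += 1
    return msgs, sent

if __name__ == "__main__":
    msgs, sent = tally(SAMPLE_LOG)
    for src, n in sent.most_common():
        print(f"{n:5d} remote deliveries from {msgs[src]} message(s): {src}")
```

On a cPanel server the main log is typically `/var/log/exim_mainlog`. A `local-user:nobody` total far above the rest points at a web script such as formmail, while one dominant `smtp-auth:` login points at a compromised mailbox password.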

  11. #11
    Member
    Join Date
    Feb 2003
    Posts
    291

    The server has been tested for open relay.

    The formmail.cgi bug was fixed a few days ago by cPanel.

    If it is about a client's SMTP or webmail password being compromised, how do I trace that out?

    Please help me fast....

    Thank you,

    Mitul

  12. #12
    Member
    Join Date
    Feb 2003
    Posts
    291

    I got my server tested by ORDB.org for open relay and got confirmation from ORDB.org that my server does not permit open relay.

    How do I trace if it's a local client on the server who is sending mails through a script or using any other form?

    Please help, I am losing my server....

    Thank you,

    Mitul

  13. #13
    Member
    Join Date
    Sep 2002
    Posts
    580

    Originally posted by tekdns

    You must upgrade to the latest kernel, because you do not have the latest kernel version. Your kernel version has a vulnerability.

    What vulnerabilities does 2.4.18-27.7.x have?

  14. #14
    Registered User
    Join Date
    May 2003
    Posts
    1

    2.4.18+ vuln

    IIRC anything <2.4.21 has a ptrace root hole open.

  15. #15
    Member
    Join Date
    Mar 2003
    Posts
    863

    2.4.18-27.7.x is not vuln at all. Show me where it says that this kernel is vuln? So many people have had problems with the next kernel release that many have chosen to stay at 2.4.18-27.7.x. If he was hacked he should be looking at his other security admin abilities.
