
Being attacked

Discussion in 'General Discussion' started by cretu, Jan 12, 2004.

  1. cretu

    cretu Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    208
    Likes Received:
    0
    Trophy Points:
    16
    Hi there,

    Lately, 2 weeks ago, I noticed the Slapper worm running on one of the boxes (reported by chkrootkit). I found out that the worm files were dropped into the /tmp directory, so I have secured it as non-executable, tweaked security not to allow opening files outside the user's folder, tweaked my existing APF firewall, set every user to Jail Shell...
    However, when running "netstat" I am continuously getting connections like this:
    xx.xx.xxx.xx:ircd
    I even searched every user's folder for psybnc and even found the whole psy binary files within one user's folder and terminated him.

    However, this still continues, so I have shut down SSH for every user. Did not help.

    The connections are still there. Moreover, which is very strange, I am finding psy's binary in folders "ska", "aka", etc., created within the "/var/spool/mail" folder!!! How did they manage to install it there???? Chkrootkit does not report any infections anymore; previously it did report "slapper".

    How can I stop this?

    Please help

    Cretu

    cPanel.net Support Ticket Number: By IRC guys
     
  2. admin0

    admin0 Active Member

    Joined:
    Aug 11, 2002
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    Looks like someone was able to install the binaries in /var/spool/mail/ .. perhaps the date/time on the files might give you an idea when..

    Also, try using the lsof command as root and get the exact location where ircd is running from.


    Hope this gets you started..


    :)
     
  3. cretu

    cretu Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    208
    Likes Received:
    0
    Trophy Points:
    16
    Hi there,

    Yes, I tried lsof already and it returns a whole bunch of folders, including non-infected (I think) folders anywhere in the system, like /var/logs/ and the previously mentioned /var/spool/aka (folder that contained psy). Is there anything particular I should look for?

    Any help will be appreciated.

    Cretu
     
  4. cretu

    cretu Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    208
    Likes Received:
    0
    Trophy Points:
    16
    Addition:

    I am running Chkrootkit on the box that was attacked and it returns the following:

    Checking `bindshell'... INFECTED (PORTS: 465 3049)

    I know that port 465 will always return as infected according to chkrootkit, but how about 3049?
    I am running the APF firewall and do not have this port enabled.

    Please help!

    Cretu
     
  5. ivaserver

    ivaserver Well-Known Member

    Joined:
    Aug 9, 2002
    Messages:
    111
    Likes Received:
    0
    Trophy Points:
    16
    hi

    did you ever find out if `bindshell'... INFECTED (PORTS: 465 3049) was a problem?

    thanks
    Ivasrver
     
  6. markhard

    markhard Well-Known Member

    Joined:
    Apr 22, 2004
    Messages:
    250
    Likes Received:
    0
    Trophy Points:
    16
    i also get the same result but on a different port:

    Checking `bindshell'... INFECTED (PORTS: 465 31337)

    how to clean it?
     
  7. markhard

    markhard Well-Known Member

    Joined:
    Apr 22, 2004
    Messages:
    250
    Likes Received:
    0
    Trophy Points:
    16
    i know now, it's a false positive, here is from http://www.webhostgear.com/25.html

     
  8. DHL

    DHL Well-Known Member

    Joined:
    Mar 8, 2002
    Messages:
    88
    Likes Received:
    0
    Trophy Points:
    6
    If you do an 'ls /var/spool/mail' and there are directories in there other than 'mail' then they need to be removed ;-)
    Look out for any files that aren't users on your machine.

    Look out for directories like '...' or '/\\' etc too, they like to create those too.

    Another new favourite place for them to be dropped in is /dev/shm.

    Other directories include /var/spool/vbox /usr/local/apache/proxy - You can remove these directories. :)

    Usually a 'ps auxf' will show the processes running as nobody; you would see ./ircd or similar. Just look at all of the 'nobody' processes and then 'ls -l /proc/PID' (PID = process id number).

    That will tell you where the location of the problem is.
    Hope this helps :)
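The checks admin0 and DHL describe (look in /var/spool/mail for things that are not user mailboxes, watch for odd directory names, resolve what the 'nobody' processes really execute via /proc, and use lsof to see what owns a port chkrootkit flagged) collected into one script. This is an added example written for this thread, not code posted by anyone in it; the paths and the default port (3049, taken from cretu's chkrootkit output) are assumptions, and the live checks need root to see other users' processes.

```shell
#!/bin/sh
# Added triage helper written for this thread, not code posted by anyone in it.
# It automates the checks admin0 and DHL describe: spool entries that are not
# user mailboxes, oddly named directories, what "nobody" processes really
# execute, and which process owns a port chkrootkit flagged. Paths and the
# default port (3049, from cretu's chkrootkit output) are assumptions.
set -u

# Return 0 for directory names attackers like: all dots ("..."), a backslash,
# or leading/trailing whitespace.
odd_name() {
    case $1 in
        *[!.]*) ;;            # has a non-dot character: check the other patterns
        *) return 0 ;;        # nothing but dots
    esac
    case $1 in
        *\\*|" "*|*" ") return 0 ;;
    esac
    return 1
}

# /var/spool/mail should hold one plain file per account and no directories.
# Print anything else: subdirectories, odd names, mailboxes with no passwd entry.
spool_orphans() {
    spool=$1
    passwd=$2
    for entry in "$spool"/* "$spool"/.*; do
        name=${entry##*/}
        case $name in .|..) continue ;; esac
        [ -e "$entry" ] || continue          # unmatched glob
        if [ -d "$entry" ]; then
            printf 'DIR  %s\n' "$entry"
        elif ! cut -d: -f1 "$passwd" | grep -qxF -- "$name"; then
            printf 'FILE %s (no such user)\n' "$entry"
        fi
        if odd_name "$name"; then
            printf 'ODD  %s\n' "$entry"
        fi
    done
}

# Resolve what a PID is really executing; "./ircd" started from /tmp or a
# deleted binary stands out here (needs root for other users' processes).
proc_exe() {
    readlink "/proc/$1/exe" 2>/dev/null || echo "(unreadable)"
}

# Live check: every process owned by nobody, with its resolved executable.
nobody_procs() {
    ps -u nobody -o pid= -o args= 2>/dev/null | while read -r pid args; do
        printf '%s\t%s\t%s\n' "$pid" "$(proc_exe "$pid")" "$args"
    done
}

# Live check: which process listens on a port chkrootkit's bindshell test
# flagged. A known daemon (SMTPS on 465) is a false positive; an unknown one
# is not.
port_owner() {
    lsof -nP -iTCP:"$1" -sTCP:LISTEN 2>/dev/null || echo "nothing listening on TCP $1"
}

# Run the live checks only when asked; the functions above are usable on their own.
if [ "${1:-}" = "--live" ]; then
    spool_orphans /var/spool/mail /etc/passwd
    nobody_procs
    port_owner "${2:-3049}"
fi
```

Run it as root with `sh triage.sh --live 3049`. Port 465 should resolve to the mail daemon (SMTPS), which is why chkrootkit's bindshell test keeps flagging it; a port that resolves to nothing in the package set, or to a binary under /tmp, /dev/shm or /var/spool, is the one to chase. The spool check compares names against /etc/passwd with a fixed-string, whole-line match, so a directory called '...' cannot slip past as a regex wildcard.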
     