connorlong

Member
Feb 23, 2005
23
0
151
1) I started getting an email every minute with the following details:
Subject: Cron <[email protected]a> chown root:root /tmp/l.txt && chmod 4755 /tmp/l.txt && rm -rf /etc/cron.d/core && kill -USR1 25640

Body Message: chown: cannot access `/tmp/l.txt': No such file or directory


I have found very little info on the web about this. Some posts say this is harmless and others say that I should do a full OS restore.

2) I then received one email with the following details:
Subject: [hackcheck] news has a uid 0 account

Body Message: IMPORTANT: Do not ignore this email.
This message is to inform you that the account news has user id 0 (root privs).
This could mean that your system was compromised (OwN3D). To be safe you should verify that your system has not been compromised.

There is a user in the Manage Wheel Group Users section but does NOT have root access.
Question 1) How do I sort out this problem?
Question 2) I backed up and deleted a file called core.25641 in the cron.d folder. It seems this cron file was creating the recurring first emails; they have now stopped. Are there any implications? The server seems to be running fine.
Question 3) If a user named NEWS with uid 0 exists, how do I find the user and delete them?

Last Thought (Server Details):
WHM 10.8.0 cPanel 10.9.0-S35
Fedora i686 - WHM X v3.1.0
I should have all latest updates
 

BlueZebra

Well-Known Member
Apr 27, 2006
48
0
156
You have to verify if the box is really compromised.

Check etc-passwd and verify the uid of the user news

#grep -i news /etc/passwd

Check the /tmp directory for any suspicious files

#ls -al /etc/tmp

Check the process tree and find if there are any suspicious process

#ps aux --forest

Check for any established connections

#netstat -plan
 
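The checks BlueZebra lists above, together with connorlong's earlier question about how to find a uid-0 account, collected into one script. This is an added example and not code from the thread; it assumes POSIX sh with awk, find and grep, the function names are mine, and each check takes its path as an argument so it can be run against a copy of the files or a constructed sample rather than only the live system.

```sh
#!/bin/sh
# Added example (not from the original thread): triage for the two symptoms
# reported above, an extra uid-0 account in /etc/passwd and a cron.d fragment
# that builds a setuid-root file in /tmp. Run with --live to check the real box.

# Accounts whose uid is 0 but whose name is not root.
# On a clean system this prints nothing.
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts with gid 0 that are not root (the news entry had both fields 0).
find_extra_gid0() {
    awk -F: '$4 == 0 && $1 != "root" { print $1 }' "$1"
}

# Number of distinct passwd entries with uid 0; anything other than 1 is a finding.
count_uid0() {
    awk -F: '$3 == 0 { n++ } END { print n + 0 }' "$1"
}

# Files under a scratch directory that carry the setuid or setgid bit.
# The cron job in the thread would leave /tmp/l.txt with mode 4755 (setuid root).
find_setuid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Cron fragments whose commands touch something under /tmp or /var/tmp.
# Legitimate packages rarely do this; the thread's core.25641 did.
find_tmp_cron_entries() {
    grep -rlE '/(var/)?tmp/' "$1" 2>/dev/null
}

if [ "${1:-}" = "--live" ]; then
    echo "== uid-0 accounts other than root";  find_extra_uid0 /etc/passwd
    echo "== gid-0 accounts other than root";  find_extra_gid0 /etc/passwd
    echo "== uid-0 entries in total: $(count_uid0 /etc/passwd)"
    echo "== setuid/setgid files in /tmp and /var/tmp"
    find_setuid_files /tmp; find_setuid_files /var/tmp
    echo "== cron.d fragments touching /tmp"; find_tmp_cron_entries /etc/cron.d
fi
```

Run it as root with `sh triage.sh --live`. Any account it lists, any setuid file in a scratch directory, or any cron fragment writing to /tmp is a reason to treat the host as compromised; deleting the account or the cron file removes that one foothold, not whatever else the same access was used for.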

connorlong

Member
Feb 23, 2005
23
0
151
RE: Have I been Hacked (Part 1)

Thank you for your response. I have now run those checks as you requested. On inspection, I can not see anything out of the ordinary. The results are below (Part 1).

Thanks again for your time.


#grep -i news /etc/passwd
Result: news:x:0:0:news:/etc/news:/bin/bash


#ls -al /etc/tmp
Result: /bin/ls: /etc/tmp: No such file or directory


#ps aux --forest
Result:

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 3432 460 ? S 10:06 0:01 init [3]
root 2 0.0 0.0 0 0 ? SWN 10:06 0:00 [ksoftirqd/0]
root 3 0.0 0.0 0 0 ? SW< 10:06 0:00 [events/0]
root 4 0.0 0.0 0 0 ? SW< 10:06 0:00 \_ [khelper]
root 16 0.0 0.0 0 0 ? SW< 10:06 0:00 \_ [kacpid]
root 96 0.0 0.0 0 0 ? SW< 10:06 0:00 \_ [kblockd/0]
root 158 0.0 0.0 0 0 ? SW 10:06 0:00 \_ [pdflush]
root 159 0.0 0.0 0 0 ? SW 10:06 0:00 \_ [pdflush]
root 161 0.0 0.0 0 0 ? SW< 10:06 0:00 \_ [aio/0]
root 104 0.0 0.0 0 0 ? SW 10:06 0:00 [khubd]
root 160 0.0 0.0 0 0 ? SW 10:06 0:00 [kswapd0]
root 254 0.0 0.0 0 0 ? SW 10:06 0:00 [kseriod]
root 445 0.0 0.0 0 0 ? SW 10:06 0:00 [kjournald]
root 1104 0.0 0.0 0 0 ? SW 10:06 0:00 [kjournald]
root 1105 0.0 0.0 0 0 ? SW 10:06 0:00 [kjournald]
root 1106 0.0 0.0 0 0 ? SW 10:06 0:00 [kjournald]
root 1107 0.0 0.0 0 0 ? SW 10:06 0:00 [kjournald]
root 1108 0.0 0.0 0 0 ? SW 10:06 0:00 [kjournald]
root 1994 0.0 0.1 2972 572 ? S 10:07 0:00 syslogd -m 0
root 1998 0.0 0.0 2440 444 ? S 10:07 0:00 klogd -x
root 2041 0.0 0.1 3380 560 ? S 10:07 0:00 rpc.idmapd
root 2120 0.0 0.1 2772 744 ? S 10:07 0:00 /usr/sbin/smartd
root 2129 0.0 0.0 2140 460 ? S 10:07 0:00 /usr/sbin/acpid
named 2139 0.0 0.7 37768 3860 ? S 10:07 0:02 /usr/sbin/named -u named
root 2167 0.0 0.2 5192 1296 tty8 S 10:07 0:00 /bin/bash
root 2233 0.0 0.2 4464 1452 ? S 10:07 0:00 /usr/sbin/sshd
root 8886 0.0 0.4 8292 2232 ? S 11:34 0:00 \_ sshd: [email protected]/0
root 8907 0.1 0.2 4444 1380 pts/0 S 11:34 0:00 \_ -bash
root 9603 0.0 0.1 3196 748 pts/0 R 11:44 0:00 \_ ps aux --forest
root 2246 0.0 0.1 3356 828 ? S 10:07 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
root 2264 0.0 1.9 14792 9788 ? S 10:07 0:00 chkservd
mailnull 2338 0.0 0.3 7536 1668 ? S 10:07 0:00 /usr/sbin/exim -bd -q60m
mailnull 8109 0.0 0.8 8488 4176 ? S 11:21 0:00 \_ /usr/sbin/exim -bd -q60m
mailnull 9103 0.0 0.6 8344 3452 ? S 11:36 0:00 \_ /usr/sbin/exim -bd -q60m
mailnull 2343 0.0 0.3 7520 1612 ? S 10:07 0:00 /usr/sbin/exim -tls-on-connect -bd -oX 465
root 2348 0.1 0.3 5436 1676 ? S 10:07 0:10 antirelayd
root 2359 1.3 3.0 48604 15688 ? S 10:07 1:16 /usr/sbin/clamd
root 2361 0.0 5.1 28272 26056 ? S 10:07 0:02 /usr/bin/spamd -d --allowed-ips=127.0.0.1 --pidfile=/var/run/sp
root 2482 1.0 6.2 34004 31820 ? S 10:07 0:58 \_ spamd child
root 2488 0.0 5.4 30036 27788 ? S 10:07 0:03 \_ spamd child
root 2384 0.0 1.5 16272 7900 ? S 10:07 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 2428 0.1 3.8 27480 19680 ? S 10:07 0:10 \_ /usr/local/apache/bin/httpd -DSSL
nobody 2429 0.1 3.8 27476 19740 ? S 10:07 0:09 \_ /usr/local/apache/bin/httpd -DSSL
nobody 2430 0.1 3.9 28084 20248 ? S 10:07 0:10 \_ /usr/local/apache/bin/httpd -DSSL
nobody 2431 0.1 3.8 27448 19652 ? S 10:07 0:11 \_ /usr/local/apache/bin/httpd -DSSL
nobody 2432 0.2 3.9 27900 19940 ? S 10:07 0:16 \_ /usr/local/apache/bin/httpd -DSSL
nobody 2670 0.2 3.9 27892 20052 ? S 10:07 0:15 \_ /usr/local/apache/bin/httpd -DSSL
nobody 2706 0.0 3.1 24164 16204 ? S 10:08 0:05 \_ /usr/local/apache/bin/httpd -DSSL
nobody 2716 0.1 4.0 28724 20824 ? S 10:08 0:09 \_ /usr/local/apache/bin/httpd -DSSL
nobody 2717 0.1 3.2 24224 16524 ? S 10:08 0:06 \_ /usr/local/apache/bin/httpd -DSSL
nobody 4580 0.1 3.2 24296 16428 ? S 10:29 0:06 \_ /usr/local/apache/bin/httpd -DSSL
root 2400 0.0 0.1 2776 644 ? S 10:07 0:00 crond
root 2418 0.0 0.2 4884 1168 ? S 10:07 0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --pid-fil
mysql 2468 0.2 3.8 107520 19536 ? S 10:07 0:15 \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --use
mailnull 2641 0.0 1.2 10896 6496 ? S 10:07 0:00 eximstats
root 2691 0.0 0.3 7140 1752 ? S 10:08 0:00 pure-ftpd (SERVER)
root 2696 0.0 0.1 6172 636 ? S 10:08 0:00 /usr/sbin/pure-authd -s /var/run/ftpd.sock -r /usr/sbin/pureaut
root 2709 0.0 1.6 11932 8380 ? SN 10:08 0:03 cpanellogd - sleeping for logs
root 2755 0.0 2.2 13972 11356 ? S 10:08 0:02 cppop - accepting on port 110 and 995
dunbarc 9599 2.0 2.2 13992 11404 ? S 11:44 0:00 \_ cppop - serving 165.146.229.49 - TRANSACTION - [email protected]
root 9600 0.0 2.2 13980 11368 ? S 11:44 0:00 \_ cppop - serving 165.146.196.61 - AUTHORIZATION
inkprint 9601 4.0 2.2 13992 11404 ? S 11:44 0:00 \_ cppop - serving 66.110.111.170 - TRANSACTION - [email protected]
brookesh 9602 4.0 2.2 13992 11408 ? S 11:44 0:00 \_ cppop - serving 66.110.74.174 - TRANSACTION - [email protected]
nobody 2762 0.0 0.5 5724 2860 ? S 10:08 0:00 entropychat
root 2763 0.0 2.9 17580 14804 ? S 10:08 0:00 cpsrvd - waiting for connections
nobody 2772 0.0 0.1 1688 560 ? S 10:08 0:00 /usr/local/cpanel/bin/startmelange
cpanel 2824 0.0 0.3 4536 1664 ? S 10:08 0:00 /usr/bin/stunnel-4.15local /usr/local/cpanel/etc/stunnel/defaul
dbus 2852 0.0 0.1 2240 808 ? S 10:08 0:00 dbus-daemon-1 --system
root 2907 0.0 0.0 1492 468 ? S 10:08 0:00 /usr/sbin/portsentry -tcp
postgres 2946 0.0 0.3 19356 2000 ? S 10:08 0:00 /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data
postgres 2954 0.0 0.3 10156 1788 ? S 10:08 0:00 \_ postgres: stats buffer process
postgres 2955 0.0 0.3 9164 1824 ? S 10:08 0:00 \_ postgres: stats collector process
root 2957 0.0 0.0 1600 324 ? S 10:08 0:00 mdadm --monitor --scan
root 2964 0.0 0.0 3300 340 tty1 S 10:08 0:00 /sbin/mingetty tty1
root 2965 0.0 0.0 2168 344 tty2 S 10:08 0:00 /sbin/mingetty tty2
root 2966 0.0 0.0 2900 344 tty3 S 10:08 0:00 /sbin/mingetty tty3
root 2967 0.0 0.0 1740 344 tty4 S 10:08 0:00 /sbin/mingetty tty4
root 2968 0.0 0.0 2216 344 tty5 S 10:08 0:00 /sbin/mingetty tty5
root 2969 0.0 0.0 1656 344 tty6 S 10:08 0:00 /sbin/mingetty tty6
 

connorlong

Member
Feb 23, 2005
23
0
151
RE: Have I been Hacked (Part 2)

#netstat -plan
Result:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:1 0.0.0.0:* LISTEN 2907/portsentry
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 2824/stunnel-4.15lo
tcp 0 0 0.0.0.0:2082 0.0.0.0:* LISTEN 2763/cpsrvd - waiti
tcp 0 0 0.0.0.0:2083 0.0.0.0:* LISTEN 2763/cpsrvd - waiti
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 2755/cppop - accept
tcp 0 0 0.0.0.0:2084 0.0.0.0:* LISTEN 2762/entropychat
tcp 0 0 0.0.0.0:2086 0.0.0.0:* LISTEN 2763/cpsrvd - waiti
tcp 0 0 0.0.0.0:2087 0.0.0.0:* LISTEN 2763/cpsrvd - waiti
tcp 0 0 0.0.0.0:6666 0.0.0.0:* LISTEN 2772/startmelange
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 2468/mysqld
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 2755/cppop - accept
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2907/portsentry
tcp 0 0 0.0.0.0:2095 0.0.0.0:* LISTEN 2763/cpsrvd - waiti
tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN 2361/spamd.pid --ma
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 2246/xinetd
tcp 0 0 0.0.0.0:2096 0.0.0.0:* LISTEN 2763/cpsrvd - waiti
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2384/httpd
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 2343/exim
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 2691/pure-ftpd (SER
tcp 0 0 65.75.137.33:53 0.0.0.0:* LISTEN 2139/named
tcp 0 0 65.75.137.32:53 0.0.0.0:* LISTEN 2139/named
tcp 0 0 65.75.137.31:53 0.0.0.0:* LISTEN 2139/named
tcp 0 0 65.75.137.30:53 0.0.0.0:* LISTEN 2139/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 2139/named
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 2338/exim
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 2139/named
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2384/httpd
tcp 0 0 65.75.137.30:80 198.54.202.254:43617 TIME_WAIT -
tcp 0 0 65.75.137.30:110 165.165.245.119:3711 TIME_WAIT -
tcp 0 0 65.75.137.30:80 198.54.202.254:42216 TIME_WAIT -
tcp 0 0 65.75.137.30:80 198.54.202.254:43626 TIME_WAIT -
tcp 0 91476 65.75.137.30:110 165.165.245.119:3063 ESTABLISHED 9606/cppop - servin
tcp 0 0 127.0.0.1:33631 127.0.0.1:783 TIME_WAIT -
tcp 0 0 65.75.137.30:110 165.146.223.38:10789 TIME_WAIT -
tcp 0 0 65.75.137.30:80 198.54.202.254:43635 TIME_WAIT -
tcp 0 0 65.75.137.30:110 165.145.31.120:1400 TIME_WAIT -
tcp 0 0 65.75.137.30:25 130.95.128.61:49965 ESTABLISHED 9691/exim
tcp 0 0 65.75.137.30:80 198.54.202.254:43634 TIME_WAIT -
tcp 0 0 65.75.137.30:80 198.54.202.254:42610 TIME_WAIT -
tcp 0 0 65.75.137.30:110 165.165.224.57:2550 TIME_WAIT -
tcp 0 78 65.75.137.30:25 165.165.245.119:4972 FIN_WAIT1 -
tcp 0 0 65.75.137.30:110 66.110.74.174:3376 TIME_WAIT -
tcp 0 0 65.75.137.30:110 66.110.74.174:3378 TIME_WAIT -
tcp 0 0 65.75.137.30:80 198.54.202.254:43645 TIME_WAIT -
tcp 0 0 65.75.137.30:110 165.145.25.52:2941 TIME_WAIT -
tcp 0 0 127.0.0.1:80 127.0.0.1:33634 TIME_WAIT -
tcp 0 0 65.75.137.30:80 198.54.202.254:43650 TIME_WAIT -
tcp 0 0 65.75.137.30:110 165.146.234.183:1871 TIME_WAIT -
tcp 0 0 127.0.0.1:783 127.0.0.1:33632 TIME_WAIT -
tcp 0 0 65.75.137.30:80 198.54.202.254:43652 TIME_WAIT -
tcp 0 0 65.75.137.30:80 198.54.202.254:43654 ESTABLISHED 9670/httpd
tcp 0 0 65.75.137.30:110 165.145.25.52:2829 TIME_WAIT -
tcp 0 0 65.75.137.30:80 198.54.202.254:43663 ESTABLISHED 9672/httpd
tcp 0 0 65.75.137.30:80 198.54.202.254:43599 TIME_WAIT -
tcp 0 0 65.75.137.30:80 198.54.202.254:42577 TIME_WAIT -
tcp 0 0 65.75.137.30:110 165.146.229.49:30056 TIME_WAIT -
tcp 0 0 65.75.137.30:110 165.146.229.49:30057 TIME_WAIT -
tcp 0 0 65.75.137.30:25 165.165.245.119:1038 ESTABLISHED 9103/exim
tcp 0 0 65.75.137.30:80 198.54.202.254:43606 TIME_WAIT -
tcp 0 0 65.75.137.30:110 165.146.196.61:1358 TIME_WAIT -
tcp 0 0 65.75.137.30:110 165.146.196.61:1356 TIME_WAIT -
tcp 0 0 65.75.137.30:80 198.54.202.254:43610 TIME_WAIT -
tcp 0 0 65.75.137.30:110 165.146.229.49:30055 TIME_WAIT -
tcp 0 0 65.75.137.30:110 165.146.196.61:1354 TIME_WAIT -
tcp 0 0 65.75.137.30:110 66.110.111.170:1973 TIME_WAIT -
tcp 0 0 65.75.137.30:110 165.146.234.183:1298 TIME_WAIT -
tcp 0 0 65.75.137.30:25 196.41.186.42:59290 ESTABLISHED 8109/exim
tcp 0 0 :::21 :::* LISTEN 2691/pure-ftpd (SER
tcp 0 0 :::22 :::* LISTEN 2233/sshd
tcp 0 10216 ::ffff:65.75.137.30:22 ::ffff:165.165.241:2021 ESTABLISHED 8886/0
udp 0 0 0.0.0.0:32768 0.0.0.0:* 2139/named
udp 0 0 127.0.0.1:32771 127.0.0.1:32771 ESTABLISHED 2946/postmaster
udp 0 0 65.75.137.33:53 0.0.0.0:* 2139/named
udp 0 0 65.75.137.32:53 0.0.0.0:* 2139/named
udp 0 0 65.75.137.31:53 0.0.0.0:* 2139/named
udp 0 0 65.75.137.30:53 0.0.0.0:* 2139/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 2139/named
udp 0 0 :::32769 :::* 2139/named
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 3311 2359/clamd /var/clamd
unix 2 [ ACC ] STREAM LISTENING 2615 2129/acpid /var/run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 5170 2946/postmaster /tmp/.s.PGSQL.5432
unix 10 [ ] DGRAM 2404 1994/syslogd /dev/log
unix 2 [ ACC ] STREAM LISTENING 4362 2696/pure-authd /var/run/ftpd.sock
unix 2 [ ACC ] STREAM LISTENING 5023 2852/dbus-daemon-1 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 3711 2468/mysqld /var/lib/mysql/mysql.sock
unix 2 [ ] DGRAM 46965 9606/cppop - servin
unix 2 [ ] DGRAM 4973 2824/stunnel-4.15lo
unix 2 [ ] DGRAM 4336 2691/pure-ftpd (SER
unix 3 [ ] STREAM CONNECTED 4153 2468/mysqld /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 4152 2641/eximstats
unix 3 [ ] STREAM CONNECTED 3741 2488/spamd child
unix 3 [ ] STREAM CONNECTED 3740 2361/spamd.pid --ma
unix 3 [ ] STREAM CONNECTED 3728 2482/spamd child
unix 3 [ ] STREAM CONNECTED 3727 2361/spamd.pid --ma
unix 2 [ ] DGRAM 3459 2400/crond
unix 2 [ ] DGRAM 3308 2361/spamd.pid --ma
unix 2 [ ] DGRAM 2780 2246/xinetd
unix 2 [ ] DGRAM 2649 2139/named
unix 2 [ ] DGRAM 2412 1998/klogd
 

BlueZebra

Well-Known Member
Apr 27, 2006
48
0
156
> Result: news:x:0:0:news:/etc/news:/bin/bash

This shows that the user news has uid and gid 0, and thus has all root privileges, and also has full shell access.

>#ls -al /etc/tmp was a mistake; it was meant to be /tmp
 

connorlong

Member
Feb 23, 2005
23
0
151
webtiva said:
It's possibly a kernel exploit. Check your /tmp or /var/tmp directories for a bad script. You probably have a cron job that runs them in place too, so check cron.
How would I know what can be deleted in the tmp folders? As for the kernel, I believe it has been updated to the latest.....
 

connorlong

Member
Feb 23, 2005
23
0
151
Hacked

BlueZebra said:
> Result: news:x:0:0:news:/etc/news:/bin/bash

This shows that the user news has uid and gid 0, and thus has all root privileges, and also has full shell access.

>#ls -al /etc/tmp was a mistake; it was meant to be /tmp


Is it possible to delete the USER News?
 

dgbaker

Well-Known Member
PartnerNOC
Sep 20, 2002
2,576
9
343
Toronto, Ontario Canada
cPanel Access Level
DataCenter Provider
The minute you have an ID like that with full root privileges, the server can no longer be trusted to be safe and secure. Ideally you should re-OS the machine and restore accounts from backup. Failing that, you should at the very least hire someone who can do a full security sweep of the server and try to secure it. Personally though, you would be better off re-OSing, as you now have no idea what has been done elsewhere on the server.
 

connorlong

Member
Feb 23, 2005
23
0
151
Hacked

dgbaker said:
The minute you have an ID like that with full root privileges, the server can no longer be trusted to be safe and secure. Ideally you should re-OS the machine and restore accounts from backup. Failing that, you should at the very least hire someone who can do a full security sweep of the server and try to secure it. Personally though, you would be better off re-OSing, as you now have no idea what has been done elsewhere on the server.

Hi and thanks for the response. I think / believe I have found the source. A script was run that created a group called add user. This then created a user called Sky, which failed. A user called News was created. This was successful! I have deleted the 2 user accounts (thanks to the post above). Should I delete the group?

I have no idea what damage if any has been caused. You are right about the Re-install. Is there any good docs on doing this?

Thanks again.
 

hamper

Well-Known Member
Apr 28, 2006
85
0
156

jayh38

Well-Known Member
Mar 3, 2006
1,213
0
166
It's just showing a tree process list of the parent and the child processes run under it.