hello to all...
I've recently asked for a reinstall on my server, because I got chkrooted with Torn8.
Before and after that chkrooting happened, I was getting several LSM alerts about httpd new listening ports.
After the reinstall, the server has been working clear until now. (I have done everything in the sticky thread "A beginner's guide on securing your server")
However, today I got another LSM alert, saying:
Code:
This is an automated alert generated from whatever.domain.I.have. This alert is to
notify the addressed users of new server sockets. New server sockets can
indicate server-software that has been started on your host, or otherwise
be an indication to malicious activity. It is advised to review this alert
and investigate if needed.
Following is a summary of new Internet Server Sockets:
> tcp 0 0 0.0.0.0:1330 0.0.0.0:* LISTEN 28567/httpd -DSSL
> tcp 0 0 0.0.0.0:1337 0.0.0.0:* LISTEN 28561/httpd -DSSL
Following is a summary of a new Unix Domain Sockets:
no changes to Unix Domain Sockets
I was away for a while until I saw this message, and when I entered my server, I found the load to be at 2.08 (quite high, I always work around 0.00 to 0.01) and I saw many perl processes running, probably causing the CPU load.
I also got another LSM alert, but this time it was:
Code:
Following is a summary of new Internet Server Sockets:
> tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 8871/inetd
I killed all perl processes; I don't know if I did well, but the load started to drop at once.
When I looked for open ports, none of those listed above were open anymore.
However, my /tmp directory had suspicious files, such as shell.pl (my antivirus at home defined it as Perl/Shellbot.A), bnc.pid, a file which held the pid 28561 of the httpd process I mentioned above, users.db, a file containing the line "U: Administrador", and some other random phpx9rg4 files.
I'm getting really concerned about this... has someone gained shell access to my server? (yes, huh?)
Any ideas how to prevent this from happening?
Thank you in advance