Root send sensitive Email to hacker

[nocser]

Hi friend

I found 1 of my server automatic sending sensitive information (password and unsername) to hacker. Below is the Email in mail queue waiting for send. The body of the Email contain many URL, user name and password.

Any idea how to remove the exploit. I have tried to many way none of it work.

Thanks in advance

=============================
1161713089 0
-ident root
-received_protocol local
-body_linecount 1424
-auth_id root
-auth_sender [email protected]
-allow_unqualified_recipient
-allow_unqualified_sender
-local
XX
1
[email protected]

152P Received: from root by server.mydomainname.com with local (Exim 4.52)
id 1GcQdt-0006U7-To
for [email protected]; Wed, 25 Oct 2006 04:04:50 +1000
025T To: [email protected]
035 Subject: server.mydomainname.com
058I Message-Id:
044F From: root
038 Date: Wed, 25 Oct 2006 04:04:49 +1000
===============================



Today exim_mainlog got this log entry
================================
2006-10-26 04:03:16 1Gcn5v-0005PQ-Nd => [email protected] R=lookuphost
T=remote_smtp H=mx1.mail.yahoo.com [67.28.113.71]

2006-10-26 04:03:16 1Gcn5v-0005PQ-Nd Completed
================================

 

[nocser]

Hi all Cpanel guy no one willing help?

 

[chilihost]

have you scanned your server for rootkits? have you checked your sites for vulnerable php scripts? have you checked your tmp directories and secured them? it sounds like the hacker got access to your server and setup some automated tool, possibly a rootkit.

 

[nocser]

Hi Chilihost I am glad finally someone reply to this tread. All the action below was taken and still have the same Email sending out.

RKhunter 1.2.8 updated yesterday scan seem all clear except /bin/kill
It was MD5 fail, but I think it is bacause uf update problem.

/scripts/tmp was run since the box out. Resecure it again yesterday.

This scripts was also ran. All the suspected files in the exploit.txt was removed.
=======================
sh
for x in "/dev/shm /tmp /usr/local/apache/proxy /var/spool /var/tmp"; do ls
-loAFR $x 2>&- | grep -E "^$|^/| apache | nobody | unknown | www | web " |
grep -E "^$|^/|/$|*$|.pl$" | tee exploits.txt; done; echo -e "nnPossible
Exploit Files and Directories: `grep -Ev "^$|^/" exploits.txt | wc -l | tr
-d ' '`" | tee -a exploits.txt
exit
=======================

Any idea?

 

[nocser]

The worst is, I am receiving complain telling me that this server is atempt to attack others host.

 

[mickalo]

have you scanned your server for rootkits? have you checked your sites for vulnerable php scripts? have you checked your tmp directories and secured them? it sounds like the hacker got access to your server and setup some automated tool, possibly a rootkit.

do you know of a good rootkit scanner that works on Centos 3.8 ?

Mickalo

 

[chirpy]

The worst is, I am receiving complain telling me that this server is atempt to attack others host.

If someone has been able to modify the root accounts forwarder then you've likely had a root compromise and should backup all your user data and have the OS disk wiped clean and a new OS installed then restore all the cPanel accounts and the secure your server more effectively. You cannot realistically clean a server once you've suffered a root compromise - which is what appears to have happened here.

 

[nocser]

If someone has been able to modify the root accounts forwarder then you've likely had a root compromise and should backup all your user data and have the OS disk wiped clean and a new OS installed then restore all the cPanel accounts and the secure your server more effectively. You cannot realistically clean a server once you've suffered a root compromise - which is what appears to have happened here.

If I were reimage the server and restore the backup that done by WHM in the second HDD secure? I mean will the backup file infected as well?

 

[chirpy]

It can't be infected in the sense of a windows virus, no. You might end up restoring the account that the hacker comrpomised, but that's why you need to better secure the server before restoring accounts. While hackers can often easily compromise end-user scripts you ought to be able to secure the server in most instances against root compromise.