Root sends sensitive email to hacker

nocser

Member
Jan 13, 2006
Hi friend

I found that one of my servers is automatically sending sensitive information (passwords and usernames) to a hacker. Below is the email in the mail queue waiting to be sent. The body of the email contains many URLs, user names and passwords.

Any idea how to remove the exploit? I have tried many ways; none of them work.

Thanks in advance

=============================
1161713089 0
-ident root
-received_protocol local
-body_linecount 1424
-auth_id root
-auth_sender [email protected]
-allow_unqualified_recipient
-allow_unqualified_sender
-local
XX
1
[email protected]

152P Received: from root by server.mydomainname.com with local (Exim 4.52)
id 1GcQdt-0006U7-To
for [email protected]; Wed, 25 Oct 2006 04:04:50 +1000
025T To: [email protected]
035 Subject: server.mydomainname.com
058I Message-Id:
044F From: root
038 Date: Wed, 25 Oct 2006 04:04:49 +1000
===============================
Today exim_mainlog has this log entry:
================================
2006-10-26 04:03:16 1Gcn5v-0005PQ-Nd => [email protected] R=lookuphost
T=remote_smtp H=mx1.mail.yahoo.com [67.28.113.71]

2006-10-26 04:03:16 1Gcn5v-0005PQ-Nd Completed
================================
 

chilihost

Well-Known Member
Mar 1, 2005
Have you scanned your server for rootkits? Have you checked your sites for vulnerable PHP scripts? Have you checked your tmp directories and secured them? It sounds like the hacker got access to your server and set up some automated tool, possibly a rootkit.
 

nocser

Member
Jan 13, 2006
Hi Chilihost, I am glad someone finally replied to this thread. All the actions below were taken and the same email is still being sent out.

RKhunter 1.2.8, updated yesterday, scans all clear except /bin/kill.
It was an MD5 failure, but I think it is because of an update problem.

/scripts/tmp has been run since the box was brought up. I resecured it again yesterday.

This script was also run. All the suspected files in exploits.txt were removed.
=======================
sh
# Start a fresh report, then list everything under the usual drop directories that is
# owned by a web-server user or looks executable/perl (ls -F marks executables with *).
: > exploits.txt
for x in /dev/shm /tmp /usr/local/apache/proxy /var/spool /var/tmp; do
  ls -loAFR "$x" 2>/dev/null \
    | grep -E "^$|^/| apache | nobody | unknown | www | web " \
    | grep -E "^$|^/|/$|\*$|\.pl$" \
    | tee -a exploits.txt
done
echo -e "\n\nPossible Exploit Files and Directories: $(grep -Ev "^$|^/" exploits.txt | wc -l | tr -d ' ')" | tee -a exploits.txt
exit
=======================

Any idea?
 

nocser

Member
Jan 13, 2006
The worst is, I am receiving complaints telling me that this server is attempting to attack other hosts.
 

mickalo

Well-Known Member
Apr 16, 2002
N.W. Iowa
Have you scanned your server for rootkits? Have you checked your sites for vulnerable PHP scripts? Have you checked your tmp directories and secured them? It sounds like the hacker got access to your server and set up some automated tool, possibly a rootkit.
Do you know of a good rootkit scanner that works on CentOS 3.8?

Mickalo
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
The worst is, I am receiving complaints telling me that this server is attempting to attack other hosts.
If someone has been able to modify the root account's forwarder then you've likely had a root compromise and should back up all your user data, have the OS disk wiped clean and a new OS installed, then restore all the cPanel accounts and secure your server more effectively. You cannot realistically clean a server once you've suffered a root compromise, which is what appears to have happened here.
 

nocser

Member
Jan 13, 2006
If someone has been able to modify the root account's forwarder then you've likely had a root compromise and should back up all your user data, have the OS disk wiped clean and a new OS installed, then restore all the cPanel accounts and secure your server more effectively. You cannot realistically clean a server once you've suffered a root compromise, which is what appears to have happened here.
If I reimage the server and restore the backup made by WHM on the second HDD, is that secure? I mean, will the backup files be infected as well?
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
It can't be infected in the sense of a Windows virus, no. You might end up restoring the account that the hacker compromised, but that's why you need to better secure the server before restoring accounts. While hackers can often easily compromise end-user scripts, you ought to be able to secure the server in most instances against root compromise.