Urgent please (probably hacked)

SebastianC

Active Member
Nov 25, 2003
Some strange things are in my RH 9 with cPanel.

In the user list I have a user named "vadmin"... is this user normal in cPanel or Red Hat? (It isn't a user created by me.)

Thanks for your help,

Sebastian
 

SebastianC

Active Member
Nov 25, 2003
Ok pguy. The server is compromised:

Checking `ifconfig'... INFECTED
Checking `login'... INFECTED
Checking `pstree'... INFECTED
Searching for t0rn's v8 defaults... Possible t0rn v8 \(or variation\) rootkit installed
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Searching for ShKit rootkit default files and dirs... Possible ShKit rootkit installed
Checking `lkm'... You have 3 process hidden for ps command
Warning: Possible LKM Trojan installed

Is there any way to fix it without a restore (and losing all the info, and the expected downtime)?

Thanks in advance for any help....

Sebastian
 

pguy

Well-Known Member
Feb 21, 2003
Depends on what you have on the server, the backups, if any, etc. Best bet would be a restore of the OS and other data and then getting the backup accounts into the system. Tell me you had a 2nd backup drive plz! :)
 

SebastianC

Active Member
Nov 25, 2003
No, I don't have a second drive :( but I have other servers; I can make backups and transfer them to another server, then restore the data later....

But the problem is with one big site, more than 5Gb just in MySQL data.... and configurations...

When a machine is compromised, can nothing solve the problem without restoring the OS?
 

kris1351

Well-Known Member
Apr 18, 2003
It is a very good idea to run chkrootkit from cron; we run ours every 12 hours on each server we own. This is aggressive, but so have been the hack attempts we have seen in the last 6 months. Also, make sure you run /scripts/securetmp, as this is an excellent defense mechanism for blocking some hack attempts. If you haven't already, make sure the new server has APF on it.
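The scheduled chkrootkit run suggested above only helps if someone notices a finding. The wrapper below is an added example, not code from this thread or from chkrootkit: it turns chkrootkit's free-text report (the same line formats shown earlier in the thread) into an exit status and a short alert, so a cron job can page an admin instead of silently logging. The scanner path and the crontab line are assumptions; adjust them to your install.

```shell
#!/bin/sh
# Added example: cron-friendly wrapper around chkrootkit. Not from the thread.
# Assumes chkrootkit lives at /usr/local/sbin/chkrootkit (override via env).
CHKROOTKIT=${CHKROOTKIT:-/usr/local/sbin/chkrootkit}

# Keep only the report lines chkrootkit uses to signal a finding. Reads stdin.
# The second grep drops the "not infected" / "nothing found" style negatives.
chkrootkit_findings() {
    grep -E 'INFECTED|Possible .*([Rr]ootkit|Trojan)|Warning:|process(es)? hidden' \
        | grep -vE 'not infected|not found|nothing found'
}

# Print the number of findings in the report given on stdin (0 = clean).
count_findings() {
    n=$(chkrootkit_findings | grep -c .) || true
    echo "$n"
}

# Run the scanner, echo the full report for the log, exit non-zero on findings.
# Assumed crontab entry (every 12 hours, as the post recommends):
#   0 */12 * * * /usr/local/sbin/chkrootkit-cron.sh >>/var/log/chkrootkit.log 2>&1
run_scan() {
    report=$("$CHKROOTKIT" 2>&1) || true
    findings=$(printf '%s\n' "$report" | count_findings)
    printf '%s\n' "$report"
    if [ "$findings" -gt 0 ]; then
        echo "ALERT: chkrootkit reported $findings finding(s) on $(hostname)" >&2
        printf '%s\n' "$report" | chkrootkit_findings >&2
        return 1
    fi
    return 0
}

# Constructed sample reports in chkrootkit's line format, used for a dry run.
SAMPLE_CLEAN="Checking \`ifconfig'... not infected
Checking \`login'... not infected
Searching for Showtee... nothing found"

SAMPLE_HIT="Checking \`ifconfig'... INFECTED
Checking \`login'... not infected
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Checking \`lkm'... You have 3 process hidden for ps command
Warning: Possible LKM Trojan installed"
```

Run `run_scan` from cron and alert on a non-zero exit; the constructed samples let you check the parsing offline with `printf '%s\n' "$SAMPLE_HIT" | count_findings`.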
 

pguy

Well-Known Member
Feb 21, 2003
Dear Sebastian,

Most of the time the data can be salvaged. However, it depends on the intensity and depth of the intrusion. We have had our servers hacked before and we now have level 3 techs working with us just for securing servers.

Drop me a PM. I may be able to help in the salvaging of data.