Re: [ilugd] Server is hacked, pl. advice
On Fri, Dec 03, 2010 at 02:52:51PM +, Karanbir Singh wrote:
> On 12/03/2010 06:26 AM, abhishek jain wrote:
> > can anyone here suggest me what should i do, i am not sure how user1 logged into server, further what does the command perl udp.pl 92.114.6.32 0 22 mean which eats up 99.7% of CPU .
>
> You have already had a lot of good advice here, I'll add a few more things:
>
> - back up your data, and only your data

Oh and one more thing. If your VPS hosts applications which store passwords of users, and if you suspect that the cracker got a shell (in this case, it looks certain), make sure that you let your users know that their passwords may have been compromised. Some applications (I think even mailman was some years back) don't use one-way hashes for storing passwords (ostensibly to helpfully send these passwords back to the user when they forget their password). If a person got shell on the account, then he could have easily taken a look around and picked up all the passwords he could find. Some of these are worth quite a few $$$ in the market.

Difficult decision, yes. Many clients might not take it as an example of genuine concern for their own sake (which it is) and scram to a competitor with less scruples.

- Sandip

___
Ilugd mailing list
Ilugd@lists.linux-delhi.org
http://frodo.hserus.net/mailman/listinfo/ilugd
Re: [ilugd] Server is hacked, pl. advice
On Sat, Dec 11, 2010 at 11:41 AM, Aman Thakur aman.thakur.1...@gmail.com wrote:
> So just back up your data, only data, and reinstall your system. And update your system with the latest security updates. Even if you succeed in fixing this system, there are still chances for the system to be compromised once again, because it may be possible that the attacker has generated a vulnerability in the system. So, reinstall is the best way to ensure security and is a permanent fix. That's the only way to secure your system. And I hope you must be having a good idea about rootkits now. :)

One can also use tripwire or aide after OS install and each update; keep the signature db file on a read-only media. Comparing the system against the db file will tell you the files that do not match. Depending on the magnitude of the compromise, the admin can repair the package(s) or reinstall.

-- Arun Khan
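The tripwire/aide workflow Arun describes (baseline after install, keep the db read-only, compare later), as an added example that is not aide or any poster's code: a POSIX sh script that records sha256, mode and owner of every file under a tree and reports what changed, went missing or appeared. It assumes GNU coreutils (sha256sum, stat -c); the demo tree and the tampering in it are constructed.

```shell
#!/bin/sh
# Minimal tripwire/aide-style integrity check (added example, not aide itself).
# Needs GNU coreutils (sha256sum, stat -c). The DB written by baseline_create is
# meant to be copied onto read-only media; baseline_compare only reads it.

# baseline_create DIR DB : one line per regular file under DIR:
#   sha256  mode  uid  gid  path
baseline_create() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s %s %s\n' "$sum" "$(stat -c '%a %u %g' "$f")" "$f"
    done > "$2"
}

# baseline_compare DIR DB : prints "CHANGED path", "MISSING path" or "NEW path"
# for every file whose hash/mode/owner differs from the trusted DB; prints
# nothing when the tree still matches the baseline.
baseline_compare() {
    cur=$(mktemp)
    baseline_create "$1" "$cur"
    awk -v db="$2" '
        function pathof(line,  p) { p = line; sub(/^[^ ]+ [^ ]+ [^ ]+ [^ ]+ /, "", p); return p }
        function metaof()        { return $1 " " $2 " " $3 " " $4 }
        FILENAME == db { old[pathof($0)] = metaof(); next }      # trusted baseline
        { p = pathof($0); seen[p] = 1
          if (!(p in old))              print "NEW " p
          else if (old[p] != metaof())  print "CHANGED " p }
        END { for (p in old) if (!(p in seen)) print "MISSING " p }
    ' "$2" "$cur" | LC_ALL=C sort
    rm -f "$cur"
}

# Demo on a constructed tree (stand-in for /bin, /etc, ...): take the baseline,
# then tamper the way a rootkit would: replace a binary, drop a script, delete a file.
demo_integrity() {
    d=$(mktemp -d); mkdir "$d/root"
    printf 'ls v1\n' > "$d/root/ls"; printf 'x:0:0\n' > "$d/root/passwd"; printf 'old\n' > "$d/root/stale"
    baseline_create "$d/root" "$d/baseline.db"
    printf 'trojaned ls\n' > "$d/root/ls"; printf '#!/usr/bin/perl\n' > "$d/root/udp.pl"; rm "$d/root/stale"
    baseline_compare "$d/root" "$d/baseline.db" | sed "s|$d/root/||"
    rm -rf "$d"
}
demo_integrity
```

On a real host you would run baseline_create against / (excluding /proc, /sys, /tmp and the like), move the db off-box, and run baseline_compare from a boot medium rather than from the possibly rootkitted system itself.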
Re: [ilugd] Server is hacked, pl. advice
Hi abhishek,

I agree with the guys who are supporting a reinstall here. Even my linux (RHEL 5.5) virtual machine was compromised once because I didn't update it regularly. Someone gained root access to my machine. I tried so many things at that time. But finally there was only one solution and that is reinstall.

So just back up your data, only data, and reinstall your system. And update your system with the latest security updates. Even if you succeed in fixing this system, there are still chances for the system to be compromised once again, because it may be possible that the attacker has generated a vulnerability in the system. So, reinstall is the best way to ensure security and is a permanent fix. That's the only way to secure your system. And I hope you must be having a good idea about rootkits now. :)

Regards
Aman Thakur
Re: [ilugd] Server is hacked, pl. advice
hi,

This is christmas / season time and a clean install is not possible as there will be downtime; I will have to wait for this until mid Jan.

On Tue, Dec 7, 2010 at 10:11 PM, Ravi Kumar ra2...@gmail.com wrote:
> Because we cannot remember the state of files, and cannot be 100% sure that no rootkit or other exploits is left in some corner of the server.

what is a *root kit*? please clarify, maybe I need to check my server manually, each suspected file.

> we can re-install the whole linux if we want. This is not a compulsion, but an advice to have a clean install.
>
> -=Ravi=-

thanks
abhishek
Re: [ilugd] Server is hacked, pl. advice
On Wed, Dec 8, 2010 at 3:17 PM, abhishek jain abhishek.netj...@gmail.com wrote:
> hi,
>
> This is christmas / season time and a clean install is not possible as there will be downtime; I will have to wait for this until mid Jan.
>
> On Tue, Dec 7, 2010 at 10:11 PM, Ravi Kumar ra2...@gmail.com wrote:
> > Because we cannot remember the state of files, and cannot be 100% sure that no rootkit or other exploits is left in some corner of the server.
>
> what is a *root kit*? please clarify, maybe I need to check my server manually, each suspected file.

Hmmm. If you are not aware of root kits and other similar things, better reinstall the server RIGHT NOW. Even Christmas time will be too late. A few hours of downtime for technical reasons is usually acceptable for all (management and users).

-Sudhanwa

> > we can re-install the whole linux if we want. This is not a compulsion, but an advice to have a clean install.
> >
> > -=Ravi=-
>
> thanks
> abhishek

--
~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!
www.projects4students.com
Re: [ilugd] Server is hacked, pl. advice
Well, if you can't afford to have a downtime you need to do a few more things than what the other gurus have said, like below:

1) set up logwatch to have a full server log for any traffic
2) get CSF (config server firewall) and install it, as it has plugins for both cPanel and Webmin
3) now root kits are scary, specially if they have put some kernel root kit, so you need to monitor what all ports are opened and what kind of traffic is going out; again CSF is very good at that.
4) Disable FTP server at all
5) Allow only sftp connections
6) Disable the shell access to all of the users on the server
7) Disable Sudo
8) Disable root access
9) change ssh port
10) get the latest kernel and install it from source and boot the server on that kernel until you do a reinstall

Regards

On 12/8/2010 3:57 PM, Sudhanwa Jogalekar wrote:
> On Wed, Dec 8, 2010 at 3:17 PM, abhishek jain abhishek.netj...@gmail.com wrote:
> > hi,
> >
> > This is christmas / season time and a clean install is not possible as there will be downtime; I will have to wait for this until mid Jan.
> >
> > On Tue, Dec 7, 2010 at 10:11 PM, Ravi Kumar ra2...@gmail.com wrote:
> > > Because we cannot remember the state of files, and cannot be 100% sure that no rootkit or other exploits is left in some corner of the server.
> >
> > what is a *root kit*? please clarify, maybe I need to check my server manually, each suspected file.
>
> Hmmm. If you are not aware of root kits and other similar things, better reinstall the server RIGHT NOW. Even Christmas time will be too late. A few hours of downtime for technical reasons is usually acceptable for all (management and users).
>
> -Sudhanwa
>
> > > we can re-install the whole linux if we want. This is not a compulsion, but an advice to have a clean install.
> > >
> > > -=Ravi=-
> >
> > thanks
> > abhishek
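Steps 5, 8 and 9 of the list above (sftp only, no root login, non-default ssh port) turned into a check, as an added example that is not the poster's code: a POSIX sh/awk audit of an sshd_config that reports whether root login is off, whether the port is still 22, and whether a Match block forces internal-sftp for the users who should get no shell. It honours sshd's first-occurrence-wins rule and ignores everything inside Match blocks except the ForceCommand it looks for; the sample configs are constructed.

```shell
#!/bin/sh
# sshd_config audit for the hardening list above (added example; constructed samples).
# Prints one "OK ..." or "WARN ..." line per check.

# audit_sshd_config FILE
audit_sshd_config() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }                 # blank lines and comments
        { k = tolower($1) }                           # keywords are case-insensitive
        k == "match" { inmatch = 1; next }            # everything after is conditional
        inmatch && k == "forcecommand" && tolower($2) == "internal-sftp" { sftp_match = 1 }
        inmatch { next }
        !(k in v) { v[k] = $2 }                       # sshd uses the FIRST value it sees
        END {
            if (!("permitrootlogin" in v))
                print "WARN PermitRootLogin not set explicitly; add \"PermitRootLogin no\""
            else if (tolower(v["permitrootlogin"]) != "no")
                print "WARN PermitRootLogin is " v["permitrootlogin"] "; set it to no"
            else
                print "OK   PermitRootLogin no"
            if (!("port" in v) || v["port"] == "22")
                print "WARN sshd on default port 22"
            else
                print "OK   Port " v["port"]
            if (sftp_match)
                print "OK   a Match block forces internal-sftp (sftp-only users)"
            else
                print "WARN no Match block with ForceCommand internal-sftp; those users get a shell"
        }' "$1"
}

# Constructed config in the shape the list warns against.
sample_sshd_config_weak() {
    cat <<'EOF'
# constructed sample, not a real server's file
Port 22
Protocol 2
PermitRootLogin yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
}

# Constructed config after applying steps 5, 8 and 9 (the sftponly group is assumed).
sample_sshd_config_hardened() {
    cat <<'EOF'
Port 2222
Protocol 2
PermitRootLogin no
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
EOF
}

# Demo: audit both samples. On a live box: audit_sshd_config /etc/ssh/sshd_config
for s in sample_sshd_config_weak sample_sshd_config_hardened; do
    f=$(mktemp); "$s" > "$f"; echo "== $s"; audit_sshd_config "$f"; rm -f "$f"
done
```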
Re: [ilugd] Server is hacked, pl. advice
Well, thanks for all the replies. I have faced only some other hardware or software problems on linux till now. So I was thinking that the idea of a reinstall is strange.

On Dec 8, 2010 10:49 AM, jeet7668 . jeet7...@sify.com wrote:
> Hi Kuldeep,
>
> I totally agree with Sudhanwa that it's easier to reinstall than to struggle hard to clean the system, but if for any reason you cannot re-install and you have to fix the same one, then you can use some tools like ballistic and others to judge the current state and try to find out the rootkits. But again you will always be in doubt of having some malicious things remaining on the system.
>
> On Tue, Dec 7, 2010 at 11:47 PM, Sudhanwa Jogalekar sudhanwa@gmail.com wrote:
> > Dear Kuld...
>
> --
> Satyajeet Singh (Martin)
> (Linux Corporate Trainer)
> Koenig-Solutions Pvt Ltd (www.koenig-solutions.com)
> 09911547664
Re: [ilugd] Server is hacked, pl. advice
Hi Mr Raj Mathur,

I'm just very new to linux, so please don't mind my question. But a reinstall of linux in case of a hack doesn't look like a very good solution. Even in the case of windows we first try to recover the system, not to reinstall. Then how can it be justified to reinstall a linux system in case of a hack like that?

On Dec 3, 2010 8:25 PM, Karanbir Singh mail-li...@karan.org wrote:
> On 12/03/2010 06:26 AM, abhishek jain wrote:
> > can anyone here suggest me what should i do, i am...
>
> You have already had a lot of good advice here, I'll add a few more things:
>
> - back up your data, and only your data
> - back up anything else you might want from the machine, but in a different place to your data
> - Call and speak to the hosting company - make sure they understand it's a security issue, and treat it with a high priority; make sure they know what your level of linux competence is and how you can help them.
> - Insist on a new VM being installed for you. Don't try and clean this one up, just get your data and make sure it's destroyed
> - Take steps to make sure this does not happen again :)
>
> All the best.
>
> - KB
Re: [ilugd] Server is hacked, pl. advice
Because we cannot remember the state of files, and cannot be 100% sure that no rootkit or other exploits is left in some corner of the server, we can re-install the whole linux if we want. This is not a compulsion, but an advice to have a clean install.

-=Ravi=-

On Tue, Dec 7, 2010 at 9:40 PM, kuldeep kamboj kuldeepk1...@gmail.com wrote:
> Hi Mr Raj Mathur,
>
> I'm just very new to linux, so please don't mind my question. But a reinstall of linux in case of a hack doesn't look like a very good solution. Even in the case of windows we first try to recover the system, not to reinstall. Then how can it be justified to reinstall a linux system in case of a hack like that?
>
> On Dec 3, 2010 8:25 PM, Karanbir Singh mail-li...@karan.org wrote:
> > On 12/03/2010 06:26 AM, abhishek jain wrote:
> > > can anyone here suggest me what should i do, i am...
> >
> > You have already had a lot of good advice here, I'll add a few more things:
> >
> > - back up your data, and only your data
> > - back up anything else you might want from the machine, but in a different place to your data
> > - Call and speak to the hosting company - make sure they understand it's a security issue, and treat it with a high priority; make sure they know what your level of linux competence is and how you can help them.
> > - Insist on a new VM being installed for you. Don't try and clean this one up, just get your data and make sure it's destroyed
> > - Take steps to make sure this does not happen again :)
> >
> > All the best.
> >
> > - KB
Re: [ilugd] Server is hacked, pl. advice
Dear Kuldeep,

Starting with a clean OS is always better. You are sure about the things you have installed and working for you. In the current scenario, where there are many things running without authorization, there could be some traces of the same even if those things are stopped and cleaned. Moreover, something might be running (or execute later at some time) without your knowledge and doing some damage somewhere else, and you are to be blamed for it and go behind bars!!

As they say, prevention is better than cure !!!

-Sudhanwa

On Tue, Dec 7, 2010 at 9:40 PM, kuldeep kamboj kuldeepk1...@gmail.com wrote:
> Hi Mr Raj Mathur,
>
> I'm just very new to linux, so please don't mind my question. But a reinstall of linux in case of a hack doesn't look like a very good solution. Even in the case of windows we first try to recover the system, not to reinstall. Then how can it be justified to reinstall a linux system in case of a hack like that?
>
> On Dec 3, 2010 8:25 PM, Karanbir Singh mail-li...@karan.org wrote:
> > On 12/03/2010 06:26 AM, abhishek jain wrote:
> > > can anyone here suggest me what should i do, i am...
> >
> > You have already had a lot of good advice here, I'll add a few more things:
> >
> > - back up your data, and only your data
> > - back up anything else you might want from the machine, but in a different place to your data
> > - Call and speak to the hosting company - make sure they understand it's a security issue, and treat it with a high priority; make sure they know what your level of linux competence is and how you can help them.
> > - Insist on a new VM being installed for you. Don't try and clean this one up, just get your data and make sure it's destroyed
> > - Take steps to make sure this does not happen again :)
> >
> > All the best.
> >
> > - KB

--
~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!
www.projects4students.com
Re: [ilugd] Server is hacked, pl. advice
Hi Kuldeep,

I totally agree with Sudhanwa that it's easier to reinstall than to struggle hard to clean the system, but if for any reason you cannot re-install and you have to fix the same one, then you can use some tools like ballistic and others to judge the current state and try to find out the rootkits. But again you will always be in doubt of having some malicious things remaining on the system.

On Tue, Dec 7, 2010 at 11:47 PM, Sudhanwa Jogalekar sudhanwa@gmail.com wrote:
> Dear Kuldeep,
>
> Starting with a clean OS is always better. You are sure about the things you have installed and working for you. In the current scenario, where there are many things running without authorization, there could be some traces of the same even if those things are stopped and cleaned. Moreover, something might be running (or execute later at some time) without your knowledge and doing some damage somewhere else, and you are to be blamed for it and go behind bars!!
>
> As they say, prevention is better than cure !!!
>
> -Sudhanwa
>
> On Tue, Dec 7, 2010 at 9:40 PM, kuldeep kamboj kuldeepk1...@gmail.com wrote:
> > Hi Mr Raj Mathur,
> >
> > I'm just very new to linux, so please don't mind my question. But a reinstall of linux in case of a hack doesn't look like a very good solution. Even in the case of windows we first try to recover the system, not to reinstall. Then how can it be justified to reinstall a linux system in case of a hack like that?
> >
> > On Dec 3, 2010 8:25 PM, Karanbir Singh mail-li...@karan.org wrote:
> > > On 12/03/2010 06:26 AM, abhishek jain wrote:
> > > > can anyone here suggest me what should i do, i am...
> > >
> > > You have already had a lot of good advice here, I'll add a few more things:
> > >
> > > - back up your data, and only your data
> > > - back up anything else you might want from the machine, but in a different place to your data
> > > - Call and speak to the hosting company - make sure they understand it's a security issue, and treat it with a high priority; make sure they know what your level of linux competence is and how you can help them.
> > > - Insist on a new VM being installed for you. Don't try and clean this one up, just get your data and make sure it's destroyed
> > > - Take steps to make sure this does not happen again :)
> > >
> > > All the best.
> > >
> > > - KB

--
Satyajeet Singh (Martin)
(Linux Corporate Trainer)
Koenig-Solutions Pvt Ltd (www.koenig-solutions.com)
09911547664
Re: [ilugd] Server is hacked, pl. advice
> I today noticed my VPS was running too slow, then I logged into root, and found a lot of load on it (240). I did a ps -ef and a lot of processes were running, a lot of them were
>
>   user1 23771 1 0 15:36 pts/0 00:00:02 ./atack 800
>
> Also in WHM I see a process
>
>   user1 99.7 perl udp.pl 92.114.6.32 0 22
>
> can anyone here suggest me what should I do, I am not sure how user1 logged into the server, further what does the command perl udp.pl 92.114.6.32 0 22 mean which eats up 99.7% of CPU .

Disconnect it from the network and then do any investigation. Must use a different server for the function this one was doing, as this should be formatted and rebuilt.
Re: [ilugd] Server is hacked, pl. advice
On Friday 03 Dec 2010, abhishek jain wrote:
> hi friends,
>
> I today noticed my VPS was running too slow, then I logged into root, and found a lot of load on it (240). I did a ps -ef and a lot of processes were running, a lot of them were
>
>   user1 23771 1 0 15:36 pts/0 00:00:02 ./atack 800
>
> Also in WHM I see a process
>
>   user1 99.7 perl udp.pl 92.114.6.32 0 22
>
> can anyone here suggest me what should I do, I am not sure how user1 logged into the server, further what does the command perl udp.pl 92.114.6.32 0 22 mean which eats up 99.7% of CPU .

Apart from all the advice others have given you (use updated packages, switch off unwanted services, etc.), do a fresh reinstall of Linux on this VM. Once a (virtual) machine has been compromised, it's nearly impossible to be 100% sure that you have cleaned it up unless you're a real Linux/Unix dada with hundreds of years of experience. Rootkits can leave their components lying around anywhere in your system, and you can never be sure that you have managed to purge the whole worm.

Reinstall, reinstall, reinstall.

Regards,

-- Raj

--
Raj Mathur r...@kandalaya.org http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
PsyTrance Chill: http://schizoid.in/ || It is the mind that moves
Re: [ilugd] Server is hacked, pl. advice
On 12/03/2010 06:26 AM, abhishek jain wrote:
> can anyone here suggest me what should I do, I am not sure how user1 logged into the server, further what does the command perl udp.pl 92.114.6.32 0 22 mean which eats up 99.7% of CPU .

You have already had a lot of good advice here, I'll add a few more things:

- back up your data, and only your data
- back up anything else you might want from the machine, but in a different place to your data
- Call and speak to the hosting company - make sure they understand it's a security issue, and treat it with a high priority; make sure they know what your level of linux competence is and how you can help them.
- Insist on a new VM being installed for you. Don't try and clean this one up, just get your data and make sure it's destroyed
- Take steps to make sure this does not happen again :)

All the best.

- KB
[ilugd] Server is hacked, pl. advice
hi friends,

I today noticed my VPS was running too slow, then I logged into root, and found a lot of load on it (240). I did a ps -ef and a lot of processes were running, a lot of them were

  user1 23771 1 0 15:36 pts/0 00:00:02 ./atack 800

Also in WHM I see a process

  user1 99.7 perl udp.pl 92.114.6.32 0 22

can anyone here suggest me what should I do, I am not sure how user1 logged into the server, further what does the command perl udp.pl 92.114.6.32 0 22 mean which eats up 99.7% of CPU .

--
Thanks and kind Regards,
Abhishek jain
+91 9971376767
Re: [ilugd] Server is hacked, pl. advice
hi,

kill all the processes by user1, delete user1 if possible or change its password, and check the user's home directory; if there is some script found, check its contents and see where all it has made changes.

Warm Regards,
Anshul Chauhan

Never expect things to happen, struggle, make them happen.
Never expect yourself to be given a good value, create a value for your own..

On Fri, Dec 3, 2010 at 11:56 AM, abhishek jain abhishek.netj...@gmail.com wrote:
> hi friends,
>
> I today noticed my VPS was running too slow, then I logged into root, and found a lot of load on it (240). I did a ps -ef and a lot of processes were running, a lot of them were
>
>   user1 23771 1 0 15:36 pts/0 00:00:02 ./atack 800
>
> Also in WHM I see a process
>
>   user1 99.7 perl udp.pl 92.114.6.32 0 22
>
> can anyone here suggest me what should I do, I am not sure how user1 logged into the server, further what does the command perl udp.pl 92.114.6.32 0 22 mean which eats up 99.7% of CPU .
>
> --
> Thanks and kind Regards,
> Abhishek jain
> +91 9971376767
Re: [ilugd] Server is hacked, pl. advice
On 12/03/2010 11:56 AM, abhishek jain abhishek.netj...@gmail.com wrote:
> hi friends,
>
> I today noticed my VPS was running too slow, then I logged into root, and found a lot of load on it (240). I did a ps -ef and a lot of processes were running, a lot of them were
>
>   user1 23771 1 0 15:36 pts/0 00:00:02 ./atack 800
>
> Also in WHM I see a process

I think that's the drawback of using control panels such as WHM, cPanel etc. They may contain security holes due to which an attacker can gain access to the server. I'm not sure what type of attack this is, but maybe the attacker didn't get access through ssh.

What you can do is check out the /tmp directory and, if using php, php's tmp directory (/var/lib/php5?), and you may see some perl files which are being executed. If that's the case, then in the short term what you can do is:

1. Put noexec privileges on the /tmp partition. If the /tmp partition is not separate, then maybe you can use dd to create a 1 or 2 GB file (depending on the file) and mount it as /tmp with noexec privileges. That way, even if the attacker manages to upload the file into the /tmp directory, executing it would be difficult.
2. Shut down WHM if that's possible, till you identify and resolve the issue.

What I'd suggest in the long term is:

1. Regularly update your linux installation. That's critical.
2. Update your WHM or whatever control panel is there if they offer updates. If they don't offer updates then switch to one which does.
3. Maybe replace WHM with ISPConfig, though I cannot vouch for the safety of any.
4. Run ssh on a different port or block access if that's possible (allow only specific IPs via iptables).
5. Update your PHP installation if you're using any.

Maybe it's one of your own applications (created by you, or some OSS application that you're using) rather than WHM which is flawed. That will require some significant log analysis of your web server logs.

Hope it helps.

Regards
Vivek Kapoor
http://exain.com
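Vivek's two short-term checks (is /tmp its own mount with noexec, and what runnable files have turned up there) as an added example that is not the poster's code: a POSIX sh script that reads a /proc/mounts-style table and lists scripts, ELF binaries and executable files recently written under a directory. The mount table and the sample files are constructed; the dd/mount remount he describes is shown only as a comment.

```shell
#!/bin/sh
# /tmp hardening checks for the short-term fixes above (added example; constructed data).

# mount_missing_opts MOUNTS_FILE MOUNTPOINT
# Reads a /proc/mounts-style table (dev mountpoint fstype options ...) and prints
# "ok", the missing hardening options (space separated), or "no-separate-mount"
# when MOUNTPOINT has no entry of its own, i.e. the case for the dd-created image.
mount_missing_opts() {
    awk -v mp="$2" '
        $2 == mp { found = 1; n = split($4, o, ","); for (i = 1; i <= n; i++) have[o[i]] = 1 }
        END {
            if (!found) { print "no-separate-mount"; exit }
            n = split("noexec nosuid nodev", want, " ")
            for (i = 1; i <= n; i++) if (!(want[i] in have)) miss = miss (miss == "" ? "" : " ") want[i]
            print (miss == "" ? "ok" : miss)
        }' "$1"
}

# scan_tmp_scripts DIR [DAYS]
# Lists regular files under DIR modified in the last DAYS days (default 7) that
# could run: "#!" scripts (the udp.pl case), ELF binaries (./atack), or anything
# carrying an execute bit. Prints "reason path", one per line, in path order.
scan_tmp_scripts() {
    dir=$1; days=${2:-7}
    find "$dir" -type f -mtime -"$days" | LC_ALL=C sort | while IFS= read -r f; do
        magic=$(head -c 4 "$f" | od -An -c | tr -d ' \n')   # first 4 bytes, e.g. "#!/u" or "177ELF"
        case "$magic" in
            '#!'*)     printf 'script   %s\n' "$f" ;;
            '177ELF'*) printf 'elf      %s\n' "$f" ;;
            *) if [ -x "$f" ]; then printf 'execbit  %s\n' "$f"; fi ;;
        esac
    done
}

# The remount the post describes when /tmp is not a separate partition
# (run as root; not executed here):
#   dd if=/dev/zero of=/var/tmp-fs.img bs=1M count=1024
#   mkfs.ext4 /var/tmp-fs.img
#   mount -o loop,noexec,nosuid,nodev /var/tmp-fs.img /tmp
# Live use on a real box:  mount_missing_opts /proc/mounts /tmp ; scan_tmp_scripts /tmp 7

# Demo on constructed input: a tmpfs /tmp lacking noexec, and a scratch dir with
# a perl dropper, an ELF, an executable text file and a harmless note.
demo_tmp_checks() {
    m=$(mktemp); d=$(mktemp -d)
    printf '/dev/vda1 / ext4 rw,relatime 0 0\ntmpfs /tmp tmpfs rw,nosuid,nodev 0 0\n' > "$m"
    echo "/tmp missing: $(mount_missing_opts "$m" /tmp)"
    echo "/var/tmp: $(mount_missing_opts "$m" /var/tmp)"
    printf '#!/usr/bin/perl\nprint "x";\n' > "$d/udp.pl"
    printf '\177ELF\n' > "$d/atack"
    printf 'just text\n' > "$d/dropper"; chmod +x "$d/dropper"
    printf 'just text\n' > "$d/notes.txt"
    scan_tmp_scripts "$d" | sed "s|$d/||"
    rm -rf "$m" "$d"
}
demo_tmp_checks
```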
Re: [ilugd] Server is hacked, pl. advice
Hi,

On Fri, Dec 3, 2010 at 11:56 AM, abhishek jain abhishek.netj...@gmail.com wrote:
> hi friends,
>
> I today noticed my VPS was running too slow, then I logged into root, and found a lot of load on it (240). I did a ps -ef and a lot of processes were running, a lot of them were
>
>   user1 23771 1 0 15:36 pts/0 00:00:02 ./atack 800
>
> Also in WHM I see a process
>
>   user1 99.7 perl udp.pl 92.114.6.32 0 22
>
> can anyone here suggest me what should I do, I am not sure how user1 logged into the server, further what does the command perl udp.pl 92.114.6.32 0 22 mean which eats up 99.7% of CPU .

I would suggest you not to panic; the very first thing you need to do is to change the root user1's password (if you are really interested to know what this user is trying to do). After changing the passwords, download all the dump of '/var/log/messages/' and analyze. The probability is more that it is some vulnerable panel attack, but can't say until you have analyzed everything.

These commands may help you to investigate more:

$ last

$ ps aux | grep pts
  -- to know if someone else is logged in along with you :-) reason being, one may use a command like 'ssh r...@victimip -i /bin/bash' to hide himself from commands like 'w' or 'who'

$ netstat -antp
  -- check out the current established connections, or who else is trying to connect to you at the current time

HTH.

--
Thanks,
Sagar Belure
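Sagar's "ps aux | grep pts" check taken one step further, as an added example that is not from the post: two POSIX sh/awk functions that read `ps -eo pid,ppid,user,tty,comm` output and flag (a) shells spawned by sshd with no controlling tty, the kind of session w/who never list, and (b) pseudo-terminals ps knows about but `who` (utmp) does not. The ps and who samples are constructed in the shape of the thread.

```shell
#!/bin/sh
# Session checks building on "ps aux | grep pts" (added example; constructed data).
# Both functions read  ps -eo pid,ppid,user,tty,comm  output on stdin.

# find_ptyless_shells < ps-output
# A shell whose parent is sshd but whose tty is "?" is a command-only ssh session
# (no pty, so no utmp entry). Prints "pid user shell parent=sshd/ppid".
find_ptyless_shells() {
    awk '
        NR == 1 { next }                                   # header line
        { comm[$1] = $5; ppid[$1] = $2; user[$1] = $3; tty[$1] = $4 }
        END {
            for (p in comm)
                if (tty[p] == "?" && comm[p] ~ /^(bash|sh|dash|zsh|ksh)$/ && comm[ppid[p]] == "sshd")
                    print p, user[p], comm[p], "parent=sshd/" ppid[p]
        }' | sort -n
}

# ptys_not_in_who WHO_FILE < ps-output
# Every pts/N that ps shows but `who` does not: a pty whose utmp record was
# never written or has been wiped. Prints "tty user", one per distinct pair.
ptys_not_in_who() {
    known=$(awk '{ print $2 }' "$1" | tr '\n' ' ')        # who: tty is column 2
    awk -v known="$known" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) seen[k[i]] = 1 }
        NR == 1 { next }
        $4 ~ /^pts\// && !($4 in seen) && !(($4 " " $3) in out) { out[$4 " " $3] = 1; print $4, $3 }'
}

# Constructed sample: root's hidden bash (no tty), abhishek's normal login on
# pts/0, user1 on pts/1 with no utmp entry, and the ./atack process from the post.
sample_ps() {
    cat <<'EOF'
  PID  PPID USER     TT       COMMAND
    1     0 root     ?        init
  900     1 root     ?        sshd
 2301   900 root     ?        sshd
 2305  2301 root     ?        bash
 2400   900 abhishek ?        sshd
 2405  2400 abhishek pts/0    bash
 2500   900 user1    ?        sshd
 2510  2500 user1    pts/1    bash
23771     1 user1    pts/0    atack
EOF
}
sample_who() { printf 'abhishek pts/0        2010-12-03 15:30 (203.0.113.5)\n'; }

# Demo on the sample. Live use:  ps -eo pid,ppid,user,tty,comm | find_ptyless_shells
#                                who > /tmp/who.txt; ps -eo pid,ppid,user,tty,comm | ptys_not_in_who /tmp/who.txt
echo "== shells from sshd with no pty"; sample_ps | find_ptyless_shells
w=$(mktemp); sample_who > "$w"
echo "== ptys missing from who";       sample_ps | ptys_not_in_who "$w"
rm -f "$w"
```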