DA exim hacked

Netbone

root 14844 0.0 0.0 7104 1296 ? S Jan17 0:00 /usr/sbin/exim -q
nobody 14845 0.0 0.0 7368 316 ? S Jan17 0:00 /usr/local/directadmin/directadmin d
nobody 14850 0.0 0.0 7368 316 ? S Jan17 0:00 /usr/local/directadmin/directadmin d
root 14862 0.0 0.1 7508 2452 ? S Jan17 0:00 /usr/sbin/exim -q
mail 14863 0.0 0.0 7508 1544 ? S Jan17 0:00 /usr/sbin/exim -q
nobody 14868 0.0 0.0 7368 316 ? S Jan17 0:00 /usr/local/directadmin/directadmin d
nobody 14869 0.0 0.0 7368 316 ? S Jan17 0:00 /usr/local/directadmin/directadmin d


statd 4753 0.0 0.0 1752 744 ? S Jan07 0:00 /sbin/rpc.statd
daemon 4767 0.0 0.0 1828 412 ? S Jan07 0:00 /usr/sbin/atd
root 4774 0.0 0.0 2196 880 ? S Jan07 0:02 /usr/sbin/cron


root 14364 0.0 0.1 7504 2444 ? S Jan17 0:00 /usr/sbin/exim -q
mail 14365 0.0 0.0 7504 1560 ? S Jan17 0:00 /usr/sbin/exim -q
root 14374 0.0 0.1 7508 2488 ? S Jan17 0:00 /usr/sbin/exim -q
mail 14375 0.0 0.0 7508 1620 ? S Jan17 0:00 /usr/sbin/exim -q
root 14392 0.0 0.1 7652 2244 ? S Jan17 0:00 sshd: root@notty
root 14394 0.0 0.0 2628 1276 ? S Jan17 0:00 -bash
root 14638 0.0 0.1 7504 2472 ? S Jan17 0:00 /usr/sbin/exim -q
mail 14639 0.0 0.0 7504 1556 ? S Jan17 0:00 /usr/sbin/exim -q


exim unstoppable, sending thousands of spam mails from

mxd8.aruba.it.smtp

Rootkit 'SHV4'... [ Warning! ]

--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /dev/null).
--------------------------------------------------------------------------------


[Press <ENTER> to continue]

Rootkit 'SHV5'... [ Warning! ]

--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /dev/null).
--------------------------------------------------------------------------------


[Press <ENTER> to continue]

tcp 0 0 swisscolo.netbone:36661 212.243.107.243:www TIME_WAIT
tcp 0 0 swisscolo.netbone:49786 paco.netbone-digita:www TIME_WAIT
tcp 0 0 swisscolo.netbone:59178 229-47.5-85.cust.bl:www TIME_WAIT
tcp 0 0 swisscolo.netbone:58718 bplaced.net:www TIME_WAIT

85.5.47.229 is the controlling server
 
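As an added triage example (not code from the original post or from DirectAdmin), the ps listing above can be scanned for the two indicators this thread turns on: a pile of concurrent `exim -q` queue runners and a root SSH session with no tty (`sshd: root@notty`). The sample lines are constructed from the post; the queue-runner threshold is an assumption.

```python
import re

# Constructed sample: a subset of the `ps aux` lines quoted in the post above.
PS_SAMPLE = """\
root 14844 0.0 0.0 7104 1296 ? S Jan17 0:00 /usr/sbin/exim -q
mail 14863 0.0 0.0 7508 1544 ? S Jan17 0:00 /usr/sbin/exim -q
root 14374 0.0 0.1 7508 2488 ? S Jan17 0:00 /usr/sbin/exim -q
mail 14375 0.0 0.0 7508 1620 ? S Jan17 0:00 /usr/sbin/exim -q
root 14392 0.0 0.1 7652 2244 ? S Jan17 0:00 sshd: root@notty
root 14394 0.0 0.0 2628 1276 ? S Jan17 0:00 -bash
root 4774 0.0 0.0 2196 880 ? S Jan07 0:02 /usr/sbin/cron
"""

# ps aux columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND...
PS_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+\S+\s+\S+\s+\d+\s+\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.*)$"
)


def parse_ps(text):
    """Parse `ps aux`-style lines into dicts with user, pid and command."""
    procs = []
    for line in text.splitlines():
        m = PS_RE.match(line.strip())
        if m:
            procs.append({"user": m.group(1), "pid": int(m.group(2)), "cmd": m.group(3)})
    return procs


def triage(procs, max_queue_runners=2):
    """Return (tag, detail) findings; an empty list means nothing was flagged.

    max_queue_runners is an assumed threshold: one timed queue runner is
    normal, a pile of them means something keeps forcing the queue to flush.
    """
    findings = []
    runners = [p for p in procs if p["cmd"].startswith("/usr/sbin/exim -q")]
    if len(runners) > max_queue_runners:
        findings.append(("exim-queue-runners", len(runners)))
    # `sshd: root@notty` is OpenSSH's process title for a root session with no
    # pty: remote command execution or forwarding, to be matched against auth logs.
    for p in procs:
        m = re.match(r"sshd: (\S+)@notty", p["cmd"])
        if m and m.group(1) == "root":
            findings.append(("root-ssh-no-tty", p["pid"]))
    return findings


if __name__ == "__main__":
    for tag, detail in triage(parse_ps(PS_SAMPLE)):
        print(f"{tag}: {detail}")
```

On a live box the same checks would run over `ps aux` output, and every hit should be cross-checked against `/var/log/auth.log` and the exim queue before trusting a system that may already carry a rootkit.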
Fine ... when apt-get update will crash DA dependencies ... (see Debian thread)
 
So, just to be clear, exim was not hacked. Your server was hacked. How that was accomplished is still unknown.

when apt-get update will crash DA dependencies

You only have to exclude what DirectAdmin installed. Everything else can be updated.

(see Debian thread)

I am not going to go looking for the Debian thread. If you want me to see it then provide a link. Otherwise state the problems you think apt-get will cause.
 
The vulnerability used to hack your system is probably the recent RoundCube one, but since you have a rootkit installed on the machine there is absolutely no point in trying to fix it. You will have to get the backup and do a fresh install.
Keep it constantly updated this time.
 
scsi said:
Guess you should secure your server then.

Netbone said:
Fine ... when apt-get update will crash DA dependencies ... (see Debian thread)

And apt-get has nothing to do with securing your server. Apt-get can be used to update software but ultimately it is up to you to update vulnerable software whether apt-get can be used or not. DirectAdmin provides scripts to update the software it installs. You have to run these scripts when you want to update something.
 
Out of jail

But how can a user become root?

On this server there were no (!) scripts or additional installs - only HTML pages.

So I am quite confused. If anybody is interested in a copy, I have a full image of the HDD, because the local police requested a copy (hacker located in Switzerland. My first hacker I could catch. All others were mostly Russian or Chinese).

Anyway - an insecure script should never result in a rootkit, only in damage to the web user with the insecure script, I think.

We already have a running discussion in the Debian part of this forum on whether it is possible to run apt-get upgrade, because normally it should not touch DA installations, since they are custom built when DA was installed from scratch.

I know that there is no way to restore a hacked server. The server is shut down and the sites are copied to another server - but anyway, thank you for the help.
 
To gain root access the cracker must have used some local vulnerability after gaining simple access; like I said, it was probably RoundCube at first and then maybe the kernel, or anything else not updated.

I can help you professionally with this matter. I can probably tell you exactly which vulnerabilities have been exploited by this guy by investigating the image, so that it won't happen again.
You know, it's a nice coincidence: I live in Switzerland too, and I once had a problem like that. I have worked for the "good guys" since, offering my services against crackers :) I can tell from my experience that you can get a lot of money if you catch this guy...
 