DA server got hacked

piwener (New member, joined Feb 17, 2009, 1 message)
I have a few DA servers. Two of them got hacked today.

Someone uploaded the r57 script (I don't know how they did it).
Then they ran some advanced scripts, killed httpd and started processes connecting to their IPs (217.168.95.245:7000 and 193.109.122.67:6660).

Have a look at these commands.
Please help me with what to do now!!!!

I can't find where `bash` and `top` were started from.

This is `netstat -natp`
Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:993                 0.0.0.0:*                   LISTEN      1471/imap-login     
tcp        0      0 0.0.0.0:995                 0.0.0.0:*                   LISTEN      25411/pop3-login    
tcp        0      0 0.0.0.0:31337               0.0.0.0:*                   LISTEN      2379/top            
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      2537/mysqld         
tcp        0      0 0.0.0.0:587                 0.0.0.0:*                   LISTEN      2582/exim           
tcp        0      0 0.0.0.0:110                 0.0.0.0:*                   LISTEN      25411/pop3-login    
tcp        0      0 0.0.0.0:2222                0.0.0.0:*                   LISTEN      2558/directadmin    
tcp        0      0 0.0.0.0:143                 0.0.0.0:*                   LISTEN      1471/imap-login     
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      2274/portmap        
tcp        0      0 203.211.144.56:80           210.24.193.10:47226         SYN_RECV    -                   
tcp        0      0 0.0.0.0:785                 0.0.0.0:*                   LISTEN      2299/rpc.statd      
tcp        0      0 0.0.0.0:5555                0.0.0.0:*                   LISTEN      1929/bash           
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      2613/proftpd: (acce 
tcp        0      0 10.0.0.56:53                0.0.0.0:*                   LISTEN      2795/named          
tcp        0      0 203.211.144.56:53           0.0.0.0:*                   LISTEN      2795/named          
tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN      2795/named          
tcp        0      0 127.0.0.1:953               0.0.0.0:*                   LISTEN      2795/named          
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      2582/exim           
tcp        0      0 203.211.144.56:38192        217.168.95.245:7000         ESTABLISHED 2379/top            
tcp        0      0 203.211.144.56:39719        193.109.122.67:6660         ESTABLISHED 1929/bash           
tcp        0      0 :::80                       :::*                        LISTEN      2379/top            
tcp        0      0 :::443                      :::*                        LISTEN      2379/top

This is `ps -ef`
Code:
UID        PID  PPID  C STIME TTY          TIME CMD
...
apache    1929     1  0 Feb15 ?        00:00:00 bash
apache    2379     1  0 Feb15 ?        00:00:02 top
root      2445     1  0  2008 ?        00:00:54 /usr/sbin/sshd
nobody   27745  2558  0 12:10 ?        00:00:00 /usr/local/directadmin/directadmin d
...
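The two listings above contain four patterns that a defender can check for mechanically: a shell-like program (`bash`, `top`) owning a listening socket, an established connection to a remote port in the IRC range, the web server's ports 80/443 held by something that is not httpd, and processes owned by the web-server user that have been reparented to init. The script below is an added example, not code from the poster or from DirectAdmin; it parses `netstat -natp` and `ps -ef` text and reports which of those rules each PID trips. The sample output is constructed (RFC 5737 documentation addresses, PIDs modelled on the post), and the rule names, port lists and user/program name sets are this example's own assumptions.

```python
"""Triage helper (added example): cross-check `netstat -natp` and `ps -ef` output
for indicators of a web-shell-dropped bot. All sample data is constructed."""
import re
from collections import defaultdict

# Assumed lists: programs that should never own a listening socket on a web
# server, ports typically used for IRC command-and-control, and the users a
# web server drops privileges to.
SHELL_LIKE = {"bash", "sh", "dash", "top", "perl", "python", "php", "nc", "ncat"}
IRC_PORTS = set(range(6660, 6670)) | {7000}
WEB_PORTS = {80, 443}
WEB_SERVER_NAMES = {"httpd", "apache2", "nginx", "lighttpd"}
WEB_USERS = {"apache", "nobody", "www-data"}

# One `netstat -natp` data line: proto, queues, local, remote, state, pid/prog.
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<pid>\d+|-)(?:/(?P<prog>.*?))?\s*$"
)


def _port(addr):
    """Numeric port of 'host:port' (also ':::80'), or None for a wildcard '*'."""
    port = addr.rsplit(":", 1)[1]
    return int(port) if port.isdigit() else None


def parse_netstat(text):
    """Parse `netstat -natp` lines into dicts; header and unmatched lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        # 'proftpd: (acce' -> 'proftpd'; netstat truncates long program names.
        prog = (m.group("prog") or "").split(":")[0].strip()
        rows.append({
            "local_port": _port(m.group("local")),
            "remote_port": _port(m.group("remote")),
            "state": m.group("state"),
            "pid": None if m.group("pid") == "-" else m.group("pid"),
            "prog": prog,
        })
    return rows


def parse_ps(text):
    """Parse `ps -ef` lines into {pid: {uid, ppid, cmd}}; header and '...' are skipped."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 7)
        if len(parts) < 8 or not parts[1].isdigit():
            continue
        procs[parts[1]] = {"uid": parts[0], "ppid": parts[2], "cmd": parts[7]}
    return procs


def find_indicators(netstat_text, ps_text):
    """Return a list of (rule, pid, detail) findings from both listings."""
    findings = []
    for row in parse_netstat(netstat_text):
        pid, prog = row["pid"], row["prog"]
        if pid is None:  # e.g. a SYN_RECV entry with no owning process
            continue
        if row["state"] == "LISTEN":
            if prog in SHELL_LIKE:
                findings.append(("shell_listening", pid, f"{prog} listening on {row['local_port']}"))
            if row["local_port"] in WEB_PORTS and prog not in WEB_SERVER_NAMES:
                findings.append(("web_port_hijacked", pid, f"port {row['local_port']} owned by {prog}"))
        elif row["state"] == "ESTABLISHED" and row["remote_port"] in IRC_PORTS:
            findings.append(("irc_c2", pid, f"{prog} connected to remote port {row['remote_port']}"))
    for pid, p in parse_ps(ps_text).items():
        # A bare command name run by the web user and reparented to init is the
        # usual footprint of a payload launched from a web shell and daemonized.
        if p["uid"] in WEB_USERS and p["ppid"] == "1" and "/" not in p["cmd"]:
            findings.append(("orphaned_web_user_process", pid, f"{p['uid']} runs bare '{p['cmd']}' under init"))
    return findings


def triage(netstat_text, ps_text):
    """Group findings by PID: {pid: sorted unique rule names}."""
    by_pid = defaultdict(set)
    for rule, pid, _ in find_indicators(netstat_text, ps_text):
        by_pid[pid].add(rule)
    return {pid: sorted(rules) for pid, rules in by_pid.items()}


# Constructed sample output, modelled on the post's listings.
NETSTAT_SAMPLE = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2445/sshd
tcp        0      0 0.0.0.0:31337               0.0.0.0:*                   LISTEN      2379/top
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      2537/mysqld
tcp        0      0 0.0.0.0:5555                0.0.0.0:*                   LISTEN      1929/bash
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      2613/proftpd: (acce
tcp        0      0 192.0.2.10:80               198.51.100.7:47226          SYN_RECV    -
tcp        0      0 192.0.2.10:38192            203.0.113.5:7000            ESTABLISHED 2379/top
tcp        0      0 192.0.2.10:39719            203.0.113.9:6660            ESTABLISHED 1929/bash
tcp        0      0 :::80                       :::*                        LISTEN      2379/top
tcp        0      0 :::443                      :::*                        LISTEN      2379/top
"""
PS_SAMPLE = """UID        PID  PPID  C STIME TTY          TIME CMD
...
apache    1929     1  0 Feb15 ?        00:00:00 bash
apache    2379     1  0 Feb15 ?        00:00:02 top
root      2445     1  0  2008 ?        00:00:54 /usr/sbin/sshd
nobody   27745  2558  0 12:10 ?        00:00:00 /usr/local/directadmin/directadmin d
"""

if __name__ == "__main__":
    for rule, pid, detail in find_indicators(NETSTAT_SAMPLE, PS_SAMPLE):
        print(f"{pid:>6}  {rule:<28} {detail}")
```

Run with the real listings piped in from files and the same two PIDs from the post (1929 and 2379) trip every rule. Because both listings come from the compromised host itself, treat an empty result as inconclusive rather than as a clean bill of health; the check is for prioritising which PIDs to preserve evidence from before the box is taken offline.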