domain logs

If you look in the files you will see they have old data. Unless you have a custom logrotate that cleans them, they should contain the data that you need.

Check for a .rotate folder in there; it may have created a tar backup of older dates for you.
 
I guess they are set up to rotate logs now; it never used to do that before... This is why I use daily backups :)
 
Well, the thing is why I'm asking this.
Someone has placed a cronjob, probably a hack, but it's not listed in DA. Now I can't delete it because I don't know where it's placed.
So every minute I get a mail from this cron.
How can I stop this or find where it's placed?
 
Check

/etc/crontab
/etc/cron.d (folder)

Command:

crontab -u username -l


Cron Logfile:

/var/log/cron

The logfile will give the path to where it's being run from.
 
I applied it but this is what I get:

user root has no cron tab
logfile says user root is trying to execute chown each minute
 
Well it should give a location to the program attempting to do that...

You can search for files with world executable permissions with the following command:

find / -perm 777
 
The command that's being run is chown.

But I cannot find from where it is called; this is the log line:

Jul 17 16:25:01 ourname crond[5069]: (root) CMD ( chown root:root /home/scripts/domains/somedomain.com/public_html/templates_c/sploit && chmod 4755 /home/scripts/domains/somedomain.com/public_html/templates_c/sploit && rm -rf /etc/cron.d/core && kill -USR1 11646)

I removed the sploit file already and tightened the rights on the directory.
But this job keeps running each minute.
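A defender-side check built from the answer above (the cron locations to inspect) and the log line just posted, added here as example code rather than anything from the thread: it parses crond CMD entries from /var/log/cron, flags the behaviours seen in the quoted command, and searches the standard cron definition paths for a given string. The indicator patterns, the path list and the sample line are assumptions I constructed.

```python
import os
import re
# Syslog-style crond entry, e.g. "Jul 17 16:25:01 host crond[5069]: (root) CMD ( chown ... )"
CRON_CMD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+crond?\[(?P<pid>\d+)\]:\s+"
    r"\((?P<user>[^)]+)\)\s+CMD\s+\((?P<cmd>.*)\)\s*$"
)

# Indicators matching the behaviour in the thread's log line (constructed list; extend as needed)
SUSPICIOUS = [
    (re.compile(r"\bchmod\s+(?:[ugo]*\+s|[2-7][0-7]{3}\b)"), "sets setuid/setgid bit"),
    (re.compile(r"\brm\s+-\w*\s+/etc/cron"), "removes cron configuration"),
    (re.compile(r"\bkill\s+-\S+\s+\d+"), "signals a process by PID"),
    (re.compile(r"/public_html/"), "runs a file from a web-writable directory"),
]

# Every place a job can be defined; the CMD line alone does not say which one it came from
CRON_SOURCES = ["/etc/crontab", "/etc/cron.d", "/etc/cron.hourly", "/etc/cron.daily",
                "/etc/cron.weekly", "/etc/cron.monthly", "/var/spool/cron", "/var/spool/cron/crontabs"]

def parse_cron_cmd(line):
    """Parse one crond CMD line into a dict; return None for any other log line."""
    m = CRON_CMD_RE.match(line)
    if not m:
        return None
    cmd = m["cmd"].strip()
    return {"ts": m["ts"], "user": m["user"], "crond_pid": int(m["pid"]), "cmd": cmd,
            "reasons": [why for rx, why in SUSPICIOUS if rx.search(cmd)]}

def suspicious_events(lines):
    # Keep only CMD entries that trip at least one indicator
    return [ev for ev in map(parse_cron_cmd, lines) if ev and ev["reasons"]]

def find_in_cron_sources(needle, root="/"):
    """Return files under the cron definition paths (relative to root) that contain needle."""
    hits = []
    for src in CRON_SOURCES:
        path = os.path.join(root, src.lstrip("/"))
        files = [path] if os.path.isfile(path) else [
            os.path.join(d, f) for d, _, names in os.walk(path) for f in names]
        for f in files:
            try:
                with open(f, errors="replace") as fh:
                    if needle in fh.read():
                        hits.append(f)
            except OSError:
                pass  # unreadable entries are skipped, not fatal
    return sorted(hits)

# Constructed sample: the CMD line quoted in the thread
SAMPLE_LOG = ["Jul 17 16:25:01 ourname crond[5069]: (root) CMD ( chown root:root /home/scripts/domains/somedomain.com/public_html/templates_c/sploit && chmod 4755 /home/scripts/domains/somedomain.com/public_html/templates_c/sploit && rm -rf /etc/cron.d/core && kill -USR1 11646)"]
```

Run `suspicious_events(SAMPLE_LOG)` to see the four indicators the quoted command trips, then `find_in_cron_sources("sploit")` to locate the file that defines it.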
 
Well that's good info right there. Did you read the sploit file to determine what it contained? Best not to delete it until you know what commands were run.

Looks like they tried to put the crontab here

/etc/cron.d/core

Look for this file on your system.
 
The sploit file was removed immediately without further notice to prevent damage to the data on the server.

Although there is no file at
/etc/cron.d/core

there is one at
/etc/cron.d/core.11647
though.

But even if I rename it and restart the cron daemon, the log keeps filling with the same line I posted in the quote.

[edit]
I found an article which contains some of the contents of the core.11647 file at
http://www.milw0rm.com/exploits/2005
[/edit]
 
It's probably infected quite deeper now. Without that sploit file you will have no idea which commands they executed or what they infected.

I guess wait for more people to post ideas they have, or have your ISP look at it to fix it.
 
Our ISP is looking at it right now, but still I am dazzled that someone could upload a file to a folder with 777 rights and add something under the root account.

What I mean is that I'm confused about what the origin of this leak could be, since the web account is not the same as root...
 