Help! Server HACKED BY kaMtiEz

HostYim (Verified User, joined Mar 12, 2011, 10 messages)
My server has been hacked.

1. Every user's index.php/index.html file has been changed to
"HACKED BY kaMtiEz - INDONESIANCODER TEAM @2010"

2. The directory /var/log/* has been removed from the system.
Therefore, some services couldn't start (exim, dovecot).

3. I get this error when trying to create new users from DA:

"Error Creating User testing

Details
Error creating User: useradd: unknown group testing
Cannot find a home directory after the system user creation for testing
The home directory for testing was not created."

And I found out that the "groupadd" command is also not working
(e.g. when I type groupadd username, the user doesn't appear in /etc/group).

Could you please help me solve these problems?
For no. 1, I have already restored all users' files from the recent backup.
For no. 2, I have created directories for httpd, mysql, and other services I can think of.

But for no. 3 I still can't find any solution.
 
Since you don't know what they really did, you might be better off putting a clean system on and restoring from backup. If you don't, there is the possibility they have a backdoor on your server. I would also look at tightening up any security issues you might have. Look at the php and/or perl scripts running; it is possible they used one of those to get access.

Actually, I decided to reinstall the OS and everything, then restore users from backup.

But many users are still on the server.

So, at least I need to get it working first.

It's close to impossible to get it to work; it probably has had lots of programs replaced with hacked versions. There are probably some booby-traps installed which could delete everything if you tried to use certain common commands; it all depends on how malicious the hackers may be.

But I suppose you could find on the 'net and install chkrootkit and see what it tells you.

Jef
 

Hi Jef,

Yes, I've checked with chkrootkit and the results were OK.

Now my groupadd works. The /etc/login.defs file had been removed from the system, so I copied it from another machine.

Regards,
Bright
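A small triage script for the symptoms described in this thread, as an added example that was not posted in the thread: it lists index files under /home carrying the quoted defacement string, reports whether /var/log and /etc/login.defs are missing, and uses the package manager's verify mode to check whether useradd/groupadd themselves were replaced. The /home layout, the shadow-utils/passwd package names and the root-directory parameter are assumptions, chosen so it can be run against a mounted copy of the disk from a clean system rather than on the compromised box.

```shell
#!/bin/sh
# Defacement string quoted in the thread; the paths below are from the thread too.
DEFACE='HACKED BY kaMtiEz'

# Print each index.php/index.html under ROOT/home that contains the defacement
# string. ROOT defaults to / but is meant to be a mount point of the disk image.
find_defaced() {
    root="${1:-/}"
    find "$root/home" -type f \( -name index.php -o -name index.html \) \
        -exec grep -lF "$DEFACE" {} + 2>/dev/null
}

# Print "MISSING: <path>" for each file or directory the attacker removed in
# this thread (/var/log, /etc/login.defs). Always returns 0; count the lines.
check_missing() {
    root="${1:-/}"
    for p in /var/log /etc/login.defs; do
        [ -e "$root$p" ] || echo "MISSING: $p"
    done
    return 0
}

# Ask the package manager to verify the package that owns useradd/groupadd.
# Any line printed means a file differs from the packaged version (replaced
# binary, changed mode, etc.). Package names are assumptions: shadow-utils on
# RPM systems (DirectAdmin usually runs on CentOS), passwd on Debian/Ubuntu.
verify_account_tools() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -V shadow-utils
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg -V passwd
    else
        echo "no rpm or dpkg found; cannot verify useradd/groupadd" >&2
        return 1
    fi
}

# Example invocation against a disk mounted at /mnt/victim (assumed path).
if [ "${1:-}" = "--run" ]; then
    root="${2:-/mnt/victim}"
    echo "== defaced index files =="; find_defaced "$root"
    echo "== removed paths =="; check_missing "$root"
    echo "== package verify (live system only) =="; verify_account_tools
fi
```

The package verify step only makes sense on the live system (or in a chroot of the mounted disk); run the first two checks from a clean host against the mounted image.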
 
As long as you realize that someone may have a backdoor on your server. Certain kernel hacks can't be found.

Jeff
 