My Server was Cracked

wm20472

Verified User
Joined
Mar 21, 2006
Messages
110
My server was cracked. Is there any firewall & antivirus that can be installed on a DirectAdmin + FC4 server?
 
Thanks, I have installed ClamAV & APF on my server.

The police gave me notice that my server has been affected by a hacker (botnet command and control center).

Do I need to reinstall my server? Or
can I cover this problem after installing ClamAV & APF?

Moreover, is there any software I need to install to protect my server? (e.g. MailScanner...)

Please help, thanks.
 
The APF settings are as follows:

IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2222"  # incoming
IG_UDP_CPORTS="53"

EGF="1"
EG_TCP_CPORTS="21,22,25,37,43,53,80,443"  # outgoing
EG_UDP_CPORTS="53"


The scan results now are as follows:

[root@localhost /]# nmap -sT localhost

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2007-07-20 17:58 HKT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1650 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
443/tcp open https
587/tcp open submission
631/tcp open ipp
953/tcp open rndc
3306/tcp open mysql

[root@localhost /]# nmap -sU localhost

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2007-07-20 17:59 HKT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1471 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
53/udp open|filtered domain
111/udp open|filtered rpcbind
123/udp open|filtered ntp
631/udp open|filtered unknown
852/udp open|filtered unknown
32768/udp open|filtered omad
32777/udp open|filtered sometimes-rpc18

[root@localhost /]# nmap -sO localhost

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2007-07-20 18:00 HKT
Interesting protocols on localhost.localdomain (127.0.0.1):
(The 250 protocols scanned but not shown below are in state: closed)
PROTOCOL STATE SERVICE
1 open icmp
2 open|filtered igmp
6 open tcp
17 open udp
41 open|filtered ipv6
255 open|filtered unknown
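
An added example, not part of the original thread: it compares the posted IG_TCP_CPORTS list with the posted `nmap -sT localhost` result to list services that are listening on the host but are not in APF's inbound allow list. A scan of localhost travels over the loopback interface, so it reflects what is listening on the host, not what the firewall lets in from outside; the function names are illustrative.

```python
import re

# Constructed input: the APF values and `nmap -sT localhost` lines posted above.
APF_CONF = '''IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2222"
IG_UDP_CPORTS="53"
'''
NMAP_TCP = '''21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
443/tcp open https
587/tcp open submission
631/tcp open ipp
953/tcp open rndc
3306/tcp open mysql
'''

def apf_ports(conf, key):
    """Ports listed under an APF key; APF writes ranges as low_high."""
    m = re.search(r'^%s="([^"]*)"' % re.escape(key), conf, re.M)
    ports = set()
    for item in (m.group(1).split(",") if m else []):
        lo, _, hi = item.strip().partition("_")
        if lo:
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def open_ports(nmap_out, proto="tcp"):
    """{port: service} for ports nmap reports as exactly 'open'."""
    pat = re.compile(r'^(\d+)/%s\s+open\s+(\S+)' % proto, re.M)
    return {int(p): s for p, s in pat.findall(nmap_out)}

def compare(conf, nmap_out):
    allowed = apf_ports(conf, "IG_TCP_CPORTS")
    found = open_ports(nmap_out)
    # Listening locally but absent from the inbound allow list.
    unlisted = {p: s for p, s in found.items() if p not in allowed}
    # Allowed inbound but not reported open; the port may just be outside
    # the set of ports this nmap run scanned.
    unseen = sorted(allowed - set(found))
    return unlisted, unseen

if __name__ == "__main__":
    unlisted, unseen = compare(APF_CONF, NMAP_TCP)
    for port, svc in sorted(unlisted.items()):
        print("listening, not in IG_TCP_CPORTS: %d (%s)" % (port, svc))
    print("in IG_TCP_CPORTS, not reported open:", unseen)
```

Services in the first list (rpcbind, ipp, rndc, mysql, submission) are candidates to stop or bind to 127.0.0.1 if they are not needed from outside.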
 
If I understand correctly, your server has been hacked and is being used to create botnets of servers. I'd want to reinstall it before the police call again and next time want your machine to use as evidence.

Jeff
 
Back up all your domains, and completely reinstall DirectAdmin.

Don't restore any of the domains until you've checked them to make sure they're not the source of the hack.

Jeff
 