Server hacked by bot?

nhwebgroup

I believe my server was hijacked by an IRC bot...

lots of CRON messages like this:

Nov 6 09:09:00 web1 /usr/sbin/cron[21215]: (apache) CMD (/var/www/html/webmail/tmp/.psy/y2kupdate >/dev/null 2>&1)
Nov 6 09:10:00 web1 /usr/sbin/cron[21260]: (root) CMD (/usr/local/directadmin/dataskq)
Nov 6 09:10:00 web1 /usr/sbin/cron[21261]: (root) CMD (/usr/libexec/atrun)
Nov 6 09:10:00 web1 /usr/sbin/cron[21262]: (apache) CMD (/var/www/html/webmail/tmp/.psy/y2kupdate >/dev/null 2>&1)
Nov 6 09:11:00 web1 /usr/sbin/cron[21288]: (root) CMD (/usr/local/directadmin/dataskq)
Nov 6 09:11:00 web1 /usr/sbin/cron[21289]: (operator) CMD (/usr/libexec/save-entropy)
Nov 6 09:11:00 web1 /usr/sbin/cron[21290]: (apache) CMD (/var/www/html/webmail/tmp/.psy/y2kupdate >/dev/null 2>&1)


When I run "locate .psy", there are MANY places on the server where this folder shows up.

Also, I ran the "check root kit" and it told me that bind was compromised on port 5190..

Have you seen this? What to do to fix it?

Tim
 
Your FreeBSD box has had psybnc installed and you need to clean shop. It was probably installed via an insecure script running in a user's webspace, or one of your users has installed it. While the box is not rooted, you should really get this cleaned out. You may want to check the /tmp directory to make sure it's not installed there. And you will probably want to search for all hidden directories, as many times it's installed into a hidden directory on the box.

But the best course of action is to make sure the box is secured to start with.
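A small defensive check matching the advice in this reply, added here as an example and not part of the original thread: it flags cron log entries that run from web space, /tmp or a hidden directory (like the .psy entries quoted above) and lists hidden directories under the paths you pass. The web-root paths and the sample log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original thread. Flags cron CMD entries
# whose executable lives in web space, /tmp or a hidden (dot) directory, and
# lists hidden directories under a set of roots. Web-root paths are assumptions.

# Constructed sample cron log lines modelled on the ones quoted in the post.
SAMPLE_LOG='Nov 6 09:09:00 web1 /usr/sbin/cron[21215]: (apache) CMD (/var/www/html/webmail/tmp/.psy/y2kupdate >/dev/null 2>&1)
Nov 6 09:10:00 web1 /usr/sbin/cron[21260]: (root) CMD (/usr/local/directadmin/dataskq)
Nov 6 09:10:00 web1 /usr/sbin/cron[21261]: (root) CMD (/usr/libexec/atrun)
Nov 6 09:11:00 web1 /usr/sbin/cron[21289]: (operator) CMD (/usr/libexec/save-entropy)
Nov 6 09:12:00 web1 /usr/sbin/cron[21300]: (www) CMD (/tmp/.x/run >/dev/null 2>&1)'

# suspicious_cron_cmds: read cron log lines on stdin and print "user path" for
# each CMD whose executable (first word of the command) sits under a web root,
# under /tmp or /var/tmp, or inside a dot-directory anywhere in its path.
suspicious_cron_cmds() {
    sed -n 's/.*(\([^)]*\)) CMD (\([^ )]*\).*/\1 \2/p' |
    while read -r user path; do
        case "$path" in
            /var/www/*|/home/*/public_html/*|/tmp/*|/var/tmp/*|*/.*/*)
                printf '%s %s\n' "$user" "$path" ;;
        esac
    done
}

# hidden_dirs: list every hidden directory below the given roots (defaults to
# the places the reply names: /tmp, /var/tmp and the web root). Review each
# hit by hand; legitimate dot-directories such as .ssh will also appear.
hidden_dirs() {
    [ $# -eq 0 ] && set -- /tmp /var/tmp /var/www
    find "$@" -type d -name '.*' 2>/dev/null
}

# Demo run over the constructed sample: prints the two entries running from
# a hidden directory in web space and from /tmp.
printf '%s\n' "$SAMPLE_LOG" | suspicious_cron_cmds
```

On a live box, feed the real cron log instead: `suspicious_cron_cmds < /var/log/cron` and `hidden_dirs` with your own web roots.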
 