Your backups are now ready

AndyII (Verified User, joined Oct 3, 2006)
This morning I got 3 emails saying "your backups are now ready". Seeing I hadn't initiated any, I went to see what was up; it looks like DA did a backup on its own? This is very new and never seen before. Should I be concerned?

Compiled on Redhat Enterprise 4.0
Server Version 1.32.2


Subject: Your backups are now ready Today at 05:13
Performing sanity checks: Completed
Checking load average: Completed
Checking free disk space: Completed
Performing Custom backup
Archiving /etc/exim.conf: Completed
Archiving /etc/exim.cert: Completed
Archiving /etc/exim.key: Completed
Archiving /etc/exim.pl: Completed
Archiving /etc/group: Completed
Archiving /etc/gshadow: Completed
Archiving /etc/hosts: Completed
Archiving /etc/httpd/conf/httpd.conf: Completed
Archiving /etc/httpd/conf/ips.conf: Completed
Archiving /etc/named.conf: Completed
Archiving /etc/passwd: Completed
Archiving /etc/proftpd.conf: Completed
Archiving /etc/proftpd.passwd: Completed
Archiving /etc/proftpd.vhosts.conf: Completed
Archiving /etc/resolv.conf: Completed
Archiving /etc/shadow: Completed
Archiving /etc/ssh/sshd_config: Completed
Archiving /etc/system_filter.exim: Completed
Archiving /usr/local/directadmin/conf/mysql.conf: Completed
Archiving /etc/mail: Completed
Archiving /etc/virtual: Completed
Archiving /usr/lib/apache: Completed
Archiving /usr/local: Completed
Archiving /usr/local/directadmin/data: Completed
Archiving /usr/local/frontpage: Completed
Archiving /usr/share/ssl: Completed
Archiving /var/log: Completed
Archiving /var/mail: Completed
Archiving /var/named: Completed
Archiving /var/spool/cron: Completed
Archiving /var/spool/mail: Completed
Archiving /var/spool/virtual: Completed
Archiving /var/www: Completed
Performing cleanup operations: Completed
 
I've never seen a backup like that. Do you own your own server or is it a Dedicated server from someone? If so, check with the supplier to see if they've set something up. And check your admin backup options to see if any of them are set.

Jeff
 
Well, I own the servers, but they sit at a data center.
I see nothing in the way of a backup set up to run. Comparing one server to another, I see some hidden folders named ".mc" and ".ncftp" that had been changed on the same day as those backups were done; on a different server they hadn't changed since the install. They have "Midnight-Commander" in the notes in the files. I'm wondering if someone accessed them and did a backup to find the root password or change it, because today I had to have the data center change the root password: I had a very long and secure password which no longer worked. So I am thinking someone found a way to access the server outside of the shell and do a little hacking.
Nothing seems to be odd about the server, no other files were added, and a scan for rootkits came up negative.
I put a note in to the data center to see if they had anything to do with it, but I don't believe they did, or otherwise they would have done all the servers?
I'm going to assume someone got into the server to access some files; I have a couple of digital stores and they are always a target to rip.
I need to find how exactly it was done and prevent it somehow.....

Found something not right: in the home directory there is a user called "hesus" (meaning "lord or master").
They are not listed in DA's users, only in root. In the folder are these files:
.bash_history
.bashrc
.bash_profile
.bash_logout
Now I am sure someone got in, took and changed /etc/passwd so root didn't require it, and then got in as root. I found some info on how to do this on the net...
by downloading these files as shown in the other post, changing /etc/passwd and re-uploading it.
But how exactly did they do it? Possibly through another site on the server.
 
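The checks described in the post above (an account in /home that DirectAdmin does not list, a second root-level login, dotfiles like .mc and .ncftp that changed on the day of the incident) can be scripted. The following is an added example, not code from the thread or from DirectAdmin; the passwd contents and DA user list are constructed samples, and the DA user-list path and the UID 500 cut-off are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread or from DirectAdmin): audit a DA box
# for login accounts DirectAdmin does not know about, extra UID 0 accounts, and
# recently changed dotfiles. The DA user list path and the UID cut-off are
# assumptions; on a real server the list comes from
#   ls /usr/local/directadmin/data/users/

# Constructed sample /etc/passwd, including a "hesus" account like the one
# found in the thread and a second UID 0 login.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
admin:x:500:500::/home/admin:/bin/bash
shopuser:x:501:501::/home/shopuser:/bin/bash
hesus:x:502:502::/home/hesus:/bin/bash
toor:x:0:0::/root:/bin/bash'

# Constructed DA user list, one name per line.
SAMPLE_DA_USERS='admin
shopuser'

# Accounts below this UID are system accounts DA never creates (assumption).
MIN_USER_UID=500

# Login names with UID >= MIN_USER_UID that are missing from the DA list.
unknown_users() {  # $1 = passwd file, $2 = DA user list file
    awk -F: -v min="$MIN_USER_UID" '
        NR == FNR { da[$1] = 1; next }          # first file: DA users
        $3 >= min && !($1 in da) { print $1 }   # second file: passwd
    ' "$2" "$1"
}

# Every UID 0 login other than root; a second root-equivalent account is a
# classic backdoor and is never a DA user.
extra_root_accounts() {  # $1 = passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Dotfiles and dot-directories directly under each home changed in the last
# N days, so a touched ~/.mc or ~/.ncftp stands out. Real run: recent_dotfiles /home 7
recent_dotfiles() {  # $1 = home root, $2 = days
    find "$1" -mindepth 2 -maxdepth 2 -name '.*' -mtime "-$2" -print 2>/dev/null
}

# Stand-alone demo on the constructed data.
run_demo() {
    p=$(mktemp) && d=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$p"
    printf '%s\n' "$SAMPLE_DA_USERS" > "$d"
    echo "Accounts not known to DirectAdmin:"; unknown_users "$p" "$d"
    echo "Extra UID 0 accounts:";              extra_root_accounts "$p"
    rm -f "$p" "$d"
}

run_demo
```

On the constructed data this reports `hesus` as unknown to DA and `toor` as a second UID 0 login. Run the same three functions against the real /etc/passwd, the real DA user directory listing and /home, and diff the output against a known-good server; the comparison is what makes a planted account or a changed dotfile obvious.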
Anyone know what this means?
Especially this part:
wget "http://es.releases.ubuntu.com/8.10/ubuntu-8.10-rc-desktop-i386.iso"
I x'ed out our IP and server name.
Code:
cat /proc/cpuinfo
free -m
clear
uname -a
ping srv1.xxxxxxxxx.xxx
clear
exit
ps -A
clear
cd ~
clear
telnet 127.0.0.1 8000
telnet 127.0.0.1 35600
clear
cd /etc/ssh
dir
vim sshd_config
clear
cat sshd_config
cat sshd_config | more
clear
cd ~
dir
ifconfig
ipconfig
clear
route
clear
uname -a
ping srv1.xxxxxx.xxx
ssh
ssh -b xxx.xxx.xxx.xxx2 -D 8889
ssh -b xxx.xxx.xxx.xxx -D 8889 [email protected]
clear
iptables
rkhunter
sudo
sudo cat
clear
bmon
clear
netstat -a
netstat -a | more
finger
exit
dir
finger
cat /etc/shadow
clear
dir
ls -a
cat .shadow
cd /etc
dir
netstat -a
bmon
clear
apt-get
clear
yum
clear
dir
cat proftpd.passwd 
cat proftpd.conf.back
cd /etc/root
cd /etc/ssh
dir
cat sshd_config
cat /etc/passwd | grep root
cat /etc/passwd | grep admin
su root
clear
cd /etc
dir
cat passwd-
ls -a
screen
clear
exit
cd /usr/
cd local
dir
cd directadmin/
dir
cat log
cd data
dir
cd admin
dir
ls
cd ..
dir
cd ..
mount
cd ?
cd /
dir
locate backup
cd mnt
dir
cat /etc/fstab
cd /
dir
dir
dir
cd /home
dir
cd admin
dir
cd admin_backups
dir
cd ..
cd user_backups
dir
ls -s
tar xzvf admin.tar.gz 
cd backup
dir
cd ..
dir
cd backup
ls -s
cat .shadow
cd ..
dir
rm -d -r backup
rm -d -r domains
cd ..
dir
mkdir backup
chmod -R 777 backup
dir
pwd
dir
cd backup
dir
cron
dir
cd ..
dir
cd ~
dir
cd /
dir
cd backup
dir
cd /home/admin
dir
cd backup
dir
dir
cd ..
chmod -R 777 backup
chown -R 777 backup
dir
cd backup
dir
cd ..
cd backup
dir
cd 10-24-08/
dir
chmod -R 777 10-24-08/
dir
chown
chown 777 10-24-08/
cd ..
dir
dir
rm -d -r backup
clear
exit
exit
nc
clear
nc -l -p 9000
nc -l -p 2223
nc -l -p8080
nc -l -p 8080
free -m
nc -vv -l -p 8080
netstat -a
nc -vv -l -p 110
nc -vv -l -p 900
nc -vv -l -p 1024
nc -vv -l -p 1023
nc -vv -l -p 1024
cd /etc
ls | grep release
cat redhat-release
free -=m
df -h
free -m
clear
chkconfig
iptables
cd /etc
dir
cd init.d/
dir
/etc/init.d/iptables stop
ps -A
ps -A | grep ip
killall ddos.sh
ps -a
clear
cd /bin
dir
cd /usr/bin
dir
cd /etc
cd netwo
cd /sbin
dir
/sbin/ifconfig
ping www.google.com
telnet
telnet www.google.com 80
clear
nc
bitchx
irssd
irc
cd /var
dir
cd lib
dir
cd mysql
dir
cat limo_charles
ls -l
cat root
dir
cat mysql
cd mysql
dir
ls
cd ..
ls -l
chown webkinz_WP221
chown 777 webkinz_WP221
ps -A
ls -l
cat mysql.sock 
cd test
dir
cd ..
cd ibdata1
dir
cat ibdata1
ls -l
cat srv1.xxxxxxxx.xxx.err
cd /home
dir
echo *
echo 
echo ls
ls |
wget
clear
cd ~
dir
util-linux
locate util
wget "http://es.releases.ubuntu.com/8.10/ubuntu-8.10-rc-desktop-i386.iso"
axel
dir
rm -d -r ubuntu-8.10-rc-desktop-i386.iso 
clear
date
dir
cd backup
dir
vim index.htm
echo "1" > index.htm
cat index.htm
/sbin/vim
/bin/vim
/bin/vi
pwd
/bin/vi phps.php
/bin/vi config.php
/bin/vi style.css
uid
id
dir
rm *.php
dir
rm *.css
rm *htm
dir
dir
/sbin/vi write.php
/bin/vi write.php
chmod 777 write.php
su root
exit
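A history like the one above is long and mostly noise (`dir`, `clear`, `cd`). The script below is an added example, not code from the thread: it runs a captured .bash_history through a short indicator list so the lines that matter (credential reads, listeners, firewall tampering, tunnels) are pulled out first. The sample history is constructed from lines in the post above; the indicator patterns and labels are my own assumptions, not a standard list, and a clean triage result does not mean the box is clean.

```shell
#!/bin/sh
# Added example, not from the thread: first-pass triage of a captured
# .bash_history against a short indicator list. The sample lines are
# constructed from the history posted above; the indicator patterns and
# labels are assumptions, not a standard list.

SAMPLE_HISTORY='cat /proc/cpuinfo
uname -a
cat /etc/shadow
cat proftpd.passwd
cat /etc/passwd | grep root
su root
chmod -R 777 backup
nc -vv -l -p 8080
/etc/init.d/iptables stop
killall ddos.sh
wget "http://es.releases.ubuntu.com/8.10/ubuntu-8.10-rc-desktop-i386.iso"
ssh -b xxx.xxx.xxx.xxx -D 8889
rm -d -r domains
clear'

# One "regex::label" per line; the first matching row wins.
INDICATORS='cat .*(shadow|passwd)::credential-read
^su |sudo::privilege-escalation
chmod .*777|chown .*777::permission-weakening
^nc .*-l|netcat::listener
iptables stop|chkconfig::firewall-tamper
ddos|[.]sh$::dos-tooling
wget |curl |axel::download
ssh .*-D|ssh .*-R::tunnel
^rm .*-r::destructive'

# Print "label<TAB>command" for every history line that hits an indicator.
triage_history() {  # $1 = history file
    awk -v ind="$INDICATORS" '
        BEGIN {
            n = split(ind, rows, "\n")
            for (i = 1; i <= n; i++) {
                split(rows[i], kv, "::"); re[i] = kv[1]; lab[i] = kv[2]
            }
        }
        {
            for (i = 1; i <= n; i++)
                if ($0 ~ re[i]) { printf "%s\t%s\n", lab[i], $0; break }
        }' "$1"
}

# Hit counts per label, most frequent first: a quick shape of the session.
label_summary() {  # $1 = history file
    triage_history "$1" | cut -f1 | sort | uniq -c | sort -rn
}

# Stand-alone demo on the constructed history.
run_demo() {
    h=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_HISTORY" > "$h"
    triage_history "$h"
    echo "--- summary ---"
    label_summary "$h"
    rm -f "$h"
}

run_demo
```

On the constructed sample this flags 11 of 14 lines and ranks credential-read first, which matches what the replies below pick out by eye. Copy the history off the box before triage (`.bash_history` is trivially editable by whoever owns the account), and treat the list as a starting point for the timeline, not as proof of what did or did not happen.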
 
OK, there is good news and bad news:
Bad news: your server was hacked. Great news: I also saw some activity from Ubuntu m***f, although the server is on Fedora 8. Also, I like this part: "killall ddos.sh". DDoS? Likely your server doesn't belong to you anymore.
Good news: according to the script you pasted, that was a retarded student (a so-called "script kiddie").

Why does it happen? I can give a few ideas, but... I don't think there is anyone on this forum who could fix the problem (no offence); the easiest way is to wipe your installation, install apf and pray.
 
need to find how exactly it was done and prevent it somehow.....
Generally the problem is a hack through an insecure script somewhere on the server. Generally it's impossible to tell exactly what was done; these guys can install kernel modules, even whole kernels, which hide whatever they do.
but How exactly they did it, possibly through another site on the server
You'll probably never know.

Jeff
 
Well, the good news is they don't "own" the server; it was checked by a trusted person, who removed the crap. No rootkits were found, but they are persistent in trying; they gave me a day before trying again.
I am using KISS, so I added them to the block list, but it seems they come back with a new IP and try again. I'm on top of it, but it's a pain; too bad KISS doesn't have the ability to "auto ban" after X attempts, unless there is another way.
Thanks to all that offered assistance :rolleyes:
 
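The "auto ban after X attempts" the last post asks for is straightforward to script from the sshd log when the firewall tool in use does not provide it. The following is an added example, not code from the thread and not a KISS or apf feature: it counts failed sshd logins per source address from constructed log lines and prints the iptables commands that would ban each offender, skipping addresses already in the rule set so it can run from cron. The threshold, the syslog line format and the use of `iptables -S INPUT` output as the current rule set are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread and not a KISS feature: a minimal
# fail2ban-style "ban after N failures" built from sshd log lines. It prints
# the iptables commands rather than running them, so it is safe to test;
# pipe the output into sh from cron once you trust it. The threshold, the
# syslog line format and the use of `iptables -S INPUT` as the current rule
# set are assumptions.

THRESHOLD=3

# Constructed sample auth-log lines in the usual sshd format.
SAMPLE_LOG='Oct 24 05:02:11 srv1 sshd[3011]: Failed password for invalid user hesus from 192.0.2.10 port 51234 ssh2
Oct 24 05:02:14 srv1 sshd[3011]: Failed password for invalid user hesus from 192.0.2.10 port 51235 ssh2
Oct 24 05:02:19 srv1 sshd[3014]: Failed password for root from 192.0.2.10 port 51240 ssh2
Oct 24 05:02:30 srv1 sshd[3020]: Failed password for root from 198.51.100.7 port 40001 ssh2
Oct 24 05:03:02 srv1 sshd[3025]: Accepted publickey for admin from 203.0.113.5 port 60000 ssh2
Oct 24 05:03:40 srv1 sshd[3030]: Failed password for root from 192.0.2.10 port 51250 ssh2'

# Print "count ip" for each source with at least THRESHOLD failed logins.
# Accepted logins are ignored, so a legitimate admin never trips it.
offenders() {  # $1 = log file
    awk -v t="$THRESHOLD" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= t) print fails[ip], ip }
    ' "$1" | sort -k2
}

# One DROP rule per offender, skipping IPs already in the current rule set
# so repeated cron runs stay idempotent.
ban_rules() {  # $1 = log file, $2 = file with `iptables -S INPUT` output
    offenders "$1" | while read -r n ip; do
        grep -q -- "-s $ip/32 " "$2" && continue
        echo "iptables -I INPUT -s $ip -j DROP   # $n failed logins"
    done
}

# Stand-alone demo on the constructed data. On a live box:
#   iptables -S INPUT > /tmp/rules.txt; ban_rules /var/log/secure /tmp/rules.txt
run_demo() {
    l=$(mktemp) && r=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_LOG" > "$l"
    printf '%s\n' '-P INPUT ACCEPT' > "$r"   # constructed: no bans yet
    ban_rules "$l" "$r"
    rm -f "$l" "$r"
}

run_demo
```

On the sample, 192.0.2.10 (4 failures) gets a DROP rule and 198.51.100.7 (1 failure) does not; once the rule is present, a second run prints nothing. Add your own management addresses to an allow list before wiring the output into `sh`, and remember that banning by IP only slows an attacker who, as the post says, comes back from a new address: the lasting fix is key-only SSH and a clean rebuild of the compromised host.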