On Tue, 31 Jul 2007 18:32:12 +0200 Eddy Belew <[EMAIL PROTECTED]> wrote:

>I should know better. Former employee loaded and configured this
>system...
>Running RHL 9 (very old, I know) using cPanel as a web server/nameserver...
>Rootkit Hunter 1.2.9 is running.. One website on it had/has been
>hacked.

Running a deprecated distribution, putting a webserver on a nameserver,
email that doesn't get tended to, a website getting compromised... steep
learning curve I'd say if you're not really into GNU/Linux.

>Strange things happen with email users. Email might stop altogether, or some
>can't send mail and get an error 500 because of dictionary attack. Solution
>always seems to be reboot system. Solves everything for a day or two and
>then back, so I just restart the server every morning.
>Every time I restart the system I get emails stating httpd, ftpd, and cpsrvd
>on the system failed. Although all sites and ftp seem to be working.

Sorry to say but restarting a server only addresses the symptoms, not the
cause. It won't go away unless you deal with it, decisively.

>I do have a new SUSE 10 server box (with subscription) loaded but not online
>to move things over once I figure out/learn how. I just want to make sure I
>don't transfer anything bad to the new system. So backup and reload may be
>the only option.
>One email contains:
>
>Running updater...

Next time please attach instead of pasting it in the email body. Makes it
easier to read. Also for Rootkit Hunter please attach the *logfile*, not the
cronjob or stdout output.

Pieces I picked from the output:

Rootkit Hunter 1.2.9 is running
/bin/dmesg [ BAD ]
/bin/kill [ BAD ]
/bin/login [ BAD ]
/bin/mount [ BAD ]

We've talked about these. I gave you a CERT URI. Please read first. Then
investigate.

* Trojan specific characteristics
shv4
* Suspicious file properties
chmod properties
Scanning for hidden files... [ Warning! ]
---------------
/etc/.pwd.lock
/etc/.whostmgrft
/etc/.java
---------------
Please inspect: /etc/.java (directory)

Looking at the name alone all three seem valid. However you should still
verify package contents. If the files don't belong to any package then save
file information (stat, file, MD5sum) and perform visual inspection.

Application advisories
* Check: SSH
Searching for sshd_config... Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
info: No 'PermitRootLogin' entry found in file /etc/ssh/sshd_config
Hint: See logfile for more information about this issue

See the logfile. Change the RootLogin value in /etc/ssh/sshd_config. Do not
ask how: read the FAQ.

>Another email contains:
>
>Security Violations
(..)
>Unusual System Events

Logcheck. Nothing I see at first glance that's a #1 priority.

>And yet another email contains:
(..)
>/usr/lib/php/.channels/.alias INFECTED (PORTS: 465)
>
>You have 20 process hidden for ps command
>
>chkproc: Warning: Possible LKM Trojan installed The tty of the following
>user process(es) were not found in /var/run/utmp !

Chkrootkit. Hidden processes may be false positives (see the Chkrootkit
FAQ). Repeat. Gettys not found in /var/run/utmp is also a valid situation if
the gettys can be validated as known-good files.

Please please please read the first CERT URI I gave you and inspect the box
using it as a checklist.

TIA,
unSpawn

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
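The check the reply prescribes (ask the package manager who owns each flagged path and let it verify the file; for files no package owns, save stat, file type and MD5 before touching them), as an added shell example that is not part of the original post and not code from rkhunter or chkrootkit. It assumes an RPM-based host like the RHL 9 box in the thread, GNU stat and md5sum, and the file(1) utility; the default path list is constructed from the warnings quoted above.

```shell
#!/bin/sh
# Added example (not from the mailing-list post, rkhunter or chkrootkit):
# triage paths that rkhunter/chkrootkit flagged on an RPM-based host such as
# the RHL 9 box in the thread. For each path, ask rpm which package owns it
# and let rpm verify that package's copy; for unowned files, record stat,
# file type and MD5 so the evidence survives the planned backup-and-reload.
#
# Caveat: the thread's own output marks /bin/login and friends as [ BAD ], so
# rpm, stat, md5sum and file on that host may themselves be replaced. Run this
# from known-good, statically linked tools on read-only media, or copy the
# files off and inspect them on a clean box.

# Classify a path: "owned <package>", "unowned", or "norpm" (no rpm binary).
pkg_owner() {
    path=$1
    if ! command -v rpm >/dev/null 2>&1; then
        echo norpm
        return 0
    fi
    # rpm -qf prints the owning package and exits 0, or exits non-zero with
    # a "not owned by any package" message.
    if pkg=$(rpm -qf "$path" 2>/dev/null); then
        echo "owned $pkg"
    else
        echo unowned
    fi
}

# Record the evidence the reply asks for: stat, file(1) type and MD5 digest.
# Output is "key: value" lines so it can be pasted into an incident log.
record_file_info() {
    path=$1
    printf 'path: %s\n' "$path"
    stat "$path" 2>/dev/null | sed 's/^/stat: /'
    if command -v file >/dev/null 2>&1; then
        printf 'file: %s\n' "$(file -b "$path" 2>/dev/null)"
    fi
    printf 'md5: %s\n' "$(md5sum "$path" 2>/dev/null | cut -d' ' -f1)"
}

# rpm -V prints one line per file that differs from the package database:
# S size, M mode, 5 MD5 digest, D device, L symlink, U user, G group, T mtime.
# A "5" flag on /bin/login would confirm what rkhunter's [ BAD ] is saying.
verify_owned() {
    path=$1
    pkg=$2
    rpm -V "$pkg" 2>/dev/null | grep -F -- " $path" \
        || echo "rpm -V reports no change to $path in $pkg"
}

# Walk the flagged paths and apply the rule from the reply.
triage() {
    for p in "$@"; do
        owner=$(pkg_owner "$p")
        case $owner in
            "owned "*)
                pkg=${owner#owned }
                echo "== $p: owned by $pkg"
                verify_owned "$p" "$pkg"
                ;;
            unowned)
                echo "== $p: not owned by any package, recording evidence"
                record_file_info "$p"
                ;;
            norpm)
                echo "== $p: rpm not available here, recording evidence only"
                record_file_info "$p"
                ;;
        esac
    done
}

# Default path list constructed from the warnings quoted in the thread.
if [ $# -gt 0 ]; then
    triage "$@"
else
    triage /bin/dmesg /bin/kill /bin/login /bin/mount \
           /etc/.pwd.lock /etc/.whostmgrft /etc/.java \
           /usr/lib/php/.channels/.alias
fi
```

Two readings of the output matter for this thread: a "5" in the rpm -V flags for /bin/login, /bin/kill, /bin/mount or /bin/dmesg means the on-disk binary no longer matches the package, which agrees with rkhunter's [ BAD ] and the shv4 match; an "unowned" verdict for /usr/lib/php/.channels/.alias or anything under /etc/.java means nothing legitimate installed it, and the recorded stat and MD5 are what you keep before deciding whether the file moves to the new box.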