Man, #1 chill out.
#2 upgrade IMMEDIATELY everything related to ssh/ssl
#3 stop ftp
#4 check which ports the rootkit is listening on, if one got installed, and cut the
connections to those ports in the firewall; see www.chkrootkit.org
http://freshmeat.net/redir/chkrootkit/20715/url_tgz/chkrootkit.tar.gz
As a quick check you can try: updatedb ; locate adore
#5 if you can't manage, I offer to help you remotely and/or set you up an account at
my place to upload your important files.

On Fri, 2003-02-21 at 03:51, Laurentiu STEFAN wrote:
>
> A HACKER got into my server.
> When I saw (suspected) that someone was in, I rebooted it.
> httpd, squid, samba no longer worked, and who knows what else is broken.
> For the moment I want to get just squid, samba and iptraf working again.
>
> I noticed that there are very few files in /var/log.
>
> HELP HELP HELP!!!
>
> If possible, could someone make me an FTP account with the necessary configurations,
> so I can copy them into mine as well.
> Or tell me the commands to run.
> Reinstalling from scratch is not an option at this moment.
>
> When restarting httpd it gave me the error:
> [root@....]# service httpd start
> Starting httpd: fopen: No such file or directory
> httpd: could not open error log file /var/log/httpd/error_log.
> [FAILED]
>
> I created the httpd directory in /var/log.
> I gave apache permissions on it and it still doesn't work.
> I think I need to create some other directory as well.
>
> Now in /var/log/httpd/error_log:
> [Fri Feb 21 02:38:24 2003] [notice] Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.0.6 mod_perl/1.24_01 configured -- resuming normal operations
> [Fri Feb 21 02:38:24 2003] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>
> YES! With Squid I managed to rebuild its log; with httpd I don't know what's wrong.
>
> IF ANYONE CAN HELP ME I'LL OWE THEM ONE!!!
>
> - rebuild httpd/apache (or install another web server)
> - reconfigure the firewall to leave open only the useful services: from outside -
> eth0 (DNS, Mail, WWW), and from inside, sshd, ftp, squid, samba, mail, www, dns - eth1
> - for iptraf I think I will reinstall it.
>
> ==============================
>
> root 1203 0.0 0.2 2140 316 ? SN 00:59 0:00 //bin/sh
> root 1895 0.0 0.2 1476 332 ? SN 01:05 0:00 /sbin/syslogd -m 0
> root 1899 0.0 0.0 2264 4 ? SN 01:05 0:00 /usr/sbin/xinetd -reuse
> root 2361 0.1 1.0 3468 1244 ? S 01:08 0:00 /usr/sbin/sshd
> root 2364 0.0 1.0 2452 1256 pts/0 S 01:08 0:00 -bash
> root 2833 0.0 0.8 2188 968 ? SN 01:13 0:00 ftp ftp.polarhome.com
>
> ftp ftp.polarhome.com - not started by me
> //bin/sh ???
> /usr/sbin/sshd ???
> syslogd ???
>
> Message from syslogd@Perlea
> perlea
>
>
> After a while I ran ps -aux again:
> root 2921 0.0 0.8 2304 1060 ? SN 01:17 0:00 ftp ftp.netfirms.com
>
> What looks strange to me in iptraf is:
> ip28-43-171-209.toro1.na.psigh.com:64572
> 218 324244 CLOSED eth0
> Perlea.Ro:1139
> 202 10504 CLOSED eth0
>
> Perlea.Ro:ftp
> 54 2491 --A- eth0
> 202.65.134.210:40391
> 53 2124 -PA- eth0
>
>
> ====================================================================
>
> My firewall configuration:
>
> echo "Inceput configurare firewall"
> #
> /sbin/ipchains -A input -s 0/0 -d 193.231.113.125 53 -p udp -i eth0 -j ACCEPT
> /sbin/ipchains -A input -s 0/0 -d 193.231.113.125 53 -p tcp -i eth0 -j ACCEPT
> /sbin/ipchains -A output -d 0/0 -s 193.231.113.125 53 -p udp -i eth0 -j ACCEPT
> /sbin/ipchains -A output -d 0/0 -s 193.231.113.125 53 -p tcp -i eth0 -j ACCEPT
> /sbin/ipchains -A input -s 0/0 -d 0/0 53 -p tcp -i eth0 -j ACCEPT
> /sbin/ipchains -A input -s 0/0 -d 0/0 22 -p tcp -i eth0 -j ACCEPT
> /sbin/ipchains -A input -s 0/0 -d 0/0 21 -p tcp -i eth0 -j ACCEPT
> #
> /sbin/ipchains -A output -d 0/0 -s 193.231.113.125 80 -p tcp -i eth0 -j ACCEPT
> /sbin/ipchains -A input -s 0/0 -d 193.231.113.125 80 -p tcp -i eth0 -j ACCEPT
> #
> /sbin/ipchains -A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
> /sbin/ipchains -A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
> #
> /sbin/ipchains -A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth0 -j ACCEPT
> /sbin/ipchains -A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth1 -j ACCEPT
> #
> /sbin/ipchains -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
> /sbin/ipchains -A input -s 0/0 -d 0/0 -i eth1 -j ACCEPT
> #
> /sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 6666:7000 -i eth0 -j REJECT
> /sbin/ipchains -A output -p tcp -d 0/0 -s 0/0 6666:7000 -i eth0 -j REJECT
> #
> /sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 8081 -i eth0 -j REJECT
> /sbin/ipchains -A output -p tcp -d 0/0 -s 193.231.113.125 8081 -i eth0 -j REJECT
> /sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 2000 -i eth0 -j REJECT
> /sbin/ipchains -A output -p tcp -d 0/0 -s 193.231.113.125 2000 -i eth0 -j REJECT
> /sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 4000 -i eth0 -j REJECT
> /sbin/ipchains -A output -p tcp -d 0/0 -s 193.231.113.125 4000 -i eth0 -j REJECT
> /sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 443 -i eth0 -j REJECT
> /sbin/ipchains -A output -p tcp -d 0/0 -s 193.231.113.125 443 -i eth0 -j REJECT
> #
> /sbin/ipchains -A input -p tcp -s 192.168.2.0/24 -d 0/0 6666:7000 -i eth0 -j REJECT
> #/sbin/ipchains -A output -p tcp -d 192.168.2.0/24 -s 0/0 6666:6670 -i eth0 -j REJECT
> #
> #/sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 8080 -i eth0 -j REJECT
> #/sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 1139 -i eth0 -j REJECT
> /sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 21 -i eth0 -j REJECT
> /sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 22 -i eth0 -j REJECT
> #/sbin/ipchains -A output -p tcp -s 0/0 -d 193.231.113.125 8080 -i eth0 -j REJECT
> #
> #/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
> #/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 2049 -j REJECT
> #/sbin/ipchains -A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
> #/sbin/ipchains -A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
> #/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 6000:6009 -j REJECT
> #/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 7100 -j REJECT
> #/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 1139 -j REJECT
> #
> echo "Forward Start"
> echo "1" > /proc/sys/net/ipv4/ip_forward
> /sbin/ipchains -A forward -s 192.168.2.0/24 -d 192.168.2.0/24 -j ACCEPT
> /sbin/ipchains -A forward -s 193.231.113.0/24 -d 0/0 -j ACCEPT
> #/sbin/ipchains -A forward -s 192.168.2.0/24 -d 0/0 -j MASQ
>
> echo "Masqarading CCPIL IP's"
> #Centrul Creatiei
> /sbin/ipchains -A forward -s 192.168.2.127/255.255.255.255 -d 0/0 -j MASQ
> /sbin/ipchains -A forward -s 192.168.2.150/255.255.255.255 -d 0/0 -j MASQ
> /sbin/ipchains -A forward -s 192.168.2.155/255.255.255.255 -d 0/0 -j MASQ
> /sbin/ipchains -A forward -s 192.168.2.157/255.255.255.255 -d 0/0 -j MASQ
>
> echo "Masqarading CCUIP IP's"
> #Centrul Cultural
> /sbin/ipchains -A forward -s 192.168.2.56/255.255.255.255 -d 0/0 -j MASQ
> /sbin/ipchains -A forward -s 192.168.2.100/255.255.255.255 -d 0/0 -j MASQ
> /sbin/ipchains -A forward -s 192.168.2.110/255.255.255.255 -d 0/0 -j MASQ
> /sbin/ipchains -A forward -s 192.168.2.156/255.255.255.255 -d 0/0 -j MASQ
>
> echo "Masqarading DPCCPN IP's"
> #Inspectorate
> /sbin/ipchains -A forward -s 192.168.2.32/255.255.255.255 -d 0/0 -j MASQ
> /sbin/ipchains -A forward -s 192.168.2.163/255.255.255.255 -d 0/0 -j MASQ
>
> echo "Masqarading BJI IP's"
> #BJI
> /sbin/ipchains -A forward -s 192.168.2.43/255.255.255.255 -d 0/0 -j MASQ
> /sbin/ipchains -A forward -s 192.168.2.222/255.255.255.255 -d 0/0 -j MASQ
> echo "Sfarsit configurare firewall"
>
> --
> To unsubscribe, send mail to
> [EMAIL PROTECTED] with the subject 'unsubscribe rlug'.
> RULES, archives and other information: http://www.lug.ro/mlist/

--
I/O error while opening .signature file
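Added example, not part of the thread and not code from either poster: point #4 of the reply is to cut the rootkit's ports in the firewall, and the posted ipchains script already carries REJECT rules for tcp/21 and tcp/22 that sit after blanket ACCEPTs for the same ports on eth0. The model below applies ipchains first-match semantics to a constructed excerpt of that input chain (same rule order) so you can see which rule actually decides a packet; it assumes a default policy of ACCEPT, since the script sets none, and the packet's source address is constructed.

```python
import ipaddress

# Constructed excerpt of the ipchains input chain posted in the thread, in the original
# order: the blanket ACCEPT for tcp/21 on eth0 precedes the REJECT aimed at the same port.
RULES = """
/sbin/ipchains -A input -s 0/0 -d 193.231.113.125 53 -p udp -i eth0 -j ACCEPT
/sbin/ipchains -A input -s 0/0 -d 0/0 21 -p tcp -i eth0 -j ACCEPT
/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 6666:7000 -i eth0 -j REJECT
/sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 21 -i eth0 -j REJECT
"""
FLAGS = {"-A": "chain", "-p": "proto", "-i": "iface", "-j": "target"}

def parse_rule(line):
    """Parse the subset of ipchains syntax the posted script uses into a dict."""
    t, i = line.split(), 0
    r = {"src": "0/0", "dst": "0/0", "sport": None, "dport": None, "syn": False, **dict.fromkeys(FLAGS.values())}
    while i < len(t):
        a = t[i]
        if a in FLAGS:
            r[FLAGS[a]] = t[i + 1]; i += 2
        elif a in ("-s", "-d"):          # address, optionally followed by port[:port]
            side = "src" if a == "-s" else "dst"
            r[side] = t[i + 1]; i += 2
            if i < len(t) and not t[i].startswith("-"):
                r[side[0] + "port"] = t[i]; i += 1
        else:                            # -y (match SYN only) or a flag we do not model
            r["syn"] = r["syn"] or a == "-y"; i += 1
    return r

def port_ok(spec, port):
    lo, _, hi = (spec or "0:65535").partition(":")
    return int(lo) <= port <= int(hi or lo)

def matches(r, pkt):
    net = lambda s: ipaddress.ip_network("0.0.0.0/0" if s == "0/0" else s, strict=False)
    return (r["proto"] in (None, pkt["proto"]) and r["iface"] in (None, pkt["iface"])
            and ipaddress.ip_address(pkt["src"]) in net(r["src"]) and port_ok(r["sport"], pkt["sport"])
            and ipaddress.ip_address(pkt["dst"]) in net(r["dst"]) and port_ok(r["dport"], pkt["dport"])
            and (pkt["syn"] or not r["syn"]))

def decide(rules_text, pkt, chain="input", policy="ACCEPT"):
    """First matching rule wins (ipchains semantics); -1 = default policy, assumed ACCEPT."""
    rules = [parse_rule(l) for l in rules_text.strip().splitlines()]
    for n, r in enumerate(rules):
        if r["chain"] == chain and matches(r, pkt):
            return n, r["target"]
    return -1, policy

FTP_SYN = {"proto": "tcp", "iface": "eth0", "src": "198.51.100.7",  # constructed packet:
           "dst": "193.231.113.125", "sport": 40391, "dport": 21, "syn": True}  # SYN to ftp
```

`decide(RULES, FTP_SYN)` returns `(1, "ACCEPT")`: the inbound ftp connection is accepted by the second rule and never reaches the REJECT, so the later rule is dead until it is moved above the ACCEPT or the ACCEPT is removed.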
