This is a real server,

Michael

Bob Hutchinson wrote:
On Tuesday 26 February 2008 07:55, Michael Christie wrote:
Hi there bill,

Here is a copy of the cron log. The cron was running every 2 minutes,
the file was chown www:www. I have had a look in my groups and
passwords; it looks like there are no new users or root users been made
there. I removed the cron and also removed the file y2kupdate. Google
has not much about the file or what it does, I just know I have been
hacked. If you have any idea what this hack is and how to make sure it
is cleaned off, please advise.

Hope this helps

First of all you can prevent www running a cron again, how depends on your system, have a look at
man crontab
for further details, possibly /etc/cron.allow or /etc/cron.deny

Next you need to look at the permissions of directories under vegadns, what is .system? Not part of a regular vegadns install.

You can protect your vegadns with .htaccess and you should certainly change all the passwords.

Please tell us more, is this a 'real' server or a virtual server?

Feb 26 13:01:00 nemo /usr/sbin/cron[98198]: (www) CMD
(/usr/local/www/data-dist/vegadns/.system/samseng/y2kupdate >/dev/null
2>&1)

Bill Shupp wrote:
On Feb 25, 2008, at 3:03 AM, Michael Christie wrote:
Hi all, just letting you all know that I had vega dns version 0.9.9.1
hacked on me. The attacker installed a file in the /src dir and
somehow set up a cron to run the script. It was some kind of spam email hack.
Now I am back to hand coding the data file until I can work out how
to lock it down more.
Michael,

Please provide as many details as you can.

Thanks,

Bill

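An added example, not part of the original thread: a small triage script that rejoins mail-wrapped cron log entries like the one quoted above and flags jobs worth a closer look. The service-account list, the web-root prefixes and the first and third sample lines are assumptions constructed for illustration; only the middle entry comes from the thread.

```python
import re

TS = r'\w{3}\s+\d+\s[\d:]{8}'  # syslog timestamp, e.g. "Feb 26 13:01:00"
CRON_RE = re.compile(
    r'^' + TS + r'\s\S+\s\S*cron\S*\[\d+\]:\s'
    r'\((?P<user>[^)]+)\)\sCMD\s\((?P<cmd>.*)\)\s*$', re.IGNORECASE)

# Assumptions: accounts that should not own a crontab, and local document roots.
SERVICE_USERS = {"www", "www-data", "apache", "nginx", "nobody"}
WEB_ROOTS = ("/usr/local/www/", "/var/www/")

# Middle entry is from the thread (wrapped as mailed); the others are constructed.
SAMPLE = """\
Feb 26 13:00:00 nemo /usr/sbin/cron[98150]: (root) CMD (/usr/libexec/atrun)
Feb 26 13:01:00 nemo /usr/sbin/cron[98198]: (www) CMD
(/usr/local/www/data-dist/vegadns/.system/samseng/y2kupdate >/dev/null
2>&1)
Feb 26 13:05:00 nemo /usr/sbin/cron[98260]: (operator) CMD (/usr/libexec/save-entropy)
"""

def unwrap(text):
    """Rejoin entries that a mail client wrapped across several lines."""
    entries = []
    for raw in (l.strip() for l in text.splitlines() if l.strip()):
        if re.match(TS + r'\s', raw) or not entries:
            entries.append(raw)          # a new entry starts with a timestamp
        else:
            entries[-1] += " " + raw     # continuation of the previous entry
    return entries

def assess(entry):
    """Return (user, command, reasons) for a cron CMD entry, or None."""
    m = CRON_RE.match(entry)
    if not m:
        return None
    user, cmd = m["user"], m["cmd"]
    path = cmd.split()[0] if cmd.split() else ""
    reasons = []
    if user in SERVICE_USERS:
        reasons.append("job runs as a service account")
    if path.startswith(WEB_ROOTS):
        reasons.append("executable lives under the web root")
    if any(s.startswith(".") and s not in (".", "..") for s in path.split("/")):
        reasons.append("hidden directory in path")
    if re.search(r'>\s*/dev/null\s+2>&1', cmd):
        reasons.append("all output discarded")
    return user, cmd, reasons

def suspicious(text):
    """Assess every entry and keep those with at least one reason."""
    results = (assess(e) for e in unwrap(text))
    return [r for r in results if r and r[2]]

if __name__ == "__main__":
    for user, cmd, reasons in suspicious(SAMPLE):
        print(f"{user}: {cmd}\n  -> " + "; ".join(reasons))
```

A flagged service account is also a candidate for /etc/cron.deny, as suggested in the reply above.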