01-16-2013
@jmanel. Thank you very much for your nice guide.
Is there any possibility I can secure my VPS server without re-install ? Since it has many webhost domain in it and each has huge database for more than 5 years.
You are right, using RKHunter has no effect at all, except just giving any vulnerabilities information.
Today, I was trying again to clean my server from any malicious IRC script, such as:
- Closing port (113,6667,7000)
- Trace process and kill it
- Remove the IRC script files
- Lock any user account that has been compromised, also change my root password
- Give no shell access to all accounts, only root & mysql have /bin/bash
- Scan multiple times with RKHunter and ClamAV to make sure there's no left over malicious files & security hole
- Restrict SSH access to only from spesific IP Address and also disable Authentication Key
- Chmod all domain host directory to 700, set subdirectory to be 755, and only images folder has 777 file permissions. Other files only has 644 file permission.
- Update Centos 5 with yum, almost every day.
I did that procedures above all day long, but after several hours later, in my /root there appears again malicious IRC files with uid and gid 1000. It really makes me pain .. how can the attacker enter my server. I guess he did "rooting" my server.
Did the attacker exploit the /tmp or /dev. I dont know.
Please anyone, whoever expert in Linux security help me on this case.
Thank you.
9 More Discussions You Might Find Interesting
1. IP Networking
/* Linux Slackware */
looking in my logs I see tons of entries similar to below. Does anyone know what these mean, and should I be concerned. I looked up a few of the IP's at Arin.net and saw that many of them belong to isp's (not good).. Any information is helpful..
Body of Messages log... (1 Reply)
Discussion started by: LowOrderBit
1 Replies
2. Solaris
Hello!
I have a Linux nfs server (called server100 below) with a export nfs. My problem is that the Solaris client (called client100 below) doesn't seems to like it. In the Solaris syslog I got following messages (and after a while the solaris client behave liked its hanged/to buzy). Also see... (3 Replies)
Discussion started by: sap4ever
3 Replies
3. Windows & DOS: Issues & Discussions
Hi All,
I need your expertise in finding a way to solve my problem.Please excuse if this is not the right forum to ask this question and guide me to the correct forum,if possible.
I am a DBA and on a daily basis i have to ftp huge dump files from my company server to my laptop and then... (3 Replies)
Discussion started by: kunwar
3 Replies
4. Shell Programming and Scripting
Dear Friends,
Sorry for this basic request. But I just started learning Ksh recently and still I am a newbie in this field.
Q: I have files on one server and the date format is 20121001000009_224625.in which has year (yyyy) month (mm) and date (dd). I have these files on server A. The task... (8 Replies)
Discussion started by: BrownBob
8 Replies
5. Shell Programming and Scripting
I need to connect to a ftp server-1 from linux server-2 and copy/get a file from server-1 which follows a name pattern of FILENAME* (located on the root directory) and copy on a directory on server-2. Later, I have to use this file for ETL loading... For this I tried using as below
/usr/bin/ftp... (8 Replies)
Discussion started by: dhruuv369
8 Replies
6. Shell Programming and Scripting
Hi ,
Is there any script to copy a files (weblogic bianary + silent.xml ) from one server (linux) to another servers and then execute the copy file.
We want to copy a file on multiple servers and run the installation.
Thanks (1 Reply)
Discussion started by: Nawrajesh
1 Replies
7. UNIX for Dummies Questions & Answers
I have 3 servers A, B, C and server B is having some files in /u01/soa/ directory, these files i want to copy to server C, and i want to run the script from server A.
Script(Server A) --> Files at Server B (Source server) --> Copy the files to Server C(Target Server).
We dont have RSA key... (4 Replies)
Discussion started by: kiran_j
4 Replies
8. Solaris
Hi,
I am trying to automate the process of fetching files from remote server to local server through sftp. I have the username and password for the remote solaris server. But I need to give password manually everytime i run the script.
Can anyone help me in automating the script such that it... (3 Replies)
Discussion started by: ssk250
3 Replies
9. UNIX for Dummies Questions & Answers
Hi everyone,
I hope I am posting in the right spot and I really need some help. I am going through a horrible divorce and I am afraid that my husband has compromised . He set up my mac computer and router and for my job set up remote access for me. I caught him cheating on me and I think he... (6 Replies)
Discussion started by: kk243665
6 Replies
LEARN ABOUT DEBIAN
expect_passmass
PASSMASS(1) General Commands Manual PASSMASS(1)
NAME
passmass - change password on multiple machines
SYNOPSIS
passmass [ host1 host2 host3 ... ]
INTRODUCTION
Passmass changes a password on multiple machines. If you have accounts on several machines that do not share password databases, Passmass
can help you keep them all in sync. This, in turn, will make it easier to change them more frequently.
When Passmass runs, it asks you for the old and new passwords. (If you are changing root passwords and have equivalencing, the old pass-
word is not used and may be omitted.)
Passmass understands the "usual" conventions. Additional arguments may be used for tuning. They affect all hosts which follow until
another argument overrides it. For example, if you are known as "libes" on host1 and host2, but "don" on host3, you would say:
passmass host1 host2 -user don host3
Arguments are:
-user
User whose password will be changed. By default, the current user is used.
-rlogin
Use rlogin to access host. (default)
-slogin
Use slogin to access host.
-ssh
Use ssh to access host.
-telnet
Use telnet to access host.
-program
Next argument is a program to run to set the password. Default is "passwd". Other common choices are "yppasswd" and "set
passwd" (e.g., VMS hosts). A program name such as "password fred" can be used to create entries for new accounts (when run as
root).
-prompt
Next argument is a prompt suffix pattern. This allows the script to know when the shell is prompting. The default is "# " for
root and "% " for non-root accounts.
-timeout
Next argument is the number of seconds to wait for responses. Default is 30 but some systems can be much slower logging in.
-su
Next argument is 1 or 0. If 1, you are additionally prompted for a root password which is used to su after logging in. root's
password is changed rather than the user's. This is useful for hosts which do not allow root to log in.
HOW TO USE
The best way to run Passmass is to put the command in a one-line shell script or alias. Whenever you get a new account on a new machine,
add the appropriate arguments to the command. Then run it whenever you want to change your passwords on all the hosts.
CAVEATS
Using the same password on multiple hosts carries risks. In particular, if the password can be stolen, then all of your accounts are at
risk. Thus, you should not use Passmass in situations where your password is visible, such as across a network which hackers are known to
eavesdrop.
On the other hand, if you have enough accounts with different passwords, you may end up writing them down somewhere - and that can be a
security problem. Funny story: my college roommate had an 11"x13" piece of paper on which he had listed accounts and passwords all across
the Internet. This was several years worth of careful work and he carried it with him everywhere he went. Well one day, he forgot to
remove it from his jeans, and we found a perfectly blank sheet of paper when we took out the wash the following day!
SEE ALSO
"Exploring Expect: A Tcl-Based Toolkit for Automating Interactive Programs" by Don Libes, O'Reilly and Associates, January 1995.
AUTHOR
Don Libes, National Institute of Standards and Technology
7 October 1993 PASSMASS(1)