Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Server has been compromised
Special Forums Cybersecurity Server has been compromised Post 302756861 by Corona688 on Wednesday 16th of January 2013 03:26:55 PM
Old 01-16-2013
Quote:
Originally Posted by franx47
@ Neo
Yes, I come here to look for easy way for quick response.

I have got your answer, you suggest me to use that tripwire to secure my /tmp. But, that's just a long term action, I need "short quick response actions" for this. Anything like blocking port 6667 & 7000 effectively, prevent IRC script from running, etc.
Do you understand that your server has been deeply compromised?

Do you understand that, if you've been rooted, you cannot trust the operating system anymore?

Do you understand that this may be why the quick fixes you've tried have had no effect? And even the sophisticated ones.

If you cannot trust this system to do what you tell it to, you cannot trust any of the quick fixes.
Quote:
# If it's about SQL injection attack, when someone got the credential login like Cpanel/FTP or Admin login, what can he do other than just playing around with C99/R57 shell??
They don't need gcc to upload C commands, just somewhere to write files and chmod.
Quote:
# If he playing with C99/R57 shell, how can he runs exploit coded in C, where GCC is disabled for user?
He doesn't need your compiler, he can use his own, and just upload the binary. All he needs is a way to set it executable.

If you deny him chmod, he can still just cp /bin/sh /path/to/my/executable ; cat my_binary_code > /path/to/my/executable.
Quote:
# If he runs exploit not coded in C, but coded in Perl, then successfully rooting my server, then I think this is a big security hole in Centos 5!
Perl, a C/C++ program, is neither more secure, nor less secure, than C/C++ itself. In any case it's not the language that grants things permissions to do things, it's the operating system itself.

Locking them to a specific language is not security. Denying them the permissions they need to do anything untoward in any language is security.
Quote:
If there's no satisfy answers from ppl in this forum, I think this will be my last post. I'm tired. I think I'm just asking for simple question, but none answered my question at all.
There is no rubber chicken we can wave that will make your infestation go away. If you haven't been rooted, you might be able to hunt down the files with find /tmp/ and picking through them by hand. It is vital for finding and dealing with filenames that cannot be typed in the terminal, since you can refer to files by inode.

Check /proc/pid/ for the rogue processes in question. If they don't show at all, you've been rooted. If they do, /proc/pid/fd might reveal what files they're running from.

There might be a firewall rule to drop those outgoing ports, but how to do so depends on what your firewall is already and what your network setup is.

And if you have been rooted, then your OS itself, the thing which you're using to try and track down and fight this problem, is the thing that's been infected. Catch-22.
Quote:
Wonder if in this big UNIX forum, no one ever dealt with IRC botnet. Huft..
Many of us have. This is how we know it's not as easy as you'd like. You know the saying, an ounce of prevention is worth a pound of cure?

You say you have no backups, too. This may be a good time to back up your customer data, but check it carefully when you restore.
Last edited by Corona688; 01-16-2013 at 04:34 PM..
These 2 Users Gave Thanks to Corona688 For This Post:
Scott Yoda
 

9 More Discussions You Might Find Interesting

1. IP Networking

in.telnetd[5115] -- compromised?

/* Linux Slackware */ looking in my logs I see tons of entries similar to below. Does anyone know what these mean, and should I be concerned. I looked up a few of the IP's at Arin.net and saw that many of them belong to isp's (not good).. Any information is helpful.. Body of Messages log... (1 Reply)
Discussion started by: LowOrderBit
1 Replies

2. Solaris

NFS write failed for server.....error 11 (RPC: Server can't decode arguments)

Hello! I have a Linux nfs server (called server100 below) with a export nfs. My problem is that the Solaris client (called client100 below) doesn't seems to like it. In the Solaris syslog I got following messages (and after a while the solaris client behave liked its hanged/to buzy). Also see... (3 Replies)
Discussion started by: sap4ever
3 Replies

3. Windows & DOS: Issues & Discussions

Office server => laptop =>client server ...a lengthy and laborious ftp procedure

Hi All, I need your expertise in finding a way to solve my problem.Please excuse if this is not the right forum to ask this question and guide me to the correct forum,if possible. I am a DBA and on a daily basis i have to ftp huge dump files from my company server to my laptop and then... (3 Replies)
Discussion started by: kunwar
3 Replies

4. Shell Programming and Scripting

KSH fetching files from server A onto server B and putting on server C

Dear Friends, Sorry for this basic request. But I just started learning Ksh recently and still I am a newbie in this field. Q: I have files on one server and the date format is 20121001000009_224625.in which has year (yyyy) month (mm) and date (dd). I have these files on server A. The task... (8 Replies)
Discussion started by: BrownBob
8 Replies

5. Shell Programming and Scripting

Connect to server-1 from server-2 and get a file from server-1

I need to connect to a ftp server-1 from linux server-2 and copy/get a file from server-1 which follows a name pattern of FILENAME* (located on the root directory) and copy on a directory on server-2. Later, I have to use this file for ETL loading... For this I tried using as below /usr/bin/ftp... (8 Replies)
Discussion started by: dhruuv369
8 Replies

6. Shell Programming and Scripting

Shell script to copy a file from one server to anther server and execute the binary

Hi , Is there any script to copy a files (weblogic bianary + silent.xml ) from one server (linux) to another servers and then execute the copy file. We want to copy a file on multiple servers and run the installation. Thanks (1 Reply)
Discussion started by: Nawrajesh
1 Replies

7. UNIX for Dummies Questions & Answers

Transfer file from server B to server C and running the script on server A

I have 3 servers A, B, C and server B is having some files in /u01/soa/ directory, these files i want to copy to server C, and i want to run the script from server A. Script(Server A) --> Files at Server B (Source server) --> Copy the files to Server C(Target Server). We dont have RSA key... (4 Replies)
Discussion started by: kiran_j
4 Replies

8. Solaris

Script to get files from remote server to local server through sftp without prompting for password

Hi, I am trying to automate the process of fetching files from remote server to local server through sftp. I have the username and password for the remote solaris server. But I need to give password manually everytime i run the script. Can anyone help me in automating the script such that it... (3 Replies)
Discussion started by: ssk250
3 Replies

9. UNIX for Dummies Questions & Answers

Please help my computer has been compromised

Hi everyone, I hope I am posting in the right spot and I really need some help. I am going through a horrible divorce and I am afraid that my husband has compromised . He set up my mac computer and router and for my job set up remote access for me. I caught him cheating on me and I think he... (6 Replies)
Discussion started by: kk243665
6 Replies
All times are GMT -4. The time now is 02:53 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy