A few days ago (June 19) a server that I manage suffered an attack.
Analyzing the log, I discovered that there were several access attempts from a web scanner called w00tw00t.at.ISC.SANS.DFind.
I set the firewall to prevent further visits from this scanner.
The problem is that the server is compromised, however, in the sense that surely someone has gained access to the server and has damaged something.
In fact, everything worked except postfix.
If I try to start it, it gives me this error:
I tried reinstalling postfix, but it was deleted, and some modules from plesk were also deleted; in fact, plesk now will not start and the sites hosted on the server are not online.
If I try to re-install postfix or plesk, it always gives me the error "cannot execute binary file" on some commands, such as "sed" and "tar".
Then, analyzing the bin folder, I discovered that a number of executables have certainly been compromised; in fact, their modification date is the date of the attack:
All the executables listed do not work (they give the error indicated above).
How do I restore these damaged executables?
I await help urgently!
Thank you!
P.S. here is more info that may be useful about the server:
Agreed, you do not 'repair' after your box has been rooted, since anything could have been violated, including the ability of the box to properly analyze or repair itself.
Last edited by Corona688; 06-24-2013 at 01:15 PM..
To reiterate what Corona said, your machine is not trustworthy. Do not believe anything it says.
You cannot trust what ls says because ls itself may have been modified. Even if ls is trustworthy, if the kernel has been modified, then the stat system call that ls uses to obtain file metadata (which includes timestamps) cannot be trusted.
As an aside, your ls command is using modification times to identify compromised executables. Even if ls and the kernel can be trusted, mtimes can be trivially forged with privilege and a system call. While ctimes are not normally forgeable in that way, given root and malicious intent, metadata can be modified arbitrarily.
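The point made in the reply above (mtime is trivially backdated, ctime is not set by the same call, and neither is a substitute for comparing against a known-good baseline) can be shown in a few lines. This is an added example in Python, not code from the thread or from either poster; it works entirely inside a temporary directory with constructed stand-ins named sed, tar and ls, and the "attack" and the 2010 timestamp are made up for the demonstration.

```python
"""Why mtime-based triage of a rooted box is unreliable, and what a stronger
check looks like. Added example, not from the original thread. Everything is
constructed in a temp directory; no real system binaries are touched."""
import hashlib
import os
import tempfile

FAKE_EPOCH = 1262304000  # 2010-01-01T00:00:00Z, a date long before any "attack"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths):
    """Known-good hashes. In real use these come from trusted install media or
    the distribution's package metadata, never from the suspect host itself."""
    return {os.path.basename(p): sha256_file(p) for p in paths}


def verify_against_manifest(paths, manifest):
    """Return the names whose current hash differs from the baseline."""
    return sorted(os.path.basename(p) for p in paths
                  if sha256_file(p) != manifest[os.path.basename(p)])


def forge_mtime(path, epoch):
    """utime(2): the file's owner can set atime/mtime to any value.
    ctime cannot be set this way; the kernel bumps it to 'now' instead."""
    os.utime(path, (epoch, epoch))


def timestamp_anomaly(path, slack=3600):
    """ctime far newer than mtime means the inode changed well after the
    claimed modification time, which is what utime() backdating leaves behind.
    Caveat (as the reply says): root can still defeat this by moving the
    clock or editing the inode directly, so it is a hint, not proof."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > slack


def demo():
    with tempfile.TemporaryDirectory() as d:
        names = ["sed", "tar", "ls"]  # constructed stand-ins for /bin binaries
        paths = [os.path.join(d, n) for n in names]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\necho genuine %s\n" % os.path.basename(p).encode())
        manifest = build_manifest(paths)  # trusted baseline, taken beforehand

        # Attacker replaces "sed" and backdates it so 'ls -l' looks innocent.
        trojan = paths[0]
        with open(trojan, "wb") as f:
            f.write(b"\x7fELF garbage that no longer executes\n")
        forge_mtime(trojan, FAKE_EPOCH)

        st = os.stat(trojan)
        return {
            "forged_mtime_accepted": int(st.st_mtime) == FAKE_EPOCH,
            "ctime_anomaly": timestamp_anomaly(trojan),
            "manifest_mismatch": verify_against_manifest(paths, manifest),
        }


if __name__ == "__main__":
    print(demo())
```

Running it shows the forged mtime is accepted exactly as given, the ctime gap flags the file, and only the hash comparison against a baseline taken off the box identifies which binary was replaced. Note that all three checks still run on the suspect host's kernel and libraries; the conclusion of the thread stands: mount the disk read-only from trusted media, pull the evidence, and rebuild rather than repair.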