Thursday, October 1, 2015

Cleaning the server after a hack

I rented a KVM VPS from the US hoster AmeriNOC, and for about three years everything was fine and good. In all the time I was hammering the machine hard and writing angry tickets to support, there were only a couple of problems, and they were solved very, very quickly.

And then, like a bolt from the blue, one morning I see a mail saying my server was engaged in "Malicious Activity". Fine, except there had been no earlier letters about any such activity. Worse, support went completely cold: the question of what exactly was being imputed was given 12 hours, and the server was returned to ONLINE status only after another 3-4 hours.
By this time I had already moved the critical services to the DO cloud and was stupidly waiting for my turn on the satellite grid. According to tech support, my server was brute-forcing SSH on servers in the AmeriNOC network.

Frankly, I did not believe it and thought it was nonsense, because several times I have had similar stories with different hosters, where they suspended the server for some activity that was later not confirmed, after which everything, stupid as it was, carried on working.
But for peace of mind I decided to look for traces anyway. I decided to search for the text files a brute-forcer needs, without which it obviously cannot run. And, as it turned out, for good reason.
# find / -name '*.txt' -ctime -1
/var/wm/libssh2/go2/72.txt
/var/wm/libssh2/go2/bios.txt
/var/wm/libssh2/go2/216.txt
/var/wm/libssh2/go2/users.txt
/var/wm/libssh2/go2/vuln.txt
/var/wm/libssh2/go2/73.txt
/var/wm/libssh2/go2/testver.txt
/var/wm/libssh2/go2/pass.txt
/var/wm/libssh2/go2/73vuln.txt
/var/cache/yum/i386/6/base/mirrorlist.txt
/var/cache/yum/i386/6/extras/mirrorlist.txt
/var/cache/yum/i386/6/timedhosts.txt
/var/cache/yum/i386/6/updates/mirrorlist.txt

As we can see, the brute-forcer script has been installed under the libssh2 directory:


Looking at who logged into the system, I see an interesting situation: the sshd connection log shows root logins at 2 and 4 am on 08.04 (I had not been on the server for two weeks), while `last` shows nothing beyond the date of my own last login.

Again, going directly to the binary log from which `last` takes its information, there is no trace of that connection at all:
# utmpdump /var/log/wtmp | grep 'Wed Apr 08'

In theory the hackers could have wiped their trail after rooting the host, including while looking for the entry point.
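The discrepancy above (sshd records root logins, wtmp no longer has them) can be checked mechanically. The script below is an added example, not part of the original post: it compares "Accepted" lines from the sshd log against `utmpdump` output and prints every login that has no matching USER_PROCESS record. The log lines and the utmpdump line are constructed samples, and the old-style `Wed Mar 25 10:02:17 2015 UTC` timestamp format used on this page is assumed (newer util-linux prints ISO timestamps).

```shell
#!/bin/sh
# Cross-check sshd "Accepted" logins against utmpdump output for wtmp.
# A login that sshd recorded but wtmp no longer holds is the discrepancy
# described above: `last` looks clean while the sshd log shows root logins.

# Constructed sshd log lines (sample data, not from the compromised host).
AUTH_SAMPLE='Apr  8 02:13:44 vps sshd[2210]: Accepted password for root from 203.0.113.7 port 51022 ssh2
Apr  8 04:07:01 vps sshd[2398]: Accepted password for root from 203.0.113.7 port 51140 ssh2
Mar 25 10:02:17 vps sshd[1802]: Accepted publickey for admin from 198.51.100.4 port 40122 ssh2'

# Constructed `utmpdump /var/log/wtmp` output: only the admin login survived.
WTMP_SAMPLE='[7] [01802] [ts/0] [admin   ] [pts/0       ] [198.51.100.4        ] [198.51.100.4   ] [Wed Mar 25 10:02:17 2015 UTC]'

# unlogged_logins SSHD_LOG UTMPDUMP_FILE
# Prints "user Mon D HH:MM:SS" for every accepted sshd login with no
# USER_PROCESS (type 7) wtmp record for the same user and timestamp.
unlogged_logins() {
    awk -F'[][]' '
        FILENAME == ARGV[1] {          # wtmp dump first; works even if it is empty
            if ($2 + 0 != 7) next      # keep only login records
            u = $8; gsub(/ +$/, "", u) # user field is space padded
            split($16, d, " ")         # "Wed Mar 25 10:02:17 2015 UTC"
            seen[u " " d[2] " " (d[3] + 0) " " d[4]] = 1
            next
        }
        {                              # sshd log second
            n = split($0, f, " ")
            if (n < 9 || f[5] !~ /^sshd\[/ || f[6] != "Accepted") next
            key = f[9] " " f[1] " " (f[2] + 0) " " f[3]
            if (!(key in seen)) print key
        }' "$2" "$1"
}

# Runs the check on the constructed samples and prints the unlogged logins.
demo() {
    a=$(mktemp); w=$(mktemp)
    printf '%s\n' "$AUTH_SAMPLE" > "$a"
    printf '%s\n' "$WTMP_SAMPLE" > "$w"
    unlogged_logins "$a" "$w"
    rm -f "$a" "$w"
}

demo
```

On a real host run `unlogged_logins /var/log/secure <(utmpdump /var/log/wtmp)` (or save the dump to a file first); an empty result means wtmp and the sshd log agree.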
To start with, go over the machine with Rootkit Hunter:
# sudo rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.i686.rpm
# yum -y install rkhunter
# rkhunter --update
# rkhunter --propupd
# rkhunter -c
After the scan, look at what Hunter found:
# grep Warning /var/log/rkhunter.log
and see a few hits on system files and scripts.
Then install chkrootkit:
# yum install chkrootkit
# chkrootkit
It found a hole:
Checking `bindshell'... INFECTED (PORTS: 465)
but I have a mailer sitting on this server that simply listens for SSL on port 465. To be sure, check it:
# netstat -pan | grep ':465'
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 1085/exim
tcp 0 0 :::465 :::* LISTEN 1085/exim
# ps -F -p 1085
UID PID PPID C SZ RSS PSR STIME TTY TIME CMD
mail 1085 1 0 2744 1144 0 Apr08 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid

Now install an antivirus, but first zlib has to be pulled in, without which clamd for some reason refused to install:
# yum -y install zlib-devel
# yum -y install clamd
# freshclam
and feed clamav the suspicious files:
# clamscan /home/hacknet/domains/bad-site/public_html/wp-content/themes/itheme2/functions.php
