Compromised Linux server! - Security



Thread: Compromised Linux server!

  1. Compromised Linux server!

    So a new guy at work and I (we just started a couple of months ago)
    were poking around our main Linux web server. We pulled a .tar backup
    from the server to look around, and it was 12GB. Well, as it turns out
    11GB of that is movies, porn, applications / general warez -- all in
    GERMAN. Also, many of the PHP files seem to be infected with malicious
    "trojan code", as Symantec has it labeled.

    It looks like the entire server has basically been compromised.

    I would like to trace the intruders, if possible, who have placed all of
    the files in an "invisible" folder (to Linux, but viewable via
    NTFS/Windows) under a cgi-bin directory of a virtual website (which I
    will not name).

    Anyone have experience with situations like these? I don't want to
    delete the files right off the bat, because I'd like to catch the IP of
    these guys and catch them in the act, and find the security breaches of
    the server and its vulnerabilities.

    From there, who knows -- probably a new server / fresh install of a new
    OS.

    Might I also add, we just found out today that telnet is also enabled
    on the server (!!!), though we have been ssh'ing to it, and direct root
    access is ENABLED...


  2. Re: Compromised Linux server!


    Tom wrote, On 03/20/2006 11:51 PM:
    > So a new guy at work and I (we just started a couple of months ago)
    > were poking around our main Linux web server. We pulled a .tar backup
    > from the server to look around, and it was 12GB. Well, as it turns out
    > 11GB of that is movies, porn, applications / general warez -- all in
    > GERMAN. Also, many of the PHP files seem to be infected with malicious
    > "trojan code", as Symantec has it labeled.
    >
    > It looks like the entire server has basically been compromised.
    >
    > I would like to trace the intruders, if possible, who have placed all of
    > the files in an "invisible" folder (to Linux, but viewable via
    > NTFS/Windows) under a cgi-bin directory of a virtual website (which I
    > will not name).
    >
    > Anyone have experience with situations like these? I don't want to
    > delete the files right off the bat, because I'd like to catch the IP of
    > these guys and catch them in the act, and find the security breaches of
    > the server and its vulnerabilities.
    >
    > From there, who knows -- probably a new server / fresh install of a new
    > OS.
    >
    > Might I also add, we just found out today that telnet is also enabled
    > on the server (!!!), though we have been ssh'ing to it, and direct root
    > access is ENABLED...
    >


    Save the trouble. Wipe the system clean and rebuild from scratch.

    just my two cents.

    --
    ----------------------------
    Kristian Fiskerstrand
    http://www.kfwebs.net
    ----------------------------
    http://www.secure-my-email.com
    http://www.secure-my-internet.com
    http://www.yourblog.in
    ----------------------------
    Public PGP key 0x6B0B9508 at http://www.kfwebs.net/pgp/


  3. Re: Compromised Linux server!

    Kristian Fiskerstrand wrote:
    > Tom wrote, On 03/20/2006 11:51 PM:
    >>>So a new guy at work and I (we just started a couple of months ago)
    >>>were poking around our main Linux web server. We pulled a .tar backup
    >>>from the server to look around, and it was 12GB. Well, as it turns out
    >>>11GB of that is movies, porn, applications / general warez -- all in
    >>>GERMAN. Also, many of the PHP files seem to be infected with malicious
    >>>"trojan code", as Symantec has it labeled.
    >>>
    >>>It looks like the entire server has basically been compromised.
    >>>
    >>>I would like to trace the intruders, if possible, who have placed all of

    .....snippity...

    > Save the trouble. Wipe the system clean and rebuild from scratch.
    >
    > just my two cents.


    I agree. What do you "think" you are going to do to the
    perpetrators if found??

    Remember, there are thousands of these folks standing in
    line to hack your box... can't get 'em all!!

    Better to focus on locking your box down rather than
    focusing on revenge.

  4. Re: Compromised Linux server!

    How should I port the sites over from backup when they are most likely
    infected?

    This will mean lost money from downtime for customers, not to
    mention the possibility we might LOSE some customers if I need to take
    their sites down....


    Chris Cox wrote:
    > Kristian Fiskerstrand wrote:
    > > Tom wrote, On 03/20/2006 11:51 PM:
    > >>>So a new guy at work and I (we just started a couple of months ago)
    > >>>were poking around our main Linux web server. We pulled a .tar backup
    > >>>from the server to look around, and it was 12GB. Well, as it turns out
    > >>>11GB of that is movies, porn, applications / general warez -- all in
    > >>>GERMAN. Also, many of the PHP files seem to be infected with malicious
    > >>>"trojan code", as Symantec has it labeled.
    > >>>
    > >>>It looks like the entire server has basically been compromised.
    > >>>
    > >>>I would like to trace the intruders, if possible, who have placed all of

    > ....snippity...
    >
    > > Save the trouble. Wipe the system clean and rebuild from scratch.
    > >
    > > just my two cents.

    >
    > I agree. What do you "think" you are going to do to the
    > perpetrators if found??
    >
    > Remember, there are thousands of these folks standing in
    > line to hack your box... can't get em all!!
    >
    > Better to focus on locking your box down rather than
    > focusing on revenge.



  5. Re: Compromised Linux server!


    Tom wrote, On 03/21/2006 01:23 AM:
    > How should I port the sites over from backup when they are most likely
    > infected?
    >
    > This will mean lost money from downtime for customers, not to
    > mention the possibility we might LOSE some customers if I need to take
    > their sites down....


    http://en.wikipedia.org/wiki/Sunk_cost

    --
    ----------------------------
    Kristian Fiskerstrand
    http://www.kfwebs.net
    ----------------------------
    http://www.secure-my-email.com
    http://www.secure-my-internet.com
    http://www.yourblog.in
    ----------------------------
    Public PGP key 0x6B0B9508 at http://www.kfwebs.net/pgp/


  6. Re: Compromised Linux server!

    On 20 Mar 2006 16:23:57 -0800, "Tom" wrote:

    >How should I port the sites over from backup when they are most likely
    >infected?


    The system is compromised, as you may be too, depending on the content
    you've been serving, and local laws.

    Start clean, and I do mean zero and then format the OS partitions before
    re-installing: 'when in doubt, chuck it out'. Otherwise you get to
    do all this over again next month.

    Grant.
    --
    Memory fault -- brain fried

  7. Re: Compromised Linux server!

    I'll keep this anonymous, but check these out (note telnet):

    Code:
    [root@server cgi-bin]# nmap -v 10.2.2.21
    
    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-03-20
    19:36 CST
    Initiating SYN Stealth Scan against host-10-2-2-21.domain.com
    (10.2.2.21) [1663 ports] at 19:36
    Discovered open port 23/tcp on 10.2.2.21
    Discovered open port 443/tcp on 10.2.2.21
    Discovered open port 80/tcp on 10.2.2.21
    Discovered open port 22/tcp on 10.2.2.21
    Discovered open port 25/tcp on 10.2.2.21
    Discovered open port 139/tcp on 10.2.2.21
    Discovered open port 802/tcp on 10.2.2.21
    Discovered open port 917/tcp on 10.2.2.21
    Discovered open port 81/tcp on 10.2.2.21
    Discovered open port 111/tcp on 10.2.2.21
    Discovered open port 6969/tcp on 10.2.2.21
    The SYN Stealth Scan took 0.12s to scan 1663 total ports.
    Host host-10-2-2-21.domain.com (10.2.2.21) appears to be up ... good.
    Interesting ports on host-.domain.com (10.2.2.21):
    (The 1652 ports scanned but not shown below are in state: closed)
    PORT STATE SERVICE
    22/tcp open ssh
    23/tcp open telnet
    25/tcp open smtp
    80/tcp open http
    81/tcp open hosts2-ns
    111/tcp open rpcbind
    139/tcp open netbios-ssn
    443/tcp open https
    802/tcp open unknown
    917/tcp open unknown
    6969/tcp open acmsoda
    
    Nmap finished: 1 IP address (1 host up) scanned in 0.258 seconds
    Raw packets sent: 1665 (66.6KB) | Rcvd: 3339 (134KB)

    Grant wrote:
    > On 20 Mar 2006 16:23:57 -0800, "Tom" wrote:
    >
    > >How should I port the sites over from backup when they are most likely
    > >infected?

    >
    > The system is compromised, as you may be too, depending on the content
    > you've been serving, and local laws.
    >
    > Start clean, and I do mean zero then format OS partitions before
    > re-install, 'when in doubt, chuck it out'. Otherwise you get to
    > do all this over again next month.
    >
    > Grant.
    > --
    > Memory fault -- brain fried



  8. Re: Compromised Linux server!

    Tom wrote:
    > So me and a new guy at work (we just started a couple of months ago)
    > were poking around our main Linux web server. We pulled a .tar backup
    > from the server to look around, and it was 12GB. Well, as it turns out
    > 11GB of that is movies, porn, applications / general warez -- all in
    > GERMAN. Also, many of the php file seem to be infected with malicious
    > "trojan code" as Symantec has it labeled.
    > It looks like the entire server has basically been comprimised.


    Start here:
    http://www.cert.org/tech_tips/win-UN...ompromise.html


  9. Re: Compromised Linux server!


    "Tom" wrote in message
    news:1142905255.272330.88140@u72g2000cwu.googlegroups.com...
    > I'll keep this anonymous, but check these out (note telnet):
    >
    >
    Code:
    > [root@server cgi-bin]# nmap -v 10.2.2.21
    >
    > Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-03-20
    > 19:36 CST
    > Initiating SYN Stealth Scan against host-10-2-2-21.domain.com
    > (10.2.2.21) [1663 ports] at 19:36
    > Discovered open port 23/tcp on 10.2.2.21
    > Discovered open port 443/tcp on 10.2.2.21
    > Discovered open port 80/tcp on 10.2.2.21
    > Discovered open port 22/tcp on 10.2.2.21
    > Discovered open port 25/tcp on 10.2.2.21
    > Discovered open port 139/tcp on 10.2.2.21
    > Discovered open port 802/tcp on 10.2.2.21
    > Discovered open port 917/tcp on 10.2.2.21
    > Discovered open port 81/tcp on 10.2.2.21
    > Discovered open port 111/tcp on 10.2.2.21
    > Discovered open port 6969/tcp on 10.2.2.21
    > The SYN Stealth Scan took 0.12s to scan 1663 total ports.
    > Host host-10-2-2-21.domain.com (10.2.2.21) appears to be up ... good.
    > Interesting ports on host-.domain.com (10.2.2.21):
    > (The 1652 ports scanned but not shown below are in state: closed)
    > PORT STATE SERVICE
    > 22/tcp open ssh
    > 23/tcp open telnet
    > 25/tcp open smtp
    > 80/tcp open http
    > 81/tcp open hosts2-ns
    > 111/tcp open rpcbind
    > 139/tcp open netbios-ssn
    > 443/tcp open https
    > 802/tcp open unknown
    > 917/tcp open unknown
    > 6969/tcp open acmsoda
    >
    > Nmap finished: 1 IP address (1 host up) scanned in 0.258 seconds
    > Raw packets sent: 1665 (66.6KB) | Rcvd: 3339 (134KB)
    >
    >
    > Grant wrote:
    >> On 20 Mar 2006 16:23:57 -0800, "Tom" wrote:
    >>
    >> >How should I port the sites over from backup when they are most likely
    >> >infected?

    >>
    >> The system is compromised, as you may be too, depending on the content
    >> you've been serving, and local laws.
    >>
    >> Start clean, and I do mean zero then format OS partitions before
    >> re-install, 'when in doubt, chuck it out'. Otherwise you get to
    >> do all this over again next month.
    >>
    >> Grant.
    >> --
    >> Memory fault -- brain fried

    >


    Another 2 cents.

    You did not describe the business this server performs. If it is a web
    server for customers, build a new machine and copy the customer sites over.
    Then exchange machines in off hours.

    Doug



  10. Re: Compromised Linux server!

    "Tom" said:
    >How should I port the sites over from backup when they are most likely
    >infected?
    >
    >This will mean lost money from downtime due to customers, not to
    >mention the possiblity we might LOSE some customers if I need to take
    >their sites down....


    How about losing customers after someone contacts them due to content
    on their sites / due to their sites spreading malware?

    Please, act to save your customers from being contacted. Be proactive;
    have a customer rep contact your customers and explain the situation
    and the consequences - and negotiate a deal.
    --
    Wolf a.k.a. Juha Laiho Espoo, Finland
    (GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
    PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
    "...cancel my subscription to the resurrection!" (Jim Morrison)
