Hello, I have had my ISPConfig 2.2.19 for the past year or so! For the past 2 weeks we have been noticing that the user Admispco (which I think is the user Admispconfig) shows up with the command "stealth" when monitoring with top. The traffic of the server goes to the highest possible, with CPU at 100%, until we kill it. Our datacenter is advising us that our server is engaged in a DDoS attack!! Now the question is: what is this user Admispco or Admispconfig? And how can I check on this process called Stealth!! Running Ubuntu Gutsy. Please, urgent help. Thanks
Stealth is a DDoS program that is used to flood..... Now... Admispco is not an ISPConfig username. Your server was probably hacked and the attacker made a username (Admispco) and uses it to flood from it. Delete or change the password of that user and check the login log.... and track the IP that logged in last... and sue the dumb ass... Oh... and install rkhunter to check for a rootkit.... I'm 100% sure he installed one too. If you need more help I'll be happy to help
Hello, I am working on the rkhunter install as we speak. On the other hand, how can I do the other stuff such as log investigation, etc.? Can we have a direct line of communication such as chat or IRC for 15-30 mins? Thanks a lot, R
Another user pops up when I cat passwd, called ispconfigend. Is there anything like this in ISPConfig?! Thanks
After I deleted the unknown users admispconfig and ispconfigend, I am now receiving over 100 MAIL DELIVERY DAEMON confirmation emails for every email I send, with the message below:
This is the mail system at MYHOST.
I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can delete your own text from the attached returned message.
The mail system
<[email protected]>: unknown user: "admispconfig"
PLEASE URGENT HELP
Hi, now I can't start my HTTP ISPConfig control panel.... I keep getting this message:
Starting ISPConfig system...
ispconfig_httpd: bad user name admispconfig
/root/ispconfig/httpd/bin/apachectl startssl: httpd could not be started
WARNING: Can't get information about user admispconfig.
ISPConfig system is now up and running!
Please, someone help me here! Thanks
Deleting the users admispconfig and admispconfigend was a very bad idea; these are the users ISPConfig runs as. ISPConfig will not work without them, and creating new users will not work either, as the user IDs will not match those of the original users. I hope that you have a full backup of your system so that you can restore the passwd, shadow and group files from it?
Till, thanks a lot. I guess it is my fault now that this happened, as I listened to robilaur, as you can see above!!!! I have a 2 months old backup of the server... this will for sure make me lose my clients..... Is there anything that can loop this matter at least to get my email users' names (the ones before the @, not the one used for login)? Thanks again
That's no problem if the backup is 2 months old, as long as ISPConfig was installed then. Open your backup files, find the files /etc/passwd, /etc/shadow and /etc/group, and copy only the two lines for admispconfig and admispconfigend from the backup files to the same files in your current setup.
No. Just copy, and do not try to recreate the users or you will mess up your setup even more. Before you start, make a backup copy of the whole /etc directory, e.g. like this: tar pcfz /home/etc_backup.tar.gz /etc, in case anything goes wrong.
Sorry for the delay.... dacto, I told you to delete the admispco user, not the adminispconfig one..... OK, if you still need help with the rootkit and the stealth program, you can reach me on my Yahoo Messenger ID: laurentiu_gal
In /etc/passwd, you will find 2 lines similar to these:
Code:
admispconfig:x:1001:1001:Administrator ISPConfig:/home/admispconfig:/bin/bash
ispconfigend:x:20000:20000::/home/ispconfigend:/usr/sbin/nologin
Add these at the end of your /etc/passwd file on the current system. Do the same for the 2 lines with admispconfig and ispconfigend that you will find in the passwd and group file.
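As an added example (not code from the thread or from ISPConfig itself), this POSIX sh script carries out the copy Till describes on passwd, shadow and group: it snapshots the live directory first, appends only the two entries taken from the backup, and refuses if the uid or gid on one of those lines is already taken in the live file, which is the mismatch Till warns about. The backup path, the constructed sample entries and the placeholder hashes are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: copy the admispconfig and ispconfigend
# entries from a backup copy of /etc into the live copy without recreating the
# users, so the original uid/gid values survive. It works on directories, so it
# can be rehearsed on the constructed scratch copy below before being pointed
# at the real system, e.g.: restore_ispconfig_accounts /mnt/backup/etc /etc
set -eu

restore_ispconfig_accounts() {
    bak="$1"; live="$2"
    # Snapshot the live directory first, as advised in the thread.
    cp -Rp "$live" "$live.before-restore.$$"
    for f in passwd shadow group; do
        for name in admispconfig ispconfigend; do
            if grep -q "^$name:" "$live/$f"; then
                echo "$f: $name already present, leaving it alone"
                continue
            fi
            line=$(grep "^$name:" "$bak/$f") || {
                echo "$f: no entry for $name in backup, aborting" >&2; return 1; }
            if [ "$f" != shadow ]; then
                # passwd/group: field 3 is the numeric id, which must still be free
                id=$(printf '%s\n' "$line" | cut -d: -f3)
                if cut -d: -f3 "$live/$f" | grep -qx "$id"; then
                    echo "$f: id $id of $name is already taken, aborting" >&2; return 1
                fi
            fi
            printf '%s\n' "$line" >> "$live/$f"
        done
    done
}

# Constructed demo data with placeholder hashes, so this runs without touching /etc.
demo=$(mktemp -d)
mkdir "$demo/backup_etc" "$demo/etc"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
  'admispconfig:x:1001:1001:Administrator ISPConfig:/home/admispconfig:/bin/bash' \
  'ispconfigend:x:20000:20000::/home/ispconfigend:/usr/sbin/nologin' > "$demo/backup_etc/passwd"
printf '%s\n' 'root:PLACEHOLDER_HASH:14000:0:99999:7:::' \
  'admispconfig:PLACEHOLDER_HASH:14000:0:99999:7:::' \
  'ispconfigend:*:14000:0:99999:7:::' > "$demo/backup_etc/shadow"
printf '%s\n' 'root:x:0:' 'admispconfig:x:1001:' 'ispconfigend:x:20000:' > "$demo/backup_etc/group"
# The "live" copy reproduces the state after the two users were deleted: only root remains.
for f in passwd shadow group; do head -n 1 "$demo/backup_etc/$f" > "$demo/etc/$f"; done

restore_ispconfig_accounts "$demo/backup_etc" "$demo/etc"
grep -e '^admispconfig:' -e '^ispconfigend:' "$demo/etc/passwd"
```

Running it a second time is a no-op, because entries already present are skipped rather than appended twice.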
One additional note. If you have Roundcube installed, please update it to the latest version. Roundcube had a vulnerability which allowed attackers to place files on your server; as the Roundcube .pkg runs on the ISPConfig server on port 81, a malicious script will run as the same user "admispconfig", so this might explain why the process occurred under that user.