Discussion in 'General' started by dactor, Mar 23, 2009.

  1. dactor

    dactor New Member


    I have had my ispconfig 2.2.19 for the past year or so! For the past 2 weeks we have been noticing that user Admispco (which I think is user Admispconfig) is showing with command "stealth" when monitoring with top. The traffic of the server goes to the highest possible, with CPU at 100%, until we kill it.

    Our datacenter is advising us that our server is engaged in a DDoS attack!!

    Now the question is: what is this user Admispco or Admispconfig? And how can I check on this process called Stealth!!

    Running Ubuntu Gutsy.

    Please, urgent help. Thanks.
  2. robilaur

    robilaur New Member

    Stealth is a DDoS program that is used to flood..... now... Admispco is not an ISPConfig username. Your server was probably hacked and the attacker made a username (Admispco) and uses it to flood from it. Delete or change the password of that user and check the login log.... and track the IP that logged in last... and Su the dumb ass... Oh... and install rkhunter to check for a rootkit.... I'm 100% sure he installed one too. If you need more help I'll be happy to help.
  3. dactor

    dactor New Member


    I am working on the rkhunter install as we speak. On the other hand, how can I do the other stuff such as log investigation, etc.?

    Can we have direct communication, such as chat or IRC, for 15-30 mins!

    Thanks a lot.

  4. dactor

    dactor New Member

    Another user called ispconfigend pops up when I cat passwd? Is there anything like this in ISPConfig?!

  5. dactor

    dactor New Member

    After I deleted the unknown users admispconfig and ispconfigend, I am now receiving over 100 MAIL DELIVERY DAEMON confirmation emails for every email I send, with the below message:

    This is the mail system at MYHOST.

    I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

    For further assistance, please send mail to postmaster.

    If you do so, please include this problem report. You can delete your own text from the attached returned message.

    The mail system

    <[email protected]>: unknown user: "admispconfig"

  6. dactor

    dactor New Member


    Now I can't start my HTTP ispconfig control panel.... I keep getting this message:

    Starting ISPConfig system...
    ispconfig_httpd: bad user name admispconfig
    /root/ispconfig/httpd/bin/apachectl startssl: httpd could not be started
    WARNING: Can't get information about user admispconfig.
    ISPConfig system is now up and running!

    Please, someone help me here!

  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Deleting the users admispconfig and admispconfigend was a very bad idea; these are the users ISPConfig runs as. ISPConfig will not work without them, and creating new users will not work either, as the user IDs will not match the original users. I hope that you have a full backup of your system that you can restore the passwd, shadow and group files from?
  8. dactor

    dactor New Member


    Thanks a lot. I guess it is my fault now that this happened, as I listened to robilaur, as you can see above!!!!

    I have a 2-month-old backup of the server... this will for sure make me lose my clients.....

    Is there anything that can loop this matter, at least to get my email users' names (the ones before the @, not the ones used for login)?

    Thanks again.
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    That's no problem if the backup is 2 months old, as long as ispconfig was installed then. Open your backup files, find the files /etc/passwd, /etc/shadow and /etc/group and copy only these two lines for admispconfig and admispconfigend from the backup files to the same files in your current setup.
  10. dactor

    dactor New Member

    So do you advise recreating the users and then performing the task of copying?
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    No. Just copy and do not try to recreate the users or you will mess up your setup even more. Before you start make a backup copy of the whole /etc directory, e.g. like this:

    tar pcfz /home/etc_backup.tar.gz /etc

    in case that anything goes wrong.
  12. dactor

    dactor New Member

    What did you mean by copy these two lines?!
  13. robilaur

    robilaur New Member

    Sorry for the delay.... dactor, I told you to delete the admispco user, not the admispconfig..... OK, if you still need help with the rootkit and the stealth program you can reach me on my Yahoo Messenger ID: laurentiu_gal
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    In /etc/passwd, you will find 2 lines similar to these:

    admispconfig:x:1001:1001:Administrator ISPConfig:/home/admispconfig:/bin/bash

    Add these at the end of your /etc/passwd file on the current system.

    Do the same for the 2 lines with admispconfig and ispconfigend that you will find in the passwd and group files.
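The copy-the-lines step till describes, as an added shell script that is not from the thread or from ISPConfig itself: it takes an unpacked backup etc directory and the live one as arguments (the directory layout and the sample entries are assumptions), appends the admispconfig and ispconfigend lines from the backup passwd, shadow and group files, and refuses to append an entry whose name or numeric id is already taken, since a recreated account with a different uid is exactly the mismatch till warns about.

```shell
#!/bin/sh
# Added example (not from the thread): restore the ISPConfig accounts by
# copying their original lines from backup passwd/shadow/group files.
# Backup directory layout and the sample entries are assumptions.

restore_entry() {
    # $1 backup file, $2 live file, $3 account name
    bak="$1"; cur="$2"; name="$3"
    line=$(grep "^${name}:" "$bak" | head -n 1)
    if [ -z "$line" ]; then
        echo "no entry for $name in $bak" >&2
        return 1
    fi
    if grep -q "^${name}:" "$cur"; then
        echo "$name already present in $cur, leaving it alone" >&2
        return 0
    fi
    case "$cur" in
        *shadow) ;;   # shadow has no numeric id in field 3
        *)
            # passwd/group field 3 is the uid/gid; if another account holds
            # that id, appending would not restore the original ownership
            num=$(printf '%s\n' "$line" | cut -d: -f3)
            if cut -d: -f3 "$cur" | grep -qx "$num"; then
                echo "id $num for $name already taken in $cur" >&2
                return 1
            fi ;;
    esac
    printf '%s\n' "$line" >> "$cur"
}

# Copy both ISPConfig accounts into all three files; stop at the first problem.
restore_ispconfig_users() {
    bakdir="$1"; etcdir="$2"
    for f in passwd shadow group; do
        for name in admispconfig ispconfigend; do
            restore_entry "$bakdir/$f" "$etcdir/$f" "$name" || return 1
        done
    done
}

# e.g. sh restore_ispconfig_users.sh /home/etc_backup /etc
# (after unpacking the backup tar somewhere first)
if [ "$#" -eq 2 ]; then
    restore_ispconfig_users "$1" "$2"
fi
```

Run it on copies of the files first; a second run is a no-op because entries already present are skipped.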
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    One additional note. If you have Roundcube installed, please update it to the latest version. Roundcube had a vulnerability which allowed attackers to place files on your server. As the Roundcube .pkg runs on the ispconfig server on port 81, a malicious script will run as the same user "admispconfig", so this might explain why the process occurred under that user.