Hacked server

Discussion in 'Installation/Configuration' started by Captain, Dec 20, 2010.

  1. Captain (Member)

    Hello!

    I have a big problem: my server is hacked.
    I have ISPConfig2 final.
    The hacker has a full list of my /var/www directories.
    And has FTP access to all users.
    He has the passwords from FTP. How can that be? As far as I know, all passwords are encrypted.
    No user has shell access in my ISPConfig.
    In auth.log everything is clean.
    In the other logs I did not see anything wrong.

    In htop I see one process at 100%: it is /usr/sbin/apache2 -k start; it changes PID but still stays at 100%.

    chkrootkit log:
    Code:
    root@itex:~# chkrootkit
    ROOTDIR is `/'
    Checking `amd'...                                           not found
    Checking `basename'...                                      not infected
    Checking `biff'...                                          not found
    Checking `chfn'...                                          not infected
    Checking `chsh'...                                          not infected
    Checking `cron'...                                          not infected
    Checking `crontab'...                                       not infected
    Checking `date'...                                          not infected
    Checking `du'...                                            not infected
    Checking `dirname'...                                       not infected
    Checking `echo'...                                          not infected
    Checking `egrep'...                                         not infected
    Checking `env'...                                           not infected
    Checking `find'...                                          not infected
    Checking `fingerd'...                                       not found
    Checking `gpm'...                                           not found
    Checking `grep'...                                          not infected
    Checking `hdparm'...                                        not infected
    Checking `su'...                                            not infected
    Checking `ifconfig'...                                      not infected
    Checking `inetd'...                                         not infected
    Checking `inetdconf'...                                     not infected
    Checking `identd'...                                        not found
    Checking `init'...                                          not infected
    Checking `killall'...                                       not infected
    Checking `ldsopreload'...                                   not infected
    Checking `login'...                                         not infected
    Checking `ls'...                                            not infected
    Checking `lsof'...                                          not infected
    Checking `mail'...                                          not found
    Checking `mingetty'...                                      not found
    Checking `netstat'...                                       not infected
    Checking `named'...                                         not infected
    Checking `passwd'...                                        not infected
    Checking `pidof'...                                         not infected
    Checking `pop2'...                                          not found
    Checking `pop3'...                                          not found
    Checking `ps'...                                            not infected
    Checking `pstree'...                                        not infected
    Checking `rpcinfo'...                                       not infected
    Checking `rlogind'...                                       not found
    Checking `rshd'...                                          not found
    Checking `slogin'...                                        not infected
    Checking `sendmail'...                                      not infected
    Checking `sshd'...                                          not infected
    Checking `syslogd'...                                       not tested
    Checking `tar'...                                           not infected
    Checking `tcpd'...                                          not infected
    Checking `tcpdump'...                                       not infected
    Checking `top'...                                           not infected
    Checking `telnetd'...                                       not found
    Checking `timed'...                                         not found
    Checking `traceroute'...                                    not found
    Checking `vdir'...                                          not infected
    Checking `w'...                                             not infected
    Checking `write'...                                         not infected
    Checking `aliens'...                                        no suspect files
    Searching for sniffer's logs, it may take a while...        nothing found
    Searching for rootkit HiDrootkit's default files...         nothing found
    Searching for rootkit t0rn's default files...               nothing found
    Searching for t0rn's v8 defaults...                         nothing found
    Searching for rootkit Lion's default files...               nothing found
    Searching for rootkit RSHA's default files...               nothing found
    Searching for rootkit RH-Sharpe's default files...          nothing found
    Searching for Ambient's rootkit (ark) default files and dirs... nothing found
    Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
    /usr/lib/pymodules/python2.6/.path
    
    Searching for LPD Worm files and dirs...                    nothing found
    Searching for Ramen Worm files and dirs...                  nothing found
    Searching for Maniac files and dirs...                      nothing found
    Searching for RK17 files and dirs...                        nothing found
    Searching for Ducoci rootkit...                             nothing found
    Searching for Adore Worm...                                 nothing found
    Searching for ShitC Worm...                                 nothing found
    Searching for Omega Worm...                                 nothing found
    Searching for Sadmind/IIS Worm...                           nothing found
    Searching for MonKit...                                     nothing found
    Searching for Showtee...                                    nothing found
    Searching for OpticKit...                                   nothing found
    Searching for T.R.K...                                      nothing found
    Searching for Mithra...                                     nothing found
    Searching for LOC rootkit...                                nothing found
    Searching for Romanian rootkit...                           nothing found
    Searching for Suckit rootkit...                             nothing found
    Searching for Volc rootkit...                               nothing found
    Searching for Gold2 rootkit...                              nothing found
    Searching for TC2 Worm default files and dirs...            nothing found
    Searching for Anonoying rootkit default files and dirs...   nothing found
    Searching for ZK rootkit default files and dirs...          nothing found
    Searching for ShKit rootkit default files and dirs...       nothing found
    Searching for AjaKit rootkit default files and dirs...      nothing found
    Searching for zaRwT rootkit default files and dirs...       nothing found
    Searching for Madalin rootkit default files...              nothing found
    Searching for Fu rootkit default files...                   nothing found
    Searching for ESRK rootkit default files...                 nothing found
    Searching for rootedoor...                                  nothing found
    Searching for ENYELKM rootkit default files...              nothing found
    Searching for common ssh-scanners default files...          nothing found
    Searching for suspect PHP files...                          nothing found
    Searching for anomalies in shell history files...           nothing found
    Checking `asp'...                                           not infected
    Checking `bindshell'...                                     INFECTED (PORTS:  1524 6667 31337)
    Checking `lkm'...                                           chkproc: nothing detected
    chkdirs: nothing detected
    Checking `rexedcs'...                                       not found
    Checking `sniffer'...                                       lo: not promisc and no packet sniffer sockets
    eth0: not promisc and no packet sniffer sockets
    Checking `w55808'...                                        not infected
    Checking `wted'...                                          chkwtmp: nothing deleted
    Checking `scalper'...                                       not infected
    Checking `slapper'...                                       not infected
    Checking `z2'...                                            chklastlog: nothing deleted
    Checking `chkutmp'...                                       chkutmp: nothing deleted
    Checking `OSX_RSPLUG'...                                    not infected
    
    
    In rkhunter:
    Code:
    Warning: The file properties have changed:
             File: /bin/cat
             Current hash: e97ebdac9d5b18b608946cc379a9f7fff7d92353
             Stored hash : b4459e224fc2e864e605c4b5e2148598afbf7d0b
             Current inode: 10887308    Stored inode: 10887210
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /bin/chmod
             Current hash: 73108f0862817a044ed09e1f6f2c4ed72eea14f6
             Stored hash : 9deabae4c35c3488ce25aed6b9b7bdddf48cdadb
             Current inode: 10887294    Stored inode: 10887233
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /bin/chown
             Current hash: 8d341f31ec01fe4cebfec3b1a6da299f957a1f8a
             Stored hash : 900cd762fe71289f69790e7f16e616716a1c1786
             Current inode: 10887216    Stored inode: 10887234
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /bin/cp
             Current hash: c8ca8827835e6a9d55acc4ff15dd52742c74dcdf
             Stored hash : fb853246b80622a3f6a1995d13ffd3802f38c8b1
             Current inode: 10887299    Stored inode: 10887236
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /bin/date
             Current hash: 7fb8e614b5a2f0f2983533302c8dad8885f73338
             Stored hash : 507ce363537fc49d5bfecdfebd7b769f69c416d5
             Current inode: 10887295    Stored inode: 10887251
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /bin/df
             Current hash: 3e691e8aebed0b0fd113b4926f653e81f9ac7e93
             Stored hash : bd9c4d8777ba27ed3503035657d0f3cd099a5fa9
             Current inode: 10887302    Stored inode: 10887255
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /bin/echo
             Current hash: 9c0c91f011e6f8e143d714d61abfe9037a763642
             Stored hash : 0827d20d70ebdd7dab3d5ef2413bd12167f13a13
             Current inode: 10887311    Stored inode: 10887257
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /bin/ls
             Current hash: a2b9552a4ad2d2f2da70709d625e021f2f8236e0
             Stored hash : a1b43a43a2bf5f603e96d42f4e4400c0efad500a
             Current inode: 10887229    Stored inode: 10887260
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /bin/mktemp
             Current hash: 1dcbbf4346dab185de281c3ba0642e385c2f73a7
             Stored hash : fb4891ada858bc911dfeae21e401916e0791bbf5
             Current inode: 10887304    Stored inode: 10887314
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /bin/mv
             Current hash: 3b4508d59c6215ea6144c6f69a1c16af998731a0
             Stored hash : 22199c64e9bccc0e0daf5b1d14a72286cbbab373
             Current inode: 10887307    Stored inode: 10887268
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /bin/pwd
             Current hash: 209f342ecc209ff76ef8a5c27410cc1242873a53
             Stored hash : 0c533b7192c2b459ddedc74549130d14925329ea
             Current inode: 10887305    Stored inode: 10887269
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /bin/readlink
             Current hash: 624851b7b0d9197e92300cf094a8f813217aa679
             Stored hash : 172313f00bb722e482e89557cd2fdb93e719af27
             Current inode: 10887230    Stored inode: 10887272
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /bin/touch
             Current hash: 2a6e3c1ba3e644caa600c14b82776e3f48641b43
             Stored hash : 430faece0db16f66bdcdf9af8ac31fca2b6dae2d
             Current inode: 10887309    Stored inode: 10887280
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /bin/uname
             Current hash: 114fe62c6bec5d64be2d16596e9201cac4dec4a8
             Stored hash : dc4c05156a0b404f168849f35082ae1d30d117d1
             Current inode: 10887296    Stored inode: 10887313
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /usr/bin/basename
             Current hash: 5383a1a9de7908f013fdaeb43163c8a83141a45a
             Stored hash : 264c7b9a61d79495a95fd4794ce0055166839278
             Current inode: 5849381    Stored inode: 5494094
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /usr/bin/chattr
             Current inode: 5488799    Stored inode: 5488801
             Current file modification time: 1282026587 (17-Aug-2010 09:29:47)
             Stored file modification time : 1271651439 (19-Apr-2010 07:30:39)
    Warning: The file properties have changed:
             File: /usr/bin/cut
             Current hash: 2695f102096a30df2fb41f0c9deb71006ce6334d
             Stored hash : d795c887aacfafea7f5a192b85db48a275e8d2dd
             Current inode: 5850230    Stored inode: 5494065
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /usr/bin/dirname
             Current hash: 4c5f02ceb63f20719ee844fc4f0904a7fa636de0
             Stored hash : bb586d3753df795fc06193f5375e1ba7fd54e53f
             Current inode: 5849371    Stored inode: 5494095
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /usr/bin/dpkg
             Current hash: a0ba8c77acc1ad352df334fa96ff104034839ed0
             Stored hash : d1b801ab6edd934c8b0cf3602ecbf3778299e452
             Current inode: 5849266    Stored inode: 5494358
             Current file modification time: 1286286079 (05-Oct-2010 16:41:19)
             Stored file modification time : 1277742462 (28-Jun-2010 19:27:42)
    Warning: The file properties have changed:
             File: /usr/bin/dpkg-query
             Current hash: e25c63dda635002257ae9567854289e0fd29af6f
             Stored hash : 4b280474ec39aaf7f07af7f9f11736905622d2e0
             Current inode: 6766611    Stored inode: 5494361
             Current file modification time: 1286286079 (05-Oct-2010 16:41:19)
             Stored file modification time : 1277742462 (28-Jun-2010 19:27:42)
    Warning: The file properties have changed:
             File: /usr/bin/du
             Current hash: 48ba70d0f970534d8b83e14e314f038af66a4250
             Stored hash : 7524dda0a64f840d524e5989d5a7f0b78bd21b7a
             Current inode: 5850224    Stored inode: 5494008
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /usr/bin/env
             Current hash: cc76cbf003843a8e1cc24798ef15845f95d9c071
             Stored hash : ee53e355a39c21de9cb235160460827be98e4181
             Current inode: 5849386    Stored inode: 5494096
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /usr/bin/GET
             Current inode: 5489655    Stored inode: 5490133
             Current file modification time: 1283311824 (01-Sep-2010 06:30:24)
             Stored file modification time : 1277047006 (20-Jun-2010 18:16:46)
    Warning: The file properties have changed:
             File: /usr/bin/groups
             Current hash: e5af040ef7917bf9c08c3c2086d1344de29249fb
             Stored hash : 0cd8b1502a4fd12396dfb5e2df98ed3dfee42f44
             Current inode: 5850253    Stored inode: 5494071
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /usr/bin/head
             Current hash: 4c9ec31d346f4eb9753f2741cf75edf26ff27ba1
             Stored hash : 1c67b2c64ace31473febe7ea6b3f4f761e71c649
             Current inode: 5850245    Stored inode: 5494069
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /usr/bin/id
             Current hash: aefc526afed345e18da85cbcb31c5b04add9874f
             Stored hash : 59e87657aba2628c5579281edd7b91241acd0165
             Current inode: 5850244    Stored inode: 5494099
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /usr/bin/ldd
             Current hash: 8279769f4accb9fff41efd0f3c3cdfbb76c29f0a
             Stored hash : 32b0f6e26bc337becb5e4539c8890180607361c4
             Current inode: 5753578    Stored inode: 5491594
             Current file modification time: 1290010999 (17-Nov-2010 18:23:19)
             Stored file modification time : 1276526043 (14-Jun-2010 17:34:03)
    Warning: The file properties have changed:
             File: /usr/bin/lsattr
             Current inode: 5488800    Stored inode: 5488802
             Current file modification time: 1282026587 (17-Aug-2010 09:29:47)
             Stored file modification time : 1271651439 (19-Apr-2010 07:30:39)
    Warning: The file properties have changed:
             File: /usr/bin/md5sum
             Current hash: 4adf0c4adcb76edfa65a67724aa816ce8d30e494
             Stored hash : 1618f47f2b480baed63979ec58783d4b7748342f
             Current inode: 5850192    Stored inode: 5494072
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /usr/bin/runcon
             Current hash: ecde1099b06e37e6cd7fb94d94289c0889172550
             Stored hash : 0107cd99e3104732a3fbc9c44992b4b577ead465
             Current inode: 5849378    Stored inode: 5495343
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /usr/bin/sha1sum
             Current hash: d5d2fb34cad745ae12953c005859f22f62e41325
             Stored hash : 0583612bf59245f7845b2b3019bea7de275ef3b6
             Current inode: 5850165    Stored inode: 5494078
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /usr/bin/sha224sum
             Current hash: 978ba276bf54cb5124d27928a861bd3ad84318b0
             Stored hash : 1f40e2de46097fd28de96fce6d0c184aef34c54d
             Current inode: 5850234    Stored inode: 5494079
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /usr/bin/sha256sum
             Current hash: 661a34018a4e5cb6fe2998e1af7f507f385ddb5d
             Stored hash : bf8b1a1f2ceda14126ab592cd995e105591bf360
             Current inode: 5850200    Stored inode: 5494080
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /usr/bin/sha384sum
             Current hash: 72880bb3433b56a43591ebe04db124fed640e510
             Stored hash : d50583cb1d463dcd8a8170004f96769d474bc3b5
             Current inode: 5850156    Stored inode: 5494081
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /usr/bin/sha512sum
             Current hash: 25e03be6bec7372df8b4af8819030eb5589b8ead
             Stored hash : 540dfcf5ba44dcc7bf0462e0633526b2337386a7
             Current inode: 5850226    Stored inode: 5494082
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /usr/bin/size
             Current inode: 5490399    Stored inode: 5490330
             Current file modification time: 1282315301 (20-Aug-2010 17:41:41)
             Stored file modification time : 1276856121 (18-Jun-2010 13:15:21)
    Warning: The file properties have changed:
             File: /usr/bin/sort
             Current hash: 8eb30a901129950028af373ec819d9bc306c8080
             Stored hash : 06a5511ea8bff3ec9221286cfb0a182d3258052d
             Current inode: 5850247    Stored inode: 5494084
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /usr/bin/stat
             Current hash: 278b154243387600aec64c53c487b511bae71ebd
             Stored hash : 2890a89ffb9017633208ee7dc958a4dfcf7214aa
             Current inode: 5850160    Stored inode: 5494045
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /usr/bin/strings
             Current inode: 5490445    Stored inode: 5490336
             Current file modification time: 1282315301 (20-Aug-2010 17:41:41)
             Stored file modification time : 1276856121 (18-Jun-2010 13:15:21)
    Warning: The file properties have changed:
             File: /usr/bin/sudo
             Current hash: 28282f23881b53b83b8accc9cc050ff033db973e
             Stored hash : e14fc0a01a7f3ada1530a55cbcc34b9b4d041f7d
             Current inode: 5490340    Stored inode: 5489887
             Current file modification time: 1283287154 (31-Aug-2010 23:39:14)
             Stored file modification time : 1276893615 (18-Jun-2010 23:40:15)
    Warning: The file properties have changed:
             File: /usr/bin/tail
             Current hash: dab94cdba093f2a2941157c874037f68cae4a91d
             Stored hash : b2cddf91b08280a60da8c529a73b275fdf3f26dd
             Current inode: 5849383    Stored inode: 5494088
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /usr/bin/test
             Current hash: 62065ae8d6029648f8047db9669cc4772d276931
             Stored hash : cda761fde4e8435cd7b03c8589c4b4eda8295c58
             Current inode: 5850166    Stored inode: 5495346
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /usr/bin/touch
             Current hash: 2a6e3c1ba3e644caa600c14b82776e3f48641b43
             Stored hash : 430faece0db16f66bdcdf9af8ac31fca2b6dae2d
             Current inode: 5850256    Stored inode: 5489846
             Current file modification time: 1286359395 (06-Oct-2010 13:03:15)
             Stored file modification time : 1277046763 (20-Jun-2010 18:12:43)
    Warning: The file properties have changed:
             File: /usr/bin/tr
             Current hash: e9f376e38f57e1131df918cb1ab76b94744f86e9
             Stored hash : f2d44e8d350ea8e73f3a83353a144ce68578fbe5
             Current inode: 5850164    Stored inode: 5494089
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /usr/bin/uniq
             Current hash: 4168e44cfcb992dbe723b96b2801547af247be10
             Stored hash : 43f3e863b58adc31d9628f8991975d2b40611849
             Current inode: 5850231    Stored inode: 5494092
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /usr/bin/users
             Current hash: a1bc94e2706cc6dc3af987a4c0e9b665bbe280b5
             Stored hash : 8767e00225b08e75d0aae78160ccad488d8eaa75
             Current inode: 5850248    Stored inode: 5494003
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /usr/bin/wc
             Current hash: c5c890ed97370d1119658731825161924467f05f
             Stored hash : f72ee7d6a9a57cc1184294d90076da217395998d
             Current inode: 5850158    Stored inode: 5494093
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /usr/bin/wget
             Current hash: 40b6e86e4445320b8df61f0b1aa8244dbe585749
             Stored hash : b61f694dd51488b5abf927098aa38d556ab58ce1
             Current inode: 5489774    Stored inode: 5491972
             Current size: 333396    Stored size: 333364
             Current file modification time: 1283357520 (01-Sep-2010 19:12:00)
             Stored file modification time : 1262786529 (06-Jan-2010 16:02:09)
    Warning: The file properties have changed:
             File: /usr/bin/whatis
             Current hash: 8ac1c97ded7d4c04614ae2b93b8b07f6a21ccbe7
             Stored hash : 5ada41e246dcdf065e4615cd9844bbd4380838a0
             Current inode: 5736584    Stored inode: 5491514
             Current file modification time: 1286285374 (05-Oct-2010 16:29:34)
             Stored file modification time : 1267525905 (02-Mar-2010 12:31:45)
    Warning: The file properties have changed:
             File: /usr/bin/who
             Current hash: 8e4c8189e794c1accce11ba98625ab9d423159ca
             Stored hash : 8ddd2c6fc1e2dece17a1fe159250e7a166ae6c95
             Current inode: 5850237    Stored inode: 5494002
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /usr/bin/whoami
             Current hash: c2334b613f35a709e6ab7a20ae631c67b2b13f01
             Stored hash : bb895528efeae96c6c4c935b263e496a20864b7f
             Current inode: 5850232    Stored inode: 5495349
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /usr/bin/lwp-request
             Current inode: 5488990    Stored inode: 5491398
             Current file modification time: 1282937552 (27-Aug-2010 22:32:32)
             Stored file modification time : 1262883889 (07-Jan-2010 19:04:49)
    Warning: The file properties have changed:
             File: /sbin/ifdown
             Current hash: 8492aba75f302334dc9c558c0f58b09ab3040479
             Stored hash : 36cd231c396a15983d0afe23e4e33dbb2349102a
             Current inode: 3891229    Stored inode: 3891280
             Current file modification time: 1282025603 (17-Aug-2010 09:13:23)
             Stored file modification time : 1266649378 (20-Feb-2010 09:02:58)
    Warning: The file properties have changed:
             File: /sbin/ifup
             Current hash: 8492aba75f302334dc9c558c0f58b09ab3040479
             Stored hash : 36cd231c396a15983d0afe23e4e33dbb2349102a
             Current inode: 3891229    Stored inode: 3891280
             Current file modification time: 1282025603 (17-Aug-2010 09:13:23)
             Stored file modification time : 1266649378 (20-Feb-2010 09:02:58)
    Warning: The file properties have changed:
             File: /sbin/init
             Current hash: 968cbc98023d4bed9a52fd6f2aa519457fe0412b
             Stored hash : d6997dd8ca3d89f8038729a284fb2447c35a1448
             Current inode: 3891237    Stored inode: 3891256
             Current file modification time: 1281659208 (13-Aug-2010 03:26:48)
             Stored file modification time : 1270150546 (01-Apr-2010 22:35:46)
    Warning: The file properties have changed:
             File: /sbin/runlevel
             Current hash: 028c8437b6cd831baf318e2acc5a8db8fb83c5f8
             Stored hash : 550b372a8615ea7d455105d2244f2cf8345f43b2
             Current inode: 3891283    Stored inode: 3891310
             Current file modification time: 1281659208 (13-Aug-2010 03:26:48)
             Stored file modification time : 1270150546 (01-Apr-2010 22:35:46)
    Warning: The file properties have changed:
             File: /usr/sbin/chroot
             Current hash: 01f757a4225821face374208e7baa283ae56e9aa
             Stored hash : 628f516c8f5a4bb0c816af24af980200dd0b937a
             Current inode: 5767182    Stored inode: 5495353
             Current file modification time: 1285094009 (21-Sep-2010 21:33:29)
             Stored file modification time : 1267759792 (05-Mar-2010 05:29:52)
    Warning: The file properties have changed:
             File: /usr/sbin/rsyslogd
             Current hash: ae3216d01c04f4da345589569bfaed37468868c5
             Stored hash : ecb3d75ebf81fbde157497fb036bded23ce49abb
             Current inode: 5488967    Stored inode: 5490750
             Current file modification time: 1292004118 (10-Dec-2010 20:01:58)
             Stored file modification time : 1267036087 (24-Feb-2010 20:28:07)
    Warning: Network TCP port 1524 is being used by /usr/sbin/portsentry. Possible rootkit: Possible FreeBSD (FBRK) Rootkit backdoor
             Use the 'lsof -i' or 'netstat -an' command to check this.
    Warning: Network TCP port 6667 is being used by /usr/sbin/portsentry. Possible rootkit: Possible rogue IRC bot
             Use the 'lsof -i' or 'netstat -an' command to check this.
    Warning: Network TCP port 31337 is being used by /usr/sbin/portsentry. Possible rootkit: Historical backdoor port
             Use the 'lsof -i' or 'netstat -an' command to check this.
    Warning: Changes found in the passwd file for user 'itex72_ftp':
    Warning: Changes found in the passwd file for user 'itex65_ftp':
    Warning: Changes found in the passwd file for user 'itex65_admin':
    Warning: Changes found in the passwd file for user 'itex65_info':
    Warning: Changes found in the passwd file for user 'itex72_ioncare':
    Warning: Changes found in the passwd file for user 'itex79_ftp':
    Warning: Changes found in the passwd file for user 'itex80_ftp':
    Warning: Changes found in the passwd file for user 'itex76_andrejae':
    Warning: Changes found in the passwd file for user 'itex76_noresin':
    Warning: Changes found in the passwd file for user 'itex76_ftp':
    Warning: Changes found in the passwd file for user 'itex69_ftp':
    Warning: Changes found in the passwd file for user 'itex69_info':
    Warning: Changes found in the passwd file for user 'itex68_ftp':
    Warning: Changes found in the passwd file for user 'itex68_info':
    Warning: Changes found in the passwd file for user 'itex83_ftp':
    Warning: Changes found in the passwd file for user 'itex88_ftp':
    Warning: Changes found in the passwd file for user 'itex88_mailer':
    Warning: Changes found in the passwd file for user 'itex88_info':
    Warning: Changes found in the passwd file for user 'itex49_ftp':
    Warning: Changes found in the passwd file for user 'itex49_office':
    Warning: Changes found in the passwd file for user 'itex94_ftp':
    Warning: Changes found in the passwd file for user 'itex75_ftp':
             The login shell has changed from '/bin/false' to '/dev/null'
    Warning: Changes found in the group file for group 'users':
    Warning: The SSH and rkhunter configuration options should be the same:
             SSH configuration option 'PermitRootLogin': yes
             Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
    Warning: Hidden directory found: /dev/.udev
    Warning: Hidden directory found: /dev/.initramfs
    
    
    
    How can a hacker see my /var/www catalog list?
    My server has many clients, and many sites run the Joomla engine.

    Please help to solve this problem.
     
    Last edited: Dec 21, 2010
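An added triage helper for rkhunter output like the log above (example code, not from this thread or the rkhunter project): it separates files whose hash actually differs from those where only the inode or mtime moved, and pulls out the passwd and port warnings. The sample log is a constructed excerpt in the same format; the bucket names are my own.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the rkhunter log quoted above
# (one warning of each kind; values copied from that log).
SAMPLE_LOG = """\
Warning: The file properties have changed:
         File: /usr/bin/who
         Current hash: 8e4c8189e794c1accce11ba98625ab9d423159ca
         Stored hash : 8ddd2c6fc1e2dece17a1fe159250e7a166ae6c95
         Current inode: 5850237    Stored inode: 5494002
Warning: The file properties have changed:
         File: /usr/bin/lwp-request
         Current inode: 5488990    Stored inode: 5491398
Warning: Network TCP port 6667 is being used by /usr/sbin/portsentry. Possible rootkit: Possible rogue IRC bot
         Use the 'lsof -i' or 'netstat -an' command to check this.
Warning: Changes found in the passwd file for user 'itex75_ftp':
         The login shell has changed from '/bin/false' to '/dev/null'
"""

PROP_RE = re.compile(r"(File|Current hash|Stored hash|Current inode|Stored inode)\s*:\s*(\S+)")
PORT_RE = re.compile(r"Network TCP port (\d+) is being used by (\S+)\.")
USER_RE = re.compile(r"Changes found in the passwd file for user '([^']+)'")

def parse_warnings(text):
    """Split the log into (headline, detail lines); indented lines belong to the last 'Warning:'."""
    warnings = []
    for line in text.splitlines():
        if line.startswith("Warning:"):
            warnings.append((line[len("Warning:"):].strip(), []))
        elif line.startswith(" ") and warnings:
            warnings[-1][1].append(line.strip())
    return warnings

def triage(text):
    """Bucket warnings so the ones to verify first (changed contents) stand out."""
    out = defaultdict(list)
    for head, details in parse_warnings(text):
        if head.startswith("The file properties have changed"):
            props = dict(m for d in details for m in PROP_RE.findall(d))
            # Differing hash = contents changed: cross-check against package checksums
            # before calling it tampering; inode/mtime-only usually means an update replaced the file.
            changed = props.get("Current hash") != props.get("Stored hash")
            out["content_changed" if changed else "metadata_only"].append(props["File"])
        elif m := PORT_RE.search(head):
            out["ports"].append((m.group(1), m.group(2)))  # confirm the owner with lsof -i
        elif m := USER_RE.search(head):
            out["passwd"].append((m.group(1), details[0] if details else ""))
    return dict(out)
```

A hash mismatch on a package-managed binary is checked against the package's own checksums (debsums on Debian/Ubuntu), and the rkhunter baseline is refreshed with `rkhunter --propupd` only once the file is confirmed clean.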
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Then you most likely have found the reason for the problem. Many hacks occur through vulnerabilities in unpatched Joomla installations.

    Cleaning such a hacked server is not easy and you can not be 100% sure that you found everything that the hackers modified.

    My recommendation is to do a backup of all websites and databases and then reinstall the system. Before you go live again, you should see if you can patch all Joomla systems, and you should consider switching to suPHP instead of mod_php. Disabling functions in PHP can also be used to harden an installation.

    This thread might be helpful for moving the ispconfig install to a new server:

    http://www.howtoforge.com/forums/showthread.php?t=2717
     
  3. Captain

    Captain Member

    Thank you Till for the reply.
    But at this moment, how can I close access to my server for hacking?
    At this moment I cannot power off the server because I have 20 clients.
    I need another solution.
    What can you advise me, Till?

    And as I understand, any one of my clients can install an unpatched Joomla and hack the server?! How can that be? Is it a security bug in ISPConfig or Ubuntu?

    P.S. And if I create a backup of all files as in this thread and reinstall the server, who can guarantee me that these files were not modified by the hacker?


    Thank you.
     
    Last edited: Dec 21, 2010
  4. Captain

    Captain Member

    About the hacking. One guy told me that the problem is in CGI Perl.
    How can we disable this function or close this bug in ISPConfig?

    Thank you.
     
    Last edited: Dec 22, 2010
  5. falko

    falko Super Moderator Howtoforge Staff

    How is this a security bug in ISPConfig or Ubuntu if someone installs an unpatched Joomla? This has nothing to do with ISPConfig and Ubuntu.
     
  6. Captain

    Captain Member

    Ok. If a hacker has FTP access he can execute a PHP or CGI Perl script and after that he has access to all /var/www folders.
    How can that be?
    If you have ISPConfig2 (Perfect Server install) with the latest updates and Ubuntu with the latest updates.

    P.S. The ispconfig user has a shell of /bin/false or /dev/null.
    And the "ispconfigend" user - is it an ispconfig user? I have this user.

    Thanks
     
    Last edited: Dec 22, 2010
  7. mini14

    mini14 Member

    Make sure your system is configured to use suPHP for PHP and suExec for Perl, and the only damage he should be able to do is in his own account.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    That's both ok. The shell of the website users depends on the website settings, e.g. if FTP is enabled, and the ispconfig and ispconfigend users are from the control panel server on port 81.

    Regarding your other question, see the answer from mini14 and the ISPConfig first steps guide. There are also quite a few hardening tutorials available which explain how to selectively deactivate functions in PHP etc.

    You should also use the PHP safe mode option from the website settings.
     
  9. Captain

    Captain Member

    Hello Till, thanks for the reply.
    I did the ISPConfig first steps at the first ISPConfig installation. My server has been working for 2-3 years. In ISPConfig, suExec is enabled in Settings.
    But how can I migrate to suPHP, and how does ISPConfig work with suPHP? If I install suPHP, will the other websites work ok?

    mini14: "the only damage he should be able to do is in his own account."

    As I know, the www-data user was hacked. I think the hacker downloaded a PHP or CGI script via FTP, and after that he has access to all /var/www catalogs, and if a file has chmod 777 he can modify this file. The server was installed with this Perfect Server install; it means that if you have an installation by this tutorial, a hacker can do this on any server installed with this tutorial.
     
    Last edited: Dec 23, 2010
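An added audit script for the situation described in this thread (example code, not from the thread or ISPConfig): with mod_php every site's PHP runs as www-data, so a file that was chmod 777'd so the web server can write it is also writable from a script in any other vhost. The script walks a docroot, reports world-writable entries and entries not owned by the site's own user, and clears the o+w bit; the docroot it checks is a constructed temporary one. With suPHP/suExec, PHP and CGI run as the site user, so owner-writable (0644/0755) is sufficient.

```python
import os
import stat
import tempfile

def audit_docroot(root, site_uid):
    """Walk a docroot without following symlinks. Report entries any local user can
    write (including a script running as www-data in another vhost) and entries
    not owned by the site's own user; site_uid is the uid that should own the site."""
    findings = {"world_writable": [], "foreign_owner": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are meaningless; audit its target separately
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:
                findings["world_writable"].append(rel)
            if st.st_uid != site_uid:
                findings["foreign_owner"].append(rel)
    for v in findings.values():
        v.sort()
    return findings

def remove_world_write(root):
    """Clear the o+w bit on every world-writable entry; returns how many were changed."""
    fixed = 0
    for rel in audit_docroot(root, os.lstat(root).st_uid)["world_writable"]:
        path = os.path.join(root, rel)
        os.chmod(path, (os.lstat(path).st_mode & 0o7777) & ~stat.S_IWOTH)
        fixed += 1
    return fixed

def demo():
    """Constructed docroot: a 777 cache dir, a 666 config file and one sane file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "images", "cache"))
    os.chmod(os.path.join(root, "images"), 0o755)
    os.chmod(os.path.join(root, "images", "cache"), 0o777)
    for rel, mode in (("configuration.php", 0o666), ("index.php", 0o644)):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php\n")
        os.chmod(os.path.join(root, rel), mode)
    before = audit_docroot(root, os.getuid())["world_writable"]
    fixed = remove_world_write(root)
    after = audit_docroot(root, os.getuid())["world_writable"]
    # everything is owned by the current user, so a different uid flags all four entries
    foreign = len(audit_docroot(root, os.getuid() + 1)["foreign_owner"])
    return {"before": before, "fixed": fixed, "after": after, "foreign_for_other_uid": foreign}
```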
