I received 168 of these e-mails while I was at work today:
Subject: Cron <root@server> chown root:root /tmp/r00t && chmod 4755 /tmp/r00t && rm -rf /etc/cron.d/core && kill -USR1 13559
Body: chown: cannot access `/tmp/r00t': No such file or directory
Any ideas?
I would say this does not look that good. You could take a look at your cronjobs and check your system with rkhunter (http://www.rootkit.nl/projects/rootkit_hunter.html). Do you have any possibly insecure web application, like a forum (vb, wbb, phpbb) or a "cms" like mambo etc., through which an attempt like this could be executed on your machine?
I have phpBB. I just got those e-mails for the first time today. I checked for the users logged in at the time of getting the e-mails and I was the only one logged in.
Code:
Rootkit Hunter 1.2.9 is running
Determining OS... Ready
Checking binaries
* Selftests
  Strings (command) [ OK ]
* System tools
  Info: prelinked files found
  Performing 'known good' check...
  /bin/cat [ BAD ]
  /bin/chmod [ BAD ]
  /bin/chown [ BAD ]
  /bin/date [ BAD ]
  /bin/dmesg [ OK ]
  /bin/env [ BAD ]
  /bin/grep [ OK ]
  /bin/kill [ OK ]
  /bin/login [ OK ]
  /bin/ls [ BAD ]
  /bin/more [ OK ]
  /bin/mount [ OK ]
  /bin/netstat [ BAD ]
  /bin/ps [ BAD ]
  /bin/su [ BAD ]
  /sbin/chkconfig [ OK ]
  /sbin/depmod [ OK ]
  /sbin/ifconfig [ BAD ]
  /sbin/init [ OK ]
  /sbin/insmod [ OK ]
  /sbin/ip [ OK ]
  /sbin/lsmod [ OK ]
  /sbin/modinfo [ OK ]
  /sbin/modprobe [ OK ]
  /sbin/rmmod [ OK ]
  /sbin/runlevel [ OK ]
  /sbin/sulogin [ OK ]
  /sbin/sysctl [ OK ]
  /sbin/syslogd [ OK ]
  /usr/bin/chattr [ OK ]
  /usr/bin/du [ BAD ]
  /usr/bin/file [ OK ]
  /usr/bin/find [ BAD ]
  /usr/bin/head [ BAD ]
  /usr/bin/killall [ OK ]
  /usr/bin/lsattr [ OK ]
  /usr/bin/md5sum [ BAD ]
  /usr/bin/passwd [ OK ]
  /usr/bin/pstree [ BAD ]
  /usr/bin/sha1sum [ BAD ]
  /usr/bin/stat [ BAD ]
  /usr/bin/top [ BAD ]
  /usr/bin/users [ BAD ]
  /usr/bin/vmstat [ OK ]
  /usr/bin/w [ OK ]
  /usr/bin/watch [ OK ]
  /usr/bin/wc [ BAD ]
  /usr/bin/wget [ BAD ]
  /usr/bin/whereis [ OK ]
  /usr/bin/who [ BAD ]
  /usr/bin/whoami [ BAD ]
--------------------------------------------------------------------------------
Rootkit Hunter has found some bad or unknown hashes. This can happen due to
replaced binaries or updated packages (which give other hashes). Be sure your
hashes are up-to-date (rkhunter --update). If you're in doubt about these
hashes, contact us through the Rootkit Hunter mailinglist at [email protected].
--------------------------------------------------------------------------------
[Press <ENTER> to continue]
Check rootkits
* Default files and directories
  Rootkit '55808 Trojan - Variant A'... [ OK ]
  ADM Worm... [ OK ]
  Rootkit 'AjaKit'... [ OK ]
  Rootkit 'aPa Kit'... [ OK ]
  Rootkit 'Apache Worm'... [ OK ]
  Rootkit 'Ambient (ark) Rootkit'... [ OK ]
  Rootkit 'Balaur Rootkit'... [ OK ]
  Rootkit 'BeastKit'... [ OK ]
  Rootkit 'beX2'... [ OK ]
  Rootkit 'BOBKit'... [ OK ]
  Rootkit 'CiNIK Worm (Slapper.B variant)'... [ OK ]
  Rootkit 'Danny-Boy's Abuse Kit'... [ OK ]
  Rootkit 'Devil RootKit'... [ OK ]
  Rootkit 'Dica'... [ OK ]
  Rootkit 'Dreams Rootkit'... [ OK ]
  Rootkit 'Duarawkz'... [ OK ]
  Rootkit 'Flea Linux Rootkit'... [ OK ]
  Rootkit 'FreeBSD Rootkit'... [ OK ]
  Rootkit 'mess`it Rootkit'... [ OK ]
  Rootkit 'GasKit'... [ OK ]
  Rootkit 'Heroin LKM'... [ OK ]
  Rootkit 'HjC Kit'... [ OK ]
  Rootkit 'ignoKit'... [ OK ]
  Rootkit 'ImperalsS-FBRK'... [ OK ]
  Rootkit 'Irix Rootkit'... [ OK ]
  Rootkit 'Kitko'... [ OK ]
  Rootkit 'Knark'... [ OK ]
  Rootkit 'Li0n Worm'... [ OK ]
  Rootkit 'Lockit / LJK2'... [ OK ]
  Rootkit 'MRK'... [ OK ]
  Rootkit 'Ni0 Rootkit'... [ OK ]
  Rootkit 'RootKit for SunOS / NSDAP'... [ OK ]
  Rootkit 'Optic Kit (Tux)'... [ OK ]
  Rootkit 'Oz Rootkit'... [ OK ]
  Rootkit 'Portacelo'... [ OK ]
  Rootkit 'R3dstorm Toolkit'... [ OK ]
  Rootkit 'RH-Sharpe's rootkit'... [ OK ]
  Rootkit 'RSHA's rootkit'... [ OK ]
  Sebek LKM... [ OK ]
  Rootkit 'Scalper Worm'... [ OK ]
  Rootkit 'Shutdown'... [ OK ]
  Rootkit 'SHV4'... [ Warning! ]
--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /dev/null).
--------------------------------------------------------------------------------
[Press <ENTER> to continue]
  Rootkit 'SHV5'... [ Warning! ]
--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /dev/null).
--------------------------------------------------------------------------------
[Press <ENTER> to continue]

Code:
  Rootkit 'Sin Rootkit'... [ OK ]
  Rootkit 'Slapper'... [ OK ]
  Rootkit 'Sneakin Rootkit'... [ OK ]
  Rootkit 'Suckit Rootkit'... [ OK ]
  Rootkit 'SunOS Rootkit'... [ OK ]
  Rootkit 'Superkit'... [ OK ]
  Rootkit 'TBD (Telnet BackDoor)'... [ OK ]
  Rootkit 'TeLeKiT'... [ OK ]
  Rootkit 'T0rn Rootkit'... [ OK ]
  Rootkit 'Trojanit Kit'... [ OK ]
  Rootkit 'Tuxtendo'... [ OK ]
  Rootkit 'URK'... [ OK ]
  Rootkit 'VcKit'... [ OK ]
  Rootkit 'Volc Rootkit'... [ OK ]
  Rootkit 'X-Org SunOS Rootkit'... [ OK ]
  Rootkit 'zaRwT.KiT Rootkit'... [ OK ]
* Suspicious files and malware
  Scanning for known rootkit strings [ OK ]
  Scanning for known rootkit files [ OK ]
  Testing running processes... [ OK ]
  Miscellaneous Login backdoors [ OK ]
  Miscellaneous directories [ OK ]
  Software related files [ OK ]
  Sniffer logs [ OK ]
[Press <ENTER> to continue]
* Trojan specific characteristics
  shv4
    Checking /etc/rc.d/rc.sysinit
      Test 1 [ Clean ]
      Test 2 [ Clean ]
      Test 3 [ Clean ]
    Checking /etc/inetd.conf [ Not found ]
    Checking /etc/xinetd.conf [ Clean ]
* Suspicious file properties
  chmod properties
    Checking /bin/ps [ Clean ]
    Checking /bin/ls [ Clean ]
    Checking /usr/bin/w [ Clean ]
    Checking /usr/bin/who [ Clean ]
    Checking /bin/netstat [ Clean ]
    Checking /bin/login [ Clean ]
  Script replacements
    Checking /bin/ps [ Clean ]
    Checking /bin/ls [ Clean ]
    Checking /usr/bin/w [ Clean ]
    Checking /usr/bin/who [ Clean ]
    Checking /bin/netstat [ Clean ]
    Checking /bin/login [ Clean ]
* OS dependant tests
  Linux
    Checking loaded kernel modules... [ OK ]
    Checking file attributes [ OK ]
    Checking LKM module path [ OK ]
Networking
* Check: frequently used backdoors
  Port 2001: Scalper Rootkit [ OK ]
  Port 2006: CB Rootkit [ OK ]
  Port 2128: MRK [ OK ]
  Port 14856: Optic Kit (Tux) [ OK ]
  Port 47107: T0rn Rootkit [ OK ]
  Port 60922: zaRwT.KiT [ OK ]
* Interfaces
  Scanning for promiscuous interfaces... [ OK ]
[Press <ENTER> to continue]
System checks
* Allround tests
  Checking hostname... Found. Hostname is server.vasceria.com
  Checking for passwordless user accounts... OK
  Checking for differences in user accounts... Found differences
  Info: ----------------------
  > dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
  > mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
  > admin_fedex:x:10006:10005:Tristan Lee:/home/www/web5:/bin/bash
  > tristanlee85:x:10011:10008:Tristan Lee:/home/www/web8:/bin/bash
  < admin_fedex:x:10006:10005:Tristan Lee:/home/www/web5:/bin/bash
  < forums:x:10025:10025:Tristan:/home/www/web25:/bin/bash
  < fdxsql:x:12015:12015::/home/fdxsql:/bin/bash
  < tristanlee85:x:10011:10008:Tristan Lee:/home/www/web8:/bin/bash
  < mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
  < tebriel:x:10049:10003:Chris:/home/www/web3/user/tebriel:/bin/bash
  < dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
  > forums:x:10025:10025:Tristan:/home/www/web25:/bin/bash
  ----------------------
  Info: Some items have been added (items marked with '<')
  Info: Some items have been removed (items marked with '>')
  Checking for differences in user groups... Found differences
  Info: ----------------------
  < users:x:100:sales,orders,phpbb,tebriel
  > users:x:100:sales,orders,phpbb
  > dovecot:x:97:
  > mysql:x:27:
  < fdxsql:x:12015:
  < mysql:x:27:
  < dovecot:x:97:
  ----------------------
  Info: Some items have been added (items marked with '<')
  Info: Some items have been removed (items marked with '>')
  Checking boot.local/rc.local file...
  - /etc/rc.local [ OK ]
  - /etc/rc.d/rc.local [ OK ]
  - /usr/local/etc/rc.local [ Not found ]
  - /usr/local/etc/rc.d/rc.local [ Not found ]
  - /etc/conf.d/local.start [ Not found ]
  - /etc/init.d/boot.local [ Not found ]
  Checking rc.d files... Processing........
  Result rc.d files check [ OK ]
  Checking history files
    Bourne Shell [ OK ]
* Filesystem checks
  Checking /dev for suspicious files... [ OK ]
  Scanning for hidden files... [ Warning! ]
---------------
/etc/.pwd.lock
/dev/.udev
---------------
Please inspect: /dev/.udev (directory)
[Press <ENTER> to continue]
Application advisories
* Application scan
  Checking Apache2 modules ... [ Not found ]
  Checking Apache configuration ... [ OK ]
* Application version scan
  - GnuPG 1.4.2.2 [ OK ]
  - Apache 2.2.2 [ Unknown ]
  - Bind DNS 9.3.2 [ OK ]
  - OpenSSL 0.9.8a [ OK ]
  - PHP 5.1.6 [ Unknown ]
  - Procmail MTA 3.22 [ OK ]
  - ProFTPd 1.3.0 [ Unknown ]
  - OpenSSH 4.3p2 [ Unknown ]
Your system contains some unknown version numbers. Please run Rootkit Hunter
with the --update parameter or contact us through the Rootkit Hunter
mailinglist at [email protected].
Security advisories
* Check: Groups and Accounts
  Searching for /etc/passwd... [ Found ]
  Checking users with UID '0' (root)... [ OK ]
* Check: SSH
  Searching for sshd_config... Found /etc/ssh/sshd_config
  Checking for allowed root login... Watch out Root login possible. Possible risk!
  info: No 'PermitRootLogin' entry found in file /etc/ssh/sshd_config
  Hint: See logfile for more information about this issue
  Checking for allowed protocols... [ OK (Only SSH2 allowed) ]
* Check: Events and Logging
  Search for syslog configuration... [ OK ]
  Checking for running syslog slave... Unknown HZ value! (94) Assume 100. Internal error! [ OK ]
  Checking for logging to remote system... [ OK (no remote logging) ]
[Press <ENTER> to continue]
---------------------------- Scan results ----------------------------
MD5 scan
  Scanned files: 51
  Incorrect MD5 checksums: 23
File scan
  Scanned files: 342
  Possible infected files: 2
  Possible rootkits: SHV4 SHV5
Application scan
  Vulnerable applications: 0
Scanning took 418 seconds
-----------------------------------------------------------------------
Do you have some problems, undetected rootkits, false positives, ideas or
suggestions? Please e-mail us through the Rootkit Hunter mailinglist at [email protected].
-----------------------------------------------------------------------
This does not look good. You should rerun rkhunter with the --createlogfile option, as suggested in the output, and check in the logfile exactly which rootkit files were found. Which Linux distribution do you use?
I will re-run it and create a log file this time. I woke up to 609 of those same e-mails. I wonder why it says r00t instead of root? Also, I'm using FC5.
Also, I found these 2 TXT files in my /tmp/ directory. They look to me like worms of some sort. http://www.plastikracing.net/m3r.txt http://www.plastikracing.net/ojo.txt
After looking through the log, it looks like I've been "owned."
Code:
[root@server libsh]# ls -al
total 104
drwxr-xr-x   6 root    root     4096 Aug 16 22:00 .
drwxr-xr-x 112 root    root    69632 Aug 16 22:00 ..
drwxr-xr-x   2 root    root     4096 Aug 17 15:47 .backup
-rwxr-xr-x   1 122     114      1206 Apr 18  2003 .bashrc
drwxr-xr-x   2 root    root     4096 Aug 16 22:00 .owned
drwxr-xr-x   2 root    root     4096 Aug 17 15:47 .sniff
-rwxr-xr-x   1 122     114      2000 Aug 23  2006 hide
drwxr-xr-x   2 tristan tristan  4096 Aug 17 15:47 utilz
If possible, you should reinstall the complete server or restore the complete server from a backup that was done before it got hacked. Otherwise you can never be 100% sure that your server is clean.
By reinstall you mean the OS, correct? As for backing up ISPConfig to transfer to a fresh OS installation, would I be best off to create a tarball of my admispconfig/ and www/ directories in the /home/ directory?
Yes. Don't you have a backup from the time before the hack occurred? It would be better to use that. If not, have a look at this thread: http://www.howtoforge.com/forums/showthread.php?t=2717&highlight=move+ispconfig You will need a backup of /home/, /var/, /root/ispconfig and /etc, because you will need the passwd, shadow and group files. And this is the biggest problem, as your passwords might be compromised. Also, if you put your websites back online without finding the security hole that the hacker used, you might get hacked again very fast. So if possible, either start with a fresh installation of ISPConfig, recreate the accounts and move just the content of the websites and databases, or use the data from a backup that was made before the hack.
As for the backup, do I use the backup tool from the Management tab or from the Tools tab? Will one of those backups allow me to restore EVERYTHING once I reinstall the OS, reinstall a clean version of ISPConfig, and then restore the backup and have everything there?
You can not use the ISPConfig backup tools to make a full backup. Please have a look at the link to the thread I posted above.
Hey, just a few answers. r00t is his Gmail name; it's like db.r00t something. In a nutshell, it happened because you allowed uploads, or attachments, or avatar uploads in your phpBB. Ah, you say... I know, I just cleaned it all out. Check your modules/forums/cache/ folder; you will see all sorts of goodies in there. attach_config.php, that's it, that's the only thing that's supposed to be in there; all of the other stuff you see, delete, including those folders. Do not go by the creation date. If you read one of the net.php folders you can take apart what happened; just read along. You were attacked by a script kiddie. Anyway, you will have to do all that in your WinSCP editor. Then check all your 777 file folders for files called, oh, anything really, mostly version or r00t; those will be locked. Then file names in the 777 folders like includes.php, errors.php, net.php. Hope that helps.
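Two read-only checks for what the post above describes, as an added example that is not from the thread: PHP files that have landed in world-writable (777) directories under the web root, and entries in the forum's cache/ directory other than attach_config.php. The /home/www default web root and the cache path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Both functions only read the
# filesystem; nothing is deleted.

# Print every PHP-looking file (*.php, and double extensions such as
# x.php.jpg) that sits directly inside a world-writable directory under $1.
# World-writable upload directories are where the dropped files described
# above end up, and PHP does not belong in them.
find_php_in_777_dirs() {
    find "$1" -type d -perm -002 -exec sh -c \
        'find "$1" -maxdepth 1 -type f -name "*.php*"' _ {} \; 2>/dev/null
    return 0
}

# Print "unexpected: <path>" for each entry (dot-files included) in the
# cache directory $1 that is not in the allow-list $2 (whitespace separated,
# default: attach_config.php, the only file the post says belongs there).
check_phpbb_cache() {
    cache="$1"; allowed="${2:-attach_config.php}"
    for f in "$cache"/* "$cache"/.*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        case "$name" in .|..) continue ;; esac
        ok=0
        for a in $allowed; do [ "$name" = "$a" ] && ok=1; done
        [ "$ok" -eq 0 ] && echo "unexpected: $f"
    done
    return 0
}

# Usage (paths are assumptions): scan the web root, then the forum cache.
webroot="${1:-/home/www}"
find_php_in_777_dirs "$webroot"
check_phpbb_cache "$webroot/forum/cache"
```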
I would like to ask something related to this... In the past, running a Slackware server without ISPConfig, my server was compromised because a user was running a CMS (Mambo, I think). With the perfect server setup, and running all sites with PHP safe mode enabled, am I supposed to be secure from such threats? I am asking this because you can never know exactly whether a client has upgraded their CMS or forum to the latest version...
Yes but I'm not talking about me but for my clients. I cannot always look at what they install from time to time, that's why I ask if by using an updated system along with PHP's safe mode can give you enough protection against exploits.
Safe mode should do the job, but I'd rather use suPHP. suPHP will make Apache (and PHP) run as that exact system user, and damage should then be limited to that user's account and files.