Was I hacked? Help please.

Discussion in 'General' started by gragus, Sep 27, 2011.

  1. gragus

    gragus New Member

    Hi All!

    It was recommended that I raise the issue here because the problem described below occurred on a server that runs ISPConfig 2.2.40.
    If this does not belong here, I apologise. I'd still appreciate any pointers or a hint where I should raise this question instead.

    I have recently discovered some very suspicious files on my box and I hope there is an expert who may be able to help.

    I assume you will want me to post logs or netstat output, but I am not sure what is most relevant, so I just wait until you ask. Here the most basic info:

    Server:

    • Ubuntu 10.04 LTS with ISPConfig 2.2.40
    • PHP downgraded to PHP 5.2.10-2ubuntu6.10 with Suhosin-Patch 0.9.7
      (in order to run a Drupal 5 site)

    Problem:
    I discovered some very weird files in /var/www/ :

    Code:
    drwxr-xr-x  3 root        root  4096 2011-09-23 00:30 13441:2e4ad885f14b898d2d97464014ee88ff:Trojan.Vundo-32951
drwxr-xr-x  3 root        root  4096 2011-09-23 00:30 64000:909caa0397babc8dbaec55bb804b268d:Worm.Palevo-15930
drwxr-xr-x  3 root        root  4096 2011-09-23 00:30 66560:eae82f3da7fbf68c7d9a21478b29db1f:Worm.Palevo-15927
drwxr-xr-x  3 root        root  4096 2011-09-23 00:30 80384:d12a97d07a024www.paperin.org
drwxr-xr-x  3 root        root  4096 2011-09-23 00:30 86016:1a39b0adeb471b8d5be710b10c8fc4ee:Worm.Palevo-15928
drwxr-xr-x  3 root        root  4096 2011-09-23 00:30 93696:6957c2d714de628defa50c4eb6364e48:Worm.Palevo-15931
drwxr-xr-x  3 root        root  4096 2011-09-23 00:30 95744:9db0c0862577fd8db9ef1d2cd2cd45a5:Worm.Palevo-15929
    Note, www DOT paperin DOT org is a one of several small sites hosted on the box. It runs on Drupal 5.
    I do not know where these came from; I did not create them knowingly for sure.

    I deleted these files, but I am not sure how to proceed.

    In case that it is relevant, here is a deep listing of the suspicious directories.

    I really appreciate your help!

    Code:
    user@host: /var/www# ls -al

./13441:2e4ad885f14b898d2d97464014ee88ff:Trojan.Vundo-32951
:
total 4
drwxr-xr-x 3 root root 4096 2011-09-23 00:30 log

./13441:2e4ad885f14b898d2d97464014ee88ff:Trojan.Vundo-32951
/log:
total 8
drwxr-xr-x 3 root root 4096 2011-09-23 00:30 2011
lrwxrwxrwx 1 root root   87 2011-09-23 00:30 web.log -> /var/www/13441:2e4ad885f14b898d2d97464014ee88ff:Trojan.Vundo-32951
/log/2011/09/web.log

./13441:2e4ad885f14b898d2d97464014ee88ff:Trojan.Vundo-32951
/log/2011:
total 4
drwxr-xr-x 2 root root 4096 2011-09-23 00:30 09

./13441:2e4ad885f14b898d2d97464014ee88ff:Trojan.Vundo-32951
/log/2011/09:
total 0
-rw-r--r-- 1 root root 0 2011-09-23 00:30 web.log

./64000:909caa0397babc8dbaec55bb804b268d:Worm.Palevo-15930
:
total 4
drwxr-xr-x 3 root root 4096 2011-09-23 00:30 log

./64000:909caa0397babc8dbaec55bb804b268d:Worm.Palevo-15930
/log:
total 8
drwxr-xr-x 3 root root 4096 2011-09-23 00:30 2011
lrwxrwxrwx 1 root root   86 2011-09-23 00:30 web.log -> /var/www/64000:909caa0397babc8dbaec55bb804b268d:Worm.Palevo-15930
/log/2011/09/web.log

./64000:909caa0397babc8dbaec55bb804b268d:Worm.Palevo-15930
/log/2011:
total 4
drwxr-xr-x 2 root root 4096 2011-09-23 00:30 09

./64000:909caa0397babc8dbaec55bb804b268d:Worm.Palevo-15930
/log/2011/09:
total 0
-rw-r--r-- 1 root root 0 2011-09-23 00:30 web.log

./66560:eae82f3da7fbf68c7d9a21478b29db1f:Worm.Palevo-15927
:
total 4
drwxr-xr-x 3 root root 4096 2011-09-23 00:30 log

./66560:eae82f3da7fbf68c7d9a21478b29db1f:Worm.Palevo-15927
/log:
total 8
drwxr-xr-x 3 root root 4096 2011-09-23 00:30 2011
lrwxrwxrwx 1 root root   86 2011-09-23 00:30 web.log -> /var/www/66560:eae82f3da7fbf68c7d9a21478b29db1f:Worm.Palevo-15927
/log/2011/09/web.log

./66560:eae82f3da7fbf68c7d9a21478b29db1f:Worm.Palevo-15927
/log/2011:
total 4
drwxr-xr-x 2 root root 4096 2011-09-23 00:30 09

./66560:eae82f3da7fbf68c7d9a21478b29db1f:Worm.Palevo-15927
/log/2011/09:
total 0
-rw-r--r-- 1 root root 0 2011-09-23 00:30 web.log

./80384:d12a97d07a024www.paperin.org:
total 4
drwxr-xr-x 3 root root 4096 2011-09-23 00:30 log

./80384:d12a97d07a024www.paperin.org/log:
total 4
drwxr-xr-x 3 root root 4096 2011-09-23 00:30 2011

./80384:d12a97d07a024www.paperin.org/log/2011:
total 4
drwxr-xr-x 2 root root 4096 2011-09-23 00:30 09

./80384:d12a97d07a024www.paperin.org/log/2011/09:
total 4
-rw-r--r-- 1 root root 167 2011-09-23 00:30 web.log

./86016:1a39b0adeb471b8d5be710b10c8fc4ee:Worm.Palevo-15928
:
total 4
drwxr-xr-x 3 root root 4096 2011-09-23 00:30 log

./86016:1a39b0adeb471b8d5be710b10c8fc4ee:Worm.Palevo-15928
/log:
total 8
drwxr-xr-x 3 root root 4096 2011-09-23 00:30 2011
lrwxrwxrwx 1 root root   86 2011-09-23 00:30 web.log -> /var/www/86016:1a39b0adeb471b8d5be710b10c8fc4ee:Worm.Palevo-15928
/log/2011/09/web.log

./86016:1a39b0adeb471b8d5be710b10c8fc4ee:Worm.Palevo-15928
/log/2011:
total 4
drwxr-xr-x 2 root root 4096 2011-09-23 00:30 09

./86016:1a39b0adeb471b8d5be710b10c8fc4ee:Worm.Palevo-15928
/log/2011/09:
total 0
-rw-r--r-- 1 root root 0 2011-09-23 00:30 web.log

./93696:6957c2d714de628defa50c4eb6364e48:Worm.Palevo-15931
:
total 4
drwxr-xr-x 3 root root 4096 2011-09-23 00:30 log

./93696:6957c2d714de628defa50c4eb6364e48:Worm.Palevo-15931
/log:
total 8
drwxr-xr-x 3 root root 4096 2011-09-23 00:30 2011
lrwxrwxrwx 1 root root   86 2011-09-23 00:30 web.log -> /var/www/93696:6957c2d714de628defa50c4eb6364e48:Worm.Palevo-15931
/log/2011/09/web.log

./93696:6957c2d714de628defa50c4eb6364e48:Worm.Palevo-15931
/log/2011:
total 4
drwxr-xr-x 2 root root 4096 2011-09-23 00:30 09

./93696:6957c2d714de628defa50c4eb6364e48:Worm.Palevo-15931
/log/2011/09:
total 0
-rw-r--r-- 1 root root 0 2011-09-23 00:30 web.log

./95744:9db0c0862577fd8db9ef1d2cd2cd45a5:Worm.Palevo-15929
:
total 4
drwxr-xr-x 3 root root 4096 2011-09-23 00:30 log

./95744:9db0c0862577fd8db9ef1d2cd2cd45a5:Worm.Palevo-15929
/log:
total 8
drwxr-xr-x 3 root root 4096 2011-09-23 00:30 2011
lrwxrwxrwx 1 root root   86 2011-09-23 00:30 web.log -> /var/www/95744:9db0c0862577fd8db9ef1d2cd2cd45a5:Worm.Palevo-15929
/log/2011/09/web.log

./95744:9db0c0862577fd8db9ef1d2cd2cd45a5:Worm.Palevo-15929
/log/2011:
total 4
drwxr-xr-x 2 root root 4096 2011-09-23 00:30 09

./95744:9db0c0862577fd8db9ef1d2cd2cd45a5:Worm.Palevo-15929
/log/2011/09:
total 0
-rw-r--r-- 1 root root 0 2011-09-23 00:30 web.log

...other (expected) directories follow...
     
    gragus, Sep 27, 2011
    #1
  2. Mark_NL

    Mark_NL Member

    ah you came from linode.com ;)

    You might want to see if
    Code:
    ps flax
    I think you'll find something ..

    Worm.Palevo gives me multiple types of worms, one through IM, the other through MAIL. If you run Clamav on your server it should've picked it up when it got mailed to your server.

    You might want to run a full clamscan on your server.

    This has nothing to do with ispconfig2, i'd rather say it's the 'old' drupal you're running that got exploited.

    check

    http://www.1337day.com/ and http://www.exploit-db.com/ and search for drupal.
     
    Mark_NL, Sep 28, 2011
    #2

Share This Page