[CentOS] CleanLog.h

Fri Nov 30 16:04:19 UTC 2007
B.J. McClure <keepertoad at verizon.net>

On Fri, 2007-11-30 at 09:36 -0500, Evans F. Mitchell KD4EFM / AFA2TH /
WQFK-894 wrote:

> By any chances, have you ran 'ps ax' from root and looked
> to see what does not look like it should be there??

The box is already down and replaced by a backup.  Implemented some of your suggestions on it. 
Issue was unauthorized web site.I have bash_history logs for all the users created by hacker so 
I know commands run including starting httpd.  When I get back from an 11 day business trip I will 
set those drives on a slow as molasses test machine and see what I can figure out...for educational purposes.


B.J.


> IF you are willing, paste your 'ps' output for us to
> help you find the program that is running and sending out
> the emails.
> 
> also review your sendmail rule set.
> Next, to help lock down your server a little more
> make sure you have set a password on your VNC.
> I had and Italian 17 year old poking around one
> of my Amateur Radio boxes via VNC, simply cause I
> forgot to set a vnc password, so it was wide open
> like a windoz server box without a login screen,
> you know, the good old "I AM OPEN FOR YOUR PLEASURES..."
> 
> Also change your sshd, the port it is on, and do a rule
> set that only allows a specific ip to access it.
> I think I am correct saying you can do that as well with VNC.
> 
> The other option would be to stop the service all together
> IF your not needing it.
> 
> Good Luck.
> 
> Evans F. Mitchell KD4EFM/AFA2TH/WQFK-894
> 
>  
> 
> 
> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf
> Of Alfredo Perez
> Sent: Friday, November 30, 2007 7:40 AM
> To: CentOS mailing list
> Subject: Re: [CentOS] CleanLog.h
> 
> On Thu, Nov 29, 2007 at 04:43:44PM -0600, B.J. McClure wrote:
> > Sad to say one of my file servers was exploited and used to run a 
> > Phishing scam.  Have identified subject virus amongst other things.  
> > It appears twice in a virus scan; /sbin/z (which I assume can just be
> > deleted) and /sys/bus/serio/drivers/atkbd/description.  The latter 
> > file is also present in identical uninfected machines.  I have been 
> > unable to open the file, even with root privileges, although it 
> > appears to be a text file.  Any suggestions on how to proceed 
> > appreciated.  Guess I could delete it and copy over the file from an
> identical machine.
> > 
> > Thanks in advance,
> > B.J.
> > 
> > CentOS 5.0, Linux 2.6.18-8.1.15.el5 x86_64 16:26:48 up 10:46, 1 user, 
> > load average: 0.07, 0.08, 0.04
> 
> Hi Can you tell me which virus scan you are using?
> 
> Thanks
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
> 
> 
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

CentOS 5.0, Linux 2.6.18-8.1.15.el5 x86_64 09:57:33 up 1 day, 4:16, 1
user, load average: 0.05, 0.06, 0.04
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos/attachments/20071130/f40eeb3a/attachment-0005.html>