By any chance, have you run 'ps ax' as root and looked to see what does not look like it should be there?
IF you are willing, paste your 'ps' output for us to help you find the program that is running and sending out the emails.
Also review your sendmail rule set. Next, to help lock down your server a little more, make sure you have set a password on your VNC. I had an Italian 17-year-old poking around one of my Amateur Radio boxes via VNC, simply because I forgot to set a VNC password, so it was wide open like a windoz server box without a login screen, you know, the good old "I AM OPEN FOR YOUR PLEASURES..."
Also change your sshd, the port it is on, and do a rule set that only allows a specific ip to access it. I think I am correct saying you can do that as well with VNC.
The other option would be to stop the service altogether IF you're not needing it.
Good Luck.
Evans F. Mitchell KD4EFM/AFA2TH/WQFK-894
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Alfredo Perez Sent: Friday, November 30, 2007 7:40 AM To: CentOS mailing list Subject: Re: [CentOS] CleanLog.h
On Thu, Nov 29, 2007 at 04:43:44PM -0600, B.J. McClure wrote:
Sad to say one of my file servers was exploited and used to run a Phishing scam. Have identified subject virus amongst other things. It appears twice in a virus scan; /sbin/z (which I assume can just be deleted) and /sys/bus/serio/drivers/atkbd/description. The latter file is also present in identical uninfected machines. I have been unable to open the file, even with root privileges, although it appears to be a text file. Any suggestions on how to proceed appreciated. Guess I could delete it and copy over the file from an
identical machine.
Thanks in advance, B.J.
CentOS 5.0, Linux 2.6.18-8.1.15.el5 x86_64 16:26:48 up 10:46, 1 user, load average: 0.07, 0.08, 0.04
Hi, can you tell me which virus scan you are using?
Thanks
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
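One way to make the "look through ps ax for what should not be there" check repeatable, as an added example that is not part of the thread: compare the suspect box's process list with one captured from an identical uninfected machine (B.J. says he has such twins) and flag every command line that only appears on the suspect. Both listings below are constructed samples, with /sbin/z and the hacker-started httpd from the thread as the anomalies.

```python
"""Flag processes on a suspect host that never appear on a clean twin.

Added example, not from the thread. Both listings are constructed 'ps ax'
samples; on real machines capture them as root on the suspect box and on
an identical uninfected one, then compare by command line.
"""
import re

# Constructed sample: 'ps ax' on the identical, uninfected machine.
CLEAN_PS = """\
  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:01 init [3]
  812 ?        Ss     0:00 /usr/sbin/sshd
  901 ?        Ss     0:00 sendmail: accepting connections
 1204 ?        S      0:00 /usr/bin/Xvnc :1 -desktop host:1
"""

# Constructed sample: 'ps ax' on the suspect machine.
SUSPECT_PS = """\
  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:01 init [3]
  812 ?        Ss     0:00 /usr/sbin/sshd
  901 ?        Ss     0:00 sendmail: accepting connections
 1204 ?        S      0:00 /usr/bin/Xvnc :1 -desktop host:1
 2991 ?        S      0:03 /sbin/z
 3002 ?        Ss     0:00 /usr/sbin/httpd
 3010 ?        S      0:00 /usr/sbin/httpd
"""

# PID, TTY, STAT, TIME, then the command line (which may contain spaces).
PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+([\d:]+)\s+(.*)$")

def parse_ps(text):
    """Return {pid: command line}; the header row does not match the regex."""
    procs = {}
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if m:
            procs[int(m.group(1))] = m.group(5).strip()
    return procs

def unexpected_processes(clean_text, suspect_text):
    """(pid, command) pairs on the suspect host whose command line is absent
    on the clean host. PIDs are not compared since they differ per machine."""
    baseline = set(parse_ps(clean_text).values())
    return sorted((pid, cmd) for pid, cmd in parse_ps(suspect_text).items()
                  if cmd not in baseline)

if __name__ == "__main__":
    for pid, cmd in unexpected_processes(CLEAN_PS, SUSPECT_PS):
        print("not on clean host: pid %d  %s" % (pid, cmd))
```

A command line that matches the clean box can still be a replaced binary, so this only narrows the list to look at by hand.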
On Fri, 2007-11-30 at 09:36 -0500, Evans F. Mitchell KD4EFM / AFA2TH / WQFK-894 wrote:
By any chance, have you run 'ps ax' as root and looked to see what does not look like it should be there?
The box is already down and replaced by a backup. Implemented some of your suggestions on it. Issue was an unauthorized web site. I have bash_history logs for all the users created by the hacker, so I know the commands run, including starting httpd. When I get back from an 11 day business trip I will set those drives on a slow as molasses test machine and see what I can figure out...for educational purposes.
B.J.
CentOS 5.0, Linux 2.6.18-8.1.15.el5 x86_64 09:57:33 up 1 day, 4:16, 1 user, load average: 0.05, 0.06, 0.04
On Fri, Nov 30, 2007 at 10:04:19AM -0600, B.J. McClure wrote:
On Fri, 2007-11-30 at 09:36 -0500, Evans F. Mitchell KD4EFM / AFA2TH / WQFK-894 wrote:
By any chance, have you run 'ps ax' as root and looked to see what does not look like it should be there?
The box is already down and replaced by a backup. Implemented some of your suggestions on it. Issue was an unauthorized web site. I have bash_history logs for all the users created by the hacker, so I know the commands run, including starting httpd. When I get back from an 11 day business trip I will set those drives on a slow as molasses test machine and see what I can figure out...for educational purposes.
B.J.
Can you share your findings with us?
Furthermore, this question is for the list:
I have a Centos 5 server running sshd for me to signon and check my emails.
I use denyhosts to protect port 22.
Is there any other software you people use to protect your servers?
Thanks in advance
Alfredo - The sauce
On 30/11/2007, Evans F. Mitchell KD4EFM / AFA2TH / WQFK-894 kd4efm@kd4efm.org wrote:
By any chance, have you run 'ps ax' as root and looked to see what does not look like it should be there?
IF you are willing, paste your 'ps' output for us to help you find the program that is running and sending out the emails.
Also review your sendmail rule set. Next, to help lock down your server a little more, make sure you have set a password on your VNC.
Tunnel your VNC over SSH (or SSL?). See http://en.wikipedia.org/wiki/Virtual_Network_Computing#Security about how insecure the VNC protocol is.
I had an Italian 17-year-old poking around one of my Amateur Radio boxes via VNC, simply because I forgot to set a VNC password, so it was wide open like a windoz server box without a login screen, you know, the good old "I AM OPEN FOR YOUR PLEASURES..."
Also change your sshd, the port it is on, and do a rule set that only allows a specific ip to access it.
That's good advice. I have yet to see my non-standard sshd server scanned since I changed it over 3-4 years ago. Same with a private http server.
I think I am correct saying you can do that as well with VNC.
See above - the VNC protocol is not secure on its own, but you can tunnel it over secure protocols.
The other option would be to stop the service altogether IF you're not needing it.
Of course. That's up in the top ten commandments - stop any service (and remove any package, I would add) that you don't need on the server.
--Amos
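The sshd hardening suggested in this thread (move the port, only let a specific IP in) can be checked against the config file itself. This is an added example, not from any poster; the two configs are constructed samples, the 192.0.2.10 address is a documentation-range placeholder, and the checks go a little beyond the thread (root login and password authentication) on the same theme of shutting out brute-force logins. Firewall rules and denyhosts are separate layers it does not inspect.

```python
"""Audit an sshd_config against the ssh advice in this thread.

Added example, not from the thread. The two configs are constructed
samples; on a real CentOS box read /etc/ssh/sshd_config instead.
"""
import re

# Constructed sample: a stock-looking config (commented lines keep defaults).
WEAK_CONFIG = """\
#Port 22
PermitRootLogin yes
#PasswordAuthentication yes
"""

# Constructed sample: the same config after hardening. AllowUsers USER@HOST
# is standard OpenSSH syntax; 192.0.2.10 is a documentation-range placeholder.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowUsers bj@192.0.2.10
"""

def parse_sshd_config(text):
    """Return {keyword (lowercased): value}; sshd accepts either whitespace
    or '=' between keyword and value, so both are handled."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            opts[parts[0].lower()] = parts[1].strip()
    return opts

def audit_sshd_config(text):
    """Return findings as strings; an empty list means every check passed.
    Assumed defaults for absent keywords: port 22, root and password logins on."""
    opts = parse_sshd_config(text)
    findings = []
    if opts.get("port", "22") == "22":
        findings.append("sshd listens on the default port 22")
    if opts.get("permitrootlogin", "yes") != "no":
        findings.append("root may log in directly over ssh")
    if opts.get("passwordauthentication", "yes") != "no":
        findings.append("password logins allowed: brute-force target")
    allow = opts.get("allowusers", "").split()
    if not any("@" in entry for entry in allow):
        findings.append("no AllowUsers user@host restriction to a source IP")
    return findings
```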