alfredoj69 at rogers.com
Fri Nov 30 17:22:25 UTC 2007
On Fri, Nov 30, 2007 at 10:04:19AM -0600, B.J. McClure wrote:
> On Fri, 2007-11-30 at 09:36 -0500, Evans F. Mitchell KD4EFM / AFA2TH /
> WQFK-894 wrote:
> > By any chances, have you ran 'ps ax' from root and looked
> > to see what does not look like it should be there??
> The box is already down and replaced by a backup. Implemented some of your suggestions on it.
> Issue was unauthorized web site.I have bash_history logs for all the users created by hacker so
> I know commands run including starting httpd. When I get back from an 11 day business trip I will
> set those drives on a slow as molasses test machine and see what I can figure out...for educational purposes.
> > IF you are willing, paste your 'ps' output for us to
> > help you find the program that is running and sending out
> > the emails.
> > also review your sendmail rule set.
> > Next, to help lock down your server a little more
> > make sure you have set a password on your VNC.
> > I had and Italian 17 year old poking around one
> > of my Amateur Radio boxes via VNC, simply cause I
> > forgot to set a vnc password, so it was wide open
> > like a windoz server box without a login screen,
> > you know, the good old "I AM OPEN FOR YOUR PLEASURES..."
> > Also change your sshd, the port it is on, and do a rule
> > set that only allows a specific ip to access it.
> > I think I am correct saying you can do that as well with VNC.
> > The other option would be to stop the service all together
> > IF your not needing it.
> > Good Luck.
> > Evans F. Mitchell KD4EFM/AFA2TH/WQFK-894
> > -----Original Message-----
> > From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf
> > Of Alfredo Perez
> > Sent: Friday, November 30, 2007 7:40 AM
> > To: CentOS mailing list
> > Subject: Re: [CentOS] CleanLog.h
> > On Thu, Nov 29, 2007 at 04:43:44PM -0600, B.J. McClure wrote:
> > > Sad to say one of my file servers was exploited and used to run a
> > > Phishing scam. Have identified subject virus amongst other things.
> > > It appears twice in a virus scan; /sbin/z (which I assume can just be
> > > deleted) and /sys/bus/serio/drivers/atkbd/description. The latter
> > > file is also present in identical uninfected machines. I have been
> > > unable to open the file, even with root privileges, although it
> > > appears to be a text file. Any suggestions on how to proceed
> > > appreciated. Guess I could delete it and copy over the file from an
> > identical machine.
> > >
> > > Thanks in advance,
> > > B.J.
> > >
> > > CentOS 5.0, Linux 2.6.18-8.1.15.el5 x86_64 16:26:48 up 10:46, 1 user,
> > > load average: 0.07, 0.08, 0.04
> > Hi Can you tell me which virus scan you are using?
> > Thanks
Can you share your findings with us?
Furthermore, this question is for the list
I have a Centos 5 server running sshd
for me to signon and check my emails.
I use denyhosts to protect port 22.
Is there anyother software you people use
to protect your servers.
Thanks in advance
Alfredo - The sauce
More information about the CentOS