ramazan66
Apr 6 2007, 02:28 PM
Every few seconds I receive the following mail in the root mailbox, anybody have an idea? Have I been hacked? A few days ago one of the sites on this server was "hacked" / defaced.
From root@webmail.mydomain.com Fri Apr 6 15:24:02 2007
X-ClientAddr: 127.0.0.1
Date: Fri, 6 Apr 2007 15:24:01 -0500
From: root@webmail.mydomain.com (Cron Daemon)
To: root@webmail.mydomain.com
Subject: Cron <root@webmail> chown root:root /var/tmp/x && chmod 4755 /var/tmp/x && rm -rf /etc/cron.d/core && kill -USR1 26591
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
/bin/sh: line 0: kill: (26591) - No such process
Quiddity
Apr 7 2007, 09:45 AM
ramazan66,
Unfortunately the fact that this is being executed from the root crontab would indicate that root privileges were attained in this compromise. You should have someone tend to this immediately, to prevent any further compromise/defacement from occurring.
Steve
xerophyte
Apr 9 2007, 05:57 AM
If you didn't place that cron script or cron command on your server, it seems like your server has been hacked and someone is trying to run a script using cron.
You have to fully check the site and take security measures to secure the server.
Hope that helps.
James Jhurani
Apr 9 2007, 10:27 PM
Unfortunately that is a local kernel exploit being used to gain root privileges. After you restore the server, you may want to make sure you are running a newer kernel to prevent a non-root compromise from turning into a full-fledged root-level compromise (at least from local kernel exploits).
ramazan66
Apr 11 2007, 02:35 PM
Running chkrootkit (chkrootkit-0.47) does not come up with any problems; how far is this to be trusted?
klaude
Apr 11 2007, 09:05 PM
Chkrootkit passing means that your system either doesn't have any of the rootkits that chkrootkit is designed to find or that your compromised files are properly hiding themselves from chkrootkit. The email you've got from cron seems pretty serious, and you should treat your system as compromised. Remember that this means all data on your server should be treated as suspect. It's best to do an OS reload without drive preservation and to restore from your last known good backups. When your system is back up, perform a user audit and make sure that none of your hosted scripts or files are exploiting your server.
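A read-only audit that flags crontab entries matching the pattern in the mail quoted at the top of the thread (a setuid-root binary in /var/tmp and a self-deleting /etc/cron.d file) and lists setuid files in temp directories. This is an added example, not code posted by anyone in the thread; the crontab paths are the usual Linux defaults and the sample crontab is constructed.

```shell
#!/bin/sh
# Added example, not from any poster in this thread. Read-only checks for the pattern
# shown in the cron mail above: a cron entry that makes a binary in /var/tmp setuid root
# and deletes its own /etc/cron.d file. Prints findings; removes nothing.

# Print lines of FILE (with line numbers) that reference a temp directory,
# set a setuid/setgid mode with chmod, or delete something under /etc/cron*.
flag_cron_lines() {
    grep -nE '/(var/)?tmp/|chmod +[0-7]?[4567][0-7]{3}|rm +-rf? +/etc/cron' "$1" 2>/dev/null || true
}

# Walk every location cron reads from (paths are the usual Linux defaults).
scan_all_crontabs() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        out=$(flag_cron_lines "$f")
        if [ -n "$out" ]; then
            printf '%s:\n%s\n' "$f" "$out"
        fi
    done
}

# Setuid files under temp directories; packaged software does not install them there.
setuid_in_tmp() {
    find /tmp /var/tmp -xdev -type f -perm -4000 2>/dev/null || true
}

# Constructed sample crontab (not a real system file): the entry from the mail plus a
# benign logrotate job, so the check can be demonstrated offline.
demo_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
* * * * * root chown root:root /var/tmp/x && chmod 4755 /var/tmp/x && rm -rf /etc/cron.d/core && kill -USR1 26591
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
EOF
    flag_cron_lines "$f"
    rm -f "$f"
}

demo_sample
```

On a live system run `scan_all_crontabs` and `setuid_in_tmp` as root; a hit under /var/tmp or /etc/cron.d that you did not create is the thread's symptom, not proof of a clean box when absent.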