HowtoForge Forums > ISPConfig 2 > General

Post #1, 28th September 2011, 00:50
gragus (Junior Member; Join Date: Sep 2011; Posts: 10)

Was I hacked? Help please.

Hi All!

It was recommended that I raise the issue here because the problem described below occurred on a server that runs ISPConfig 2.2.40.
If this does not belong here, I apologise. I'd still appreciate any pointers or a hint where I should raise this question instead.


I have recently discovered some very suspicious files on my box and I hope there is an expert who may be able to help.

I assume you will want me to post logs or netstat output, but I am not sure what is most relevant, so I will just wait until you ask. Here is the most basic info:

Server:
  • Ubuntu 10.04 LTS with ISPConfig 2.2.40
  • PHP downgraded to PHP 5.2.10-2ubuntu6.10 with Suhosin-Patch 0.9.7
    (in order to run a Drupal 5 site)

Problem:
I discovered some very weird files in /var/www/ :

Code:
drwxr-xr-x  3 root        root  4096 2011-09-23 00:30 13441:2e4ad885f14b898d2d97464014ee88ff:Trojan.Vundo-32951
drwxr-xr-x  3 root        root  4096 2011-09-23 00:30 64000:909caa0397babc8dbaec55bb804b268d:Worm.Palevo-15930
drwxr-xr-x  3 root        root  4096 2011-09-23 00:30 66560:eae82f3da7fbf68c7d9a21478b29db1f:Worm.Palevo-15927
drwxr-xr-x  3 root        root  4096 2011-09-23 00:30 80384:d12a97d07a024www.paperin.org
drwxr-xr-x  3 root        root  4096 2011-09-23 00:30 86016:1a39b0adeb471b8d5be710b10c8fc4ee:Worm.Palevo-15928
drwxr-xr-x  3 root        root  4096 2011-09-23 00:30 93696:6957c2d714de628defa50c4eb6364e48:Worm.Palevo-15931
drwxr-xr-x  3 root        root  4096 2011-09-23 00:30 95744:9db0c0862577fd8db9ef1d2cd2cd45a5:Worm.Palevo-15929
Note, www DOT paperin DOT org is one of several small sites hosted on the box. It runs on Drupal 5.
I do not know where these came from; I certainly did not create them knowingly.

I deleted these files, but I am not sure how to proceed.

In case it is relevant, here is a deep listing of the suspicious directories.

I really appreciate your help!

Code:
user@host: /var/www# ls -al

./13441:2e4ad885f14b898d2d97464014ee88ff:Trojan.Vundo-32951:
total 4
drwxr-xr-x 3 root root 4096 2011-09-23 00:30 log

./13441:2e4ad885f14b898d2d97464014ee88ff:Trojan.Vundo-32951/log:
total 8
drwxr-xr-x 3 root root 4096 2011-09-23 00:30 2011
lrwxrwxrwx 1 root root   87 2011-09-23 00:30 web.log -> /var/www/13441:2e4ad885f14b898d2d97464014ee88ff:Trojan.Vundo-32951/log/2011/09/web.log

./13441:2e4ad885f14b898d2d97464014ee88ff:Trojan.Vundo-32951/log/2011:
total 4
drwxr-xr-x 2 root root 4096 2011-09-23 00:30 09

./13441:2e4ad885f14b898d2d97464014ee88ff:Trojan.Vundo-32951/log/2011/09:
total 0
-rw-r--r-- 1 root root 0 2011-09-23 00:30 web.log

./64000:909caa0397babc8dbaec55bb804b268d:Worm.Palevo-15930:
total 4
drwxr-xr-x 3 root root 4096 2011-09-23 00:30 log

./64000:909caa0397babc8dbaec55bb804b268d:Worm.Palevo-15930/log:
total 8
drwxr-xr-x 3 root root 4096 2011-09-23 00:30 2011
lrwxrwxrwx 1 root root   86 2011-09-23 00:30 web.log -> /var/www/64000:909caa0397babc8dbaec55bb804b268d:Worm.Palevo-15930/log/2011/09/web.log

./64000:909caa0397babc8dbaec55bb804b268d:Worm.Palevo-15930/log/2011:
total 4
drwxr-xr-x 2 root root 4096 2011-09-23 00:30 09

./64000:909caa0397babc8dbaec55bb804b268d:Worm.Palevo-15930/log/2011/09:
total 0
-rw-r--r-- 1 root root 0 2011-09-23 00:30 web.log

./66560:eae82f3da7fbf68c7d9a21478b29db1f:Worm.Palevo-15927:
total 4
drwxr-xr-x 3 root root 4096 2011-09-23 00:30 log

./66560:eae82f3da7fbf68c7d9a21478b29db1f:Worm.Palevo-15927/log:
total 8
drwxr-xr-x 3 root root 4096 2011-09-23 00:30 2011
lrwxrwxrwx 1 root root   86 2011-09-23 00:30 web.log -> /var/www/66560:eae82f3da7fbf68c7d9a21478b29db1f:Worm.Palevo-15927/log/2011/09/web.log

./66560:eae82f3da7fbf68c7d9a21478b29db1f:Worm.Palevo-15927/log/2011:
total 4
drwxr-xr-x 2 root root 4096 2011-09-23 00:30 09

./66560:eae82f3da7fbf68c7d9a21478b29db1f:Worm.Palevo-15927/log/2011/09:
total 0
-rw-r--r-- 1 root root 0 2011-09-23 00:30 web.log

./80384:d12a97d07a024www.paperin.org:
total 4
drwxr-xr-x 3 root root 4096 2011-09-23 00:30 log

./80384:d12a97d07a024www.paperin.org/log:
total 4
drwxr-xr-x 3 root root 4096 2011-09-23 00:30 2011

./80384:d12a97d07a024www.paperin.org/log/2011:
total 4
drwxr-xr-x 2 root root 4096 2011-09-23 00:30 09

./80384:d12a97d07a024www.paperin.org/log/2011/09:
total 4
-rw-r--r-- 1 root root 167 2011-09-23 00:30 web.log

./86016:1a39b0adeb471b8d5be710b10c8fc4ee:Worm.Palevo-15928:
total 4
drwxr-xr-x 3 root root 4096 2011-09-23 00:30 log

./86016:1a39b0adeb471b8d5be710b10c8fc4ee:Worm.Palevo-15928/log:
total 8
drwxr-xr-x 3 root root 4096 2011-09-23 00:30 2011
lrwxrwxrwx 1 root root   86 2011-09-23 00:30 web.log -> /var/www/86016:1a39b0adeb471b8d5be710b10c8fc4ee:Worm.Palevo-15928/log/2011/09/web.log

./86016:1a39b0adeb471b8d5be710b10c8fc4ee:Worm.Palevo-15928/log/2011:
total 4
drwxr-xr-x 2 root root 4096 2011-09-23 00:30 09

./86016:1a39b0adeb471b8d5be710b10c8fc4ee:Worm.Palevo-15928/log/2011/09:
total 0
-rw-r--r-- 1 root root 0 2011-09-23 00:30 web.log

./93696:6957c2d714de628defa50c4eb6364e48:Worm.Palevo-15931:
total 4
drwxr-xr-x 3 root root 4096 2011-09-23 00:30 log

./93696:6957c2d714de628defa50c4eb6364e48:Worm.Palevo-15931/log:
total 8
drwxr-xr-x 3 root root 4096 2011-09-23 00:30 2011
lrwxrwxrwx 1 root root   86 2011-09-23 00:30 web.log -> /var/www/93696:6957c2d714de628defa50c4eb6364e48:Worm.Palevo-15931/log/2011/09/web.log

./93696:6957c2d714de628defa50c4eb6364e48:Worm.Palevo-15931/log/2011:
total 4
drwxr-xr-x 2 root root 4096 2011-09-23 00:30 09

./93696:6957c2d714de628defa50c4eb6364e48:Worm.Palevo-15931/log/2011/09:
total 0
-rw-r--r-- 1 root root 0 2011-09-23 00:30 web.log

./95744:9db0c0862577fd8db9ef1d2cd2cd45a5:Worm.Palevo-15929:
total 4
drwxr-xr-x 3 root root 4096 2011-09-23 00:30 log

./95744:9db0c0862577fd8db9ef1d2cd2cd45a5:Worm.Palevo-15929/log:
total 8
drwxr-xr-x 3 root root 4096 2011-09-23 00:30 2011
lrwxrwxrwx 1 root root   86 2011-09-23 00:30 web.log -> /var/www/95744:9db0c0862577fd8db9ef1d2cd2cd45a5:Worm.Palevo-15929/log/2011/09/web.log

./95744:9db0c0862577fd8db9ef1d2cd2cd45a5:Worm.Palevo-15929/log/2011:
total 4
drwxr-xr-x 2 root root 4096 2011-09-23 00:30 09

./95744:9db0c0862577fd8db9ef1d2cd2cd45a5:Worm.Palevo-15929/log/2011/09:
total 0
-rw-r--r-- 1 root root 0 2011-09-23 00:30 web.log

...other (expected) directories follow...
Post #2, 28th September 2011, 10:15
Mark_NL (Senior Member; Join Date: Sep 2008; Location: The Netherlands; Posts: 912)

ah you came from linode.com

You might want to see if
Code:
ps flax
I think you'll find something ..

Worm.Palevo gives me multiple types of worms, one through IM, the other through MAIL. If you run Clamav on your server it should've picked it up when it got mailed to your server.

You might want to run a full clamscan on your server.

This has nothing to do with ISPConfig 2; I'd rather say it's the 'old' Drupal you're running that got exploited.

Check http://www.1337day.com/ and http://www.exploit-db.com/ and search for drupal.
__________________
Real men don't backup... Real men cry!

http://www.e-rave.nl/
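An added example, not code from either poster: a read-only triage script for the situation in this thread, written against the listing posted above. It reports top-level names in the web root that have the size:md5:malware-name shape of ClamAV hash-signature entries (which is what the unexpected directories look like), counts how many top-level entries share each modification minute (the whole batch above is dated 2011-09-23 00:30), lists symlinks with their targets, shows the processes running as the web server user (the defender's slice of the `ps flax` suggestion), and runs the full clamscan Mark_NL recommends when ClamAV is installed. It assumes POSIX sh with GNU find (for `-printf`), a web root of /var/www and a web server user of www-data, all of which are assumptions rather than facts from the thread; run it as `sh webroot-triage.sh /var/www` before deleting anything, so the evidence is still there to compare with the expected site directories.

```shell
#!/bin/sh
# Added example, not code from either post in this thread.
# Read-only triage of a web root such as the /var/www listing above:
#   1. top-level names shaped like ClamAV hash-signature entries
#      (<size>:<32 hex md5>:<malware name>), the shape of the unexpected dirs;
#   2. how many top-level entries share each modification minute, so a
#      batch created together (all 2011-09-23 00:30 above) stands out;
#   3. every symlink a few levels down, with its target;
#   4. processes running as the web server user;
#   5. a recursive clamscan when ClamAV is installed.
# Assumptions: POSIX sh plus GNU find (for -printf); the web root defaults
# to /var/www and the web server user to www-data (Ubuntu's default).

find_signature_named_dirs() {
    webroot=${1:-/var/www}
    # ls -1A prints one name per line including dotfiles; sort keeps the
    # output stable. The pipeline's status is sort's, so "no match" is not
    # an error.
    ls -1A "$webroot" | grep -E '^[0-9]+:[0-9a-f]{32}:' | sort
}

mtime_clusters() {
    webroot=${1:-/var/www}
    # One "YYYY-MM-DD HH:MM" line per top-level entry, then a count per
    # minute, most populous minute first.
    find "$webroot" -mindepth 1 -maxdepth 1 -printf '%TY-%Tm-%Td %TH:%TM\n' \
        | sort | uniq -c | sort -rn
}

list_symlinks() {
    webroot=${1:-/var/www}
    # "link -> target" for symlinks up to four levels deep, enough to reach
    # <site>/log/web.log in the layout shown above.
    find "$webroot" -maxdepth 4 -type l -printf '%p -> %l\n' | sort
}

webserver_user_processes() {
    user=${1:-www-data}
    # Processes owned by the web server user. ps exits non-zero when there
    # are none, which is a valid (quiet) result here.
    ps -u "$user" -o pid,ppid,user,lstart,cmd 2>/dev/null || true
}

scan_webroot() {
    webroot=${1:-/var/www}
    if command -v clamscan >/dev/null 2>&1; then
        # -r recurse, -i print infected files only, --no-summary keeps it terse.
        clamscan -r -i --no-summary "$webroot"
    else
        echo "clamscan not installed; skipping scan of $webroot" >&2
    fi
}

main() {
    webroot=${1:-/var/www}
    echo "== top-level names shaped like ClamAV signature entries =="
    find_signature_named_dirs "$webroot"
    echo "== top-level entries per modification minute =="
    mtime_clusters "$webroot"
    echo "== symlinks (depth <= 4) =="
    list_symlinks "$webroot"
    echo "== processes running as www-data =="
    webserver_user_processes www-data
    echo "== clamscan =="
    scan_webroot "$webroot"
}

# Usage: sh webroot-triage.sh /var/www
# With no argument only the functions are defined, so the file can be sourced.
if [ $# -ge 1 ]; then
    main "$1"
fi
```

The script deliberately changes nothing: the point of running it before an `rm -rf` is that ownership, timestamps and symlink targets of the unexpected directories can be lined up against the legitimate ISPConfig site directories next to them, and the mtime clustering shows at a glance whether anything else on the box was touched in the same minute.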