#1
Old 19th June 2009, 00:04
shajazzi
Senior Member
Join Date: Dec 2005
Posts: 125
Has my server been hacked?

I received this email a few days ago

The logs attached at the bottom of this message show information about malicious code, hosted at your network, that has been used for *identity theft*. The URLs have been found in phishings/scams e-mails reported to CERT.br. These were online when we tested them (you can find more information about phishings/scams and identity theft at the end of this message).

We would like to ask you to:

* remove the malicious code from your site

Also, please check if your machine has been compromised and is now being used by intruders in malicious activities, or if a legitimate user is engaged in activity that is probably in violation of your terms of service agreement. In either case, please investigate this matter.

You received this message because you are listed as the contact for the networks below. This message is intended for the person responsible for computer security at your site. If this is not the correct address, please forward this message to the appropriate party.

If more than one IP at your site is hosting malicious code or if we detect a new malware at your site, you will receive more than one message, each one with different contents.

We would appreciate a reply that this note has been received.

Thank you,
--
CERT.br <cert@cert.br> http://www.cert.br/

======================================================================

* What are phishings/scams?

Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials. Social-engineering schemes use 'spoofed' e-mails to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers. Hijacking brand names of banks, e-retailers and credit card companies, phishers often convince recipients to respond. Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware. Source: Anti-Phishing Working Group.

Phishings targeting CERT.br constituency usually lure the recipients to download malicious code from the URLs present in the spoofed e-mail.

* Where can I find information about phishings/scams?

- Anti-Phishing Working Group http://www.antiphishing.org/
- Bank Safe Online http://www.banksafeonline.org.uk/

* What is identity theft?

Identity theft occurs when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes. Source: Federal Trade Commission.

* Where can I find information about identity theft?

- FTC's Identity Theft Site http://www.ftc.gov/bcp/edu/microsites/idtheft/

######################################################################
# begin logs
IP: 80.xxx.xxx.42
URL: http://xxxxxxx.com:81/multidoc/modul...computador.exe
Tested on: 2009-06-14 07:51:38 GMT
Kaspersky antivirus signature: Trojan-Banker.Win32.Banker.ajhg
# end logs
######################################################################

and sure enough I located and deleted the file that I found in home/adminispconfig/web/multidoc/modulo/cadastrar_computador.exe

I ran rkhunter and chkrootkit and all was clear. I checked the folder again today and cadastrar_computador.exe has returned; there is also another file called loader.exe.

Any ideas please?

shajazzi
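An added example (not from this thread, ISPConfig or Roundcube): a bash script that, given a document root, lists Windows executables by .exe extension or by the MZ header regardless of name, and keeps a sha256 baseline so that a file which reappears or changes after a clean-up is reported instead of being noticed by chance. The document-root path, baseline file and sample files are assumptions; it relies on GNU coreutils (sha256sum, comm).

```bash
#!/bin/bash
# Added example: spot dropped Windows executables in a web root and detect files
# that come back or change after deletion. Paths are placeholders (assumption).

# Print every regular file under $1 that ends in .exe or whose first two bytes
# are the 'MZ' DOS header (droppers are often renamed to hide the extension).
find_dropped_executables() {
    local root="$1"
    find "$root" -type f 2>/dev/null | while IFS= read -r f; do
        case "$f" in
            *.exe|*.EXE) printf '%s\n' "$f"; continue ;;
        esac
        if [ "$(head -c 2 "$f" 2>/dev/null)" = "MZ" ]; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# Record "hash  path" for every file under $1 into baseline file $2
# (keep $2 outside the tree so it is not hashed itself).
record_baseline() {
    local root="$1" out="$2"
    find "$root" -type f -exec sha256sum {} + 2>/dev/null | sort > "$out"
}

# Print paths under $1 that are new or whose content changed since baseline $2,
# i.e. anything written to the tree after the clean-up (a returning dropper,
# a newly uploaded loader, or a modified legitimate file).
find_new_or_changed() {
    local root="$1" base="$2" tmp
    tmp=$(mktemp)
    find "$root" -type f -exec sha256sum {} + 2>/dev/null | sort > "$tmp"
    # lines present in the current snapshot but absent from the baseline;
    # sha256sum separates hash and path with two spaces, so path = field 3-
    comm -13 "$base" "$tmp" | cut -d' ' -f3-
    rm -f "$tmp"
}

# Typical use (placeholder path): run once after clean-up, then from cron.
#   record_baseline /var/www/example/web /root/web.baseline
#   find_new_or_changed /var/www/example/web /root/web.baseline
```

Run record_baseline right after removing the malware, then schedule find_new_or_changed so a reappearing cadastrar_computador.exe or loader.exe is reported on the next run rather than days later.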
#2
Old 19th June 2009, 08:16
till
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,045

Do you have roundcube installed on this server? Then you should remove it and install the latest roundcube package. There is a vulnerability in older roundcube versions that allows an attacker to upload files to your server.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#3
Old 19th June 2009, 20:31
shajazzi
Senior Member
Join Date: Dec 2005
Posts: 125

Thanks till,
I know that there are some HTML issues in the latest versions of roundcube that I have tried; does anyone have an older and more stable version kicking around?

shajazzi
#4
Old 19th June 2009, 20:41
till
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,045

I am not talking about any HTML issues. Older roundcube versions have a severe bug that allows others to take over your server, and that's what might have happened with your server. You have to install the latest release or remove roundcube altogether if you don't want to open up your server for hackers.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
All times are GMT +2.