Has my server been hacked?

Discussion in 'Installation/Configuration' started by shajazzi, Jun 19, 2009.

  1. shajazzi

    shajazzi Member

    I received this email a few days ago

    The logs attached at the bottom of this message show information about malicious code, hosted at your network, that has been used for *identity theft*. The URLs have been found in phishings/scams e-mails reported to CERT.br. These were online when we tested them (you can find more information about phishings/scams and identity theft at the end of this message).

    We would like to ask you to:

    * remove the malicious code from your site

    Also, please check if your machine has been compromised and is now being used by intruders in malicious activities, or if a legitimate user is engaged in activity that is probably in violation of your terms of service agreement. In either case, please investigate this matter.

    You received this message because you are listed as the contact for the networks below. This message is intended for the person responsible for computer security at your site. If this is not the correct address, please forward this message to the appropriate party.

    If more than one IP at your site is hosting malicious code or if we detect a new malware at your site, you will receive more than one message, each one with different contents.

    We would appreciate a reply that this note has been received.

    Thank you,
    -- CERT.br <cert@cert.br> http://www.cert.br/

    ======================================================================

    * What are phishings/scams?

    Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials. Social-engineering schemes use 'spoofed' e-mails to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers. Hijacking brand names of banks, e-retailers and credit card companies, phishers often convince recipients to respond. Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware. Source: Anti-Phishing Working Group.

    Phishings targeting CERT.br constituency usually lure the recipients to download malicious code from the URLs present in the spoofed e-mail.

    * Where can I find information about phishings/scams?

    - Anti-Phishing Working Group http://www.antiphishing.org/
    - Bank Safe Online http://www.banksafeonline.org.uk/

    * What is identity theft?

    Identity theft occurs when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes. Source: Federal Trade Commission.

    * Where can I find information about identity theft?

    - FTC's Identity Theft Site http://www.ftc.gov/bcp/edu/microsites/idtheft/

    ########################################################################
    # begin logs
    IP: 80.xxx.xxx.42
    URL: http://xxxxxxx.com:81/multidoc/modulo/cadastrar_computador.exe
    Tested on: 2009-06-14 07:51:38 GMT
    Kaspersky antivirus signature: Trojan-Banker.Win32.Banker.ajhg
    # end logs
    ########################################################################

    and sure enough I located and deleted the file, which I found in home/adminispconfig/web/multidoc/modulo/cadastrar_computador.exe

    I ran rkhunter and chkrootkit and all was clear. I checked the folder again today and cadastrar_computador.exe has returned; there is also another file called loader.exe.

    Any ideas please?

    shajazzi :confused:
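    A defender-side check for the situation described in this post (a deleted .exe reappearing under the web root), added here as an example that is not from the thread or from ISPConfig: it snapshots a document root, diffs a later snapshot against it, and flags new or changed Windows-executable files together with the owner uid, which tells you whether the file was written by the web server account (an upload through a web application) or by a customer's shell/FTP account. The web root and baseline paths in the main block are assumptions.

```python
import hashlib
from pathlib import Path

# Windows executable types that have no business under a Linux web root.
SUSPICIOUS_SUFFIXES = {".exe", ".scr", ".pif", ".com", ".bat", ".dll"}

def snapshot(root):
    """Map every regular file under root (posix relative path) to (sha256, owner uid, mtime)."""
    root = Path(root)
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file() and not path.is_symlink():  # do not follow links out of the root
            st = path.stat()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = (digest, st.st_uid, int(st.st_mtime))
    return manifest

def diff_snapshots(before, after):
    """Return (added, modified, removed) relative paths between two manifests."""
    added = sorted(p for p in after if p not in before)
    modified = sorted(p for p in after if p in before and after[p][0] != before[p][0])
    removed = sorted(p for p in before if p not in after)
    return added, modified, removed

def suspicious(paths):
    """Keep only paths whose extension is a Windows executable type."""
    return [p for p in paths if Path(p).suffix.lower() in SUSPICIOUS_SUFFIXES]

def report(before, after):
    """Findings as text lines; the uid on a flagged file shows which account wrote it."""
    added, modified, removed = diff_snapshots(before, after)
    flagged = set(suspicious(added + modified))
    lines = [f"SUSPICIOUS {p} uid={after[p][1]} mtime={after[p][2]} sha256={after[p][0]}"
             for p in sorted(flagged)]
    lines += [f"new {p}" for p in added if p not in flagged]
    lines += [f"changed {p}" for p in modified if p not in flagged]
    lines += [f"removed {p}" for p in removed]
    return lines

if __name__ == "__main__":
    import json, sys
    # Assumed paths: the web root named in the thread and a baseline file kept outside it.
    root = sys.argv[1] if len(sys.argv) > 1 else "/home/adminispconfig/web"
    baseline = Path("/var/tmp/webroot-baseline.json")
    current = snapshot(root)
    if baseline.exists():
        print("\n".join(report(json.loads(baseline.read_text()), current)) or "no changes")
    baseline.write_text(json.dumps(current))  # first run only records the baseline
```

    Run it from cron; the first run records the baseline and every later run prints what appeared, changed or vanished since, so a file that "returns" after deletion shows up with the uid that wrote it.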
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you have roundcube installed on this server? Then you should remove it and install the latest roundcube package. There is a vulnerability in older roundcube versions that allows an attacker to upload files to your server.
     
  3. shajazzi

    shajazzi Member

    Thanks till,
    I know that there are some HTML issues in the latest versions of roundcube that I have tried; does anyone have an older and more stable version kicking around?

    shajazzi
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    I'm not talking about any HTML issues. Older roundcube versions have a severe bug that allows others to take over your server, and that's what might have happened with your server. You have to install the latest releases or remove roundcube altogether if you don't want to open up your server to hackers.
     
