Web Hosting Forum | Lunarpages
Topic: xploits uploaded to my tmp directory
kavastudios
Space Explorer
« on: May 25, 2007, 12:34:57 AM »

Hi, I'm the webmaster of quetalvirtual.com. We have the Dedicated 2 plan and for the last 6 months everything was working fine; I was happy and could sleep peacefully, but since last week my server started to fail and becomes unresponsive.

I already opened a support ticket, which I'm going to paste below.

Quote
Please help me, I think someone is trying to attack my server.

I'm the webmaster of quetalvirtual.com and since last week my server has become unresponsive many times. Last Monday my server stopped responding and I asked for help in the dedicated chat; one of your technicians found that somebody was uploading files to my /tmp directory. He found the scripts holyshit.c and holyshit.c.1; I did some research and found that these scripts are exploits. The technician changed the permissions on these scripts to 000 and things started to work fine, but today I received a mail from cPanel warning me about an overload of the CPU. I checked the server status in WHM and found that the CPU was at 17%.

I logged in via SSH and got the following message:

 Message from syslogd@elhumildeservidor at Fri May 25 00:54:10 2007 ...
elhumildeservidor kernel: CPU1: Temperature above threshold

Message from syslogd@elhumildeservidor at Fri May 25 00:54:10 2007 ...
elhumildeservidor kernel: CPU1: Running in modulated clock mode

I checked the running processes and found this:
find /proc -mount -name stat* -exec cat {} ;
14471    nobody    0    2   0.1    find /proc -mount -name stat* -exec cat {} ;
12804    mailnull    0    2   0.3    /usr/sbin/exim -bd -q1h
12256    nobody    0    2   0.1    bash forkalot-test.sh
9570    nobody    0    2   0.1    bash forkalot-test.sh
11075    nobody    0    2   0.1    find /proc -mount -name stat* -exec cat {} ;
11973    nobody    0    2   0.1    find /proc -mount -name stat* -exec cat {} ;
14927    nobody    0    2   0.1    find /proc -mount -name stat* -exec cat {} ;
32043    nobody    0    1   0.1    bash forkalot-test.sh
22614    nobody    0    1   0.1    bash forkalot-test.sh

I checked in WHM for the top CPU-using processes and found this:


User   Domain   %CPU   %MEM   Mysql Processes
nobody      15.82   1.90   0.0
Top Process   %CPU 5.0   find /proc -mount -name stat* -exec cat {} ;
Top Process   %CPU 4.0   find /proc -mount -name stat* -exec cat {} ;
Top Process   %CPU 3.0   find /proc -mount -name stat* -exec cat {} ;

I did some research and found that these processes are triggered by a malicious script to overload the server with a race condition.

Here comes the strangest part:
While I was doing all this I checked my tmp directory and found some strange files that I had never seen before. These files were uploaded just minutes before I checked the directory:
k-rad3
k-rad3.c

I checked the content of these files and it was another exploit; inside the content a line describes the website where the exploit was downloaded from: http://milw0rm.com/

I chmod 000'd all the suspicious files in my tmp directory, but I think someone installed a backdoor or something on my server and I can't stop it. Please help me!!!!!
What can we do to stop this?

Checking these forums I followed this tutorial: http://www.lunarforums.com/index.php/topic,30205.0.html

But what else could I do to be sure that my tmp directory is secure?
What other things must I check to make my server more secure?

Please help me, I really will appreciate it.
Thank you, and sorry for my English; I'm Mexican and I learned English watching cartoons and movies.
perestrelka
Administrator
Jedi
« Reply #1 on: May 25, 2007, 02:58:08 AM »

Hello,

Since the exploited processes were running under the nobody user, more than likely one of your web scripts got exploited, because Apache uses the user nobody to execute PHP scripts in the default setup. It appears that you are running cPanel, and it secures the /tmp partition as much as possible during install.

What I would recommend doing in such a situation is:

- Change all account passwords.
- Check all your sites for any files you didn't upload.
- Remove all scripts you don't use and ensure that the ones that stay are up to date.

It is recommended to do the last thing on a regular basis, because security holes get found frequently in web applications.

I hope this helps.
Kind Regards,
Vlad Artamonov
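As an added example (not part of the reply above, and not cPanel's or Lunarpages' code), the checks the reply recommends can be scripted so they are repeatable instead of done by eye in WHM. The script below runs three of them on constructed sample data that mirrors the thread: a /tmp mounted without noexec, dropped k-rad3.c and holyshit.c.1 sources, and forkalot-test.sh running as nobody. On a real server you would feed it /proc/mounts, /tmp and the output of `ps -eo user,pid,args`. The web user nobody and the Apache path /usr/local/apache/bin/httpd are assumptions taken from the thread and from cPanel's default layout.

```shell
#!/bin/sh
# Added example, not code from the thread or from Lunarpages/cPanel.
# Three post-incident checks on a cPanel-style box, run here against
# constructed sample data so the script is safe to try offline.
# Assumptions: Apache runs PHP as "nobody" (as in the thread) and lives at
# /usr/local/apache/bin/httpd (cPanel's default path).

# 1. Does mount point $2 carry noexec in a /proc/mounts-style file $1?
#    noexec blocks the direct "./k-rad3" case but NOT "bash script.sh",
#    where the interpreter, not the script, is what gets executed.
mount_has_noexec() {
    opts=$(awk -v mp="$2" '$2 == mp { print $4 }' "$1")
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# 2. Files under $1 that look like dropped exploit code: C sources, the
#    ".c.1" copies a repeated wget leaves behind, or anything with the
#    owner-execute bit set. Benign PHP session files are not matched.
suspicious_files() {
    find "$1" -xdev -type f \( -name '*.c' -o -name '*.c.*' -o -perm -100 \) \
        -print 2>/dev/null | sort
}

# 3. Processes owned by the web user ($2, default nobody) whose binary is
#    not the Apache daemon. $1 is `ps -eo user,pid,args` output with header.
#    Prints "PID command" for each stray process.
web_user_stray_procs() {
    awk -v u="${2:-nobody}" \
        'NR > 1 && $1 == u && $3 !~ /^\/usr\/local\/apache\/bin\/httpd$/ { print $2, $3 }' "$1"
}

# Build a scratch directory of constructed inputs mimicking the thread and
# print its path. Nothing here touches the real /tmp or /proc.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/tmp"
    printf 'int main(void){return 0;}\n' > "$d/tmp/k-rad3.c"      # dropped source
    cp "$d/tmp/k-rad3.c" "$d/tmp/holyshit.c.1"                    # wget duplicate
    printf '#!/bin/sh\nwhile :; do :; done\n' > "$d/tmp/forkalot-test.sh"
    chmod 755 "$d/tmp/forkalot-test.sh"                            # executable dropper
    printf 'a|i:1;\n' > "$d/tmp/sess_abc123"                      # benign PHP session
    cat > "$d/mounts" <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,nosuid 0 0
/dev/sda4 /var ext3 rw,noexec,nosuid 0 0
EOF
    cat > "$d/ps.txt" <<'EOF'
USER       PID COMMAND
root         1 /sbin/init
nobody    9570 /usr/local/apache/bin/httpd -DSSL
nobody   12256 bash forkalot-test.sh
nobody   14471 find /proc -mount -name stat* -exec cat {} ;
mailnull 12804 /usr/sbin/exim -bd -q1h
EOF
    echo "$d"
}

# Run all three checks against a sample directory and print the findings.
report() {
    if mount_has_noexec "$1/mounts" /tmp; then
        echo "/tmp: noexec set"
    else
        echo "/tmp: noexec NOT set (compiled exploits can run from here)"
    fi
    echo "suspicious files in /tmp:"
    suspicious_files "$1/tmp"
    echo "processes running as nobody that are not httpd:"
    web_user_stray_procs "$1/ps.txt"
}

d=$(make_sample)
report "$d"
rm -rf "$d"
```

The caveat in the first check is the one that matters for this thread: the process list the poster captured shows `bash forkalot-test.sh`, which a noexec /tmp would not have stopped, so whether /tmp is "secured" says little about whether the web user is still running something it should not. The third check (what the nobody user is actually executing) is the one to repeat after cleanup.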
perestrelka
Administrator
Jedi
« Reply #2 on: May 25, 2007, 03:02:32 AM »


Just to add: messages like "kernel: CPU1: Temperature above threshold" can mean that the CPU is overheating. Please ask the sysadmins to check it.

Kind Regards,
Vlad Artamonov