Hi, I'm the webmaster of quetalvirtual.com. We have the dedicated 2 plan and for the last 6 months everything was working fine; I was happy and could sleep peacefully, but since last week my server started to fail and becomes unresponsive.
I already opened a support ticket, which I'm going to paste below.
Please help me, I think someone is trying to attack my server.
I'm the webmaster of quetalvirtual.com and since last week my server has become unresponsive many times. Last Monday my server stopped responding and I asked for help in the dedicated chat. One of your technicians found that somebody was uploading files to my /tmp directory; he found the scripts holyshit.c and holyshit.c.1. I did some research and found that these scripts are exploits. The technician changed the permissions on these scripts to 000 and things started to work fine, but today I received a mail from cPanel warning me about an overload of the CPU. I checked the server status in WHM and found that the CPU was at 17%.
I logged in over SSH and got the following message:
Message from syslogd@elhumildeservidor at Fri May 25 00:54:10 2007 ...
elhumildeservidor kernel: CPU1: Temperature above threshold
Message from syslogd@elhumildeservidor at Fri May 25 00:54:10 2007 ...
elhumildeservidor kernel: CPU1: Running in modulated clock mode
I checked the running processes and found this:
find /proc -mount -name stat* -exec cat {} ;
14471 nobody 0 2 0.1 find /proc -mount -name stat* -exec cat {} ;
12804 mailnull 0 2 0.3 /usr/sbin/exim -bd -q1h
12256 nobody 0 2 0.1 bash forkalot-test.sh
9570 nobody 0 2 0.1 bash forkalot-test.sh
11075 nobody 0 2 0.1 find /proc -mount -name stat* -exec cat {} ;
11973 nobody 0 2 0.1 find /proc -mount -name stat* -exec cat {} ;
14927 nobody 0 2 0.1 find /proc -mount -name stat* -exec cat {} ;
32043 nobody 0 1 0.1 bash forkalot-test.sh
22614 nobody 0 1 0.1 bash forkalot-test.sh
I checked in WHM for the top CPU usage processes and found this:
User Domain %CPU %MEM Mysql Processes
nobody 15.82 1.90 0.0
Top Process %CPU 5.0 find /proc -mount -name stat* -exec cat {} ;
Top Process %CPU 4.0 find /proc -mount -name stat* -exec cat {} ;
Top Process %CPU 3.0 find /proc -mount -name stat* -exec cat {} ;
I did some research and found that these processes are triggered by a malicious script to overload the server with a race condition.
Here comes the strangest part.
While I was doing all this I checked my tmp directory and found some strange files that I had never seen before; these files were uploaded just a few minutes before I checked the directory:
k-rad3
k-rad3.c
I checked the content of these files and it was another exploit, and inside the content a line describes the website where the exploit was downloaded from:
http://milw0rm.com/
I chmod 000 all the suspicious files in my tmp directory, but I think someone installed a backdoor or something on my server and I can't stop it. Please help me!!!!!
What can we do to stop this?
Checking these forums I followed this tutorial:
http://www.lunarforums.com/index.php/topic,30205.0.html
But what other things could I do to be sure that my tmp directory is secure?
What other things must I check to make my server more secure?
Please help me, I really will appreciate it.
Thank you, and sorry for my English; I'm Mexican and I learned English watching cartoons and movies.
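Added example, not part of the original post: a few POSIX shell checks for the indicators described above (processes owned by nobody that are shells or find jobs, a /tmp mounted without noexec/nosuid, and executable or .c files sitting in /tmp). The process listing is a constructed sample and the list of interpreter names is an assumption.

```shell
#!/bin/sh
# Constructed sample in the shape of the listing above: user, PID, command line.
SAMPLE_PS='nobody 14471 find /proc -mount -name stat* -exec cat {} ;
mailnull 12804 /usr/sbin/exim -bd -q1h
nobody 12256 bash forkalot-test.sh
root 1 init
nobody 8001 /usr/local/apache/bin/httpd'

# Print the PIDs of processes owned by the web-server user (nobody) whose
# command is an interpreter or find(1) instead of the web server itself.
# The list of interpreter names is an assumption; extend it for your host.
flag_nobody_procs() {
  printf '%s\n' "$1" | awk '
    $1 == "nobody" && ($3 == "bash" || $3 == "sh" || $3 == "perl" || $3 == "find") { print $2 }'
}

# Return 0 when the /tmp entry of a /proc/mounts-style listing carries both
# noexec and nosuid, 1 otherwise. Mounting /tmp that way stops binaries
# dropped there from being run, which is what the uploaded .c exploits needed.
tmp_is_hardened() {
  printf '%s\n' "$1" | awk '
    $2 == "/tmp" { n = split($4, o, ",")
                   for (i = 1; i <= n; i++) { if (o[i] == "noexec") e = 1; if (o[i] == "nosuid") s = 1 }
                   if (e && s) found = 1 }
    END { exit found ? 0 : 1 }'
}

# List regular files under a directory (default /tmp) that are executable or
# C sources, the two shapes the dropped files took (k-rad3 and k-rad3.c).
# -perm /111 is GNU find syntax.
suspicious_tmp_files() {
  find "${1:-/tmp}" -xdev -type f \( -perm /111 -o -name '*.c' \) 2>/dev/null
}

# Stand-alone run against the live host: sh check.sh --run
if [ "${1:-}" = "--run" ]; then
  echo "nobody PIDs running interpreters or find:"; flag_nobody_procs "$(ps -eo user=,pid=,args=)"
  tmp_is_hardened "$(cat /proc/mounts)" && echo "/tmp: noexec,nosuid" || echo "/tmp: NOT hardened"
  echo "suspicious files in /tmp:"; suspicious_tmp_files /tmp
fi
```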
