Chris Kenward
asked on
Just Been Hacked! Mironov Backdoor on Linux 2.4.x - proftpd exploit - How do I .... See below
Hi - well if you've read the header you'll know I've had one of our Linux servers hacked by someone called "Mironov" and it's possibly due to the exploit in PROFTPD. There are files in the /tmp folder... one called 'miro' (executable) and a new directory containing some stuff. Has anyone had this attack before and if so is there a way to easily clean it up and patch the PROFTPD package to get it sorted?
This particular server has more than 200 websites on it, so I'm quite desperate to clean it rather than having to rebuild it.
Can anyone help with this please?
Mucho appreciated - looking forward to your answers.
Chris
ASKER
Done that. Found that the system was listening on 8859 and discovered it was set up by Mironov to listen on that address. Whether it was sending or receiving, or how he gets into the box, is something I do not know.
I have so far:
1. Updated ProFTPd to the latest version.
2. Rebooted the box into single user mode and changed the root password
3. Removed the file 'miro' from the /tmp directory
4. Deleted a directory called .orbit* and all its sub folders
Not sure what else he would have infected. So far it looks OK and nothing has come back looking as though he has managed to once again get onto the box, so fingers crossed.
So - anyone know of this hack and definitively how to get rid of it?
Regards
Chris
Did you check with netstat -pan which process was listening?
Use find to find the files you removed all over your disks.
> .. or how he gets into the box, ..
Are you secured with a proper firewall? Then it most likely came in through a vulnerable web application.
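The disk-wide search ahoffmann suggests, applied to the names Chris reported deleting from /tmp ('miro' and a '.orbit*' directory), as an added example that is not part of the thread. It also lists setuid binaries, since a fresh setuid file is one way an intruder keeps root after the password is changed; the directory layout in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: sweep a filesystem for the artifacts
# the asker deleted from /tmp ('miro' and a '.orbit*' directory) so copies
# dropped elsewhere on disk are found too, and list setuid binaries.
# -xdev keeps each find on one filesystem; run it once per mount point.

# sweep_artifacts ROOT NAME... -> paths under ROOT whose basename matches a NAME
# NAME may be a shell pattern such as '.orbit*'; quote it so the shell does
# not expand it before find sees it.
sweep_artifacts() {
    root=$1
    shift
    for name in "$@"; do
        find "$root" -xdev -name "$name" -print 2>/dev/null
    done
}

# list_setuid ROOT [DAYS] -> setuid regular files under ROOT; with DAYS given,
# only those modified within the last DAYS days
list_setuid() {
    root=$1
    if [ -n "$2" ]; then
        find "$root" -xdev -type f -perm -4000 -mtime "-$2" -print 2>/dev/null
    else
        find "$root" -xdev -type f -perm -4000 -print 2>/dev/null
    fi
}

# count_lines CMD ARGS... -> number of lines CMD prints (for quick checks)
count_lines() {
    "$@" | wc -l | tr -d ' '
}

# Usage on the live box (names are the ones from the thread; paths assumed):
#   sweep_artifacts / miro '.orbit*'
#   list_setuid / 7
```

Review every hit by hand before deleting anything: a genuine setuid binary such as passwd or su will appear in the list, and a dropped copy of the backdoor may carry a different name on a second host.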
ASKER
Hi ahoffmann
No - he used a hole in proftpd to get into the server. Then set himself up as root, changed the root password, then put these files on the computer. Yes - as I said, the computer was listening on port 8859 which was HIS port.
Regards
Chris
ASKER
Sorry - YES - the whole server is protected by a firewall, but because the customers need access via FTP this was the problem
oops, you said that proftp was the hole.
No one needs ftp, except attackers to gain access ;-)
ASKER
Problem is that on our servers we do not use control panel access for customers to update their websites so we allow FTP to the server from anywhere. Are you suggesting there is another way?
Regards
Chris
ssh/scp
ASKER
SCP? Don't know what this is?
ASKER CERTIFIED SOLUTION
good point jlevie
A "copy-only" solution is already there:
http://www.pizzashack.org/rssh/
http://sublimation.org/scponly/
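An added example, not part of the thread and not code from rssh or scponly: the same copy-only account that those tools provide is built into OpenSSH as internal-sftp forced through a Match block, so customers can upload their sites over SFTP and never get a shell. The group name sftponly and the chroot layout are assumptions; the audit function checks an sshd_config file for the directives.

```shell
#!/bin/sh
# Added example, not from the thread: a copy-only SFTP account using OpenSSH's
# internal-sftp instead of rssh/scponly, plus an audit of sshd_config for it.

# Fragment to append to sshd_config. The group name "sftponly" is an
# assumption. ChrootDirectory must be owned by root and not writable by
# group or others; give the user a writable subdirectory for uploads.
SFTP_ONLY_FRAGMENT='
Subsystem sftp internal-sftp

Match Group sftponly
    ForceCommand internal-sftp
    ChrootDirectory %h
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
'

# has_directive FILE DIRECTIVE VALUE_REGEX -> 0 if a line "DIRECTIVE VALUE"
# appears in FILE (sshd keywords are case-insensitive, hence -i)
has_directive() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|\$)" "$1"
}

# audit_sftp_only FILE -> 0 when every copy-only setting is present
audit_sftp_only() {
    f=$1
    has_directive "$f" Subsystem "sftp[[:space:]]+internal-sftp" &&
    has_directive "$f" Match "Group[[:space:]]+sftponly" &&
    has_directive "$f" ForceCommand internal-sftp &&
    has_directive "$f" ChrootDirectory '[^[:space:]]+' &&
    has_directive "$f" AllowTcpForwarding no &&
    has_directive "$f" X11Forwarding no
}

# write_fragment FILE -> appends the fragment to FILE (e.g. /etc/ssh/sshd_config)
write_fragment() {
    printf '%s\n' "$SFTP_ONLY_FRAGMENT" >> "$1"
}

# Usage: write_fragment /etc/ssh/sshd_config && audit_sftp_only /etc/ssh/sshd_config
# then validate with `sshd -t` and reload sshd; add each customer to the
# sftponly group and give the account no usable login shell.
```

The audit only confirms the directives are present, not that they sit inside the Match block, so keep the fragment at the end of the file where Match blocks belong and run `sshd -t` after editing.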
SOLUTION
FTP is obsolete in current networks. Replace it with ssh/scp.
Having said this, we can focus on the backdoor.
Check with
netstat -an
which ports are open (LISTEN), then with
netstat -pan
which process has it open (for those which are not usual, like httpd)
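One way to run the netstat check from this post and from ahoffmann's earlier reply over a whole listing, as an added example that is not part of the thread. The netstat sample is constructed: the PIDs and the program name behind port 8859 are invented for the demonstration (8859 itself is the port Chris reported), and the allow-list of expected daemons is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: flag listening sockets in `netstat -pan`
# output whose owning program is not on an allow-list of expected daemons.
# On current systems `ss -ltunp` gives the same columns of information.

# Constructed sample of `netstat -pan` output (PIDs and the process on
# port 8859 are invented for this example).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1120/proftpd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1340/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      980/sshd
tcp        0      0 0.0.0.0:8859            0.0.0.0:*               LISTEN      2217/miro
tcp        0      0 10.0.0.5:80             10.0.0.9:51234          ESTABLISHED 1340/httpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           770/ntpd'

# unexpected_listeners "prog1 prog2 ..." < netstat-output
# Prints "local-address pid/program" for every TCP socket in LISTEN and
# every UDP socket whose program is not in the allow-list. A "-" in the
# PID column (netstat run without root) has no program name and is
# reported too, so run netstat as root.
unexpected_listeners() {
    awk -v allow="$1" '
        function report(addr, pidprog,   p) {
            split(pidprog, p, "/")
            if (!(p[2] in ok)) print addr, pidprog
        }
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" { report($4, $7) }
        $1 ~ /^udp/                   { report($4, $6) }
    '
}

# triage_sample -> runs the check over the constructed sample
triage_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "proftpd httpd sshd ntpd"
}

# On the live box:  netstat -pan | unexpected_listeners "proftpd httpd sshd"
```

Anything the script prints deserves a look at /proc/PID/exe and /proc/PID/cwd before the process is killed, since the binary on disk may already have been deleted while the process keeps running.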