Wallym
asked on
How to stop Malicious outbound attack from dedicated server
We have a dedicated server which seems to be hacked. Here is what the techs from the company where we host the server are saying:
We have received reports of malicious outbound traffic originating from your server. This indicates possible server compromise. You will need to audit your system to ensure all scripts are currently updated to the most current version.
high
168.9% of 50.0 kpps 41.12 Mbps
119.48 kpps 0:20
(Ongoing) Tue, Nov 24 2009, 08:37:15
Total 08:37:15
Total Traffic
(Misuse) RIPE
89.13.230.151/32
------
Dear customer,
At current it does not look like your server has been root compromised by a base scan from rkhunter. All results have been written to the logfile (/var/log/rkhunter.log)
It does look like there are several files in the /tmp file that look to have possibly been uploaded through a vulnerability in one of your programs. You will need to audit your sites and program setup to further diagnose these issues and prevent this type of issue.
---------
What I need is to know what script to use or what to do so this can be stopped and doesn't happen again. Please provide all steps on how to stop this.
The host company can shut down the server if we don't get it resolved soon.
Thanks,
Wally
Can you get the list of files in /tmp?
ASKER
It doesn't look like much, but this is what is in there:
Owner: xfs
/tmp/.font-unix/
Rights: rwxrwxrwt
Inside File: fs7100
File size: 0
Owner: root
/tmp/.ICE-unix/
Rights: rwxrwxrwt
Inside File: (empty)
Owner: root
/tmp/ce/
Rights: rwxrwx--x
Inside File: adodb_ce1cd942945d5043f89000f99ceadbb2.cache
File size: 32,305
(this file is attached)
Let me know if you have any more questions.
Thanks,
Wally
ce.zip
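A defender-side triage helper for the situation in this thread, added here as an example (it was not posted by anyone in the thread). It assumes a Linux host with find, stat and /proc, takes the directory to inspect as a parameter so it can be pointed at /tmp or at a copy, and separates "review this" hits (executable, recently modified, or hidden under a dot-directory) from files that look like ordinary application cache output such as the adodb_*.cache file listed above. It also walks /proc to find processes whose binary runs from that directory or was deleted after launch, which a directory listing alone never shows.

```shell
#!/bin/sh
# Added triage helper for a suspected web-upload compromise (not from the
# original thread). Assumes Linux with GNU/BusyBox find, stat and /proc.

# Regular files under $1 worth a closer look: executable, modified in the
# last $2 days (default 7), or living under a dot-directory. A plain
# ADOdb query cache file (adodb_<md5>.cache, mode 644, old mtime) drops
# out; an uploaded tool with +x or a fresh mtime does not.
# Output: epoch_mtime|owner|octal_mode|path, oldest first.
triage_tmp() {
    dir=$1
    days=${2:-7}
    find "$dir" -xdev -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \
           -o -mtime "-$days" -o -path '*/.*' \) \
        -exec stat -c '%Y|%U|%a|%n' {} + 2>/dev/null | sort -n
}

# Running processes whose binary lives under $1, or whose binary was
# unlinked after launch (a flood bot started from /tmp often deletes
# itself so the directory looks clean while it keeps sending traffic).
# Output: pid|resolved_exe|cmdline. Only processes readable by the caller
# are reported, so run it as root on the real server.
procs_from_dir() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            "$dir"/*|*' (deleted)')
                pid=${exe#/proc/}; pid=${pid%/exe}
                cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
                printf '%s|%s|%s\n' "$pid" "$target" "$cmd"
                ;;
        esac
    done
}

# Usage on the box: TRIAGE_DIR=/tmp sh triage.sh
# Review the hits and copy anything suspicious off the server for
# analysis before deleting it; the file content and the owning process
# tell you which site or script the attacker came in through.
if [ -n "$TRIAGE_DIR" ]; then
    echo "== files =="; triage_tmp "$TRIAGE_DIR" 7
    echo "== processes =="; procs_from_dir "$TRIAGE_DIR"
fi
```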
ASKER CERTIFIED SOLUTION
ASKER
Ok Drawlin, but how do I patch the webserver? What can I do to prevent it from happening again?
SOLUTION
SOLUTION