Wallym asked:
How to stop Malicious outbound attack from dedicated server

We have a dedicated server which seems to be hacked. Here is what the techs from the company where we host the server are saying:

We have received reports of malicious outbound traffic originating from your server. This indicates possible server compromise. You will need to audit your system to ensure all scripts are currently updated to the most current version.

high
168.9% of 50.0 kpps 41.12 Mbps
119.48 kpps 0:20
(Ongoing) Tue, Nov 24 2009, 08:37:15
Total 08:37:15
Total Traffic
(Misuse) RIPE
89.13.230.151/32

------

Dear customer,

At current it does not look like your server has been root compromised, based on a base scan from rkhunter. All results have been written to the logfile (/var/log/rkhunter.log).

It does look like there are several files in /tmp that look to have possibly been uploaded through a vulnerability in one of your programs. You will need to audit your sites and program setup to further diagnose these issues and prevent this type of issue.

---------

What I need is to know what script to use or what to do so this can be stopped and doesn't happen again. Please provide all steps on how to stop this.

The host company can shut down the server if we don't get it resolved soon.

Thanks,

Wally
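An added triage script for the situation Wally describes above: an outbound packet flood from a Linux box whose web stack probably let someone drop files into /tmp. This is example code, not part of the thread and not what the hosting company's techs ran. It assumes a Linux host with /proc, a POSIX awk and net-tools (netstat -anup); the scratch directories it looks in, the 20-socket threshold and the 7-day window are assumptions chosen for illustration. The last check (whether /tmp is mounted noexec) speaks to the "doesn't happen again" part of the question rather than to stopping the current flood.

```shell
#!/bin/sh
# Triage helpers for a Linux server reported as the source of an outbound
# flood.  Example code, not from the thread.  Assumes /proc, POSIX awk and
# net-tools netstat; directory list, thresholds and windows are assumptions.

# 1. Processes running out of world-writable directories, or from a binary
#    unlinked after exec (readlink reports "<path> (deleted)").  Input lines
#    are "<pid> <uid> <exe-path>", as produced by collect_procs.
flag_tmp_execs() {
    awk '$NF == "(deleted)" || $3 ~ "^/(tmp|var/tmp|dev/shm)/" { print }'
}

# Walk /proc and emit "<pid> <uid> <exe-path>" for every live process.
# A hit owned by the web server's uid (apache, www-data, nobody) fits the
# "uploaded through a vulnerability in one of your programs" diagnosis.
collect_procs() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue   # kernel threads have no exe
        uid=$(awk '/^Uid:/ { print $2; exit }' "$p/status" 2>/dev/null)
        printf '%s %s %s\n' "${p#/proc/}" "${uid:-?}" "$exe"
    done
}

# 2. Which process owns the most UDP/raw sockets?  Flooders that spray source
#    ports open many of them.  Input: "netstat -anup" style lines whose last
#    column is "<pid>/<program>" ("-" when unknown, which is skipped).
#    Prints "<count> <pid>/<program>" for each owner at or above the threshold.
socket_hogs() {
    threshold=${1:-20}
    awk -v t="$threshold" '
        $1 ~ /^(udp|raw)/ && $NF ~ /^[0-9]+\// { n[$NF]++ }
        END { for (k in n) if (n[k] >= t) print n[k], k }' | sort -rn
}

# 3. Files recently written into a scratch directory (dotfiles included,
#    since droppers like names such as /tmp/.x).  Window defaults to 7 days.
recent_tmp_files() {
    dir=$1; days=${2:-7}
    find "$dir" -xdev -type f -mtime "-$days" 2>/dev/null | LC_ALL=C sort
}

# 4. Can a file dropped in /tmp be executed at all?  Reads /proc/mounts format
#    on stdin and prints "noexec" or "exec".  /tmp that is not its own mount
#    inherits the root filesystem's options, which are normally exec.
tmp_exec_policy() {
    awk '$2 == "/tmp" { policy = ($4 ~ /(^|,)noexec(,|$)/) ? "noexec" : "exec" }
         END { if (policy == "") policy = "exec"; print policy }'
}

# Live run, as root:
#   collect_procs | flag_tmp_execs
#   netstat -anup | socket_hogs 20
#   for d in /tmp /var/tmp /dev/shm; do recent_tmp_files "$d"; done
#   tmp_exec_policy < /proc/mounts
```

A process flagged by the first two checks is the thing to stop, but copy its binary and its /proc/<pid>/cmdline, cwd and environ before killing it: that material, together with the web server's access log around the file's mtime, is what identifies the vulnerable script the host is asking you to audit. A `.cache` file in /tmp written by a PHP library is not by itself evidence of compromise; the executable-in-/tmp and socket-count checks are the ones that separate a flooder from ordinary scratch files.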

xmachine:

Can you get the list of files in /tmp ?
Wallym (asker):

It doesn't look like much, but this is what is in there:

Owner: xfs
/tmp/.font-unix/
Rights: rwxrwxrwt
Inside File: fs7100
File size: 0

Owner: root
/tmp/.ICE-unix/
Rights: rwxrwxrwt
Inside File: (empty)

Owner: root
/tmp/ce/
Rights: rwxrwx--x
Inside File: adodb_ce1cd942945d5043f89000f99ceadbb2.cache
File size: 32,305
(this file is attached)

Let me know if you have any more questions.

Thanks,

Wally
Attachment: ce.zip

drawlin (accepted solution):

[Solution text available only to Experts Exchange members.]
Wallym (asker):

OK, Drawlin, but how do I patch the webserver? What can I do to prevent it from happening again?
[Two further solutions were posted; their text is available only to Experts Exchange members.]