Port Scanner

Hi

I am running an unmanaged Dedicated Server hosted with a company, running CentOS 6.6. Today I got an email from them saying that they have received complaints of malicious activity originating from my server, and asking me to check whether the machine has been compromised and is now being used by intruders for malicious activities.

I checked ps aux and found that pnscan and masscan were running from the /home.cache directory.

I killed the process, removed .cache directory and changed the passwords.

I want your suggestions about how these port scanners could have entered my system and how I can get rid of them completely. It is very difficult to rebuild the server. Also, is this some kind of trojan or virus?
sysautomation asked:

arnold commented:
What services does the system have/does web, FTP, mail, xinetd?
Who has login rights on the server, does root have login rights?
Suedish commented:
Did you find out which user was running those scans? Check the ~/.bash_history file to see the command history for that user and for root, perhaps you can find out something that way.

Also, it's more than likely they would have put in a backdoor as well for continued access. Have there been any new users added that should not be there? Is there anything else running that is not supposed to be running? Don't limit yourself to looking for scanners only.

Use 'netstat -an' and scroll up to the active internet connections, are there any ports being used that you do not expect?

If you are sure nothing unwanted is running then you could also verify with your hosting company that the malicious traffic has stopped.
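The checks Suedish describes (unexpected listening ports, connections the host itself has opened, accounts that should not exist) can be scripted so they are repeatable. The script below is an added example, not code from anyone in this thread. It parses text in the layout that `netstat -ant` and /etc/passwd produce on CentOS 6; the netstat and passwd samples embedded in it are constructed for illustration, and the allowlist of expected ports (22, 80, 443) is an assumption to adjust for the server in question.

```shell
#!/bin/bash
# Added triage helper, not code from this thread. It parses text in the
# format that `netstat -ant` and /etc/passwd produce and prints the items a
# responder looks at first. The samples below are constructed for illustration;
# run with --live to read the real netstat output and /etc/passwd instead.

# Listening ports this server is expected to offer (assumed: ssh, http, https).
EXPECTED_PORTS="22 80 443"

# Constructed sample in the layout CentOS 6's `netstat -ant` prints.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:6667                0.0.0.0:*                   LISTEN
tcp        0      0 203.0.113.10:22             198.51.100.7:51234          ESTABLISHED
tcp        0      0 203.0.113.10:45120          192.0.2.55:6667             ESTABLISHED'

# Constructed sample of /etc/passwd: one legitimate admin plus a planted UID-0 account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sysadmin:x:500:500::/home/sysadmin:/bin/bash
backup:x:0:0::/tmp:/bin/bash'

# LISTEN ports that are not in EXPECTED_PORTS, one per line.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allow="$EXPECTED_PORTS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)
            if (!(port in ok)) print port
        }'
}

# Remote endpoints of ESTABLISHED connections that this host initiated, i.e.
# whose local port is an ephemeral one rather than an expected service port.
# A scanner or bot phoning out shows up here even when it listens on nothing.
outbound_connections() {
    printf '%s\n' "$1" | awk -v allow="$EXPECTED_PORTS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
            lport = $4; sub(/.*:/, "", lport)
            if (!(lport in ok)) print $5
        }'
}

# Accounts with UID 0 other than root, or whose home directory lives in a
# world-writable scratch location (/tmp, /dev/shm), one username per line.
suspicious_accounts() {
    printf '%s\n' "$1" | awk -F: '
        ($3 == 0 && $1 != "root") || $6 ~ /^\/tmp/ || $6 ~ /^\/dev\/shm/ { print $1 }'
}

# Demonstration on the constructed samples; --live reads the real host instead.
if [ "${1:-}" = "--live" ]; then
    NETSTAT_OUT=$(netstat -ant)
    PASSWD_OUT=$(cat /etc/passwd)
else
    NETSTAT_OUT=$SAMPLE_NETSTAT
    PASSWD_OUT=$SAMPLE_PASSWD
fi
echo "== LISTEN ports not in the allowlist =="
unexpected_listeners "$NETSTAT_OUT"
echo "== connections initiated from this host =="
outbound_connections "$NETSTAT_OUT"
echo "== accounts needing a second look =="
suspicious_accounts "$PASSWD_OUT"
```

On the constructed sample the script reports port 6667 as an unexpected listener, the outbound connection to 192.0.2.55:6667 (opened from an ephemeral local port, so the host initiated it), and the account "backup", which has UID 0 and a home directory under /tmp. Anything it prints on a real host is a lead to investigate, not proof of compromise by itself.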

sysautomation (author) commented:
Thanks Suedish

netstat -na shows some lines like following:

unix  3      [ ]         STREAM     CONNECTED     44861  /tmp/orbit-myhostname/linc-2110-0-30808b87dc57a
unix  3      [ ]         STREAM     CONNECTED     44860
unix  3      [ ]         STREAM     CONNECTED     44857  /tmp/orbit-myhostname/linc-20f1-0-1904c4cb8bea1

I am not sure what is that for. Does it look normal?
Suedish commented:
That's normal. I'm more interested in the info under the header 'Active Internet connections (servers and established)', which should be visible if you scroll up a bit from the text you pasted, or just type "netstat -ant". There you will see a list of open ports; have a look through that to make sure there's nothing out of the ordinary going on.
serialband commented:
I wouldn't have removed that cache directory immediately. I would have moved it first to do some examination. Which account owned the folder? What was the time stamp? You could have used the time stamp to narrow down the log ranges that you needed to check. Frequently, they have data in them showing some sort of owner name, allowing you to narrow down the origins.


You probably need to scan for additional rootkits on your system.  If you don't know how to do it manually, you can download tools to do it for you.  https://www.rootkit.nl/software/rootkit-hunter/

You should probably attempt to track down the account that was used to get into your server, if you have accounts that are not root.  If you only have a root account, I suggest you make the password much more complex and use an ssh key instead of a password.  You should probably also block ssh from unknown IPs.  Install fail2ban for ssh, if you don't know how to set iptables to do that.
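serialband's two points, preserve the directory rather than delete it and stop relying on SSH passwords, can both be done from the shell. The script below is an added example, not code from anyone in this thread. quarantine_dir moves a suspect directory into a quarantine location after recording owner, timestamps and file hashes (so the mtime can still be used to narrow the log window, as serialband suggests); files_changed_since lists files modified after the quarantined directory was; sshd_weak_settings reports the sshd_config directives that still allow password logins. It assumes GNU coreutils (stat -c, sha256sum) and root privileges; the sshd_config sample and all paths in the usage comments are constructed or assumed.

```shell
#!/bin/bash
# Added example, not code from this thread: preserve a suspect directory
# instead of deleting it, record what a responder needs later (owner, mtime,
# file hashes), and list the sshd settings that still allow password guessing.
# Requires GNU coreutils (stat -c, sha256sum); assumed to run as root.

# Move $1 into quarantine root $2, after recording ownership, timestamps and
# content hashes. Prints the quarantined path. mv within one filesystem keeps
# the original inode metadata, so mtimes stay usable for log correlation.
quarantine_dir() {
    suspect=$1
    qroot=$2
    mkdir -p "$qroot"
    dest="$qroot/$(basename "$suspect").$(date +%Y%m%dT%H%M%S)"
    # owner, group, last-modification time, path: the directory itself and every file in it
    stat -c '%U %G %y %n' "$suspect" >> "$qroot/metadata.txt"
    find "$suspect" -type f -exec stat -c '%U %G %y %n' {} + >> "$qroot/metadata.txt"
    find "$suspect" -type f -exec sha256sum {} + >> "$qroot/hashes.txt"
    mv "$suspect" "$dest"
    echo "$dest"
}

# Files under $1 modified after the quarantined directory $2 last changed;
# narrows the window in which to read auth logs and look for other dropped files.
files_changed_since() {
    find "$1" -xdev -type f -newer "$2" 2>/dev/null
}

# Constructed sample of an /etc/ssh/sshd_config with CentOS 6 defaults left in place.
SAMPLE_SSHD_CONFIG='Port 22
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes'

# Print each setting that still permits password-guessing logins. Commented
# lines are ignored; a directive that is absent is reported with sshd's
# default, which on this OpenSSH generation is "yes" for both. PermitRootLogin
# without-password is accepted, since it only allows key-based root logins.
sshd_weak_settings() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "permitrootlogin" {
            seen_root = 1
            if (tolower($2) != "no" && tolower($2) != "without-password") print "PermitRootLogin " $2
        }
        tolower($1) == "passwordauthentication" {
            seen_pw = 1
            if (tolower($2) != "no") print "PasswordAuthentication " $2
        }
        END {
            if (!seen_root) print "PermitRootLogin yes (default, directive absent)"
            if (!seen_pw)   print "PasswordAuthentication yes (default, directive absent)"
        }'
}

# Demonstration on the constructed sshd_config sample.
echo "== sshd settings that allow password guessing (sample config) =="
sshd_weak_settings "$SAMPLE_SSHD_CONFIG"

# Usage on a real host (paths assumed, not taken from this thread):
#   quarantine_dir /path/to/suspect/.cache /root/ir-quarantine
#   files_changed_since /var/log /root/ir-quarantine/.cache.<timestamp>
#   sshd_weak_settings "$(cat /etc/ssh/sshd_config)"
```

After fixing the directives sshd_weak_settings reports (PermitRootLogin no, PasswordAuthentication no, with a key already installed in authorized_keys), restart sshd from a second open session so a mistake in the config does not lock you out.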