help!!!!


thecheatah
03-19-2005, 20:04
My server was recently hacked and I found an account named guest with admin privileges... :eek: I removed that account and updated all my software to the latest... can anyone help me prevent this from happening again... here is my netstat:


Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 5455/stunnel-4.04lo
tcp 0 0 0.0.0.0:1 0.0.0.0:* LISTEN 3332/portsentry
tcp 0 0 0.0.0.0:2082 0.0.0.0:* LISTEN 5458/cpsrvd - waiti
tcp 0 0 0.0.0.0:2083 0.0.0.0:* LISTEN 5455/stunnel-4.04lo
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 5455/stunnel-4.04lo
tcp 0 0 0.0.0.0:2084 0.0.0.0:* LISTEN 3018/entropychat
tcp 0 0 0.0.0.0:2086 0.0.0.0:* LISTEN 5458/cpsrvd - waiti
tcp 0 0 0.0.0.0:2087 0.0.0.0:* LISTEN 5455/stunnel-4.04lo
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 28615/mysqld
tcp 0 0 0.0.0.0:6666 0.0.0.0:* LISTEN 3025/startmelange
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 2984/cppop - accept
tcp 0 0 0.0.0.0:2095 0.0.0.0:* LISTEN 5458/cpsrvd - waiti
tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN 4943/spamd.pid --ma
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 3332/portsentry
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 2692/xinetd
tcp 0 0 0.0.0.0:2096 0.0.0.0:* LISTEN 5455/stunnel-4.04lo
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2794/httpd
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 2770/exim
tcp 0 0 66.90.103.71:53 0.0.0.0:* LISTEN 2887/named
tcp 0 0 66.90.103.67:53 0.0.0.0:* LISTEN 2887/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 2887/named
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 2668/proftpd: (acce
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2678/sshd
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 2887/named
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 2766/exim
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2794/httpd
tcp 0 0 66.90.103.67:80 24.7.181.17:2065 FIN_WAIT2 -
tcp 0 0 66.90.103.67:80 69.236.48.163:4400 ESTABLISHED 2963/httpd
tcp 0 0 66.90.103.67:80 24.7.181.17:2066 FIN_WAIT2 -
tcp 0 0 66.90.103.67:80 69.111.77.155:4008 FIN_WAIT2 -
tcp 0 0 66.90.103.67:80 202.179.137.14:19423 TIME_WAIT -
tcp 0 0 66.90.103.71:80 72.252.15.243:2461 ESTABLISHED 31759/httpd
tcp 0 0 66.90.103.71:80 72.252.15.243:2460 ESTABLISHED 31489/httpd
tcp 0 0 66.90.103.67:80 24.81.239.243:4183 TIME_WAIT -
tcp 0 1892 66.90.103.67:80 4.27.245.244:50246 ESTABLISHED 31200/httpd
tcp 0 0 66.90.103.67:80 66.81.20.100:1084 ESTABLISHED 2973/httpd
tcp 0 52 66.90.103.67:22 68.44.67.77:1827 ESTABLISHED 31559/sshd
udp 0 0 0.0.0.0:32775 0.0.0.0:* 2887/named
udp 0 0 66.90.103.71:53 0.0.0.0:* 2887/named
udp 0 0 66.90.103.67:53 0.0.0.0:* 2887/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 2887/named
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 1129145 28615/mysqld /var/lib/mysql/mysql.sock
unix 9 [ ] DGRAM 2396 2585/syslogd /dev/log
unix 3 [ ] STREAM CONNECTED 1219974 28615/mysqld /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 1219973 2960/httpd
unix 3 [ ] STREAM CONNECTED 1163167 28615/mysqld /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 1163166 2969/httpd
unix 3 [ ] STREAM CONNECTED 1153755 28615/mysqld /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 1153754 2973/httpd
unix 3 [ ] STREAM CONNECTED 1141070 28615/mysqld /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 1141069 2963/httpd
unix 3 [ ] STREAM CONNECTED 1136098 28615/mysqld /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 1136097 2964/httpd
unix 3 [ ] STREAM CONNECTED 1136094 28615/mysqld /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 1136093 2962/httpd
unix 3 [ ] STREAM CONNECTED 1136091 28615/mysqld /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 1136090 3048/httpd
unix 3 [ ] STREAM CONNECTED 1136088 28615/mysqld /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 1136087 2969/httpd
unix 3 [ ] STREAM CONNECTED 1136085 28615/mysqld /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 1136084 2974/httpd
unix 3 [ ] STREAM CONNECTED 1136082 28615/mysqld /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 1136081 2973/httpd
unix 3 [ ] STREAM CONNECTED 1136079 28615/mysqld /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 1136078 2983/httpd
unix 3 [ ] STREAM CONNECTED 1136076 28615/mysqld /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 1136075 2961/httpd
unix 3 [ ] STREAM CONNECTED 1132749 28615/mysqld /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 1132748 28666/perl
unix 3 [ ] STREAM CONNECTED 1130627 28615/mysqld /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 1130626 2962/httpd
unix 3 [ ] STREAM CONNECTED 1130624 28615/mysqld /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 1130623 3048/httpd
unix 2 [ ] DGRAM 108058 5455/stunnel-4.04lo
unix 2 [ ] DGRAM 94833 4943/spamd.pid --ma
unix 2 [ ] DGRAM 16523 3301/rhnsd
unix 2 [ ] DGRAM 4646 2887/named
unix 2 [ ] DGRAM 3545 2819/crond
unix 2 [ ] DGRAM 2624 2692/xinetd
unix 2 [ ] DGRAM 2404 2589/klogd

are there any ports or programs running that shouldn't be????
please help...
and I think that person may have hacked ssh...
is that even possible?
I am so confused lol
and annoyed...

I have also disabled most other websites and accounts temporarily...

and if there is any other information you would like to know about my server I can post it here
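One way to answer "are there any ports running that shouldn't be" from a netstat dump like the one above is to pull out the listening sockets, keep the ones bound to every interface, and compare their ports against the services the box is actually meant to offer. This is an added example, not code from the thread; the sample dump, the allowlist and the names are constructed for illustration and should be adjusted to the host in question.

```python
import re

# Constructed sample in the layout of the thread's "netstat -tulnp" output
# (two expected listeners, a localhost-only one, a wildcard-bound database
# and chat port, an established client and a udp socket); not the real box.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2678/sshd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2794/httpd
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 28615/mysqld
tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN 4943/spamd.pid --ma
tcp 0 0 0.0.0.0:6666 0.0.0.0:* LISTEN 3025/startmelange
tcp 0 0 66.90.103.67:80 69.236.48.163:4400 ESTABLISHED 2963/httpd
udp 0 0 0.0.0.0:32775 0.0.0.0:* 2887/named
"""

# tcp lines carry a LISTEN state column; udp lines have no state column at all,
# so the state is optional and established tcp connections never match.
SOCKET_RE = re.compile(
    r"^(tcp|udp)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?(\d+|-)/(\S+)"
)

def parse_listeners(text):
    """Return (proto, bind_addr, port, pid, program) for each listening socket."""
    found = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            proto, addr, port, pid, prog = m.groups()
            found.append((proto, addr, int(port), pid, prog))
    return found

# Ports this host is meant to expose to the world (an assumed allowlist;
# adjust it to the services the box is really supposed to offer).
EXPECTED_PUBLIC = {21, 22, 25, 53, 80, 110, 143, 443, 465, 993, 995}

def wildcard_bound(listeners):
    """Sockets bound to every interface, i.e. reachable from outside unless filtered."""
    return [s for s in listeners if s[1] in ("0.0.0.0", "::", "*")]

def audit(listeners, expected=EXPECTED_PUBLIC):
    """Wildcard-bound sockets whose port is not on the allowlist: bind them to
    127.0.0.1, firewall them, or stop the service if it is not needed."""
    return [s for s in wildcard_bound(listeners) if s[2] not in expected]

if __name__ == "__main__":
    for proto, addr, port, pid, prog in audit(parse_listeners(SAMPLE)):
        print(f"review: {proto} {addr}:{port} pid={pid} ({prog})")
```

Run against real output with `netstat -tulnp` (or `ss -tulnp`) redirected to a file; the localhost-only spamd socket is ignored while the wildcard-bound mysqld, chat and named sockets are reported for review.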

arty
03-19-2005, 22:54
try running chkrootkit

thecheatah
03-19-2005, 23:36
I think we did but we didn't find anything

Vlad
03-21-2005, 15:34
If he was logged in with guest it's not any vulnerability; there is currently a scanner that checks a few users of boxes, it tries all possibilities like this:

u: guest p: guest ; u: guest p: guest123 ; u: guest p: guest123456 ; u: guest p: 123 ; u: guest p: 123456 ; u: admin p: admin and so on, you probably had on the guest user password guest or one of those I mentioned and that's why you were 'hacked'
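The scanner Vlad describes leaves a recognisable trail in the sshd log: one source address walking through generic accounts (guest, admin, root) and, if a weak password exists, eventually an accepted login. The detection below is an added example, not code from the thread; the log lines are constructed in syslog format with documentation-range addresses, and the threshold is an assumption to tune per host.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (syslog format, documentation-range addresses):
# one source tries guest/admin/root and finally gets in as guest, while an
# ordinary user mistypes once and then logs in with a key.
SAMPLE_LOG = """\
Mar 19 18:02:11 box sshd[3111]: Failed password for guest from 203.0.113.9 port 4021 ssh2
Mar 19 18:02:13 box sshd[3113]: Failed password for invalid user admin from 203.0.113.9 port 4022 ssh2
Mar 19 18:02:15 box sshd[3115]: Failed password for root from 203.0.113.9 port 4023 ssh2
Mar 19 18:02:20 box sshd[3119]: Accepted password for guest from 203.0.113.9 port 4025 ssh2
Mar 19 19:10:01 box sshd[3301]: Failed password for alice from 198.51.100.7 port 5100 ssh2
Mar 19 19:10:30 box sshd[3305]: Accepted publickey for alice from 198.51.100.7 port 5101 ssh2
"""

# "invalid user" appears when the account does not exist; it is optional here.
EVENT_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) (\w+) for (invalid user )?(\S+) from (\S+) port \d+"
)

def parse_events(text):
    """Return (outcome, auth_method, user, ip) for every login attempt line."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            outcome, method, _invalid, user, ip = m.groups()
            events.append((outcome, method, user, ip))
    return events

def suspicious_sources(events, threshold=3):
    """Per source IP, count failures and distinct usernames tried. Report an IP
    when it reaches the failure threshold, or when a login is accepted after it
    has already tried two or more accounts (a successful guess, not a typo)."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "accepted": []})
    for outcome, method, user, ip in events:
        s = stats[ip]
        if outcome == "Failed":
            s["failures"] += 1
            s["users"].add(user)
        elif len(s["users"]) >= 2:
            s["accepted"].append((user, method))
    return {ip: s for ip, s in stats.items()
            if s["failures"] >= threshold or s["accepted"]}

if __name__ == "__main__":
    for ip, s in suspicious_sources(parse_events(SAMPLE_LOG)).items():
        print(ip, s["failures"], sorted(s["users"]), s["accepted"])
```

An accepted password login that follows a spray of generic usernames from the same address is the case to treat as a compromise rather than noise; disabling unused accounts and password authentication removes the condition the scanner relies on.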

thecheatah
03-21-2005, 19:52
This is our second server which was hacked on FDC. The previous one got terminated. This hack was not a "random" thing. Someone is hacking my servers on purpose I believe :-\. I'm not good with Linux but is a guest account usually there?

mikron15
03-21-2005, 22:08
Not sure about the guest account.. I doubt a guest account is created by default. As for Linux boxes getting hacked, it happens always. Hence you need to secure it and don't give out root info or if possible shell access. Set tough passwords, avoid giving access to 3rd party for installation. Make sure your box is up to date always (using yum will make it easy)

In a 24hrs period, my box is scanned at least 80+ times a day. Install a firewall (my pick is APF with BFD)

netprismdotnet
04-04-2005, 22:12
In a 24hrs period, my box is scanned at least 80+ times a day. Install a firewall (my pick is APF with BFD)

Where can I find APF?

mikron15
04-04-2005, 22:29
http://www.rfxnetworks.com/proj.php

Kyle
04-05-2005, 16:10
WOW cool that site has some effin' awesome looking tools. I'm gonna use some of them.
Thanks Dude

mikron15
04-05-2005, 16:50
np ;)

Sucks they don't have any new project out recently