possibly hacked

Manuel Arostegui Ramirez manuel at todo-linux.com
Fri Mar 23 12:52:26 UTC 2007


On Friday 23 March 2007 13:40:45 Schnulli wrote:
> Well, we got also infected with this "bastard"
> ok, we're running Mandrake 10.2 (the good old one) but same probs.
>
> How i found it?
> I was looking at what is running on this MDK... uuuuuuhhhhh what's that
> => APACHE -DSSL ??? hmmm with high CPU Load.... I was wondering.
> Also I had lately lags in our bandwidth.... a lot of spam Mails and a few
> other strange things.
> Ok.. time to do smth......
> In our case this bastard tells you "I am APACHE -DSSL" WRONG!!!!
> this is a Perl daemon connecting to the IRC Network and spreading all
> infos of ur sys, AND!!!! gives them full access to ur Server.......
> What to do???? Where the heck does it load from?
> Well.... it is an exploit used by hackers to hijack Boards, no matter
> if phpBB, Joomla or other.. it's code injection and execution !! once
> u got infected u r having a prob we DON'T know at time a solution to
> kick this lil baby off, not yet.....
> What we did?
> well... this exploit needs to load external code to execute.... we
> found where and how it starts up, in our case it is the file
> "borek.txt" (search for it by google etc. and you will find similar
> probs;) )
> OK... we saw where this bastard tried to load its code... so we
> blocked this IP. This will give us now the time and chance to search
> how it works and maybe find a solution to fix it and close this
> backdoor/bug
> When u deny/drop/reject access to the IP where the code is placed,
> the daemon can't start up.. simple? yes, but no solution.....
>
> We'll figure out how and what it is and by chance bring u all (and
> us) a solution to fix it
>
> cheers from Germany,
> Schnulli
>
> By the way, when still someone has a solution feel free to post it
> here or leave me a note
>

Sorry to read you have been hacked.
Well, it depends on the scenario, of course, but in mine, I have the public 
server with a restricted network policy, I mean, the only output connection 
allowed is the one made to the apt-get servers. Any other connection will be 
refused.
So, in case we were hacked and that -DSSL running, it wouldn't send any piece 
of information, at least.

We're also using Babel Enterprise ( http://babel.sf.net ) in order to keep our 
processes and services under control, so if there's any other process running 
aside from the ones we already know and allow, it will be reported.

Hope this helps.
All the best.
-- 
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.
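
The masquerade described in the thread (a Perl daemon whose command line reads "APACHE -DSSL") can be spotted on a Linux host by comparing what each process claims in /proc/<pid>/cmdline with the binary that /proc/<pid>/exe actually resolves to. This is an added example in Python, not code from either poster or from Babel Enterprise; the sample process table is constructed, and the interpreter list is an assumption.

```python
"""Flag processes that claim to be Apache but run under a script interpreter."""
import os

# Constructed sample: (pid, contents of /proc/<pid>/cmdline, target of /proc/<pid>/exe).
# pid 4321 models the Perl bot from the thread: argv rewritten to "APACHE -DSSL".
SAMPLE_PROCS = [
    (1234, "/usr/sbin/httpd -DSSL", "/usr/sbin/httpd"),
    (4321, "APACHE -DSSL", "/usr/bin/perl"),
    (777, "sshd: manuel [priv]", "/usr/sbin/sshd"),
]

# Assumed set of interpreters a web-server process should never run under.
INTERPRETERS = ("perl", "python", "ruby", "sh", "bash")


def looks_masqueraded(cmdline, exe):
    """True when argv[0] claims Apache/httpd but the executable is an interpreter."""
    parts = cmdline.split()
    claimed = os.path.basename(parts[0]).lower() if parts else ""
    # Drop version suffixes such as perl5.8.8 -> perl before comparing.
    actual = os.path.basename(exe).lower().rstrip("0123456789.")
    claims_apache = claimed.startswith(("apache", "httpd"))
    return claims_apache and actual in INTERPRETERS


def find_suspects(procs):
    """Return the pids in a (pid, cmdline, exe) table that fail the check."""
    return [pid for pid, cmdline, exe in procs if looks_masqueraded(cmdline, exe)]


def scan_proc():
    """Build the same table from a live Linux /proc; reading exe of other users'
    processes needs root, unreadable entries are skipped."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace")
            exe = os.readlink(f"/proc/{name}/exe")
        except OSError:
            continue
        procs.append((int(name), cmdline, exe))
    return procs


if __name__ == "__main__":
    for pid in find_suspects(scan_proc()):
        print(f"suspicious process: pid {pid}")
```

The check only catches the specific disguise seen in this thread; a bot that reports a plausible name and also runs from a copied interpreter binary would need the egress filtering and process whitelisting Manuel describes.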
