Re: possibly hacked

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Friday 23 March 2007 13:40:45 Schnulli wrote:
> Well, we got also infected with this "bastard"
> ok, we´running Mandrake 10.2 (the good old one) but same probbs.
>
> How i found it?
> i was looking what is running on this MDK... uuuuuuhhhhh whats that
> => APACHE -DSSL ??? hmmm with high CPU Load.... i was wondering.
> Also o had lately lags in our bandwidth.... alot spam Mails and a few
> other strange things.
> Ok.. time to do smth......
> In our case this is bastard tells you i am "APACHE -DSSL" WRONG!!!!
> this is a Perl Deamon connecting to the Irc Network and spreading all
> infos of ur sys, AND!!!! gives them full access to ur Server.......
> What to do???? Where the heck does it load from?
> Well.... it is a Exploit used by hackers to hijack Boards, no matter
> if phpBB, Joomla or other.. its Code injection and execution !! once
> u got infected u r having a probb we DONT know at time a solution to
> kick this lil baby off, not yet.....
> What we did?
> well... this exploid needds to load external code to execute.... we
> found where and how it starts up, in our case it is the file
> "borek.txt" (search for it by google etc. and you will find similar
> probbs;) )
> OK... we saw where this bastard tryed to load it´s code... so we
> blocked this IP. This will give us now the time and chance to search
> how it works and maybe find a solution to fix it and close this
> backdoor/bug
> When u deny/drop/reject access to the IP where the code is placed,
> the deamon cant start up.. simple? yes, but no solution.....
>
> We´ll finger out how and what it is and by chance bring u all (and
> us) a solution ti fix it
>
> cheers from Germany,
> Schnulli
>
> By the way, when still someone has a solution feel free to post it
> here or leave me a note
>

Sorry about reading you have been hacked.
Well, it depends on the scenario, of course, but in mine, I have the public 
server with a restricted network policy, I mean, the only output connection 
allowed is the one made to the apt-get servers. Any other connection will be 
refused.
So, in case we were hacked and that -DSSL running, it wouldn´t send any piece 
of information, at least.

We´re also using Babel Enterprise ( http://babel.sf.net ) in order to keep our 
processes and services under control, so if there´s any other process running 
aside from the ones we already know and allow,it will be reported.

Hope this helps.
All the best.
-- 
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.

[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux