
An important problem

ArkadaSYeri (İyinet member, joined 24 November 2004, 0 messages, location: Sanalkeyfi.Com)
Hello;

I have an important problem with my server. Perl files are being uploaded to the server I got from Layeredtech, and spam mail is being sent from my server. Layered said "sort this problem out or we will shut it down". Since I read the mail late, they had already shut it down.
Then I had it reopened and installed rootkit hunter. But I don't know much about server administration. I also deleted the perl files in question. More precisely, the txt files that the mails were in.
Anyway; I mailed Layered saying I think I have dealt with it, please check as well.

Now I have received 3 mails:

Greetings! You have mentioned nothing regarding the abuse issue which was scanning other computers/networks for vulnerabilities. One of your responses indicates rkhunter found a rootkit on your system. Has the rootkit been successfully removed? Did you find the specific script used for this scanning incident? Has it been removed from the server?
Unless we receive a reply directly addressing the abuse issue we will be forced to re-disconnect this server.
This server will be disconnected at Monday 13 March 03:20 -0600 unless we receive a response addressing the abuse issue of scanning.

I think they are saying clean it thoroughly or it will be shut down again, or something like that. If there is anyone who can help with this I would be very glad. What am I going to do? And what exactly are they saying?

LNWServers (Guest)
They are asking whether the rootkit has been successfully deleted; they also want to know which script you used while doing this scan, and finally they are asking whether it has been deleted from the server. Answer according to what you have done, otherwise your server will be shut down again today.
 

ArkadaSYeri (İyinet member, joined 24 November 2004, 0 messages, location: Sanalkeyfi.Com)
I did install Rootkit Hunter;
and I ran it too. It found a few malicious files. But how do I get rid of these files?
When I try to delete them it says you don't have permission. It's normal for it to say that, because they are not ordinary files. Look, let me show you the results rkhunter gave:

Rootkit Hunter 1.2.8 is running

Determining OS... Ready


Checking binaries
* Selftests
Strings (command) [ OK ]


* System tools
Info: prelinked files found
Performing 'known good' check...
/bin/cat [ OK ]
/bin/chown [ OK ]
/bin/df [ OK ]
/bin/echo [ OK ]
/bin/egrep [ OK ]
/bin/fgrep [ OK ]
/bin/grep [ OK ]
/bin/kill [ OK ]
/bin/login [ BAD ]
/bin/ls [ BAD ]
/bin/more [ OK ]
/bin/mount [ OK ]
/bin/netstat [ BAD ]
/bin/ps [ BAD ]
/bin/sort [ OK ]
/bin/su [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ BAD ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/ksyms [ OK ]
/sbin/lsmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/modprobe [ OK ]
/sbin/rmmod [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ BAD ]
/usr/bin/kill [ OK ]
/usr/bin/last [ OK ]
/usr/bin/lastlog [ OK ]
/usr/bin/less [ OK ]
/usr/bin/logger [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/md5sum [ BAD ]
/usr/bin/passwd [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/size [ OK ]
/usr/bin/slocate [ BAD ]
/usr/bin/strace [ OK ]
/usr/bin/strings [ OK ]
/usr/bin/test [ OK ]
/usr/bin/top [ BAD ]
/usr/bin/w [ OK ]
/usr/bin/whereis [ OK ]
/usr/bin/which [ OK ]
/usr/bin/who [ OK ]
/usr/sbin/chroot [ OK ]
/usr/sbin/useradd [ OK ]
/usr/sbin/vipw [ OK ]
/usr/sbin/xinetd [ OK ]
--------------------------------------------------------------------------------
Rootkit Hunter found some bad or unknown hashes. This can be happen due replaced
binaries or updated packages (which give other hashes). Be sure your hashes are
fully updated (rkhunter --update). If you're in doubt about these hashes, contact
the author (fill in the contact form).
--------------------------------------------------------------------------------

[Press <ENTER> to continue]

Check rootkits
* Default files and directories
Rootkit '55808 Trojan - Variant A'... [ OK ]
ADM Worm... [ OK ]
Rootkit 'AjaKit'... [ OK ]
Rootkit 'aPa Kit'... [ OK ]
Rootkit 'Apache Worm'... [ OK ]
Rootkit 'Ambient (ark) Rootkit'... [ OK ]
Rootkit 'Balaur Rootkit'... [ OK ]
Rootkit 'BeastKit'... [ OK ]
Rootkit 'beX2'... [ OK ]
Rootkit 'BOBKit'... [ OK ]
Rootkit 'CiNIK Worm (Slapper.B variant)'... [ OK ]
Rootkit 'Danny-Boy's Abuse Kit'... [ OK ]
Rootkit 'Devil RootKit'... [ OK ]
Rootkit 'Dica'... [ OK ]
Rootkit 'Dreams Rootkit'... [ OK ]
Rootkit 'Duarawkz'... [ OK ]
Rootkit 'Flea Linux Rootkit'... [ Warning! ]

[Press <ENTER> to continue]

Rootkit 'FreeBSD Rootkit'... [ OK ]
Rootkit 'Fuck`it Rootkit'... [ OK ]
Rootkit 'GasKit'... [ OK ]
Rootkit 'Heroin LKM'... [ OK ]
Rootkit 'HjC Kit'... [ OK ]
Rootkit 'ignoKit'... [ OK ]
Rootkit 'ImperalsS-FBRK'... [ OK ]
Rootkit 'Irix Rootkit'... [ OK ]
Rootkit 'Kitko'... [ OK ]
Rootkit 'Knark'... [ OK ]
Rootkit 'Li0n Worm'... [ OK ]
Rootkit 'Lockit / LJK2'... [ OK ]
Rootkit 'MRK'... [ OK ]
Rootkit 'Ni0 Rootkit'... [ OK ]
Rootkit 'RootKit for SunOS / NSDAP'... [ OK ]
Rootkit 'Optic Kit (Tux)'... [ OK ]
Rootkit 'Oz Rootkit'... [ OK ]
Rootkit 'Portacelo'... [ OK ]
Rootkit 'R3dstorm Toolkit'... [ OK ]
Rootkit 'RH-Sharpe's rootkit'... [ OK ]
Rootkit 'RSHA's rootkit'... [ OK ]
Sebek LKM [ OK ]
Rootkit 'Scalper Worm'... [ OK ]
Rootkit 'Shutdown'... [ OK ]
Rootkit 'SHV4'... [ Warning! ]

--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /dev/lisanssız).
--------------------------------------------------------------------------------


[Press <ENTER> to continue]

Rootkit 'SHV5'... [ Warning! ]

--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /dev/lisanssız).
--------------------------------------------------------------------------------


[Press <ENTER> to continue]

Rootkit 'Sin Rootkit'... [ OK ]
Rootkit 'Slapper'... [ OK ]
Rootkit 'Sneakin Rootkit'... [ OK ]
Rootkit 'Suckit Rootkit'... [ OK ]
Rootkit 'SunOS Rootkit'... [ Warning! ]
--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /dev/lisanssız).
--------------------------------------------------------------------------------


[Press <ENTER> to continue]

Rootkit 'Superkit'... [ OK ]
Rootkit 'TBD (Telnet BackDoor)'... [ OK ]
Rootkit 'TeLeKiT'... [ OK ]
Rootkit 'T0rn Rootkit'... [ OK ]
Rootkit 'Trojanit Kit'... [ OK ]
Rootkit 'Tuxtendo'... [ OK ]
Rootkit 'URK'... [ OK ]
Rootkit 'VcKit'... [ OK ]
Rootkit 'Volc Rootkit'... [ OK ]
Rootkit 'X-Org SunOS Rootkit'... [ OK ]
Rootkit 'zaRwT.KiT Rootkit'... [ OK ]

* Suspicious files and malware
Scanning for known rootkit strings [ OK ]
Scanning for known rootkit files [ OK ]
Testing running processes... [ OK ]
Miscellaneous Login backdoors [ OK ]
Miscellaneous directories [ OK ]
Software related files [ OK ]
Sniffer logs [ OK ]

[Press <ENTER> to continue]
* Trojan specific characteristics
shv4
Checking /etc/rc.d/rc.sysinit
Test 1 [ Clean ]
Test 2 [ Clean ]
Test 3 [ Clean ]
Checking /etc/inetd.conf [ Not found ]
Checking /etc/xinetd.conf [ Clean ]

* Suspicious file properties
chmod properties
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
Script replacements
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]

* OS dependant tests

Linux
Checking loaded kernel modules... [ OK ]
Checking files attributes [ OK ]
Checking LKM module path [ OK ]


Networking
* Check: frequently used backdoors
Port 2001: Scalper Rootkit [ OK ]
Port 2006: CB Rootkit [ OK ]
Port 2128: MRK [ OK ]
Port 14856: Optic Kit (Tux) [ OK ]
Port 47107: T0rn Rootkit [ OK ]
Port 60922: zaRwT.KiT [ OK ]

* Interfaces
Scanning for promiscuous interfaces [ OK ]

[Press <ENTER> to continue]



System checks
* Allround tests
Checking hostname... Found. Hostname is tr.
Checking for passwordless user accounts... OK
Checking for differences in user accounts... OK. No changes.
Checking for differences in user groups... OK. No changes.
Checking boot.local/rc.local file...
- /etc/rc.local [ OK ]
- /etc/rc.d/rc.local [ OK ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]
- /etc/init.d/boot.local [ Not found ]
Checking rc.d files...
Processing........................................
........................................
........................................
........................................
........................................
........................................
........................................
................................
Result rc.d files check [ OK ]
Checking history files
Bourne Shell [ OK ]

* Filesystem checks
Checking /dev for suspicious files... [ Warning! (unusual files found) ]
---------------------------------------------
Unusual files:
/dev/srd0: ASCII text
---------------------------------------------
Scanning for hidden files... [ OK ]

[Press <ENTER> to continue]



Application advisories
* Application scan
Checking Apache2 modules ... [ Not found ]
Checking Apache configuration ... [ OK ]

* Application version scan
- Exim MTA 4.52 [ OK ]
- GnuPG 1.2.3 [ Old or patched version ]
- Apache [unknown] [ OK ]
- Bind DNS 9.2.2-P3 [ Unknown ]
- OpenSSL 0.9.7a [ Old or patched version ]
- PHP 4.4.1 [ OK ]
- PHP 4.4.1 [ OK ]
- Procmail MTA 3.22 [ OK ]
- OpenSSH 3.6.1p2 [ Old or patched version ]

Your system contains some unknown version numbers. Please run Rootkit Hunter
with the --update parameter or fill in the contact form (www.rootkit.nl)


Security advisories
* Check: Groups and Accounts
Searching for /etc/passwd... [ Found ]
Checking users with UID '0' (root)... [ OK ]

* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
info:
Hint: See logfile for more information about this issue
Checking for allowed protocols... [ Warning (SSH v1 allowed) ]

* Check: Events and Logging
Search for syslog configuration... [ OK ]
Checking for running syslog slave... [ Warning! ]
Info: Cannot find syslog/syslog-ng daemon
Checking for logging to remote system... [ OK (no remote logging) ]

[Press <ENTER> to continue]



---------------------------- Scan results ----------------------------

MD5
MD5 compared: 85
Incorrect MD5 checksums: 9

File scan
Scanned files: 342
Possible infected files: 4
Possible rootkits: Flea Linux Rootkit SHV4 SHV5 SunOS Rootkit

Application scan
Vulnerable applications: 3

Scanning took 53 seconds

-----------------------------------------------------------------------

Do you have some problems, undetected rootkits, false positives, ideas
or suggestions?
Please e-mail me by filling in the contact form (@http://www.rootkit.nl)

-----------------------------------------------------------------------
root@tr [/rkhunter]#

I don't know what I need to do. They are going to force an OS reload and charge me money for it.
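An added triage helper, written for this page and not taken from the thread or from rkhunter itself, that parses the 1.2.x text report format shown above into the findings a responder acts on. The sample lines are constructed from the output in the post; the list of self-reporting tools and the rebuild/investigate thresholds are my assumptions. It makes the key point explicit: once md5sum, ls, ps and netstat are themselves reported BAD, nothing that host says about itself (including a second rkhunter run) can be trusted, which is why the standard response is to rebuild from known-good media and restore data rather than delete files in place.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: excerpted lines in the rkhunter 1.2.x report format shown in the post.
SAMPLE_REPORT = """\
/bin/ls [ BAD ]
/bin/ps [ BAD ]
/bin/sort [ OK ]
/usr/bin/md5sum [ BAD ]
Rootkit 'Flea Linux Rootkit'... [ Warning! ]
Rootkit 'FreeBSD Rootkit'... [ OK ]
Rootkit 'SHV5'... [ Warning! ]
/dev/srd0: ASCII text
- OpenSSH 3.6.1p2 [ Old or patched version ]
- PHP 4.4.1 [ OK ]
"""

BINARY_RE = re.compile(r"^(/\S+) \[ (OK|BAD) \]$")                  # 'known good' hash check
ROOTKIT_RE = re.compile(r"^Rootkit '(.+)'\.\.\. \[ (OK|Warning!) \]$")
DEVFILE_RE = re.compile(r"^(/dev/\S+): (.+)$")                       # entries under 'Unusual files:'
VERSION_RE = re.compile(r"^- (.+) \[ (Old or patched version|Unknown) \]$")
# Assumed set: tools every other check (and any later rkhunter run) depends on to see the host.
SELF_REPORTING_TOOLS = {"/usr/bin/md5sum", "/bin/ls", "/bin/ps", "/bin/netstat", "/usr/bin/find"}

@dataclass
class Triage:
    bad_binaries: list = field(default_factory=list)
    rootkit_warnings: list = field(default_factory=list)
    unusual_dev_files: dict = field(default_factory=dict)
    outdated_software: list = field(default_factory=list)

    def host_is_trustworthy(self) -> bool:
        return not (SELF_REPORTING_TOOLS & set(self.bad_binaries))

    def verdict(self) -> str:
        if not self.host_is_trustworthy() or self.rootkit_warnings:
            return "rebuild"      # rootkit present: reinstall from known-good media
        if self.bad_binaries or self.unusual_dev_files:
            return "investigate"  # may be a stale hash database; verify against a clean copy
        return "clean"

def triage_report(text: str) -> Triage:
    t = Triage()
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := BINARY_RE.match(line)) and m.group(2) == "BAD":
            t.bad_binaries.append(m.group(1))
        elif (m := ROOTKIT_RE.match(line)) and m.group(2) == "Warning!":
            t.rootkit_warnings.append(m.group(1))
        elif m := DEVFILE_RE.match(line):
            t.unusual_dev_files[m.group(1)] = m.group(2)
        elif m := VERSION_RE.match(line):
            t.outdated_software.append(m.group(1))
    return t
```

Run `triage_report(SAMPLE_REPORT).verdict()` on the post's own output and the answer is "rebuild"; the outdated-software list (OpenSSH, OpenSSL, GnuPG here) is the patch backlog to close on the rebuilt host before it goes back online.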
 

okan23 (İyinet member, joined 29 September 2005, 499 messages)
PM me the passwords, if that works for you I'll take a look.
 
