Phanerothyme   12 #1 Posted January 22, 2007 I've just got a message through from one of my clients regarding a problem with their Linux server. I need a competent Linux security expert today, if possible, to go through the server with me and the abuse department, identify the problem (if there is one) and put it right. Although we are waiting for more information about the nature of the problem, it seems that the server has been compromised and is being used to either portscan or attack remote IPs. Please reply in thread or PM with your hourly rate.
Ghozer   112 #2 Posted January 22, 2007 Check the root logs; in other words, check the root mail locally, and check through the logs. It should have sent a report of each attempt to gain access to the machine. If there are lots of login attempts, it would seem it's been brute forced. At some point it would have let them in, and you can trace back based on what username got in as to what files that username has permission to and has written/used recently.
richard   10 #3 Posted January 22, 2007 I've sent you a PM
mr.blaze   10 #4 Posted January 22, 2007 Have you tried 'SSC' to try and find the problem, fella?
Phanerothyme   12 #5 Posted January 22, 2007 "Have you tried 'SSC' to try and find the problem, fella?" SSC? You lost me now.
Joelc   10 #6 Posted January 22, 2007 First job: take the thing offline, stop all services it's possible to stop without losing SSH access. Then use a rootkit detector like chkrootkit and check for local exploits. Give me a shout on MSN later if you still need help. Joel
Phanerothyme   12 #7 Posted January 23, 2007 I'm guessing from /var/log/secure that this is email arriving for this domain:
Jan 23 15:05:50 p15171591 xinetd[649]: START: smtp pid=2856 from=xxx.xxx.xxx.xxx
Jan 23 15:05:59 p15171591 xinetd[649]: START: smtp pid=2938 from=xxx.xxx.xxx.xxx
Jan 23 15:06:34 p15171591 xinetd[649]: START: smtp pid=3066 from=62.128.xxx.xxx
Jan 23 15:06:45 p15171591 xinetd[649]: START: smtp pid=3077 from=68.115.xxx.xxx
Jan 23 15:06:59 p15171591 xinetd[649]: START: smtp pid=3234 from=212.219.xxx.xxx
Jan 23 15:07:08 p15171591 xinetd[649]: START: smtp pid=3334 from=200.120.xxx.xxx
Jan 23 15:08:05 p15171591 xinetd[649]: START: smtp pid=3557 from=82.239.xxx.xxx
Would anyone agree?
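A small triage helper for the xinetd START lines quoted above, added here as an example and not something posted in the thread: it parses the /var/log/secure format shown and flags any source that opens several connections to one service inside a short window, which is the pattern that separates abuse (one host hammering smtp) from ordinary mail delivery (many hosts, one connection each). The log lines and addresses in it are constructed for the example, not taken from the poster's server.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the xinetd "START:" format quoted in the thread;
# source addresses are documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
Jan 23 15:05:50 p15171591 xinetd[649]: START: smtp pid=2856 from=192.0.2.10
Jan 23 15:06:34 p15171591 xinetd[649]: START: smtp pid=3066 from=198.51.100.7
Jan 23 15:06:35 p15171591 xinetd[649]: START: smtp pid=3070 from=198.51.100.7
Jan 23 15:06:36 p15171591 xinetd[649]: START: smtp pid=3072 from=198.51.100.7
Jan 23 15:06:45 p15171591 xinetd[649]: START: smtp pid=3077 from=203.0.113.5
Jan 23 15:06:59 p15171591 xinetd[649]: START: ftp pid=3234 from=198.51.100.7
Jan 23 15:09:01 p15171591 xinetd[649]: FAIL: smtp address from=198.51.100.7
"""

# Only START records carry a service, pid and source; FAIL/EXIT lines are skipped.
START_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ xinetd\[\d+\]: "
    r"START: (?P<svc>\S+) pid=\d+ from=(?P<src>\S+)$"
)

def parse_starts(text, year=2007):
    """Return (timestamp, service, source) tuples; syslog lines carry no year."""
    events = []
    for line in text.splitlines():
        m = START_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["svc"], m["src"]))
    return events

def bursts(events, window_s=60, threshold=3):
    """Map (source, service) -> peak count for sources that opened at least
    `threshold` connections to one service inside any window_s-second span."""
    by_key = defaultdict(list)
    for ts, svc, src in events:
        by_key[(src, svc)].append(ts)
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        lo = 0  # sliding window: times[lo..hi] all lie within window_s
        for hi, t in enumerate(times):
            while (t - times[lo]).total_seconds() > window_s:
                lo += 1
            n = hi - lo + 1
            if n >= threshold:
                flagged[key] = max(flagged.get(key, 0), n)
    return flagged
```

Run it over the real file with `parse_starts(open("/var/log/secure").read())`; bear in mind mrmist's point below that logs on a rooted box may already have been edited.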
xircon   10 #8 Posted January 23, 2007 Don't know that much about the security side of Linux, but isn't xine a video/media player?
Ghozer   112 #9 Posted January 23, 2007 xinetd is a replacement for inetd (internet services daemon); it's meant to be quite a bit more secure. Although I don't think that what you pasted has anything to do with the problem. It COULD, but doubtful.
D2J   10 #10 Posted January 23, 2007 Xine is a media player yes, but xinetd is part of a config/memory file. I think.
Joelc   10 #11 Posted January 23, 2007 "Don't know that much about the security side of Linux, but isn't xine a video/media player?" xinetd is a replacement for inetd, which is a "super server" that a lot of UNIX servers used to, and still do, use. It basically listens on all available ports and passes incoming connections to the relevant program, i.e. passes HTTP requests to Apache. Many people don't use this method any more and set up the server programs to directly listen on the ports. This method reduces high overheads on busy servers. It's usually distribution specific as to what method it's set up to use, although most can do both. Joel
mrmist   10 #12 Posted January 23, 2007 There's nothing unusual in itself within the xinetd log. It's only a problem if the traffic levels are high or similar, and your mail logs suggest that the server is being abused rather than used legitimately. If you suspect that your server has been rooted, disconnect it from the network like Joelc suggested, and do local scans for rootkits. Bear in mind that if it has been compromised, *any* information that you are currently seeing could be fake.