Linux Web Server Security Expert Required - Urgent

I've just got a message through from one of my clients regarding a problem with their Linux server.

 

I need a competent Linux security expert today, if possible, to go through the server with me and the abuse department, identify the problem (if there is one) and put it right.

 

Although we are waiting for more information about the nature of the problem, it seems that the server has been compromised and is being used to either portscan or attack remote IPs.

 

Please reply in thread or pm with your hourly rate.

Check the root logs,

 

in other words, check the root mail locally, and check through the logs. It should have sent a report of each attempt to gain access to the machine; if there are lots of login attempts, it would seem it's been brute-forced. At some point it would have let them in, and you can trace back, based on what username got in, as to what files that username has permission to and has written/used recently.

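The brute-force check described above, as an added example that is not part of the original post: it walks OpenSSH authentication lines of the kind found in /var/log/secure, counts failures per source address, and reports any address that failed repeatedly and then got an "Accepted" line, which is the username to start tracing from. The log lines are constructed for the example (documentation IP ranges, hostname borrowed from the thread) and the threshold of three failures is an assumption, not a value from the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/secure (or /var/log/auth.log) entries for this
# example; not from the original post. Format follows OpenSSH's syslog messages.
SAMPLE_AUTH_LOG = """\
Jan 23 02:11:04 p15171591 sshd[1201]: Failed password for invalid user oracle from 203.0.113.7 port 40122 ssh2
Jan 23 02:11:06 p15171591 sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 40130 ssh2
Jan 23 02:11:09 p15171591 sshd[1205]: Failed password for root from 203.0.113.7 port 40141 ssh2
Jan 23 02:11:12 p15171591 sshd[1207]: Failed password for root from 203.0.113.7 port 40150 ssh2
Jan 23 02:11:15 p15171591 sshd[1209]: Failed password for admin from 203.0.113.7 port 40162 ssh2
Jan 23 02:11:31 p15171591 sshd[1211]: Accepted password for admin from 203.0.113.7 port 40177 ssh2
Jan 23 09:30:02 p15171591 sshd[2210]: Accepted publickey for joel from 198.51.100.20 port 51022 ssh2
Jan 23 09:31:45 p15171591 sshd[2301]: Failed password for joel from 198.51.100.20 port 51030 ssh2
Jan 23 09:31:50 p15171591 sshd[2303]: Accepted password for joel from 198.51.100.20 port 51031 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and
# "Accepted publickey for X from IP" forms of sshd's messages.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text):
    """Yield one dict per sshd authentication line; ignore everything else."""
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            yield m.groupdict()


def find_bruteforce_logins(text, threshold=3):
    """
    Return {ip: {"failures": n, "logins": [(user, method, ts), ...]}} for each
    source IP that failed at least `threshold` times and *then* logged in.
    Those sessions are the ones to trace: which account got in, and from where.
    The threshold is an assumed value for the example.
    """
    failures = Counter()
    logins = defaultdict(list)
    for ev in parse_auth_log(text):
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
        elif failures[ev["ip"]] >= threshold:
            # A success arriving after a run of failures from the same address
            logins[ev["ip"]].append((ev["user"], ev["method"], ev["ts"]))
    return {ip: {"failures": failures[ip], "logins": logins[ip]} for ip in logins}


if __name__ == "__main__":
    for ip, info in find_bruteforce_logins(SAMPLE_AUTH_LOG).items():
        sessions = ", ".join(f"{u} ({m}) at {ts}" for u, m, ts in info["logins"])
        print(f"{ip}: {info['failures']} failures, then logged in as {sessions}")
```

Run it against the real file instead of the sample (the sample is only there so the script runs offline). Once it names an account, the follow-up the post describes is to list what that account has touched recently, for example with find restricted to that user and a modification time after the first accepted login. Note that an address that only ever succeeded, like the key-based login from the second address in the sample, is never reported: the point is the failure-then-success pattern, not successful logins in general.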
Have you tried 'SSC' to try and find the problem, fella?

Have you tried 'SSC' to try and find the problem, fella?

ssc?

you lost me now.

First job, take the thing offline, stop all services it's possible to stop without losing SSH access. Then use a rootkit detector like chkrootkit and check for local exploits.

 

Give me a shout on MSN later if you need help still.

 

Joel

I'm guessing from /var/log/secure that this is email arriving for this domain:


Jan 23 15:05:50 p15171591 xinetd[649]: START: smtp pid=2856 from=xxx.xxx.xxx.xxx
Jan 23 15:05:59 p15171591 xinetd[649]: START: smtp pid=2938 from=xxx.xxx.xxx.xxx
Jan 23 15:06:34 p15171591 xinetd[649]: START: smtp pid=3066 from=62.128.xxx.xxx
Jan 23 15:06:45 p15171591 xinetd[649]: START: smtp pid=3077 from=68.115.xxx.xxx
Jan 23 15:06:59 p15171591 xinetd[649]: START: smtp pid=3234 from=212.219.xxx.xxx
Jan 23 15:07:08 p15171591 xinetd[649]: START: smtp pid=3334 from=200.120.xxx.xxx
Jan 23 15:08:05 p15171591 xinetd[649]: START: smtp pid=3557 from=82.239.xxx.xxx

 

Would anyone agree?

Don't know that much about the security side of Linux, but isn't xine a video/media player?

xinetd is a replacement for inetd (internet services daemon); it's meant to be quite a bit more secure...

 

although I don't think that what you pasted has anything to do with the problem...

 

it COULD, but doubtful

Xine is a media player, yes, but xinetd is part of a config/memory file. I think :confused:

Don't know that much about the security side of Linux, but isn't xine a video/media player?

 

xinetd is a replacement for inetd, which is a "super server" that a lot of UNIX servers used to use, and still do. It basically listens on all available ports and passes incoming connections to the relevant program, i.e. passes HTTP requests to Apache.

 

Many people don't use this method any more and set up the server programs to listen directly on the ports. This method reduces high overheads on busy servers. It's usually distribution-specific which method it's set up to use, although most can do both.

 

Joel

There's nothing unusual in itself within the xinetd log. It's only a problem if the traffic levels are high or similar, and your mail logs suggest that the server is being abused rather than used legitimately.

 

If you suspect that your server has been rooted, disconnect it from the network like Joelc suggested, and do local scans for rootkits. Bear in mind that if it has been compromised, *any* information that you are currently seeing could be fake.

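The point made in the last two replies, that the xinetd START lines only mean something relative to the traffic level, as an added example that is not part of the original thread: it parses START lines of the format quoted earlier, buckets smtp connections per minute and per source address, and flags whatever exceeds a baseline. The log lines are constructed for the example (documentation IP ranges, hostname and format borrowed from the thread) and both thresholds are assumptions; on a real box you would set them from what the server handled before the incident.

```python
import re
from collections import Counter

# Constructed sample of xinetd START lines for this example, in the format
# quoted in the thread; addresses are documentation ranges, not from the post.
SAMPLE_XINETD_LOG = """\
Jan 23 15:05:50 p15171591 xinetd[649]: START: smtp pid=2856 from=192.0.2.10
Jan 23 15:05:59 p15171591 xinetd[649]: START: smtp pid=2938 from=192.0.2.10
Jan 23 15:06:34 p15171591 xinetd[649]: START: smtp pid=3066 from=198.51.100.5
Jan 23 15:06:45 p15171591 xinetd[649]: START: smtp pid=3077 from=203.0.113.8
Jan 23 15:06:59 p15171591 xinetd[649]: START: smtp pid=3234 from=192.0.2.10
Jan 23 15:07:08 p15171591 xinetd[649]: START: smtp pid=3334 from=192.0.2.10
Jan 23 15:07:20 p15171591 xinetd[649]: START: pop3 pid=3401 from=198.51.100.5
Jan 23 15:08:05 p15171591 xinetd[649]: START: smtp pid=3557 from=192.0.2.10
Jan 23 16:40:12 p15171591 xinetd[649]: START: smtp pid=5102 from=203.0.113.8
"""

START_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ xinetd\[\d+\]: "
    r"START: (?P<service>\S+) pid=\d+ from=(?P<ip>[\d.]+)"
)


def smtp_connection_stats(text, service="smtp"):
    """Return (per_minute, per_source) Counters of START lines for `service`."""
    per_minute = Counter()
    per_source = Counter()
    for line in text.splitlines():
        m = START_RE.match(line)
        if m and m.group("service") == service:
            per_minute[m.group("ts")[:-3]] += 1  # drop ":SS" -> minute bucket
            per_source[m.group("ip")] += 1
    return per_minute, per_source


def flag_abuse(text, service="smtp", max_per_minute=3, max_per_source=4):
    """
    Return (busy_minutes, noisy_sources): minutes with more than
    `max_per_minute` connections and addresses with more than `max_per_source`.
    Both limits are illustrative assumptions; derive real ones from the
    server's normal traffic before the incident.
    """
    per_minute, per_source = smtp_connection_stats(text, service)
    busy_minutes = {m: n for m, n in per_minute.items() if n > max_per_minute}
    noisy_sources = {ip: n for ip, n in per_source.items() if n > max_per_source}
    return busy_minutes, noisy_sources


if __name__ == "__main__":
    busy, noisy = flag_abuse(SAMPLE_XINETD_LOG, max_per_minute=2)
    for minute, n in sorted(busy.items()):
        print(f"{minute}: {n} smtp connections in one minute")
    for ip, n in noisy.most_common() if hasattr(noisy, "most_common") else sorted(noisy.items()):
        print(f"{ip}: {n} smtp connections total")
```

A handful of connections from unrelated addresses, as in the thread's paste, stays below either limit and is what inbound mail looks like; one address opening session after session, or a sustained rate the box never saw before, is what would back up the abuse report. Keep the earlier warning in mind: if the machine has been rooted, copy the logs off it and run this elsewhere, since anything read on the box itself may have been altered.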