under attack, need some help

Last week I was attacked on my Layered Server by someone known as nobody and they installed a mechbot. I did all the server security things mentioned here and what Layered sent me. These are the results from the other day first, and then I will post today's issues, as they're back. Any input would be helpful.

Last week's fixes:

Secured files from non-root users using:
chmod 0700 `which curl` 2>&-; chmod 0700 `which fetch` 2>&-; chmod 0700 `which wget` 2>&-

rkhunter ran results:
MD5
MD5 compared: 80
Incorrect MD5 checksums: 1 (Kudzu)

File scan
Scanned files: 309
Possible infected files: 0
Possible rootkits:

Scanning took 52 seconds

Found IRCD exploit in /temp directory in hidden directory .f

Removed all instances of MechEnergy (program used to scan remote systems). More info about Energy Mech can be found at http://www.energymech.net/

The /tmp directory has been locked down by disabling file execution from it and by disabling the user nobody from executing files.

/dev/varTmp /var/tmp ext3 loop,rw,nosuid,noexec,nodev,noatime 0 0
/dev/tmp /tmp ext3 loop,rw,nosuid,noexec 0 0

The following IP was the user that started the attack: 194.109.129.220, and it has been blocked via iptables from the server. We will also be filing a report with the ISP owner and forwarding a copy of this report to the RCMP for review.

Disabled Direct root login and changed all administrative passwords on all accounts.

Today:
It seems it is a mechbot that is being put into it. We traced the attack the other day to a .fa directory. Now there is another one. I ran the commands you sent in prior emails. These are the results of a scan I did in SSH:

/var/tmp:
drwxr-xr-x 2 nobody 1024 Apr 24 07:55 .data/

/var/tmp/.data:
-rwxrwxrwx 1 nobody 0 Apr 24 07:55 skiddos*

/tmp/.iroha_unix/scripts:
-rw-r--r-- 1 nobody 527 Sep 4 2001 action.fix.tcl
-rw-r--r-- 1 nobody 316833 Apr 22 10:16 adC.tcl
-rw-r--r-- 1 nobody 7813 Sep 4 2001 alltools.tcl
-rw-r--r-- 1 nobody 9795 Sep 19 2004 autobotchk
-rw-r--r-- 1 nobody 4443 Apr 20 08:36 away.tcl
-rw-r--r-- 1 nobody 2759 Sep 4 2001 botchk
-rw-r--r-- 1 nobody 1294 Sep 4 2001 cmd_resolve.tcl
-rw-r--r-- 1 nobody 2233 Sep 4 2001 compat.tcl
-rw-r--r-- 1 nobody 1939 Sep 4 2001 CONTENTS
-rw-r--r-- 1 nobody 3361 Apr 20 08:36 dns.tcl
-rw-r--r-- 1 nobody 10937 Sep 4 2001 getops.tcl
-rw-r--r-- 1 nobody 1712 Apr 12 06:57 identify.tcl
-rw-r--r-- 1 nobody 3890 Sep 4 2001 klined.tcl
-rw-r--r-- 1 nobody 7440 Sep 4 2001 notes2.tcl
-rw-r--r-- 1 nobody 9878 Apr 8 23:44 portchk.tcl
-rw-r--r-- 1 nobody 13638 Sep 4 2001 ques5.tcl
-rw-r--r-- 1 nobody 52091 Sep 4 2001 sentinel.tcl
-rw-r--r-- 1 nobody 9728 Sep 4 2001 userinfo.tcl
-rw-r--r-- 1 nobody 22801 Sep 4 2001 weed


This is a Unix server with WHM 10.8.0 cPanel 10.8.1-S114, Fedora i686 - WHM X v3.1.0

There are 2 users with very secure passwords to log in to SSH, and then they need to su to root with a 25-character password, which we changed after last week's attacks, just as a precaution.

Any input would be appreciated.
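As an added example (not code from the original post or from Layered), here are two defender-side checks that correspond to what the poster did by hand above: a sweep of the temp directories for hidden entries and executable or world-writable files, and a check that an fstab/mtab line for a temp filesystem carries nosuid, noexec and nodev. The owner account and directories are passed as arguments (my assumption); the sample tree is constructed inside the script so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. Two defender-side checks for the
# situation above: a sweep of the temp directories for hidden entries and
# executable or world-writable files, and a check that an fstab/mtab line for
# a temp filesystem carries nosuid, noexec and nodev.
# Assumptions (mine): directories and the owner account to look for are passed
# as arguments; the sample tree below is constructed here to run offline.

# scan_tmp OWNER DIR... : print one tagged line per finding.
#   HIDDEN     - any entry whose name starts with "." (like .data / .iroha_unix)
#   EXEC       - regular file owned by OWNER with any execute bit set
#   WORLDWRITE - regular file writable by everyone (like the 0777 skiddos)
scan_tmp() {
    owner=$1; shift
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -name '.*' ! -path "$d" | sed 's/^/HIDDEN /'
        find "$d" -type f -user "$owner" \
            \( -perm -100 -o -perm -010 -o -perm -001 \) | sed 's/^/EXEC /'
        find "$d" -type f -perm -002 | sed 's/^/WORLDWRITE /'
    done
}

# check_mount_opts LINE : LINE is one fstab/mtab-style line ("dev mnt fs opts ...").
# Prints "OK mnt" and returns 0 when nosuid, noexec and nodev are all present,
# otherwise prints "MISSING mnt: <opts>" and returns 1.
check_mount_opts() {
    mnt=$(printf '%s\n' "$1" | awk '{print $2}')
    opts=$(printf '%s\n' "$1" | awk '{print $4}')
    missing=""
    for want in nosuid noexec nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        printf 'MISSING %s:%s\n' "$mnt" "$missing"
        return 1
    fi
    printf 'OK %s\n' "$mnt"
}

# build_sample_tree BASE : constructed sample mirroring the listing above
# (hidden dir holding a 0777 executable, plus a harmless file). Not real data.
build_sample_tree() {
    mkdir -p "$1/tmp/.iroha_unix/scripts" "$1/var/tmp/.data"
    : > "$1/var/tmp/.data/skiddos";            chmod 777 "$1/var/tmp/.data/skiddos"
    : > "$1/tmp/.iroha_unix/scripts/away.tcl"; chmod 644 "$1/tmp/.iroha_unix/scripts/away.tcl"
    : > "$1/tmp/harmless.txt";                 chmod 644 "$1/tmp/harmless.txt"
}

# Stand-alone demo: build the sample tree, sweep it, check the two fstab lines
# quoted in the post, then clean up.
demo=$(mktemp -d)
build_sample_tree "$demo"
scan_tmp "$(id -un)" "$demo/tmp" "$demo/var/tmp"
check_mount_opts "/dev/varTmp /var/tmp ext3 loop,rw,nosuid,noexec,nodev,noatime 0 0" || true
check_mount_opts "/dev/tmp /tmp ext3 loop,rw,nosuid,noexec 0 0" || true
rm -rf "$demo"
```

Run against the real paths as `scan_tmp nobody /tmp /var/tmp` (the constructed tree exists only to show the output format). Note that of the two fstab lines quoted in the post, only the /var/tmp line carries nodev; the check flags the /tmp line for that missing option.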