My Server was Hacked - Need Advice

TexasTornadoDeb · #1 4th April 2012, 10:59 PM

I've reviewed some threads here, but don't quite understand everything. One of the reasons I was brought to this forum, was I was checking out an IP on a suspicious process and it brought me to this thread located here, which the member mentions this IP and even the port in their post when they asked for help:

http://forums.fedoraforum.org/showthread.php?t=116207

I have CFS running and it sends me emails. I don't know how hackers can change the password of a root, but that is what they did. The host suggested I go back 3 days, no good, still the hackers were running scripts to not only bring down my site, but also other websites which I don't know.

The suspicious process running is this ..

Time: Wed Apr 4 14:40:25 2012 -0500
PID: 23724
Account: cpanel
Uptime: 27391 seconds

Executable:

/usr/local/bin/perl

Command Line (often faked in exploits):

spamd child

Network connections by the process (if any):

tcp: 127.0.0.1:783 -> 0.0.0.0:0
tcp: 127.0.0.1:783 -> 127.0.0.1:42701
udp: **my IP** -> **my IP**

(**did not put my actual server IP above)

Then it lists a lot of processes I am unfamiliar with. I have no idea what this means. But after using a backup and restoring to a month earlier, I fear the culprits still have stuff going on on my server.

Where do I find a legitimate service to help clean up my server? My server will delete and rebuilt my server wiping out the websites I have had for years, along with my members, which will destroy me financially and all I've built.

Why is someone elses IP on in a script on the server? What is tcp?

Any advice is greatly appreciated!

***bob*** · #2 4th April 2012, 11:38 PM

Deb, you haven't mentioned what operating system and version you're running and I'm certainly not skilled enough to help you with that problem anyway. However, you ask "how" and "why"? Well, I just googled your username and here's some VERY public info that I found in about 3 minutes:

Your name is apparently Deborah Heaberlin (very pretty, btw) and you may live in East Texas, although one ping shows you in the Bronx. You apparently have been using Firefox 7 on Windows Vista and have enabled Javascript. You love freebies and have some artistic talent. Also you were awarded $50 in a contest, but also the "Rediculous is not a Word Award".

In other words, you've spread yourself about the internet with loads of details and probably have attracted some attention from unfriendly people, maybe facebook, maybe twitter, maybe a bad trade or sale? And, my guess would be that your password is not too terribly secure?

If this seems to fit, even slightly, please consider tightening up your security; reducing the info by being a bit more secretive with usernames, info, etc. If you really are at risk for losses financially and with members, you need to tighten things up.

trekkie690 · #3 4th April 2012, 11:48 PM

to answer the TCP part.
wiki TCP
for the most part you have TCP and UDP type of trasnport connection. TCP is a established connection i.e. i send you something you confirm your reciept. while a UDP is a best chance delivery, or USPS you put the letter in the mail hopping it gets there, it might not.

the 127.0.0.1 is your local host or the loop back. if you do a 'ifconifg' command you'll see this IP. its your machine talking with self. which machines like to do sometimes. if you did a 'netstat -antup' followed by a 'netstat -atup' (notice no n) then you would see that all the entries that had 127.0.0.1 are now called localhost. netstat tries to relove the ip address to a name i.e. google.com. the 'n' tells it not to do this.

as for the port 783, do you have program called HP-alarm-manager on the computer, thats the top thing on a quick google search the return (this doesnt mean its not malicious, hackers can use any port). locate is a command you can use to find anything with alarm or HP in the title.

Now how they got in i wouldnt know unless you post more info, such as the the netstat command above. Also making sure you have any services shut down on the server that your not actually using. aka not using ssh cause you have physical access to it. Their are many books and websites that talk about locking down a server, and then you'll also need to patch to ensure you have no hackable versions of software.

RHamel · #4 4th April 2012, 11:54 PM

TCP stands for Transmission Control Protocol.

Spamd is the daemon for SpamAssasin which is a program that does email spam filtering. It is perl based application that is packaged with Apache. It's default port is 783.

ianpurton · #5 6th April 2012, 06:29 PM

Here's some checks you can run to give you an idea of what's going on.

http://servermonitoringhq.com/blog/h...as_been_hacked