  #1  
Old 4th April 2012, 10:59 PM
TexasTornadoDeb Offline
Registered User
 
Join Date: Apr 2012
Location: U.S.
Posts: 1
My Server was Hacked - Need Advice

I've reviewed some threads here, but don't quite understand everything. One of the reasons I was brought to this forum was that I was checking out an IP on a suspicious process and it brought me to the thread located here, in which the member mentions this IP and even the port in their post when they asked for help:

http://forums.fedoraforum.org/showthread.php?t=116207

I have CFS running and it sends me emails. I don't know how hackers can change the password of root, but that is what they did. The host suggested I go back 3 days, no good, still the hackers were running scripts to not only bring down my site, but also other websites which I don't know.

The suspicious process running is this ..

Time: Wed Apr 4 14:40:25 2012 -0500
PID: 23724
Account: cpanel
Uptime: 27391 seconds


Executable:

/usr/local/bin/perl


Command Line (often faked in exploits):

spamd child


Network connections by the process (if any):

tcp: 127.0.0.1:783 -> 0.0.0.0:0
tcp: 127.0.0.1:783 -> 127.0.0.1:42701
udp: **my IP** -> **my IP**

(**did not put my actual server IP above)

Then it lists a lot of processes I am unfamiliar with. I have no idea what this means. But after using a backup and restoring to a month earlier, I fear the culprits still have stuff going on on my server.

Where do I find a legitimate service to help clean up my server? My server will delete and rebuild my server, wiping out the websites I have had for years, along with my members, which will destroy me financially and all I've built.

Why is someone else's IP in a script on the server? What is tcp?

Any advice is greatly appreciated!
  #2  
Old 4th April 2012, 11:38 PM
bob Online
Administrator (yeah, back again)
 
Join Date: Jul 2004
Location: Colton, NY; Junction of Heaven & Earth (also Routes 56 & 68).
Age: 69
Posts: 22,184
Re: My Server was Hacked - Need Advice

Deb, you haven't mentioned what operating system and version you're running and I'm certainly not skilled enough to help you with that problem anyway. However, you ask "how" and "why"? Well, I just googled your username and here's some VERY public info that I found in about 3 minutes:

Your name is apparently Deborah Heaberlin (very pretty, btw) and you may live in East Texas, although one ping shows you in the Bronx. You apparently have been using Firefox 7 on Windows Vista and have enabled Javascript. You love freebies and have some artistic talent. Also you were awarded $50 in a contest, but also the "Rediculous is not a Word Award".

In other words, you've spread yourself about the internet with loads of details and probably have attracted some attention from unfriendly people, maybe facebook, maybe twitter, maybe a bad trade or sale? And, my guess would be that your password is not too terribly secure?

If this seems to fit, even slightly, please consider tightening up your security; reducing the info by being a bit more secretive with usernames, info, etc. If you really are at risk for losses financially and with members, you need to tighten things up.
__________________
Linux & Beer - That TOTALLY Computes!
Registered Linux User #362651


Don't use any of my solutions on working computers or near small children.

Last edited by bob; 4th April 2012 at 11:45 PM.
  #3  
Old 4th April 2012, 11:48 PM
trekkie690 Offline
Registered User
 
Join Date: May 2009
Location: Nor Cali
Posts: 75
Re: My Server was Hacked - Need Advice

To answer the TCP part.
wiki TCP
For the most part you have TCP and UDP types of transport connection. TCP is an established connection, i.e. I send you something and you confirm your receipt, while UDP is a best-chance delivery, like USPS: you put the letter in the mail hoping it gets there; it might not.

The 127.0.0.1 is your local host or the loopback. If you do an 'ifconfig' command you'll see this IP. It's your machine talking with itself, which machines like to do sometimes. If you did a 'netstat -antup' followed by a 'netstat -atup' (notice no n) then you would see that all the entries that had 127.0.0.1 are now called localhost. netstat tries to resolve the IP address to a name, i.e. google.com. The 'n' tells it not to do this.

As for the port 783, do you have a program called HP-alarm-manager on the computer? That's the top thing a quick Google search returned (this doesn't mean it's not malicious; hackers can use any port). locate is a command you can use to find anything with alarm or HP in the title.

Now, how they got in I wouldn't know unless you post more info, such as the netstat command above. Also make sure you have any services shut down on the server that you're not actually using, aka not using ssh because you have physical access to it. There are many books and websites that talk about locking down a server, and then you'll also need to patch to ensure you have no hackable versions of software.
  #4  
Old 4th April 2012, 11:54 PM
RHamel Offline
Registered User
 
Join Date: Sep 2004
Location: Denver, Colorado
Posts: 560
Re: My Server was Hacked - Need Advice

TCP stands for Transmission Control Protocol.

Spamd is the daemon for SpamAssassin, which is a program that does email spam filtering. It is a Perl-based application that is packaged with Apache. Its default port is 783.
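
An added example, not part of the thread or any poster's code: it reads connection lines in the format of the alert quoted in the first post and separates listening and loopback sockets from those with a peer on another host, taking port 783 from the replies above as the expected service port. The function names, the `own_ips` parameter and the third sample line are constructed for illustration.

```python
import ipaddress
import re

# Connection lines in the format of the alert in post #1. The third line is
# constructed (documentation addresses) to show what a remote peer looks like.
SAMPLE = """\
tcp: 127.0.0.1:783 -> 0.0.0.0:0
tcp: 127.0.0.1:783 -> 127.0.0.1:42701
tcp: 192.0.2.10:51514 -> 203.0.113.7:443
"""

LINE = re.compile(r"^(tcp|udp):\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")


def classify(line, own_ips=()):
    """Return (proto, local_port, verdict) for one line, or None if unparsable."""
    m = LINE.match(line.strip())
    if not m:
        return None  # redacted or malformed line: leave for manual review
    proto, _laddr, lport, raddr, rport = m.groups()
    try:
        remote = ipaddress.ip_address(raddr)
    except ValueError:
        return None
    if remote.is_unspecified and int(rport) == 0:
        verdict = "listening"  # no peer yet, the socket is waiting
    elif remote.is_loopback or raddr in own_ips:
        verdict = "local"      # the machine talking to itself
    else:
        verdict = "remote"     # peer is another host: look closer
    return proto, int(lport), verdict


def triage(report, expected_port, own_ips=()):
    """Return the connections that do not fit a loopback-only service."""
    findings = []
    for line in report.splitlines():
        c = classify(line, own_ips)
        if c is None:
            continue
        _proto, lport, verdict = c
        # A remote peer, or a listener on an unexpected port, needs review.
        if verdict == "remote" or (verdict == "listening" and lport != expected_port):
            findings.append((line.strip(), verdict))
    return findings


if __name__ == "__main__":
    for line, verdict in triage(SAMPLE, expected_port=783):
        print(f"review: {line} ({verdict})")
```

The two lines copied from the alert come back as `listening` and `local`; the redacted `udp` line does not parse and is skipped, so it still needs a look by hand.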
  #5  
Old 6th April 2012, 06:29 PM
ianpurton Offline
Registered User
 
Join Date: Apr 2012
Location: London
Posts: 1
Re: My Server was Hacked - Need Advice

Here are some checks you can run to give you an idea of what's going on.

http://servermonitoringhq.com/blog/h...as_been_hacked