nhwebgroup
11-06-2006, 06:15 AM
I belive my server was hijacked by and IRC bot...
lots of CRON messages like this:
Nov 6 09:09:00 web1 /usr/sbin/cron[21215]: (apache) CMD (/var/www/html/webmail/tmp/.psy/y2kupdate >/dev/null 2>&1)
Nov 6 09:10:00 web1 /usr/sbin/cron[21260]: (root) CMD (/usr/local/directadmin/dataskq)
Nov 6 09:10:00 web1 /usr/sbin/cron[21261]: (root) CMD (/usr/libexec/atrun)
Nov 6 09:10:00 web1 /usr/sbin/cron[21262]: (apache) CMD (/var/www/html/webmail/tmp/.psy/y2kupdate >/dev/null 2>&1)
Nov 6 09:11:00 web1 /usr/sbin/cron[21288]: (root) CMD (/usr/local/directadmin/dataskq)
Nov 6 09:11:00 web1 /usr/sbin/cron[21289]: (operator) CMD (/usr/libexec/save-entropy)
Nov 6 09:11:00 web1 /usr/sbin/cron[21290]: (apache) CMD (/var/www/html/webmail/tmp/.psy/y2kupdate >/dev/null 2>&1)
When i "locate .psy" there are MANY places on the server where this folder shows up
Also i ran the "check root kit" and it told me that bind was compromized on prot 5190..
have you seen this? what tod to fix?
Tim
lots of CRON messages like this:
Nov 6 09:09:00 web1 /usr/sbin/cron[21215]: (apache) CMD (/var/www/html/webmail/tmp/.psy/y2kupdate >/dev/null 2>&1)
Nov 6 09:10:00 web1 /usr/sbin/cron[21260]: (root) CMD (/usr/local/directadmin/dataskq)
Nov 6 09:10:00 web1 /usr/sbin/cron[21261]: (root) CMD (/usr/libexec/atrun)
Nov 6 09:10:00 web1 /usr/sbin/cron[21262]: (apache) CMD (/var/www/html/webmail/tmp/.psy/y2kupdate >/dev/null 2>&1)
Nov 6 09:11:00 web1 /usr/sbin/cron[21288]: (root) CMD (/usr/local/directadmin/dataskq)
Nov 6 09:11:00 web1 /usr/sbin/cron[21289]: (operator) CMD (/usr/libexec/save-entropy)
Nov 6 09:11:00 web1 /usr/sbin/cron[21290]: (apache) CMD (/var/www/html/webmail/tmp/.psy/y2kupdate >/dev/null 2>&1)
When i "locate .psy" there are MANY places on the server where this folder shows up
Also i ran the "check root kit" and it told me that bind was compromized on prot 5190..
have you seen this? what tod to fix?
Tim