My server was hacked.. :(
They created a new user in mail group.. and installed a program called john from openwall.com located at: ftp://dl.openwall.com:21/pvt/3d9a566...x-1.7.2.tar.gz
I detected this because my server was slow.. when I checked the processes there were around 10 "john" top processes running.. anybody know what is this program john they installed and ran on my server? I still don't know how they entered my server.. if they created a new user then they had root access or the user can be created under other user? I've deleted the new user they created, changed the root and ftp password.. what should I do next? |
no advice? :(
|
Wonder if John is a brute force password cracker??? John the Ripper
|
Since you don't know how they got in you are looking at a pretty ugly situation. First I would check to see if you are running any old scripts like an outdated version of PhpBB. Often those are ways your typical script kiddie gets in.
When you do find the hole, patch it and move on. If they were in there as root, then just pony up the money for an OS reinstall and put your backup on then fix the security leak. -A |
you better contact your server admin asap !
|
yup it's a password cracker. More info here: http://www.openwall.com/john/pro/
If I were you and you aren't experienced in server security I'd get a professional to look at your server. Pay your host to secure it. |
Where are you hosted and have you contacted them about this?
Ray |
Quote:
The answer is, for when you patch whatever vulnerable daemon gave them shell access in the first place, they can simply login as a normal user (on a multiuser box most people won't change those passwords after a compromise) and run whatever rootshell they left planted around your system. Box is fucked, get a new one and copy your sites over. |
try to find him, then slay him and at the end sue him
|
Run a root check:
To install chkrootkit, SSH into server and login as root.
At command prompt type: cd /root/
At command prompt type: wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
At command prompt type: tar xvzf chkrootkit.tar.gz
At command prompt type: cd chkrootkit-0.47
At command prompt type: make sense
To run chkrootkit
At command prompt type: /root/chkrootkit-0.47/chkrootkit
If you clean then remove the account on the server and start it over. Any page can be a back door so really you should start it over. |
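Added example, not part of the thread or written by any poster: a small shell audit for the two signs the original post describes, an unexpected account in the mail group and a cluster of "john" processes. The function names and the sample passwd, group and process data are constructed for illustration.

```shell
#!/bin/sh
# Added example; all sample data below is constructed for illustration.

# List accounts to review against a known-good record:
#   UID0  <user>  any account other than root that has UID 0
#   GROUP <user>  any account whose primary or supplementary group is $3
audit_accounts() {  # usage: audit_accounts PASSWD_FILE GROUP_FILE GROUP_NAME
    awk -F: -v g="$3" '
        FILENAME == ARGV[1] {            # first file: the group database
            if ($1 == g) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") member[m[i]] = 1
            }
            next
        }
        $3 == 0 && $1 != "root"                    { print "UID0 " $1 }
        (gid != "" && $4 == gid) || ($1 in member) { print "GROUP " $1 }
    ' "$2" "$1"
}

# Count processes whose command name is exactly $1.
# Reads one command name per line on stdin, e.g. from `ps -eo comm=`.
count_procs() {
    awk -v n="$1" '$1 == n { c++ } END { print c + 0 }'
}

# Constructed sample files: "sysmail" and "toor" stand in for planted accounts.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
sysmail:x:501:12::/tmp:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF
cat > "$tmp/group" <<'EOF'
root:x:0:
mail:x:12:mail,postfix
alice:x:500:
EOF

audit_accounts "$tmp/passwd" "$tmp/group" mail
printf 'john\njohn\nsshd\njohnny\n' | count_procs john
```

On a live host, pass /etc/passwd and /etc/group and pipe `ps -eo comm=` into count_procs. If the intruder had root, the system's own tools may have been altered, so a clean result is not proof the box is clean.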