
our server is hacked :(

Status
Not open for further replies.

haneo

Programmer
Jan 2, 2002
274
CA
Please, I am lost :( our server is hacked.

i.e. when I scan its ports I can see the ports:
587 submission
3306 mysql
113 auth

How can I block those ports?

I know that our server is hacked because the man pages were changed; I had found many suspicious files and executables, I have deleted them and reinstalled wu-ftpd 2.6.2, but after 18h the wu-ftpd is not responding and when I restart it there is no change!!!! I suppose he has changed the ftpd's files.


I am lost and with no idea :(((((((((((((((((((((((((((((((((((((((((((((
 
If you have been hacked, you really can't trust anything and your safest course is to reinstall from scratch.

Blocking ports at this point is too late if the attacker is truly sophisticated.

It's possible, of course, that this is really a relatively naive attack that you could fix up easily, but how would you know that it's actually not someone very sophisticated who has made it LOOK naive?

Reinstall.
Tony Lawrence
SCO Unix/Linux Resources tony@pcunix.com
 
Hi,

All those ports could be in quite legitimate use so you wouldn't necessarily block them anyway.

Port 587 is the default port for the Message Submission protocol (RFC 2476). Sendmail probably has that port open unless you have configured it with FEATURE(`no_default_msa'). See --> .

Port 3306 is a default port for the mysql database to listen on.

Port 113 is used for ident which, again, is often used by mail servers to authenticate senders. See --> .

However, remember that the best way to stay hidden is to pretend to be something that looks normal. When you use a portscan and it says port 3306 is in use by 'mysql' it really only means that port 3306 is open and the standard look-up of that same number in /etc/services says 'mysql'. In fact, it could be anything. If you do:

/usr/sbin/lsof -i TCP:3306

(etc)

You should see what's listening on that port.

If you're certain you've been compromised then the safest option is a 100% reinstall of the binaries to make sure that you don't have trojaned versions of ostensibly normal files lying around. Then use an intrusion detection system like tripwire --> .

Hope this helps
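As an added illustration of the point above (not code from the original post), here is a small Python check that reads output in the shape `lsof -i` produces and flags any listener whose executable is not one you would expect behind the name /etc/services gives that port. The lsof sample, the /etc/services excerpt and the EXPECTED allow-list are constructed assumptions; on a real box you would feed it the live lsof output and your own allow-list.

```python
import re

# Constructed excerpt of /etc/services (name port/proto [aliases]).
SERVICES_TEXT = """\
auth        113/tcp    authentication tap ident
submission  587/tcp    msa
mysql       3306/tcp
"""
# Constructed output in the shape of `lsof -nP -i TCP -sTCP:LISTEN`. The
# 3306 listener is deliberately a shell, not mysqld: a port scan would
# still label it "mysql" because that is what /etc/services says.
LSOF_TEXT = """\
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sendmail   812   root    4u  IPv4  12345      0t0  TCP *:587 (LISTEN)
identd     901   nobody  3u  IPv4  12390      0t0  TCP *:113 (LISTEN)
sh        2210   root    5u  IPv4  13011      0t0  TCP *:3306 (LISTEN)
"""
# Assumed allow-list: which executables we expect behind each label.
EXPECTED = {"submission": {"sendmail", "master"}, "auth": {"identd", "oidentd"},
            "mysql": {"mysqld"}}
LISTEN_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+.*TCP\s+\S*:(\d+)\s+\(LISTEN\)")

def parse_services(text):
    """Map TCP port number -> service name from /etc/services-style lines."""
    ports = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        port, proto = fields[1].split("/")
        if proto == "tcp":
            ports[int(port)] = fields[0]
    return ports

def parse_lsof(text):
    """Return (command, pid, user, port) for every LISTEN line."""
    matches = (LISTEN_RE.match(line) for line in text.splitlines())
    return [(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
            for m in matches if m]

def check_listeners(lsof_text, services_text, expected):
    """Listeners whose executable is not one expected behind the port's label."""
    labels = parse_services(services_text)
    findings = []
    for cmd, pid, user, port in parse_lsof(lsof_text):
        label = labels.get(port, "unknown")
        if cmd not in expected.get(label, set()):
            findings.append((port, label, cmd, pid, user))
    return findings
```

Running check_listeners on the sample reports only port 3306, served by `sh` as root: the scanner's "mysql" label was just a table lookup, and that is the listener to investigate.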
 
Yeah, wu-ftpd with anonymous logins enabled is really bad news...

There are advisories out on a globbing bug for wu-ftpd and it is a problem right now. There are remote root exploits available for the kiddiez for this and the ssh crc sploit. Also there is a problem with any login (as in bin/login) service available to users publicly, and a glibc bug for any app that offers globbing (bsd ftp) functionality via glibc.
See

The other advice in the posts above is good: IMHO you need to reinstall. Save what of your config you can.

If you must keep your current installation you could run this tool: for a little peace of mind but it is far from perfect. You will need clean system binaries for this mounted on cdrom, or on a file share.

As pcunix said: there is no certainty after the compromise. You can resecure your box hard and an undetected backdoor and trojaned binaries undo it all..

A final piece of advice: subscribe to a security list!
 