0

My provider sent me an email stating that my root server seems to have been misused for attacking other systems.

How do I check if this is true and my system is compromised?

I was told I have 4 days to fix the problem and all the info I was supplied with are the logs further down from my provider.

The server runs Debian Squeeze and is always up-to-date. Very few users have ssh access and only via a jailkit, so there isn't much they can do. The web server, apache2, is running via suexec and FastCGI, so if one site is compromised, the others are still safe. Interestingly enough, the IP reported to have been 85.214.249.*** is my second IP, which I only received and activated a week ago.

rkhunter is running daily on my server; I just did a full check again followed by a clamscan. No results. I compared the log entries provided with my own syslog entries but found nothing. All I have is a ton of incoming traffic that apf-firewall does block since it is not legitimate traffic. I can't find any of these dreamhost servers or any of their IPs in any of my logs.

| Attacker's IP | Timestamp (Pacific Time) | Targeted Server | Attack ID | Attack Information |
|---|---|---|---|---|
| 85.214.249.*** | 2012-04-16 11:15:01 | johnson.dreamhost.com | 28775675 | e107 BBCode Arbitrary PHP Code Execution Vulnerability |
| 85.214.249.*** | 2012-04-16 11:12:55 | unuk.dreamhost.com | 28802766 | e107 BBCode Arbitrary PHP Code Execution Vulnerability |
| 85.214.249.*** | 2012-04-16 10:50:29 | nationals.dreamhost.com | 28784913 | e107 BBCode Arbitrary PHP Code Execution Vulnerability |
| 85.214.249.*** | 2012-04-16 11:03:23 | lakers.dreamhost.com | 28776910 | e107 BBCode Arbitrary PHP Code Execution Vulnerability |
| 85.214.249.*** | 2012-04-16 11:02:27 | univox.dreamhost.com | 28803414 | e107 BBCode Arbitrary PHP Code Execution Vulnerability |
Sven
  • 100,763
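One detail in the provider's table that is easy to miss when comparing it against your own logs: the timestamps are in Pacific Time, while a Debian box in Europe normally logs in local time (CEST in April). The following script is an added example, not part of the question or either answer. It parses rows in the exact format the provider sent, converts each timestamp to UTC using the US daylight-saving rule (so 2012-04-16 11:15:01 PDT becomes 18:15:01 UTC), and then looks for Apache access-log lines within a few minutes of each event, honouring the explicit UTC offset Apache writes in its `[...]` field. The sample log lines, the CEST server clock and the 5-minute window are constructed assumptions for the demonstration.

```python
import re
from datetime import datetime, timedelta, timezone

# The provider's rows, copied in the format quoted in the question
# (the provider masked the last octet of the IP).
PROVIDER_REPORT = """\
| 85.214.249.*** | 2012-04-16 11:15:01 | johnson.dreamhost.com | 28775675 | e107 BBCode Arbitrary PHP Code Execution Vulnerability |
| 85.214.249.*** | 2012-04-16 11:12:55 | unuk.dreamhost.com | 28802766 | e107 BBCode Arbitrary PHP Code Execution Vulnerability |
"""

ROW_RE = re.compile(
    r"^\|\s*(?P<ip>\S+)\s*\|\s*(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s*\|"
    r"\s*(?P<target>\S+)\s*\|\s*(?P<id>\d+)\s*\|\s*(?P<info>.*?)\s*\|$"
)


def nth_sunday(year, month, n):
    """Date of the n-th Sunday of a month (weekday(): Monday=0 ... Sunday=6)."""
    first = datetime(year, month, 1)
    first_sunday = first + timedelta(days=(6 - first.weekday()) % 7)
    return first_sunday + timedelta(weeks=n - 1)


def pacific_offset(wall_clock):
    """UTC offset of US Pacific time for a naive wall-clock datetime, using the
    post-2007 US rule: DST from 02:00 on the 2nd Sunday of March to 02:00 on
    the 1st Sunday of November. PDT is UTC-7, PST is UTC-8."""
    dst_start = nth_sunday(wall_clock.year, 3, 2).replace(hour=2)
    dst_end = nth_sunday(wall_clock.year, 11, 1).replace(hour=2)
    return timedelta(hours=-7) if dst_start <= wall_clock < dst_end else timedelta(hours=-8)


def parse_report(text):
    """Turn the provider's rows into events carrying timezone-aware UTC timestamps."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header, separator or blank lines
        local = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        utc = (local - pacific_offset(local)).replace(tzinfo=timezone.utc)
        events.append({"ip": m["ip"], "target": m["target"], "attack_id": m["id"],
                       "utc": utc, "info": m["info"]})
    return events


# Apache's combined log format writes the time as [16/Apr/2012:20:15:03 +0200].
APACHE_TS_RE = re.compile(r"\[(\d\d/[A-Za-z]{3}/\d{4}:\d\d:\d\d:\d\d [+-]\d{4})\]")


def log_line_time(line):
    """Timestamp of an Apache log line as an aware datetime, or None if absent."""
    m = APACHE_TS_RE.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z") if m else None


def lines_near(events, log_lines, window=timedelta(minutes=5)):
    """Log lines whose offset-aware time lies within `window` of any reported event."""
    hits = []
    for ev in events:
        for line in log_lines:
            t = log_line_time(line)
            if t is not None and abs(t - ev["utc"]) <= window:
                hits.append((ev["target"], line))
    return hits


# Constructed Apache lines from a server whose clock is on CEST (+0200).
# 11:15:01 PDT is 18:15:01 UTC, i.e. 20:15:01 on this server; a naive
# text search for "11:15" would land on the wrong line.
SAMPLE_LOG = [
    '198.51.100.4 - - [16/Apr/2012:11:15:03 +0200] "GET /index.php HTTP/1.1" 200 2311',
    '198.51.100.4 - - [16/Apr/2012:20:15:03 +0200] "GET /index.php HTTP/1.1" 200 2311',
    '198.51.100.9 - - [16/Apr/2012:20:40:12 +0200] "GET /robots.txt HTTP/1.1" 404 211',
]

if __name__ == "__main__":
    events = parse_report(PROVIDER_REPORT)
    for ev in events:
        print(ev["utc"].isoformat(), ev["target"], ev["info"])
    for target, line in lines_near(events, SAMPLE_LOG):
        print("near event against", target, "->", line)
```

The same offset-aware comparison applies to syslog and firewall logs once their lines are parsed; the point is to compare instants, not wall-clock strings. Note that inbound access-log entries can at best show how a site was reached, not the outbound connections the provider observed.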

2 Answers

1

First of all, if your system is compromised you can't trust your logs. Rootkits are there to make you think everything is running normally. The only way to detect if there is illegitimate traffic originating from your server is to sniff it once it has left your machine (this can be done with a repeater port on a switch).

So unfortunately this might mean:

Nuke it from orbit!

0

tcpdump all the outgoing traffic that goes from the IP in question to destination ports 80 and 443. On most systems there normally won't be much of such traffic. If the system is still actively trying to attack others, you will probably see a lot of outgoing packets to different hosts.

If you see no traffic, you can be pretty sure that CURRENTLY it isn't attacking, but from that to the conclusion that there's no compromise is a very long way. Probably the only way to be sure is to find what WAS the source of the attack traffic.

Since you mention that you got the IP only recently, is there a possibility that your ISP still has two machines with that IP? The previous owner could have configured it statically. Maybe you could disable that IP on your system (as you have two IPs, it shouldn't be a problem: configure one IP statically and disable DHCP) and then try to ping the disabled IP. (Though I'm not 100% sure I'm saying anything sane here; I have little experience on this topic.)

Sandman4
  • 4,125
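To make the tcpdump check above concrete, here is an added example (not code from either answer) that reads tcpdump's default text output and summarises how many distinct hosts the server itself opened connections to on ports 80 and 443. Only pure SYN packets sourced from our IP are counted, so replies to our own web server (SYN-ACKs, ACKs) and traffic from other addresses are ignored. A web server normally initiates few outbound HTTP connections, so a long list of distinct destinations is the "lots of outgoing packets to different hosts" pattern the answer describes. The capture lines, the stand-in IP 192.0.2.10 for the masked second address, and the threshold of 5 distinct hosts are constructed assumptions.

```python
import re

# tcpdump's default text output, as produced for example by
#   tcpdump -ni eth0 'src host OUR_IP and (dst port 80 or dst port 443)'
# or by `tcpdump -nr capture.pcap` over a capture saved with -w.
TCPDUMP_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcpdump(lines):
    """Yield one dict per recognised TCP packet line; other lines are skipped."""
    for line in lines:
        m = TCPDUMP_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarize_outbound(lines, our_ip, ports=(80, 443)):
    """Per destination port: number of connection attempts (pure SYNs) sent
    from our_ip and the set of distinct destination hosts they went to."""
    per_port = {p: {"syns": 0, "hosts": set()} for p in ports}
    for pkt in parse_tcpdump(lines):
        # Flags [S] is a SYN we sent; [S.] is a SYN-ACK, [.] a bare ACK.
        if pkt["src"] != our_ip or pkt["flags"] != "S":
            continue
        dport = int(pkt["dport"])
        if dport in per_port:
            per_port[dport]["syns"] += 1
            per_port[dport]["hosts"].add(pkt["dst"])
    return per_port


def suspicious_ports(summary, max_distinct_hosts=5):
    """Ports on which we opened connections to more distinct hosts than a
    web server normally would (threshold is a constructed example value)."""
    return sorted(p for p, s in summary.items() if len(s["hosts"]) > max_distinct_hosts)


OUR_IP = "192.0.2.10"  # constructed stand-in for the masked 85.214.249.*** address

# Constructed capture: six outbound SYNs to different hosts on port 80, one on
# 443, a SYN-ACK reply, an ACK, and a SYN from an unrelated source address.
SAMPLE_CAPTURE = [
    "18:15:01.100 IP 192.0.2.10.43211 > 198.51.100.1.80: Flags [S], seq 1, win 14600, length 0",
    "18:15:01.130 IP 198.51.100.1.80 > 192.0.2.10.43211: Flags [S.], seq 9, ack 2, win 5840, length 0",
    "18:15:01.131 IP 192.0.2.10.43211 > 198.51.100.1.80: Flags [.], ack 10, win 14600, length 0",
    "18:15:02.200 IP 192.0.2.10.43212 > 198.51.100.2.80: Flags [S], seq 1, win 14600, length 0",
    "18:15:03.300 IP 192.0.2.10.43213 > 198.51.100.3.80: Flags [S], seq 1, win 14600, length 0",
    "18:15:04.400 IP 192.0.2.10.43214 > 198.51.100.4.80: Flags [S], seq 1, win 14600, length 0",
    "18:15:05.500 IP 192.0.2.10.43215 > 198.51.100.5.80: Flags [S], seq 1, win 14600, length 0",
    "18:15:06.600 IP 192.0.2.10.43216 > 198.51.100.6.80: Flags [S], seq 1, win 14600, length 0",
    "18:15:07.700 IP 192.0.2.10.43217 > 203.0.113.9.443: Flags [S], seq 1, win 14600, length 0",
    "18:15:08.800 IP 192.0.2.77.51000 > 198.51.100.1.80: Flags [S], seq 1, win 14600, length 0",
]

if __name__ == "__main__":
    summary = summarize_outbound(SAMPLE_CAPTURE, OUR_IP)
    for port, s in summary.items():
        print(f"port {port}: {s['syns']} SYNs to {len(s['hosts'])} distinct hosts")
    print("suspicious ports:", suspicious_ports(summary))
```

Because a rootkit can hide sockets and packets from tools running on the host itself (the point of the first answer), run the capture from a mirror/repeater port or another machine on the same segment where possible, and save it with `-w` so it can be re-read later with `tcpdump -nr`. An empty result only says the server is quiet right now, as the answer notes; it does not show what originated the traffic the provider reported.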