My server was hacked.. :( - GoFuckYourself.com

alex79 · 11-04-2006, 01:24 PM

They created a new user in mail group.. and installed a program called john from openwall.com locate at: ftp://dl.openwall.com:21/pvt/3d9a566...x-1.7.2.tar.gz
i detected this becouse my server was slow.. when i checked the proces was around 10 "john" top rocesses runing..

anybody know what is this program john they installed and runed on my server?

i still don't know how they entered on my server.. if they created a new user then they had root access or the user can be created under other user?

i've deleted the new user they created, changed the root and ftp password..what should i do next?

alex79 · 11-04-2006, 01:56 PM

no advice?

WarChild · 11-04-2006, 02:03 PM

Quote:

Originally Posted by alex79

what should i do next?

Being as you're location is France, maybe try doing what the Fench do best and simply surrender?

kaori · 11-04-2006, 02:04 PM

wonder in John is a brute force password cracker??? john the ripper

k0nr4d · 11-04-2006, 03:03 PM

Quote:

Originally Posted by WarChild

Being as you're location is France, maybe try doing what the Fench do best and simply surrender?

best reply ever.

Altheon · 11-04-2006, 03:09 PM

Since you don't know how they got in you are looking at a pretty ugly situation. First I would check to see if you are running any old scripts like an outdated version of PhpBB. Often those are ways your typical script kiddie gets in.

When you do find the hole, patch it and move on. If they were in there as root, then just pony up the money for an OS reinstall and put your backup on then fix the security leak.

-A

Vlad · 11-04-2006, 03:16 PM

you better contact your server admin asap !

LukieD · 11-04-2006, 03:29 PM

yup it's a password cracker. More info here: http://www.openwall.com/john/pro/

If I were you and you aren't experienced in server security I'd get a professional to look at your server. Pay your host to secure it.

alex79 · 11-04-2006, 03:44 PM

Quote:

Originally Posted by kaori

wonder in John is a brute force password cracker??? john the ripper

yeah..is john the ripper.. but since they cold create a new user i asume that they got already the password in order to create this user.. why wold they need a brute force password cracker anymore then?

Ray@TastyDollars · 11-04-2006, 03:49 PM

Where are you hosted and have you contacted them about this?

Ray

pr0 · 11-04-2006, 04:02 PM

Quote:

Originally Posted by WarChild

Being as you're location is France, maybe try doing what the Fench do best and simply surrender?

dude i'm crying

Jarmusch · 11-04-2006, 04:12 PM

Quote:

Originally Posted by WarChild

Being as you're location is France, maybe try doing what the Fench do best and simply surrender?

fuzebox · 11-04-2006, 05:19 PM

Quote:

Originally Posted by alex79

yeah..is john the ripper.. but since they cold create a new user i asume that they got already the password in order to create this user.. why wold they need a brute force password cracker anymore then?

Oh man john is sooo old school, takes me back

The answer is, for when you patch whatever vulnerable daemon gave them shell access in the first place, they can simply login as a normal user (on a multiuser box most people won't change those passwords after a compromise) and run whatever rootshell they left planted around your system.

Box is fucked, get a new one and copy your sites over.

NemesiS876 · 11-04-2006, 05:22 PM

try to find him, then slay him and at the end sue him

aico · 11-04-2006, 05:23 PM

Quote:

Originally Posted by WarChild

Being as you're location is France, maybe try doing what the Fench do best and simply surrender?

chaze · 11-04-2006, 05:26 PM

Run a root check:

To install chrootkit, SSH into server and login as root.

At command prompt type: cd /root/

At command prompt type: wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

At command prompt type: tar xvzf chkrootkit.tar.gz

At command prompt type: cd chkrootkit-0.47

At command prompt type: make sense

To run chkrootkit

At command prompt type: /root/chkrootkit-0.47/chkrootkit

If you clean then remove the account on the server and start it over. Any page can be a back door so really you should start it over.

11-04-2006, 01:24 PM	#1
alex79 Confirmed User Join Date: Jun 2002 Location: france Posts: 996	My server was hacked.. :( They created a new user in mail group.. and installed a program called john from openwall.com locate at: ftp://dl.openwall.com:21/pvt/3d9a566...x-1.7.2.tar.gz i detected this becouse my server was slow.. when i checked the proces was around 10 "john" top rocesses runing.. anybody know what is this program john they installed and runed on my server? i still don't know how they entered on my server.. if they created a new user then they had root access or the user can be created under other user? i've deleted the new user they created, changed the root and ftp password..what should i do next? __________________

11-04-2006, 01:56 PM	#2
alex79 Confirmed User Join Date: Jun 2002 Location: france Posts: 996	no advice? __________________

11-04-2006, 03:49 PM	#10
Ray@TastyDollars www.TastyDollars.com Join Date: May 2002 Location: Montreal Posts: 6,797	Where are you hosted and have you contacted them about this? Ray __________________ The nets best interracial and cuckold site The nets hottest teen site ICQ me: 161 375 873

11-04-2006, 02:04 PM	#4
kaori Confirmed User Join Date: Apr 2005 Location: Montreal Posts: 1,569	wonder in John is a brute force password cracker??? john the ripper

11-04-2006, 03:09 PM	#6
Altheon Confirmed User Join Date: May 2004 Posts: 506	Since you don't know how they got in you are looking at a pretty ugly situation. First I would check to see if you are running any old scripts like an outdated version of PhpBB. Often those are ways your typical script kiddie gets in. When you do find the hole, patch it and move on. If they were in there as root, then just pony up the money for an OS reinstall and put your backup on then fix the security leak. -A

11-04-2006, 03:16 PM	#7
Vlad Confirmed User Join Date: Dec 2002 Location: gone Posts: 2,864	you better contact your server admin asap !

11-04-2006, 03:29 PM	#8
LukieD Confirmed User Join Date: Dec 2001 Location: London Posts: 927	yup it's a password cracker. More info here: http://www.openwall.com/john/pro/ If I were you and you aren't experienced in server security I'd get a professional to look at your server. Pay your host to secure it.

11-04-2006, 05:22 PM	#14
NemesiS876 Confirmed User Industry Role: Join Date: May 2006 Posts: 7,436	try to find him, then slay him and at the end sue him

11-04-2006, 05:26 PM	#16
chaze Confirmed User Industry Role: Join Date: Aug 2002 Posts: 9,752	Run a root check: To install chrootkit, SSH into server and login as root. At command prompt type: cd /root/ At command prompt type: wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz At command prompt type: tar xvzf chkrootkit.tar.gz At command prompt type: cd chkrootkit-0.47 At command prompt type: make sense To run chkrootkit At command prompt type: /root/chkrootkit-0.47/chkrootkit If you clean then remove the account on the server and start it over. Any page can be a back door so really you should start it over.