been hacked too

#1 Tue, 08/09/2016 - 01:25
briand

I had posted this at the bottom of the other hacked thread.

Both my servers have been hit too, my real server and my home/backup server. Not sure if it is the same issue or not.

Webmin version 1.801, Virtualmin version 5.04, Operating system CentOS Linux 6.8

I ran chkrootkit and it reports 'suckit' infected:

Searching for Suckit rootkit... Warning: /sbin/init INFECTED

I see that I had a (hacked) script running on the server, /etc/webmin/status/monitor.pl, and it produces files in /tmp/.webmin:

d---------     2 root root  4096 Aug  7 11:25 204159_2211_2_status.pl
d---------     2 root root  4096 Aug  7 11:25 24501_2089_2_monitor.pl
d---------     2 root root  4096 Aug  7 11:10 248937_25009_2_status.pl
d---------     2 root root  4096 Aug  7 11:45 289317_6865_2_status.pl
d---------     2 root root  4096 Aug  7 11:15 333563_32736_2_status.pl
d---------     2 root root  4096 Aug  7 11:15 371546_32619_2_monitor.pl
d---------     2 root root  4096 Aug  7 11:30 469862_3129_2_monitor.pl
d---------     2 root root  4096 Aug  7 11:20 474562_1179_2_monitor.pl

SELinux has caused major problems too; still trying to sort that out.

I rebooted my home server and now I am unable to boot it up due to a kernel panic. I can get access through the terminal but only in limited shell mode. I tried a USB live distro but still cannot get in.

I also get 'rm: command not found', which means I can't delete any of the hacker's files. So now I have a script changing permissions to 000 that stops the files getting accessed.
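Added example, not from the original post and not part of Webmin or Virtualmin: a small POSIX shell triage helper for the situation described in the post above. It resolves core utilities by absolute path for the case where PATH no longer finds rm, sweeps a directory for entries whose names match the pattern in the /tmp/.webmin listing and sets them to mode 000 (the approach the post describes, which keeps the files for forensics instead of deleting them), and compares a binary such as /sbin/init against a known-good SHA-256 taken from a clean install. The default directory, the exact name pattern and the availability of sha256sum and grep are assumptions.

```shell
#!/bin/sh
# Added triage helpers (example code, not from the post). Assumptions: dropper
# names follow "<digits>_<digits>_2_status.pl" / "<digits>_<digits>_2_monitor.pl"
# as in the listing above; sha256sum, grep, ls and chmod are available.
set -u

# Resolve a core utility even when PATH has been tampered with ("rm: command
# not found"). Prints the first executable found; returns 1 if none exists.
locate_tool() {
    name=$1
    p=$(command -v "$name" 2>/dev/null || true)
    if [ -n "$p" ] && [ -x "$p" ]; then
        printf '%s\n' "$p"
        return 0
    fi
    for d in /bin /usr/bin /sbin /usr/sbin; do
        if [ -x "$d/$name" ]; then
            printf '%s\n' "$d/$name"
            return 0
        fi
    done
    return 1
}

# True when a basename has the shape of the files monitor.pl was creating.
is_dropper_name() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+_[0-9]+_2_(status|monitor)\.pl$'
}

# Sweep a directory (default /tmp/.webmin): every matching entry gets mode 000,
# so neither the dropper nor anything it spawns can read or execute it. Nothing
# is deleted, so the evidence survives for later analysis. Prints the number of
# entries neutralised; returns 1 if the directory does not exist.
quarantine_droppers() {
    dir=${1:-/tmp/.webmin}
    n=0
    [ -d "$dir" ] || { printf '0\n'; return 1; }
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue          # glob matched nothing
        if is_dropper_name "${entry##*/}"; then
            chmod 000 "$entry" && n=$((n + 1))
        fi
    done
    printf '%d\n' "$n"
}

# Compare a file with a known-good SHA-256, e.g. the hash of /sbin/init from a
# clean install of the same package version. The reference value must come from
# a trusted machine, not from the compromised host. Returns 0 on a match.
check_hash() {
    file=$1
    expected=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Example use (directory and hash are arguments, nothing is hard-coded):
#   quarantine_droppers /tmp/.webmin
#   check_hash /sbin/init <sha256-from-a-clean-install> || echo "/sbin/init differs"
#   RM=$(locate_tool rm) && "$RM" -f /path/to/file
```

On a CentOS 6 host, `rpm -Vf /sbin/init` gives the same kind of comparison against the package database. Either check is only as trustworthy as the kernel and tools on the compromised machine, and a kernel-level rootkit such as SuckIT can hide what they see, so a mode-000 quarantine is a stopgap for collecting evidence, not a clean-up; rebuilding the host from known-good media is the end state.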

Tue, 08/09/2016 - 01:27
briand

How were they able to hack into the /sbin/init file? It seems they used SELinux security, which caused the home server to boot up with a kernel panic: "not syncing: Attempted to kill init!"

I also found a .scan folder and a 'scan' user.

It does look like I'll have to set up both servers from scratch now.

Tue, 08/09/2016 - 01:30
briand

I have my home server back.

I had to disable SELinux, and also clear the SELinux bit from every file on the file system, and finally managed to get booted up.

Now I need to check the logs to see if the hacker is still in. Then once the backups are done (this is supposed to be my backup server) I will have to reformat/rebuild.

P.S. I got rid of that ugly theme ;o)