
Possible Duplicate:
My server's been hacked EMERGENCY

My Linux (CentOS 5.x) machine seems to have been attacked. Port scanning activities were traced to it. However, the only port (to be) scanned was 8080. As a temporary measure, I have updated the iptables rules to drop all outbound traffic from the machine to port 8080.

However:

1. I would like to ascertain whether my machine has indeed been compromised.
2. Also, if it is really port scanning, would it be restricted to just a single port, 8080?
3. Most importantly, should the machine be infected with some malware that is causing the port scans, how can I make it clean again?

Thanks

pi.
  • I know this may not seem like a "duplicate" of the question we've linked it to, but the steps are the same -- Your machine is doing something it shouldn't be, so assume it's compromised and work from there. Re: only scanning port 8080, that's often considered an "interesting" port (admin panels are run there frequently, some proxy servers listen on that port, etc.) -- Definitely on the list of ports that I would scan if I were snooping around :) – voretaq7 Jul 28 '12 at 04:18

1 Answer

There are many different ways an attacker could be using your system to attack other sites; I'll cover a couple of the more common ones.

Someone has gained remote shell access to your system.

This can happen with a weak SSH password, poor firewall rules or exploitable programs running on your server. The first thing I would check (with the iptables block removed for a short period) is the output of netstat -anp. If you see suspicious outbound tcp/8080 connections, grab the PID from the last column and see what process they are originating from.

If the offending process is httpd, nginx, etc. proceed to the next section, otherwise you should take a look at this question:

How do I deal with a compromised server?

Someone is exploiting a script you have hosted by your webserver.

If the offending process is a webserver, or something like FastCGI this is likely the case. This is very common with PHP and Perl::CGI, but can happen with any language of course. A script you are using is written poorly, or the version of Perl/PHP/etc. is vulnerable to an attack. You can use the access logs (e.g. /var/log/httpd/access_log) to see which script is being repeatedly hit (and from where!) and remove or fix it.

In any event, you should patch your server regularly as well.

Kyle Smith
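The two checks the answer describes (find which PID owns outbound tcp/8080 connections in netstat -anp, then find which script is being hammered in access_log), as an added shell example that is not part of the original answer. The netstat and access_log lines below are constructed samples; the PIDs, program names and addresses in them are made up.

```shell
#!/bin/sh
# Added example: triage helpers for the checks described in the answer.
# Both parsers read stdin, so they work on the constructed samples here
# and on real "netstat -anp" / access_log output on a live host.

# Constructed "netstat -anp" output. PID/Program name is the last column.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 10.0.0.5:44120          198.51.100.7:8080       SYN_SENT    4321/perl
tcp        0      0 10.0.0.5:44121          198.51.100.8:8080       SYN_SENT    4321/perl
tcp        0      0 10.0.0.5:8080           203.0.113.9:51000       ESTABLISHED 2222/httpd
tcp        0      0 10.0.0.5:44122          198.51.100.9:8080       ESTABLISHED 2222/httpd'

# Print "<count> <pid> <program>" per process with OUTBOUND connections to
# port 8080, most connections first. Only the Foreign Address (field 5)
# is matched: a local :8080 listener accepting clients is not a scan.
outbound_8080() {
  awk '$1 ~ /^tcp/ && $5 ~ /:8080$/ {
         split($NF, p, "/"); c[p[1] " " p[2]]++
       }
       END { for (k in c) print c[k], k }' | sort -rn
}

# Constructed Apache combined-format access_log lines.
ACCESS_SAMPLE='203.0.113.9 - - [28/Jul/2012:04:18:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Jul/2012:04:18:01 +0000] "POST /cgi-bin/form.pl HTTP/1.1" 200 12 "-" "curl/7.19"
198.51.100.7 - - [28/Jul/2012:04:18:02 +0000] "POST /cgi-bin/form.pl HTTP/1.1" 200 12 "-" "curl/7.19"
198.51.100.7 - - [28/Jul/2012:04:18:03 +0000] "POST /cgi-bin/form.pl HTTP/1.1" 200 12 "-" "curl/7.19"
203.0.113.10 - - [28/Jul/2012:04:18:04 +0000] "GET /about.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"'

# Tally requests per (script, client IP), most-hit first. With default
# whitespace splitting the client IP is field 1 and the request path is
# field 7; the query string is stripped so variants of one script group.
top_hit_scripts() {
  awk '{ sub(/\?.*/, "", $7); c[$7 " from " $1]++ }
       END { for (k in c) print c[k], k }' | sort -rn | head -n "${1:-5}"
}

# On a live host (not run by the samples): flag processes, then show the
# executable and working directory of each from /proc, which survives
# even if the binary on disk has been deleted.
live_triage() {
  netstat -anp 2>/dev/null | outbound_8080 | while read -r count pid prog; do
    echo "$count connection(s) to :8080 from PID $pid ($prog)"
    ls -l "/proc/$pid/exe" "/proc/$pid/cwd" 2>/dev/null
  done
}
```

Run the parsers on the samples with `printf '%s\n' "$NETSTAT_SAMPLE" | outbound_8080` and `printf '%s\n' "$ACCESS_SAMPLE" | top_hit_scripts`, or pipe `tail -n 10000 /var/log/httpd/access_log` into the second on a real server.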