Koozali.org: home of the SME Server
Obsolete Releases => SME 9.x Contribs => Topic started by: calisun on December 04, 2018, 06:35:16 PM
-
I had some issues for a while with PHP as can be seen in my post here: https://forums.contribs.org/index.php/topic,53598.0.html
And recently I have found out that I had similar issues when trying to export a SQL table using PHPMyAdmin (I would also get a blank screen).
I started to dig around to see what was going on, and I discovered that a site I had on my server (which I had forgotten about and which was neglected) was based on PHP software from 2008. Since I had forgotten about that site, it was not updated and it got hacked. The site is offline now.
I am able to use Horde by setting PHP Software Collections Contrib to PHP71
Also, after uninstalling and re-installing PHPMyAdmin, it seems to work fine also.
My question is, how do I find out what they got into and what was changed on the server, so I can fix it and get default PHP to function properly.
-
Others will give you better advice than me, but logs are the place to look.
However, I think the suggestions will be to first take it offline to check the damage.
It may be hard to detect exactly what has been done, and if you are still exposed, so a reinstall/restore may be required.
You can search the interwebs for general advice on dealing with a compromised server.
-
If an attacker has been able to actually compromise files on your system you probably need to reinstall from scratch and then transfer only your data from the existing system.
However, it could be that you simply installed an rpm related to the default php from a non-standard repository, or have a non-standard config somewhere.
In case this helps, here is info related to the default php and the default php rpms on my up-to-date SME 9.2 server:
php cli location and version
# which php
/usr/bin/php
# php -v
PHP 5.3.3 (cli) (built: Mar 22 2017 12:27:09)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
default php rpms, versions, sizes, and source repositories
# for f in $(rpm -qa php-*); do pkgs="$pkgs $f"; done; yum info $pkgs |egrep "^$|Name|Arch|Version|Release|Size|From repo"
Name                       Arch    Version  Release     Size   From repo
php-cli                    x86_64  5.3.3    49.el6      6.2 M  base
php-common                 x86_64  5.3.3    49.el6      2.9 M  base
php-gd                     x86_64  5.3.3    49.el6      324 k  base
php-imap                   x86_64  5.3.3    49.el6      100 k  base
php-ldap                   x86_64  5.3.3    49.el6      52 k   base
php-mbstring               x86_64  5.3.3    49.el6      2.1 M  base
php-mysql                  x86_64  5.3.3    49.el6      216 k  base
php-pdo                    x86_64  5.3.3    49.el6      168 k  base
php-pear                   noarch  1.9.4    5.el6       2.2 M  base
php-pear-Auth-SASL         noarch  1.0.6    1.el6       51 k   anaconda-base-201512091034.x86_64
php-pear-Cache             noarch  1.5.6    1.el6       160 k  anaconda-base-201512091034.x86_64
php-pear-DB                noarch  1.7.13   3.el6       688 k  anaconda-base-201512091034.x86_64
php-pear-Date              noarch  1.4.7    5.el6       402 k  anaconda-base-201512091034.x86_64
php-pear-File              noarch  1.4.0    1.el6       35 k   anaconda-base-201512091034.x86_64
php-pear-File-CSV          noarch  1.0.0    2.el6       86 k   anaconda-base-201512091034.x86_64
php-pear-File-Util         noarch  1.0.0    2.el6       26 k   anaconda-base-201512091034.x86_64
php-pear-HTTP              noarch  1.4.1    5.el6       38 k   anaconda-base-201512091034.x86_64
php-pear-HTTP-Request      noarch  1.4.4    2.el6       73 k   anaconda-base-201512091034.x86_64
php-pear-Log               noarch  1.12.7   1.el6       246 k  anaconda-base-201512091034.x86_64
php-pear-MDB2              noarch  2.5.0    0.9.b5.el6  804 k  anaconda-base-201512091034.x86_64
php-pear-Mail              noarch  1.2.0    1.el6       106 k  anaconda-base-201512091034.x86_64
php-pear-Mail-Mime         noarch  1.8.4    1.el6       157 k  anaconda-base-201512091034.x86_64
php-pear-Net-DIME          noarch  1.0.2    1.el6       55 k   anaconda-base-201512091034.x86_64
php-pear-Net-FTP           noarch  1.3.7    4.el6       150 k  anaconda-base-201512091034.x86_64
php-pear-Net-SMTP          noarch  1.6.1    1.el6       58 k   anaconda-base-201512091034.x86_64
php-pear-Net-Socket        noarch  1.0.10   1.el6       21 k   anaconda-base-201512091034.x86_64
php-pear-Net-URL           noarch  1.0.15   4.el6       26 k   anaconda-base-201512091034.x86_64
php-pear-SOAP              noarch  0.12.0   4.el6       358 k  anaconda-base-201512091034.x86_64
php-pear-Services-Weather  noarch  1.4.5    2.el6       284 k  anaconda-base-201512091034.x86_64
php-pear-XML-Parser        noarch  1.3.4    1.el6       75 k   anaconda-base-201512091034.x86_64
php-pear-XML-Serializer    noarch  0.20.2   1.el6       223 k  anaconda-base-201512091034.x86_64
php-xml                    x86_64  5.3.3    49.el6      307 k  base
Selected entries from httpd.conf (Ignore the entries related to my ibays, of course)
# egrep "Directory|AddHandler|php" /etc/httpd/conf/httpd.conf |grep -v "^\w*#"
LoadModule php5_module modules/libphp5.so
DirectoryIndex index.htm index.html index.shtml index.cgi
DirectoryIndex index.htm index.html index.shtml index.cgi index.php index.php3 index.phtml
<IfModule mod_php4.c>
AddIcon /icons/php4.gif .php3 .php4 .php .phtml
AddIcon /icons/phps.gif .phps
AddHandler cgi-script .cgi
AddHandler server-parsed .shtml
AddHandler imap-file map
ScriptAlias /phpscl-cgi /usr/bin/phpscl
<Directory /usr/bin/phpscl>
</Directory>
<Directory />
</Directory>
<Directory /home/httpd/html/horde>
<FilesMatch "test.php$">
AddType application/x-httpd-php .php .php3
php_value include_path '/usr/share/pear-addons:/usr/share/pear'
php_flag magic_quotes_gpc off
php_flag track_vars on
php_flag session.use_trans_sid off
php_admin_flag allow_url_fopen on
</Directory>
<Directory /home/httpd/html/horde/config>
</Directory>
<Directory /home/httpd/html/horde/lib>
</Directory>
<Directory /home/httpd/html/horde/locale>
</Directory>
<Directory /home/httpd/html/horde/templates>
</Directory>
<Directory /home/httpd/html/horde/scripts>
</Directory>
<Directory /home/httpd/html/horde/imp/config>
</Directory>
<Directory /home/httpd/html/horde/imp/lib>
</Directory>
<Directory /home/httpd/html/horde/imp/locale>
</Directory>
<Directory /home/httpd/html/horde/imp/templates>
</Directory>
<Directory /home/httpd/html/horde/ingo/config>
</Directory>
<Directory /home/httpd/html/horde/ingo/lib>
</Directory>
<Directory /home/httpd/html/horde/ingo/locale>
</Directory>
<Directory /home/httpd/html/horde/ingo/templates>
</Directory>
<Directory "/usr/lib64/GNUstep/SOGo/">
</Directory>
<Directory /home/e-smith/files/server-resources>
</Directory>
<Directory /home/httpd/html/horde/turba/config>
</Directory>
<Directory /home/httpd/html/horde/turba/lib>
</Directory>
<Directory /home/httpd/html/horde/turba/locale>
</Directory>
<Directory /home/httpd/html/horde/turba/templates>
</Directory>
<Directory /var/www/icons>
</Directory>
<Directory /var/www/sarg>
</Directory>
<Directory /home/e-smith/files/ibays/Primary/html>
</Directory>
<Directory /home/e-smith/files/ibays/Primary/cgi-bin>
</Directory>
<Directory /home/e-smith/files/ibays/Primary/files>
</Directory>
<Directory /home/e-smith/files/ibays/bugs/html>
</Directory>
<Directory /home/e-smith/files/ibays/bugs/cgi-bin>
</Directory>
<Directory /home/e-smith/files/ibays/bugs/files>
</Directory>
<Directory /home/e-smith/files/ibays/smokeping/html>
</Directory>
<Directory /home/e-smith/files/ibays/smokeping/cgi-bin>
</Directory>
<Directory /home/e-smith/files/ibays/smokeping/files>
</Directory>
<Directory /home/e-smith/files/ibays/tasks/html>
</Directory>
<Directory /home/e-smith/files/ibays/tasks/cgi-bin>
</Directory>
<Directory /home/e-smith/files/ibays/tasks/files>
</Directory>
<Directory /home/e-smith/files/ibays/wordpress/html>
</Directory>
<Directory /home/e-smith/files/ibays/wordpress/cgi-bin>
</Directory>
<Directory /home/e-smith/files/ibays/wordpress/files>
</Directory>
<Directory /home/e-smith/files/ibays/bugs/html>
AddHandler phpscl-cgi .php
Action phpscl-cgi /phpscl-cgi/php71_REMI
</Directory>
<Directory /home/e-smith/files/ibays/smokeping/html>
AddHandler phpscl-cgi .php
Action phpscl-cgi /phpscl-cgi/php71_REMI
</Directory>
<Directory /home/e-smith/files/ibays/tasks/html>
AddHandler phpscl-cgi .php
Action phpscl-cgi /phpscl-cgi/php71_REMI
</Directory>
<Directory /home/e-smith/files/ibays/wordpress/html>
AddHandler phpscl-cgi .php
Action phpscl-cgi /phpscl-cgi/php71_REMI
</Directory>
<Directory /home/e-smith/files/ibays/Primary/html>
AddType application/x-httpd-php .php .php3 .phtml
AddType application/x-httpd-php-source .phps
php_admin_value open_basedir /home/e-smith/files/ibays/Primary/
</Directory>
<Directory /home/e-smith/files/ibays/bugs/html>
AddType application/x-httpd-php .php .php3 .phtml
AddType application/x-httpd-php-source .phps
php_admin_value open_basedir /home/e-smith/files/ibays/bugs/
</Directory>
<Directory /home/e-smith/files/ibays/smokeping/html>
AddType application/x-httpd-php .php .php3 .phtml
AddType application/x-httpd-php-source .phps
php_admin_value open_basedir /home/e-smith/files/ibays/smokeping/
</Directory>
<Directory /home/e-smith/files/ibays/tasks/html>
AddType application/x-httpd-php .php .php3 .phtml
AddType application/x-httpd-php-source .phps
php_admin_value open_basedir /home/e-smith/files/ibays/tasks/
</Directory>
<Directory /home/e-smith/files/ibays/wordpress/html>
AddType application/x-httpd-php .php .php3 .phtml
AddType application/x-httpd-php-source .phps
php_admin_value open_basedir /home/e-smith/files/ibays/wordpress/
</Directory>
Checksums for apache "modules"
# shasum /usr/lib64/httpd/modules/*
yum activity related to php
# grep -i ": php-" /var/log/yum/yum.log
Feb 19 13:53:49 Updated: php-common-5.3.3-48.el6_8.x86_64
Feb 19 13:53:51 Updated: php-cli-5.3.3-48.el6_8.x86_64
Feb 19 13:53:56 Updated: php-pdo-5.3.3-48.el6_8.x86_64
Feb 19 13:56:36 Updated: php-gd-5.3.3-48.el6_8.x86_64
Feb 19 13:57:05 Updated: php-5.3.3-48.el6_8.x86_64
Feb 19 13:57:19 Updated: php-mysql-5.3.3-48.el6_8.x86_64
Feb 19 13:57:21 Updated: php-imap-5.3.3-48.el6_8.x86_64
Feb 19 13:57:23 Updated: php-ldap-5.3.3-48.el6_8.x86_64
Feb 19 13:57:24 Updated: php-mbstring-5.3.3-48.el6_8.x86_64
Feb 19 13:57:25 Updated: php-xml-5.3.3-48.el6_8.x86_64
Apr 07 07:44:27 Updated: php-common-5.3.3-49.el6.x86_64
Apr 07 07:44:31 Updated: php-pdo-5.3.3-49.el6.x86_64
Apr 07 07:44:33 Updated: php-cli-5.3.3-49.el6.x86_64
Apr 07 07:45:37 Updated: php-gd-5.3.3-49.el6.x86_64
Apr 07 07:45:54 Updated: php-5.3.3-49.el6.x86_64
Apr 07 07:45:55 Updated: php-mysql-5.3.3-49.el6.x86_64
Apr 07 07:45:57 Updated: php-imap-5.3.3-49.el6.x86_64
Apr 07 07:45:57 Updated: php-ldap-5.3.3-49.el6.x86_64
Apr 07 07:45:58 Updated: php-mbstring-5.3.3-49.el6.x86_64
Apr 07 07:45:59 Updated: php-xml-5.3.3-49.el6.x86_64
httpd, php checksums
# shasum /usr/sbin/httpd /usr/bin/php
4025414508ba153691a7de8fca3ae07ea55cfa84 /usr/sbin/httpd
be15b567e4ae28f8b27bb1f13c0e2a4fcf7d4e68 /usr/bin/php
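An added example (not part of the post above, and not SME Server code) that turns the checksum listings into an actual comparison: it takes a shasum listing captured on a known-good, up-to-date install and one from the suspect server and reports which module files are modified, added or missing. The hashes and the extra module name in the demo are constructed, not real values.

```shell
#!/bin/sh
# Added example: compare two `shasum` listings (format: "<sha1> <path>") and
# report every file that differs. baseline = listing from a known-good,
# up-to-date install; current = listing from the suspect server.
compare_checksums() {
    baseline="$1"
    current="$2"
    awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }    # remember baseline hashes
        {
            seen[$2] = 1
            if (!($2 in base))       printf "%-8s %s\n", "ADDED", $2
            else if (base[$2] != $1) printf "%-8s %s\n", "MODIFIED", $2
        }
        END {
            for (p in base) if (!(p in seen)) printf "%-8s %s\n", "MISSING", p
        }
    ' "$baseline" "$current" | sort
}

# Self-contained demo with constructed (not real) hashes: libphp5.so differs,
# mod_ssl.so is gone from the suspect box and an extra module has appeared.
run_demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/baseline.txt" <<'EOF'
aaaa000000000000000000000000000000000001 /usr/lib64/httpd/modules/libphp5.so
aaaa000000000000000000000000000000000002 /usr/lib64/httpd/modules/mod_rewrite.so
aaaa000000000000000000000000000000000003 /usr/lib64/httpd/modules/mod_ssl.so
EOF
    cat > "$tmp/current.txt" <<'EOF'
bbbb000000000000000000000000000000000009 /usr/lib64/httpd/modules/libphp5.so
aaaa000000000000000000000000000000000002 /usr/lib64/httpd/modules/mod_rewrite.so
cccc000000000000000000000000000000000004 /usr/lib64/httpd/modules/mod_extra.so
EOF
    compare_checksums "$tmp/baseline.txt" "$tmp/current.txt"
    rm -rf "$tmp"
}

# Usage on real systems:
#   shasum /usr/lib64/httpd/modules/* > modules.known-good   (on the clean box)
#   shasum /usr/lib64/httpd/modules/* > modules.suspect      (on the suspect box)
#   sh this_script.sh modules.known-good modules.suspect
# A MODIFIED line for a file that rpm owns should also show up in `rpm -Va`
# (a "5" in the flags column means the digest differs); a file that no package
# owns (`rpm -qf <path>` says so) needs an explanation.
if [ "$#" -eq 2 ]; then
    compare_checksums "$1" "$2"
fi
```

The same two-column format works for the httpd and php binaries listed above, so one baseline file can cover every path you care about.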
-
If you have the time and the spare hardware around, you could install a fresh/blank SME server, do all the updates, then start comparing the two systems.
Another item to check is all running processes listening on ports (then research each item and compare the executable to a known-good system):
# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address         Foreign Address     State   PID/Program name
tcp   0      0      127.0.0.1:3128        0.0.0.0:*           LISTEN  2755/squid
tcp   0      0      192.168.200.2:3128    0.0.0.0:*           LISTEN  2755/squid
tcp   0      0      0.0.0.0:25            0.0.0.0:*           LISTEN  2460/perl
tcp   0      0      0.0.0.0:2202          0.0.0.0:*           LISTEN  2626/sshd
tcp   0      0      127.0.0.1:26          0.0.0.0:*           LISTEN  1054/perl
tcp   0      0      0.0.0.0:443           0.0.0.0:*           LISTEN  1597/httpd
tcp   0      0      0.0.0.0:636           0.0.0.0:*           LISTEN  1991/slapd
tcp   0      0      127.0.0.1:4190        0.0.0.0:*           LISTEN  2318/dovecot
tcp   0      0      127.0.0.1:20000       0.0.0.0:*           LISTEN  14599/sogod
tcp   0      0      0.0.0.0:993           0.0.0.0:*           LISTEN  2318/dovecot
tcp   0      0      0.0.0.0:515           0.0.0.0:*           LISTEN  2253/lpd
tcp   0      0      0.0.0.0:995           0.0.0.0:*           LISTEN  2215/tcpsvd
tcp   0      0      0.0.0.0:389           0.0.0.0:*           LISTEN  1991/slapd
tcp   0      0      0.0.0.0:9001          0.0.0.0:*           LISTEN  3164/node
tcp   0      0      0.0.0.0:3306          0.0.0.0:*           LISTEN  3171/mysqld
tcp   0      0      127.0.0.1:139         0.0.0.0:*           LISTEN  2784/smbd
tcp   0      0      192.168.200.2:139     0.0.0.0:*           LISTEN  2784/smbd
tcp   0      0      0.0.0.0:8843          0.0.0.0:*           LISTEN  1597/httpd
tcp   0      0      127.0.0.1:11211       0.0.0.0:*           LISTEN  2172/memcached
tcp   0      0      0.0.0.0:110           0.0.0.0:*           LISTEN  2201/tcpsvd
tcp   0      0      127.0.0.1:783         0.0.0.0:*           LISTEN  2736/perl
tcp   0      0      127.0.0.1:143         0.0.0.0:*           LISTEN  2318/dovecot
tcp   0      0      0.0.0.0:80            0.0.0.0:*           LISTEN  1597/httpd
tcp   0      0      0.0.0.0:465           0.0.0.0:*           LISTEN  2606/perl
tcp   0      0      127.0.0.1:980         0.0.0.0:*           LISTEN  2645/httpd-admin
tcp   0      0      0.0.0.0:21            0.0.0.0:*           LISTEN  2441/tcpsvd
tcp   0      0      127.0.0.2:53          0.0.0.0:*           LISTEN  2168/dnscache
tcp   0      0      192.168.200.2:53      0.0.0.0:*           LISTEN  2151/dnscache
udp   0      0      0.0.0.0:67            0.0.0.0:*                   3416/dhcpd
udp   0      0      127.0.0.1:11211       0.0.0.0:*                   2172/memcached
udp   0      0      0.0.0.0:59895         0.0.0.0:*                   2755/squid
udp   0      0      192.168.200.2:123     0.0.0.0:*                   2387/ntpd
udp   0      0      127.0.0.1:123         0.0.0.0:*                   2387/ntpd
udp   0      0      0.0.0.0:123           0.0.0.0:*                   2387/ntpd
udp   0      0      192.168.200.255:137   0.0.0.0:*                   2774/nmbd
udp   0      0      192.168.200.2:137     0.0.0.0:*                   2774/nmbd
udp   0      0      0.0.0.0:137           0.0.0.0:*                   2774/nmbd
udp   0      0      192.168.200.255:138   0.0.0.0:*                   2774/nmbd
udp   0      0      192.168.200.2:138     0.0.0.0:*                   2774/nmbd
udp   0      0      0.0.0.0:138           0.0.0.0:*                   2774/nmbd
udp   0      0      0.0.0.0:1812          0.0.0.0:*                   2704/radiusd
udp   0      0      0.0.0.0:1813          0.0.0.0:*                   2704/radiusd
udp   0      0      127.0.0.1:53          0.0.0.0:*                   2298/tinydns
udp   0      0      127.0.0.2:53          0.0.0.0:*                   2168/dnscache
udp   0      0      192.168.200.2:53      0.0.0.0:*                   2151/dnscache
udp   0      0      :::123                :::*                        2387/ntpd
If you've truly been compromised, you also need to locate and examine anything that might run a program on a schedule -- cron, startup scripts, service definitions, php code for all web apps (owncloud has a scheduler option described as 'run when pages are reloaded', IIRC).
Any services accessible from offsite must be thoroughly researched and vetted.
For example:
If ssh is accessible from offsite, is there now an unexplained entry in <user>/.ssh/authorized_keys for any user (bearing in mind that it is possible to have ssh use a different filename for authorized_keys)?
Are there any unexplained user accounts in /etc/passwd or in your ldap?
The original linux hack (from a book I read in the early 90's) was to replace the login executable with either a wrapper or compromised version that saved usernames and passwords for every login for later recovery.
Every executable that is able to communicate over a network - inbound or outbound - might be compromised either in the file itself or in its configuration in a way that could give the attacker renewed/future access to your server...
And, to really light up your day -- if your server has truly been hacked, the attacker may have compromised one or more other systems or devices on your LAN, which would then let them use that system to regain access to the server. If the SME server is your router and dns they could also have snooped credentials out of your browser sessions with offsite servers and services...
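An added example (not part of the post above, and not SME Server code) of the "research each listening process" step: the script reads saved netstat -tulpn output, drops every listener that matches an allow-list of port/program pairs you maintain for the box, and prints the rest, marking whether each one is bound to every interface and so reachable from outside. The allow-list and netstat sample in the demo are constructed; the allow-list file name is an assumption.

```shell
#!/bin/sh
# Added example: list every listener in `netstat -tulpn` output that is not on
# an allow-list of "<port> <program>" pairs, and say whether it is bound to all
# interfaces (reachable from outside) or only to a local address.
flag_listeners() {
    allow="$1"        # allow-list file, one "<port> <program>" per line
    netstat_out="$2"  # raw `netstat -tulpn` output saved to a file
    awk '
        FILENAME == ARGV[1] { ok[$1 " " $2] = 1; next }
        $1 !~ /^(tcp|udp)6?$/ { next }                 # skip the two header lines
        {
            n = split($4, a, ":"); port = a[n]         # "Local Address" is column 4
            host = substr($4, 1, length($4) - length(port) - 1)
            prog = $NF; sub(/^[0-9]+\//, "", prog)     # "2755/squid" -> "squid"
            if (prog == "-") prog = "unknown"          # netstat was not run as root
            if ((port " " prog) in ok) next
            scope = (host == "0.0.0.0" || host == "::") ? "ALL-IFACES" : "local"
            printf "UNEXPECTED %-10s %s %s:%s %s\n", scope, $1, host, port, prog
        }
    ' "$allow" "$netstat_out"
}

# Self-contained demo with constructed sample data: the allow-list names the
# services the admin expects; the netstat sample follows the layout shown above.
run_demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/allow.txt" <<'EOF'
25 perl
2202 sshd
3128 squid
123 ntpd
EOF
    cat > "$tmp/netstat.txt" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3128          0.0.0.0:*               LISTEN      2755/squid
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      2460/perl
tcp        0      0 0.0.0.0:2202            0.0.0.0:*               LISTEN      2626/sshd
tcp        0      0 0.0.0.0:9001            0.0.0.0:*               LISTEN      3164/node
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      2172/memcached
udp        0      0 :::123                  :::*                                2387/ntpd
EOF
    flag_listeners "$tmp/allow.txt" "$tmp/netstat.txt"
    rm -rf "$tmp"
}

# Usage on a real system (as root, so netstat fills in the PID/Program column):
#   netstat -tulpn > listeners.txt
#   sh this_script.sh my-allow-list.txt listeners.txt
# For each flagged PID, `readlink /proc/<pid>/exe` shows the binary actually
# running and `rpm -qf <that path>` tells you whether any package owns it.
if [ "$#" -eq 2 ]; then
    flag_listeners "$1" "$2"
fi
```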
-
Nicely summarised...