Server Hacked

Posted: Thu Aug 06, 2020 5:17 pm
by mubeen
Hi,

ViciBox v.8.0.1
VERSION: 2.14-761a
BUILD: 200708-1033

My crontab entries were getting replaced by * * * * * /tmp/div3 and CPU usage was getting high.
Upon checking div3, I found it was an IRC bot.

Can anyone guide me on how to remove it and what measures I can take to prevent it from happening in the future?
Currently fail2ban for SSH and Asterisk is running.

Re: Server Hacked

Posted: Thu Aug 06, 2020 5:37 pm
by williamconley
1) Get a copy of your database off the server.

2) Wipe it clean and start over; reinstall that database after the full reinstall.

3) WHITELIST lockdown the server. Either use the Vicibox provided method or Dynamic Good Guys (which has instructions for whitelisting ... before installation of DGG).

4) Note that there are NO "one size fits all" instructions to remove an infection from a server any more than there is a drug that will cure all illnesses. Either pay a professional to wipe it or just reinstall.

Re: Server Hacked

Posted: Sat Aug 08, 2020 1:59 pm
by mubeen
Thank you, William, for your guidance, but we were able to find and remove the Trojan. I have never worked with DGG but will explore it. Furthermore, I usually disable the Vici firewall instead of configuring it after installing f2b, which I probably shouldn't.

Re: Server Hacked

Posted: Sat Aug 08, 2020 3:54 pm
by carpenox
Have you run chkrootkit or clamscan yet?

Re: Server Hacked

Posted: Sat Aug 08, 2020 11:09 pm
by williamconley
mubeen wrote: ... we were able to find and remove the Trojan ...

Please correct this to:

mubeen wrote: ... we were able to find and remove A Trojan ...


You'll never know if you got them all until you wipe and start over. If you do not intend to wipe it, at least set up a cron job checking for files with names or in places that would tend to indicate that particular infection. Not that the trojan would be required to use the same filenames or patterns, but they often do use the same ones if they put in a sleeper/dormant wake up call.

In the end, however, we've never suggested to a client that they are "safe" without a re-install. To date we've only had one client actually satisfied with "yep, it's clean", and that client paid $1000/hour to a specialist who traced the infection back through two networks and a VPN router to the source somewhere in Canada. And we still set up a watchdog for similar files (just in case). They are going on six years clean on that server now. Happily. But it cost them several thousand dollars (which is a tiny percentage of their daily take, so it was worth it for them!)
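The "cron job checking for files with names or in places that would tend to indicate that particular infection" suggested above, written out as an added example (this is not code from the thread, from ViciBox or from DGG). It flags cron entries that execute anything under a world-writable scratch directory, which is the shape of the `* * * * * /tmp/div3` line from the first post, and it checks whether the dropper path from this thread has reappeared. The script name, the `--run` flag, the log tag and the suggested schedule are assumptions; the only known-bad path is the one named in this thread.

```sh
#!/bin/sh
# Added example, not from the thread: a cron watchdog for the persistence
# pattern described above (an every-minute crontab entry running a binary
# dropped in /tmp). Paths, names and the schedule below are assumptions.

SCRATCH_DIRS='(/tmp|/var/tmp|/dev/shm)/'
KNOWN_BAD_PATHS='/tmp/div3'   # space-separated; only the path seen in this thread

# scan_crontab: reads crontab text on stdin and prints every non-comment line
# that runs something out of a scratch directory (also catches SHELL=/tmp/x).
# Returns 0 when nothing matched, 1 when at least one line looks suspicious.
scan_crontab() {
    hits=$(grep -Ev '^[[:space:]]*(#|$)' | grep -E "(^|[[:space:]=])$SCRATCH_DIRS") || true
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# check_known_paths: takes paths as arguments and prints any that exist on disk.
# Returns 0 when none exist, 1 when a known dropper path has come back.
check_known_paths() {
    found=0
    for p in "$@"; do
        if [ -e "$p" ]; then
            printf 'present: %s\n' "$p"
            found=1
        fi
    done
    return $found
}

# collect_crontabs: the usual persistence spots, concatenated so one scan
# covers root's crontab, the system crontab and /etc/cron.d.
collect_crontabs() {
    crontab -l 2>/dev/null
    cat /etc/crontab /etc/cron.d/* 2>/dev/null
    return 0
}

# The live checks run only with --run, so the file can also be sourced for its
# functions. Suggested schedule (assumption): */10 * * * * /usr/local/sbin/cron_watchdog.sh --run
if [ "${1:-}" = "--run" ]; then
    status=0
    collect_crontabs | scan_crontab || status=1
    check_known_paths $KNOWN_BAD_PATHS || status=1
    if [ "$status" -ne 0 ]; then
        # Assumed log tag; anything watching syslog can alert on it.
        logger -t cron_watchdog "suspicious cron entry or known dropper path found"
    fi
    exit $status
fi
```

Running it as root every few minutes gives an early signal if the same persistence trick comes back, but, as the post says, it is a watchdog for a known pattern, not proof the server is clean: a different dropper name or location would not trip it, so extend `KNOWN_BAD_PATHS` with whatever turned up on the box you actually cleaned.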

Re: Server Hacked

Posted: Tue Aug 11, 2020 1:25 pm
by mubeen
carpenox wrote: Have you run chkrootkit or clamscan yet?

Yes, we ran clamscan but not chkrootkit; we will run that too.

williamconley wrote: You'll never know if you got them all until you wipe and start over.

Totally agreed. Thank you for the guidance.