Hi,
ViciBox v.8.0.1
VERSION: 2.14-761a
BUILD: 200708-1033
My crontab entries were getting replaced by * * * * * /tmp/div3 and CPU was getting high
Upon checking div 3, I found it was IRCBOT
Can anyone guide me how to remove that and what measures can I take to prevent it happening in future
Currently fail2ban for ssh and asterisk is running
Server Hacked
Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N
6 posts
• Page 1 of 1
Server Hacked
by mubeen » Thu Aug 06, 2020 5:17 pm
ViciBox v.8.0.1
VERSION: 2.14-667a
BUILD: 180331-1715
VERSION: 2.14-667a
BUILD: 180331-1715
- mubeen
- Posts: 116
- Joined: Mon Feb 19, 2018 1:49 pm
Re: Server Hacked
by williamconley » Thu Aug 06, 2020 5:37 pm
1) Get a copy of your database off the server.
2) Wipe it clean and start over, reinstall that database after the full reinstall
3) WHITELIST lockdown the server. Either use the Vicibox provided method or Dynamic Good Guys (which has instructions for whitelisting ... before installation of DGG)
4) Note that there are NO "one size fits all" instructions to remove an infection from a server any more than there is a drug that will cure all illnesses. Either pay a professional to wipe it or just reinstall.
2) Wipe it clean and start over, reinstall that database after the full reinstall
3) WHITELIST lockdown the server. Either use the Vicibox provided method or Dynamic Good Guys (which has instructions for whitelisting ... before installation of DGG)
4) Note that there are NO "one size fits all" instructions to remove an infection from a server any more than there is a drug that will cure all illnesses. Either pay a professional to wipe it or just reinstall.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
- williamconley
- Posts: 20256
- Joined: Wed Oct 31, 2007 4:17 pm
- Location: Davenport, FL (By Disney!)
Re: Server Hacked
by mubeen » Sat Aug 08, 2020 1:59 pm
Thank You William for your guidance but we were able to find and remove the Trojan. I never worked with DGG but will explore it. Furthermore I usually disable vici FW instead of configuring it after installing f2b which I probably shouldn't.
ViciBox v.8.0.1
VERSION: 2.14-667a
BUILD: 180331-1715
VERSION: 2.14-667a
BUILD: 180331-1715
- mubeen
- Posts: 116
- Joined: Mon Feb 19, 2018 1:49 pm
Re: Server Hacked
by carpenox » Sat Aug 08, 2020 3:54 pm
have you ran chrootkit or clamscan yet?
Alma Linux 9.4 | SVN Version: 3889 | DB Schema Version: 1721 | Asterisk 18.21.1 | PHP8
www.dialer.one -:- 1-833-DIALER-1 -:- https://linktr.ee/CyburDial -:- WA: +19549477572
GC: https://join.skype.com/ujkQ7i5lV78O | DC: https://discord.gg/DVktk6smbh
www.dialer.one -:- 1-833-DIALER-1 -:- https://linktr.ee/CyburDial -:- WA: +19549477572
GC: https://join.skype.com/ujkQ7i5lV78O | DC: https://discord.gg/DVktk6smbh
- carpenox
- Posts: 2423
- Joined: Wed Apr 08, 2020 2:02 am
- Location: St Petersburg, FL
Re: Server Hacked
by williamconley » Sat Aug 08, 2020 11:09 pm
mubeen wrote:... we were able to find and remove the Trojan ...
Please correct this to:
mubeen wrote:... we were able to find and remove A Trojan ...
You'll never know if you got them all until you wipe and start over. If you do not intend to wipe it, at least set up a cron job checking for files with names or in places that would tend to indicate that particular infection. Not that the trojan would be required to use the same filenames or patterns, but they often do use the same ones if they put in a sleeper/dormant wake up call.
In the end, however, we've never suggested to a client that they are "safe" without a re-install. To date we've only had one client actually satisfied with "yep, it's clean" and that client paid $1000/hour to specialist who traced the infection back through two networks and a VPN router to the source somewhere in Canada. And we still set up a watchdog for similar files (just in case). They are going on Six years clean on that server now. Happily. But it cost them several thousand dollars (which is a tiny percentage of their daily take, so it was worth it for them!)
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
- williamconley
- Posts: 20256
- Joined: Wed Oct 31, 2007 4:17 pm
- Location: Davenport, FL (By Disney!)
Re: Server Hacked
by mubeen » Tue Aug 11, 2020 1:25 pm
carpenox wrote:have you ran chrootkit or clamscan yet?
Yes, we ran clamscan but not chkrootkit, will run that too
williamconley wrote:You'll never know if you got them all until you wipe and start over.
Totally agreed, Thank you for guidance
ViciBox v.8.0.1
VERSION: 2.14-667a
BUILD: 180331-1715
VERSION: 2.14-667a
BUILD: 180331-1715
- mubeen
- Posts: 116
- Joined: Mon Feb 19, 2018 1:49 pm
6 posts
• Page 1 of 1
Who is online
Users browsing this forum: Google [Bot] and 115 guests