
Server hacked (Cent os)



Genesisfm
21/02/09, 19:34
Hello,

I have found out that I regularly receive these e-mails:



This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

xxxxxx@xxxxxx.nl
local delivery failed

The following text was generated during the delivery attempt:

------ xxxxxx@xxxxxxxx.nl ------

An error was detected while processing a file of BSMTP input.
The error message was:

421 Lost incoming connection

The SMTP transaction started in line 0.
The error was detected in line 3.
0 previous messages were successfully processed.
The rest of the batch was abandoned.
421 Lost incoming connection
Transaction started in line 0
Error detected in line 3

------ This is a copy of the message, including all the headers. ------

Return-path: <xxxxxx@xxxxxx.nl>
Received: from dslb-084-059-000-234.pools.arcor-ip.net ([84.59.0.234])
by server.xxxxxx.nl with smtp (Exim 4.67)
(envelope-from <xxxxx@xxxxx.nl>)
id 1LauSV-0002ge-6F
for xxxx@xxxxx.nl; Sat, 21 Feb 2009 17:12:07 +0100
To: <xxxxxxx@xxxxxxx.nl>
Subject: February % off
From: <xxxxxx@xxxxxxxxx.nl>
MIME-Version: 1.0
Importance: High
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-2">
</HEAD>
<BODY bgcolor="#545454"><div style="padding: 20px 20px 40px 20px; background-color:#B1B1B1;">
<table width="450" border="0" cellspacing="0" cellpadding="0" align="center" bgcolor="********">
<tr>
<td style="padding:10px 10px 10px 10px; font-family:'Trebuchet MS', Arial, Helvetica, sans-serif; font-size:20px; color:#000000;" >
We ship Worldwide! To all countries! To all destinations!</td>
</tr>
<tr> <td style="padding:10px 0px 30px 0px;">
<div style="padding:10px 10px 10px 10px;">
<div style="border-top:5px solid #666666; padding-top:10px; font-family:Verdana, Arial, Helvetica, sans-serif; font-size:10px; color:#666666;">
<a href="http://delightfulenticing.com/"><img src="http://delightfulenticing.com/st54we.jpg" alt="Cant see a picture? Click Here!" border="0"
class="featureImage" style="padding:100px 100px 100px 100px;" /></a>
</div> </td>
</tr>

<tr>
<td style="padding:20px 10px 10px 0px; background-color:#B1B1B1;">
<p style="font-family:Verdana, Arial, Helvetica, sans-serif; font-size:9px; color:#666666;">
To unsubscribe from this mailing list, please log in to www.delightfulenticing.com, click on "My Account",
click "Update" to edit your registration details and uncheck the "Receive Newsletter?" check box.<br>
Or unsubscribe at
<a href="http://delightfulenticing.com/faq.php" style="font-weight:bold; color:#666666">http://delightfulenticing.com/faq.php</a>
</p>

<p style="font-family:Verdana, Arial, Helvetica, sans-serif; font-size:9px; color:#666666;">
<a href="http://delightfulenticing.com/privacy_policy.php" style="font-weight:bold; color:#666666">Privacy Statement</a> |
<a href="http://delightfulenticing.com/shipping_policy.php" style="font-weight:bold; color:#666666">Terms &amp; Conditions</a> |
<a href="http://delightfulenticing.com/contacts.php" style="font-weight:bold; color:#666666">Contact</a>
</p>

<p style="font-family:Verdana, Arial, Helvetica, sans-serif; font-size:9px; color:#666666;">
KEYWORD Ltd.<br>
Tower Bridge Business Complex. Unit 0, B884. 541 Clements Road. London. SE28 9DG
</p>

<p style="font-family:Verdana, Arial, Helvetica, sans-serif; font-size:9px; color:#666666;">
&copy; 2006-2008 KEYWORD, Ltd. All Rights Reserved
</p></td> </tr></table></div></BODY></HTML>



The mail queue is also often full of spam :S

Now the question is: how can I find out which application is sending these e-mails?

Thanks in advance.
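As an added example (not from the thread), here is how to read the Received header that the server's own Exim added to the copy quoted above, to tell whether the message was injected by a process on the box or accepted over SMTP from an outside host. The header samples are constructed to mirror the bounce above (placeholders kept); the verdict names are this example's own.

```python
"""Tell from a bounce's Received headers how the spam entered the MTA.

Added example, not from the thread. The samples are constructed to mirror
the Exim 4.67 bounce quoted above; the verdict names are this example's own.
"""
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed: the header block of the copy included in the bounce above.
BOUNCED_COPY = """\
Return-path: <xxxxxx@xxxxxx.nl>
Received: from dslb-084-059-000-234.pools.arcor-ip.net ([84.59.0.234])
\tby server.xxxxxx.nl with smtp (Exim 4.67)
\t(envelope-from <xxxxx@xxxxx.nl>)
\tid 1LauSV-0002ge-6F
\tfor xxxx@xxxxx.nl; Sat, 21 Feb 2009 17:12:07 +0100
To: <xxxxxxx@xxxxxxx.nl>
Subject: February % off
From: <xxxxxx@xxxxxxxxx.nl>

"""

# Constructed: what the same hop looks like when a script on the box pipes
# the mail into /usr/sbin/sendmail (Exim's "local" protocol), i.e. the case
# the thread is hunting for.
LOCAL_COPY = """\
Return-path: <apache@server.xxxxxx.nl>
Received: from apache by server.xxxxxx.nl with local (Exim 4.67)
\t(envelope-from <apache@server.xxxxxx.nl>)
\tid 1LauSV-0002gf-7G
\tfor xxxx@xxxxx.nl; Sat, 21 Feb 2009 17:12:07 +0100
To: <xxxxxxx@xxxxxxx.nl>
Subject: February % off

"""

# Exim's Received line as it appears above: "from <host> ([<ip>]) by <server> with <protocol>".
RECEIVED_RE = re.compile(
    r"from\s+(?P<host>\S+)(?:\s+\(\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+)")


def classify_hop(received):
    """Classify one Received header value (folded continuation lines allowed)."""
    m = RECEIVED_RE.search(received)
    if not m:
        return {"verdict": "unparsed", "proto": None, "ip": None, "host": None}
    proto, ip = m["proto"].lower(), m["ip"]
    if proto == "local":
        verdict = "local-process"         # a local script called sendmail: search this box
    elif ip and ip_address(ip).is_loopback:
        verdict = "local-smtp"            # a local script spoke SMTP to localhost: same
    elif proto in ("esmtpa", "esmtpsa"):
        verdict = "authenticated-client"  # submitted with a mailbox password: check credentials
    else:
        verdict = "remote-smtp"           # accepted from an outside host, not sent by a local script
    return {"verdict": verdict, "proto": proto, "ip": ip, "host": m["host"]}


def origin_of(raw_message):
    """Classify the hop at which our own MTA accepted the message.

    Received headers are prepended, so the first one belongs to our server."""
    msg = message_from_string(raw_message)
    hops = msg.get_all("Received") or []
    if not hops:
        return {"verdict": "no-received", "proto": None, "ip": None, "host": None}
    return classify_hop(hops[0])


if __name__ == "__main__":
    print(origin_of(BOUNCED_COPY))   # remote-smtp, from 84.59.0.234
    print(origin_of(LOCAL_COPY))     # local-process
```

For the quoted bounce the verdict is remote-smtp: the server accepted the spam from an Arcor DSL address for a local recipient and then bounced it to the forged local Return-path, which is why the bounces land in the poster's mailbox.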

Erik H.
21/02/09, 19:49
What is Centeros? ;-)
And how is a spam e-mail related to a hacked server?

daveww
21/02/09, 19:52
What is Centeros? ;-)
And how is a spam e-mail related to a hacked server?
Indeed, please clarify.

Furthermore, I think some CGI/perl script is running..

Genesisfm
21/02/09, 20:03
That is what I mean: I think there is a script on the server that is sending this spam.
But how do I find out?

I get this e-mail back because of an error that occurs in the mail server.

dreamhost_nl
21/02/09, 20:37
You have put xxxx@xxxxx.nl everywhere in the header. Is it the same everywhere in the spam?

Genesisfm
21/02/09, 21:09
Correct!

daveww
21/02/09, 23:17
Try this command over SSH

ps aux | grep cgi
or look in your /tmp to see whether there are any strange files there, e.g. perl scripts?

Possibly (it could be) you have been hit by the roundcube bug; do you happen to still have an old roundcube on the server?

Genesisfm
21/02/09, 23:45
Dear Dave,

Here is the information:

[root@server ~]# cd /tmp
[root@server tmp]# ls
mc-root sess_814157a3846eff59be290744b8ad4b9d
phpVTaip5 sess_8274d561e1f39013cfd79830cc7068fe
sc_serv.log sess_8285384addda99f3c740b33c3a80857d
sess_59705b18ed3c753a1fdd1e537ccaf7d0 sess_da69191c3de5b9f4b88d09d58e7daf49
[root@server tmp]# ps aux | grep cgi
root 27916 0.0 0.0 5156 768 pts/3 S+ 22:44 0:00 grep cgi
[root@server tmp]#

daveww
21/02/09, 23:51
As for /tmp, the sessions are nothing serious.
So apparently no running script named CGI was found either. (It could of course always have been renamed.)

Which version of roundcube do you have? If it has not been updated yet, install version 0.2.
Have you also checked with rkhunter etc.?

mikeh
22/02/09, 00:29
ls -al ? :)

systemdeveloper
22/02/09, 00:36
ls -al ? :)
That is overkill... I think it is sess_da69191c3de5b9f4b88d09d58e7daf49, because that looks like a name I would hide a perl script in myself :w00t:
Allaaf!

daveww
22/02/09, 00:40
The sess_ files are created by PHP scripts that use sessions...
However, something that does not belong can always be in there; also, 'dir -al' or 'ls -al' might indeed help in case there are hidden files/dirs.

systemdeveloper
22/02/09, 00:52
The sess_ files are created by PHP scripts that use sessions...
However, something that does not belong can always be in there; also, 'dir -al' or 'ls -al' might indeed help in case there are hidden files/dirs.
Sure, it was just a joke, although a spammer is of course not going to name his scripts /tmp/ikspamvandaag.pl...

If you do not log much and have no idea where it is coming from, you can sometimes get results by searching with grep "spamtekst" /home/* (and deeper with /*/*...) for a script that sends the mail.

Genesisfm
22/02/09, 03:18
Hello,

Thanks for your replies!
Every day an RKhunter and CHKROOTKIT scan is run (nothing wrong was found and all versions are up2date).

I have also done the ls -al and found no strange sessions either.

I should also say that I often get the following message:


1Laytf-0006cF-F8-D
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

xxxxx@xxxxxxx.nl
local delivery failed

The following text was generated during the delivery attempt:

------ xxxxx@xxxxxx.nl ------

An error was detected while processing a file of BSMTP input.
The error message was:

421 SMTP incoming data timeout - message abandoned

The SMTP transaction started in line 0.
The error was detected in line 3.
0 previous messages were successfully processed.
The rest of the batch was abandoned.
421 SMTP incoming data timeout - message abandoned
Transaction started in line 0
Error detected in line 3

Lite-On
22/02/09, 12:53
Use ps aux to look at processes running under the Apache user.

I have seen before that scripts get placed in locations other than /tmp (for example /var/spool/vbox/.........)
In the above directory I once found an IRC DCC bot that was active under the user "Apache".

Have you also updated phpmyadmin and roundcube? Exploits have been found in those recently.
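The checks suggested in the thread (stray perl/php scripts in /tmp and other spool directories, hidden files, and grepping for the spam text) can be combined into one pass over a directory tree. This is an added example, not from the thread: the detection rules and the sample tree it builds are constructed for illustration, and its output is a review list rather than a verdict.

```python
"""Find candidate spam-sending scripts on a web host.

Added example, not from the thread. It walks a directory the way the thread
suggests (stray scripts in /tmp or spool dirs, hidden paths, the spam text)
and reports each script file with the reasons it looks suspect. The rules and
the sample tree below are constructed for illustration.
"""
import os
import re
import stat
import tempfile

SHEBANG_RE = re.compile(rb"^#!.*\b(perl|php|python|sh|bash)\b")
# Calls a mailer script typically makes; legitimate code matches too,
# so hits are things to review, not proof of compromise.
MAIL_RE = re.compile(rb"\bmail\s*\(|/usr/sbin/sendmail|Net::SMTP|fsockopen\s*\(")


def scan_tree(root, needle=None, scripts_expected=True):
    """Return sorted [(relative_path, [reasons])] for scripts under root.

    needle: a distinctive byte string from the spam (e.g. its subject line).
    scripts_expected=False marks a directory such as /tmp or /var/spool where
    any script at all is worth a look.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):      # skip symlinks, sockets, devices
                    continue
                with open(path, "rb") as fh:
                    data = fh.read(256 * 1024)          # plenty for a mailer script
            except OSError:
                continue
            if not (SHEBANG_RE.match(data) or b"<?php" in data):
                continue                                # sess_* files, logs: not scripts
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            reasons = []
            if not scripts_expected:
                reasons.append("script in a directory that should not hold scripts")
            if any(part.startswith(".") for part in rel.split("/")):
                reasons.append("hidden path")
            if MAIL_RE.search(data):
                reasons.append("mail-sending call")
            if needle and needle in data:
                reasons.append("spam text present")
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed tree mimicking the server's /tmp and a web root; return its root."""
    root = tempfile.mkdtemp(prefix="spamhunt-")
    files = {
        "tmp/sess_0263b6339bff00e38b5f3f8074990ccf": b'user|s:4:"erik";',
        "tmp/.x/mailer.pl": b"#!/usr/bin/perl\nuse Net::SMTP;\n# We ship Worldwide! To all countries!\n",
        "web/index.php": b"<?php echo 'hello'; ?>",
        "web/contact.php": b"<?php mail($to, $subject, $body); ?>",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for hit in scan_tree(root + "/tmp", needle=b"We ship Worldwide", scripts_expected=False):
        print(hit)
```

On a real host run it against /tmp, /var/tmp and /var/spool with scripts_expected=False and against the web roots with the default, using a phrase from the spam body as the needle; the file owner and mtime of each hit then narrow down which site or process wrote it.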