-
April 18th, 2013, 21:36
#1
درخواست کمک فوری فوری
سلام دوستان عزیز
چند روزی هست که از طرف سرورم(سرور مجازی با سیستم عامل لینوکس) به ایمیلم پیام های زیادی می رسه!
از مضمون پیام ها فکر نمی کردم مشکل جدی باشه (فکر می کردم پیام های چک کردن توسط فایروالم باشه!) اما امروز که اومدم سایتی که رو سرورم هست رو باز کنم دیدم باز نمی شه!
به whm هم از طریق دامینم وصل نشد!!!
ip سرورم رو وارد کردم که با اون وصل بشم اما باز هم نشد!!!
بنظرتون چی شده؟
یکی از ایمیل هایی که دو روز پیش برام اومده:
کد:
CHKROOTKIT Scan Details
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/php/.filemap /usr/lib/php/.depdb /usr/lib/php/.channels /usr/lib/php/.channels/.alias /usr/lib/php/.depdblock /usr/lib/php/.lock /usr/lib/php/.registry /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.registry/.channel.doc.php.net /usr/lib/php/.registry/.channel.pecl.php.net
/usr/lib/php/.channels /usr/lib/php/.channels/.alias /usr/lib/php/.registry /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.registry/.channel.doc.php.net /usr/lib/php/.registry/.channel.pecl.php.net
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... chkutmp: nothing deleted
-
-
April 18th, 2013 21:36
# ADS
-
April 18th, 2013, 21:39
#2
عضو دائم
پاسخ : درخواست کمک فوری فوری
این ایمیل به این دلیل هستش که روی سرور مجازی اسکریپت chkrootkit نصب می باشد و هر روز اسکن میکنه سرور رو نتایج رو ایمیل میکنه و چیز نگران کننده ای نمی باشد
:: کارشناس فنی هاستینگ و مدیریت سرور
:: کانفیگ حرفه ای سرور مجازی و اختصاصی و رفع اشکال سرور از سال 1388
:: وب سایت :
www.nginxweb.ir | تلفن شرکت:
02191300834
-
-
April 18th, 2013, 21:45
#3
پاسخ : درخواست کمک فوری فوری
سلام دوست عزیز من هم همین فکر رو می کردم اما
این ایمیل دیگه ای که برام اومده:
کد:
lfd on vps.hazratabbas.net: Suspicious process running under user rpcTime: Mon Apr 15 22:06:38 2013 -0400
PID: 1242 (Parent PID:1242)
Account: rpc
Uptime: 2526905 seconds
Executable:
/sbin/rpcbind
Command Line (often faked in exploits):
rpcbind
Network connections by the process (if any):
udp: 0.0.0.0:111 -> 0.0.0.0:0
udp: 0.0.0.0:993 -> 0.0.0.0:0
tcp: 0.0.0.0:111 -> 0.0.0.0:0
udp6: 0.0.0.0:111 -> 0.0.0.0:0
udp6: 0.0.0.0:993 -> 0.0.0.0:0
tcp6: 0.0.0.0:111 -> 0.0.0.0:0
Files open by the process (if any):
/dev/null
/dev/null
/dev/null
/var/run/rpcbind.lock
Memory maps by the process (if any):
7f1665541000-7f166554d000 r-xp 00000000 fd:00 261150 /lib64/libnss_files-2.12.so
7f166554d000-7f166574d000 ---p 0000c000 fd:00 261150 /lib64/libnss_files-2.12.so
7f166574d000-7f166574e000 r--p 0000c000 fd:00 261150 /lib64/libnss_files-2.12.so
7f166574e000-7f166574f000 rw-p 0000d000 fd:00 261150 /lib64/libnss_files-2.12.so
7f166574f000-7f16658d9000 r-xp 00000000 fd:00 261278 /lib64/libc-2.12.so
7f16658d9000-7f1665ad8000 ---p 0018a000 fd:00 261278 /lib64/libc-2.12.so
7f1665ad8000-7f1665adc000 r--p 00189000 fd:00 261278 /lib64/libc-2.12.so
7f1665adc000-7f1665add000 rw-p 0018d000 fd:00 261278 /lib64/libc-2.12.so
7f1665add000-7f1665ae2000 rw-p 00000000 00:00 0
7f1665ae2000-7f1665af9000 r-xp 00000000 fd:00 261279 /lib64/libpthread-2.12.so
7f1665af9000-7f1665cf9000 ---p 00017000 fd:00 261279 /lib64/libpthread-2.12.so
7f1665cf9000-7f1665cfa000 r--p 00017000 fd:00 261279 /lib64/libpthread-2.12.so
7f1665cfa000-7f1665cfb000 rw-p 00018000 fd:00 261279 /lib64/libpthread-2.12.so
7f1665cfb000-7f1665cff000 rw-p 00000000 00:00 0
7f1665cff000-7f1665d01000 r-xp 00000000 fd:00 261283 /lib64/libdl-2.12.so
7f1665d01000-7f1665f01000 ---p 00002000 fd:00 261283 /lib64/libdl-2.12.so
7f1665f01000-7f1665f02000 r--p 00002000 fd:00 261283 /lib64/libdl-2.12.so
7f1665f02000-7f1665f03000 rw-p 00003000 fd:00 261283 /lib64/libdl-2.12.so
7f1665f03000-7f1665f0c000 r-xp 00000000 fd:00 261256 /lib64/libgssglue.so.1.0.0
7f1665f0c000-7f166610b000 ---p 00009000 fd:00 261256 /lib64/libgssglue.so.1.0.0
7f166610b000-7f166610c000 rw-p 00008000 fd:00 261256 /lib64/libgssglue.so.1.0.0
7f166610c000-7f1666122000 r-xp 00000000 fd:00 261286 /lib64/libnsl-2.12.so
7f1666122000-7f1666321000 ---p 00016000 fd:00 261286 /lib64/libnsl-2.12.so
7f1666321000-7f1666322000 r--p 00015000 fd:00 261286 /lib64/libnsl-2.12.so
7f1666322000-7f1666323000 rw-p 00016000 fd:00 261286 /lib64/libnsl-2.12.so
7f1666323000-7f1666325000 rw-p 00000000 00:00 0
7f1666325000-7f166634b000 r-xp 00000000 fd:00 261264 /lib64/libtirpc.so.1.0.10
7f166634b000-7f166654b000 ---p 00026000 fd:00 261264 /lib64/libtirpc.so.1.0.10
7f166654b000-7f166654d000 rw-p 00026000 fd:00 261264 /lib64/libtirpc.so.1.0.10
7f166654d000-7f1666555000 r-xp 00000000 fd:00 261338 /lib64/libwrap.so.0.7.6
7f1666555000-7f1666755000 ---p 00008000 fd:00 261338 /lib64/libwrap.so.0.7.6
7f1666755000-7f1666756000 r--p 00008000 fd:00 261338 /lib64/libwrap.so.0.7.6
7f1666756000-7f1666757000 rw-p 00009000 fd:00 261338 /lib64/libwrap.so.0.7.6
7f1666757000-7f1666758000 rw-p 00000000 00:00 0
7f1666758000-7f1666778000 r-xp 00000000 fd:00 261277 /lib64/ld-2.12.so
7f1666965000-7f166696a000 rw-p 00000000 00:00 0
7f1666976000-7f1666977000 rw-p 00000000 00:00 0
7f1666977000-7f1666978000 r--p 0001f000 fd:00 261277 /lib64/ld-2.12.so
7f1666978000-7f1666979000 rw-p 00020000 fd:00 261277 /lib64/ld-2.12.so
7f1666979000-7f166697a000 rw-p 00000000 00:00 0
7f166697a000-7f1666987000 r-xp 00000000 fd:00 268 /sbin/rpcbind
7f1666b86000-7f1666b87000 rw-p 0000c000 fd:00 268 /sbin/rpcbind
7f1666b87000-7f1666b88000 rw-p 00000000 00:00 0
7f1667722000-7f1667743000 rw-p 00000000 00:00 0 [heap]
7fffebe1a000-7fffebe2f000 rw-p 00000000 00:00 0 [stack]
7fffebf99000-7fffebf9a000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
هم چنین دامینم هم بالا نمیاد
-
-
April 18th, 2013, 21:52
#4
پاسخ : درخواست کمک فوری فوری
ممنون دوستان مشکلم حل شد
فقط نفهمیدم چرا سایت بالا نمی آمد؟!
-
پاسخ با نقل قول
