
Need Virus, Trojan Detector

Discussion in 'Plesk for Linux - 8.x and Older' started by sharingsunshine@, Oct 21, 2005.

  1. sharingsunshine@ (Guest)

    Hello,

    I have reason to believe someone got through our firewall via telnet. I can't find any evidence that they were able to accomplish anything before I found them.

    I realize they can change the log files. So, I wanted to install a good virus/Trojan detector on my Red Hat Enterprise version 3ES.

    Can you suggest one?

    Here is the logwatch output that made me think they hacked the server.

    ************

    Service telnet:
    220.225.128.155: 2 Time(s)

    ---------------------- Connections (secure-log) End -------------------------


    --------------------- SSHD Begin ------------------------


    Users logging in through sshd:
    root logged in from va-69-34-35-58.sta.sprint-hsd.net (69.34.35.58) using password: 3 Time(s)

    SFTP subsystem requests: 1 Time(s)

    ---------------------- SSHD End -------------------------


    --------------------- up2date Begin ------------------------


    Package Installed:
    ['nss_ldap-207-17', 'openldap-2.0.27-20', 'openldap-clients-2.0.27-20', 'openldap-devel-2.0.27-20']

    Package Added To Profile:
    ['nss_ldap-207-17', 'openldap-2.0.27-20', 'openldap-clients-2.0.27-20', 'openldap-devel-2.0.27-20']

    Package Removed From Profile:
    ['nss_ldap-207-15', 'openldap-2.0.27-17', 'openldap-clients-2.0.27-17', 'openldap-devel-2.0.27-17']

    **Unmatched Entries**
    Unable to import repomd support so repomd support will not be available
    Updating package profile

    ---------------------- up2date End -------------------------
    *********************

    Thanks, any help will be greatly appreciated.

    Randal
     
  2. phoenixisp (Silver Pleskian, joined Feb 2, 2002)

    Why don't you just close the telnet port #23?
     
  3. sharingsunshine@ (Guest)

    I have stopped the telnet service altogether.

    However, I am not sure if this person has left a backdoor or Trojan. That is why I am interested in finding a program that won't mess up Plesk and that can find things a hacker may leave on the system.

    Thanks,

    Randal
     
  4. Traged1 (Guest)

    Use a combination of the following tools:

    rkhunter

    chkrootkit

    kavscanner

    All are very good at picking up trojans and backdoors, but nothing is ever 100%.

    If you seriously think your box has been compromised, I would advise a backup of all PLESK data (i.e. psadump), write the backup to another drive or offline media, and then wipe the box and re-install the OS.

    Upon re-install, install the tripwire package to detect binary file changes and audit the box regularly.

    Also, I would do some detective work into trying to figure out how this guy got in. Have you secured your temp? Do any indications of that IP match anyone's login in your /var/log/secure? Maybe it's a customer? Have you checked the box for known weak scripts like old versions of phpBB, awstats, etc.?
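The log triage the reply above suggests (pull the telnet and root-password source IPs out of /var/log/secure, see whether they belong to a known customer, and check whether /tmp is mounted noexec,nosuid), as an added example that is not code from the thread or from Plesk. The /var/log/secure lines, the /etc/fstab excerpt and the customer IP list are constructed for the example; the IPs in the sample are the ones quoted in the original post plus documentation addresses. rkhunter, chkrootkit and tripwire are not invoked here; this script only does the log and mount cross-checks.

```shell
#!/bin/sh
# Added example, not from the original thread. Triage a RHEL 3 style
# /var/log/secure excerpt: which IPs opened telnet sessions via xinetd,
# which IPs got a root shell with a password, and whether those IPs are
# known customers. Also checks whether /tmp carries noexec,nosuid.

# Constructed sample of /var/log/secure (xinetd START lines + sshd lines).
SAMPLE_SECURE='Oct 20 03:12:41 host xinetd[1234]: START: telnet pid=5678 from=220.225.128.155
Oct 20 03:14:02 host xinetd[1234]: START: telnet pid=5690 from=220.225.128.155
Oct 20 09:01:10 host sshd[2345]: Accepted password for root from 69.34.35.58 port 51234 ssh2
Oct 20 09:05:33 host sshd[2350]: Accepted publickey for admin from 192.0.2.10 port 51300 ssh2
Oct 20 11:22:01 host sshd[2400]: Accepted password for root from 69.34.35.58 port 51444 ssh2
Oct 20 12:00:00 host xinetd[1234]: START: pop3 pid=5700 from=198.51.100.7'

# Constructed (hypothetical) list of customer IPs; in practice this would
# come from billing records or the Plesk client database.
KNOWN_CUSTOMER_IPS='69.34.35.58
192.0.2.10'

# Constructed /etc/fstab excerpt where /tmp has no hardening options.
SAMPLE_FSTAB='LABEL=/      /      ext3  defaults  1 1
LABEL=/tmp   /tmp   ext3  defaults  1 2
none         /proc  proc  defaults  0 0'

# Unique source IPs that opened a telnet session (xinetd "START: telnet" lines).
telnet_sources() {
    printf '%s\n' "$1" | grep 'START: telnet' \
        | sed -n 's/.*from=\([0-9.]*\).*/\1/p' | sort -u
}

# Unique source IPs that logged in as root with a password (not a key).
root_password_sources() {
    printf '%s\n' "$1" | grep 'Accepted password for root' \
        | sed -n 's/.* from \([0-9.]*\) .*/\1/p' | sort -u
}

# Label each IP in $1 (one per line) as "customer" or "unknown" against
# the newline-separated list in $2.
classify_ips() {
    printf '%s\n' "$1" | while read -r ip; do
        [ -z "$ip" ] && continue
        if printf '%s\n' "$2" | grep -qxF "$ip"; then
            printf '%s customer\n' "$ip"
        else
            printf '%s unknown\n' "$ip"
        fi
    done
}

# "hardened" if the /tmp entry in the fstab text $1 has both noexec and
# nosuid in its mount options, otherwise "unhardened".
tmp_mount_status() {
    opts=$(printf '%s\n' "$1" | awk '$2 == "/tmp" { print $4 }')
    if printf ',%s,' "$opts" | grep -q ',noexec,' \
       && printf ',%s,' "$opts" | grep -q ',nosuid,'; then
        echo hardened
    else
        echo unhardened
    fi
}

# Report for the constructed sample when run directly.
echo "telnet sources:"
classify_ips "$(telnet_sources "$SAMPLE_SECURE")" "$KNOWN_CUSTOMER_IPS"
echo "root password logins from:"
classify_ips "$(root_password_sources "$SAMPLE_SECURE")" "$KNOWN_CUSTOMER_IPS"
echo "/tmp mount: $(tmp_mount_status "$SAMPLE_FSTAB")"
```

On the sample the telnet source comes back as unknown while the root password logins come from a listed customer address, which is exactly the distinction the reply asks about; a real run would substitute `cat /var/log/secure` and `cat /etc/fstab` for the embedded strings.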