
Need Virus, Trojan Detector

sharingsunshine@

Guest
Hello,

I have reason to believe someone got through our firewall via telnet. I can't find any evidence that they were able to accomplish anything before I found them.

I realize they can change the log files. So, I wanted to install a good Virus, Trojan detector on my Redhat Enterprise version 3ES.

Can you suggest one?

Here is the log on logwatch that made me think they hacked the server.

************

Service telnet:
220.225.128.155: 2 Time(s)

---------------------- Connections (secure-log) End -------------------------


--------------------- SSHD Begin ------------------------


Users logging in through sshd:
root logged in from va-69-34-35-58.sta.sprint-hsd.net (69.34.35.58) using password: 3 Time(s)

SFTP subsystem requests: 1 Time(s)

---------------------- SSHD End -------------------------


--------------------- up2date Begin ------------------------


Package Installed:
['nss_ldap-207-17', 'openldap-2.0.27-20', 'openldap-clients-2.0.27-20', 'openldap-devel-2.0.27-20']

Package Added To Profile:
['nss_ldap-207-17', 'openldap-2.0.27-20', 'openldap-clients-2.0.27-20', 'openldap-devel-2.0.27-20']

Package Removed From Profile:
['nss_ldap-207-15', 'openldap-2.0.27-17', 'openldap-clients-2.0.27-17', 'openldap-devel-2.0.27-17']

**Unmatched Entries**
Unable to import repomd support so repomd support will not be available
Updating package profile

---------------------- up2date End -------------------------
*********************

Thanks, any help will be greatly appreciated.

Randal
 
I have stopped the telnet service altogether.

However, I am not sure if this person has left a backdoor or Trojan. That is why I am interested in finding a program that won't mess up Plesk that can find things that a hacker may leave in the system.

Thanks,

Randal
 
Use a combination of the following tools:

rkhunter

chkrootkit

kavscanner

All are very good at picking up trojans and backdoors, but nothing is ever 100%.

If you seriously think your box has been compromised, I would advise a backup of all PLESK data, i.e. psadump; write the backup to another drive or offline media and then wipe the box and re-install the OS.

Upon re-install, install the tripwire package to detect binary file changes and audit the box regularly.

Also, I would do some detective work into trying to figure out how this guy got in. Have you secured your temp? Are there any indications that that IP matches anyone's login in your /var/log/secure? Maybe it's a customer? Have you checked the box for known weak scripts like old versions of phpbb, awstats etc.?
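A small shell script, added here and not part of the thread, that does the cross-check the reply asks for: it counts accepted root password logins per source address in a secure-style log and checks a given address against the ssh and telnet entries. The log lines are constructed for the demo (they reuse the addresses from Randal's logwatch output); the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed /var/log/secure-style
# sample; in practice point the functions at the real secure log instead.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 02:11:07 host xinetd[1201]: START: telnet pid=4410 from=220.225.128.155
Mar  3 02:11:20 host login[4410]: FAILED LOGIN 1 FROM 220.225.128.155 FOR root, Authentication failure
Mar  3 02:12:40 host sshd[4480]: Accepted password for root from 69.34.35.58 port 51022 ssh2
Mar  3 03:05:12 host sshd[4512]: Accepted password for root from 69.34.35.58 port 51100 ssh2
Mar  3 09:15:00 host sshd[4600]: Accepted publickey for deploy from 10.0.0.5 port 40000 ssh2
EOF

# Escape the dots in an IPv4 address so grep matches it literally.
escape_ip() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# root_login_sources <log>: "<ip> <count>" for every address that logged
# in as root with a password (the same thing logwatch summarised above).
root_login_sources() {
    awk '/Accepted password for root from/ {
            for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++
         }
         END { for (ip in c) print ip, c[ip] }' "$1" | sort
}

# logins_from <log> <ip>: accepted ssh logins (any user, any method) from ip.
logins_from() {
    grep -Ec "Accepted (password|publickey) for [^ ]+ from $(escape_ip "$2") " "$1" || :
}

# telnet_from <log> <ip>: telnet sessions xinetd started for that address.
telnet_from() {
    grep -c "START: telnet .*from=$(escape_ip "$2")\$" "$1" || :
}

# Stand-alone run: summarise the sample, then check the two suspect addresses.
root_login_sources "$SAMPLE_LOG"
printf 'ssh logins from 69.34.35.58: %s\n' "$(logins_from "$SAMPLE_LOG" 69.34.35.58)"
printf 'telnet sessions from 220.225.128.155: %s\n' "$(telnet_from "$SAMPLE_LOG" 220.225.128.155)"
```

Any root password login from an address you cannot tie to a known admin or customer is the entry to chase; a clean result here does not clear the box, since a logged-in root can edit the same file.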
 