How to clean hacked server and add more security?

Support for security such as Firewalls and securing linux
agriz
Posts: 267
Joined: 2011/11/19 15:17:40

How to clean hacked server and add more security?

Post by agriz » 2013/10/02 11:04:38

Hi,

I know it is going to be a very big job.
One of my websites is suddenly not working.

I contacted my domain provider (bigrock) and they told me that the .IN registry has put a "SERVER HOLD" on my domain because of malware.
My other .in websites are working fine from the same server.

I don't know how to check the server for malware.
I am not an expert.

But in this topic I can learn a lot about security, which will give me more knowledge of Linux security.
I will post the details you need. If they are too sensitive to share in public, I will send a PM.

Looking forward to your support in getting the malware removed.

Thanks..
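A registry or browser "malware" flag on a domain is normally about what the site serves (injected scripts, hidden iframes, dropped PHP backdoors), which a rootkit scanner does not look at. The script below is an added example, not code from this thread or from any CentOS tool; it walks a web root and flags files on three cheap signals: server-side scripts sitting under upload or static directories, files modified recently, and a short list of content signatures for common PHP/JS injection patterns. The directory names, extensions, signature list and the synthetic sample tree built by build_sample_webroot() are the example's own assumptions, and the "malicious" sample contents are harmless stand-ins.

```python
"""Quick web-root triage: flag files that deserve a manual look after a malware hold."""
import os
import re
import sys
import tempfile
import time
from collections import namedtuple

Finding = namedtuple("Finding", "path reason")

# Assumptions of this example: which extensions execute server-side, and which
# directory names should never contain them (uploads, caches, image trees).
SERVER_SIDE = {".php", ".php5", ".phtml", ".phar", ".cgi", ".pl"}
UPLOAD_DIRS = {"uploads", "upload", "images", "img", "cache", "tmp", "files"}
SCAN_EXT = SERVER_SIDE | {".html", ".htm", ".js"}

# Content signatures for common injection patterns; a starting list, not a complete one.
SIGNATURES = [
    ("php-eval-obfuscation", re.compile(
        r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("php-dynamic-function", re.compile(r"\$\w+\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("php-shell-exec", re.compile(
        r"\b(shell_exec|passthru|system|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("php-auto-prepend", re.compile(r"auto_prepend_file", re.I)),
    ("hidden-iframe", re.compile(
        r"<iframe[^>]+(width|height)\s*=\s*[\"']?0\b|<iframe[^>]+display\s*:\s*none", re.I)),
    ("js-unescape-write", re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)),
]


def scan_webroot(root, recent_days=7, now=None):
    """Return sorted Finding(path, reason) entries for files under root (paths relative to root)."""
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            ext = os.path.splitext(name)[1].lower()
            if ext not in SCAN_EXT and name != ".htaccess":
                continue
            parent_dirs = {p.lower() for p in rel.split(os.sep)[:-1]}
            if ext in SERVER_SIDE and parent_dirs & UPLOAD_DIRS:
                findings.append(Finding(rel, "server-side script under an upload/static directory"))
            try:
                st = os.stat(full)
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            if st.st_mtime > cutoff:
                findings.append(Finding(rel, "modified in the last %d days" % recent_days))
            for label, pattern in SIGNATURES:
                if pattern.search(text):
                    findings.append(Finding(rel, "matches signature " + label))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample tree for the demo; the planted files are harmless stand-ins."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        "index.php": "<?php echo 'hello'; ?>\n",
        "wp-content/uploads/photo.jpg": "not really a jpeg\n",
        # obfuscated call: 'system' is split so a naive system( signature misses it
        "wp-content/uploads/x.php": "<?php $f = 'sys' . 'tem'; $f($_POST['c']); ?>\n",
        "footer.html": "<html><iframe src=\"http://malware.example/\" width=\"0\" height=\"0\"></iframe></html>\n",
        # base64 of the harmless string phpinfo();
        "wp-includes/class-db.php": "<?php eval(base64_decode('cGhwaW5mbygpOw==')); ?>\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    old = time.time() - 400 * 86400  # make index.php look untouched for a year
    os.utime(os.path.join(root, "index.php"), (old, old))
    return root


if __name__ == "__main__":
    # Usage: python webroot_triage.py /var/www/html   (no argument: scan the sample tree)
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_webroot()
    for hit in scan_webroot(target):
        print("%-40s %s" % (hit.path, hit.reason))
```

Copy the web root off the host, or mount its disk from a rescue system, before examining it: if the rootkit scanner's suspicion is right, ls, find and even the interpreter on the box cannot be trusted. Modification time is only a hint, since an intruder can reset it with touch, and the signature list catches common patterns rather than everything. The reliable check is a diff of the web root against a known-good copy of the CMS or a backup that predates the compromise.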

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: How to clean hacked server and add more security?

Post by agriz » 2013/10/02 11:17:54

I just checked /var/log/secure and found the following line.

[code]Rootkit Hunter: Please inspect this machine, because it may be infected[/code]
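An rkhunter run logs one line per check, nearly all of them "[ Not found ]", so the entries that matter (a "[ Warning ]" with the "Warning:" detail lines under it, "[ Skipped ]" checks with the reason rkhunter logged, and tests "disabled at users request") are easy to miss. The Python script below is an added example, not code from this thread or from rkhunter; it parses a log in rkhunter's line format and lists only those entries. The SAMPLE_LOG inside it is constructed to mimic that format; pass the real log path (the LOGFILE setting in rkhunter.conf) as the first argument to triage a live log.

```python
"""Triage an rkhunter log: list only the findings, not the hundreds of '[ Not found ]' lines."""
import re
import sys

# rkhunter writes "[HH:MM:SS] <message> [ <result> ]"; detail and Info lines carry no result.
LINE_RE = re.compile(
    r"^\[\d\d:\d\d:\d\d\]\s*(?P<msg>.*?)\s*(?:\[\s*(?P<status>[^\[\]]+?)\s*\])?$"
)

# Constructed sample in rkhunter's log format (not a real log): one warning with its
# detail lines, two skipped checks with their reasons, one test disabled in rkhunter.conf.
SAMPLE_LOG = """\
[03:10:32] Info: Starting test name 'malware'
[03:10:32] Performing malware checks
[03:10:32]
[03:10:32] Info: Test 'deleted_files' disabled at users request.
[03:10:33] Checking running processes for suspicious files [ None found ]
[03:10:33] Checking for software intrusions [ Skipped ]
[03:10:33] Info: Check skipped - tripwire not installed
[03:10:34] Checking for hidden ports [ Skipped ]
[03:10:34] Info: Unable to find the 'unhide-tcp' command
[03:10:35] Checking if SSH root access is allowed [ Warning ]
[03:10:35] Warning: The SSH and rkhunter configuration options should be the same:
[03:10:35]          SSH configuration option 'PermitRootLogin': no
[03:10:35]          Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': unset
[03:10:35] Checking if SSH protocol v1 is allowed [ Not allowed ]
"""


def triage(lines):
    """Group an rkhunter log into warnings (with detail lines), skipped checks
    (with the reason rkhunter logged) and tests disabled by configuration."""
    findings = {"warnings": [], "skipped": [], "disabled": []}
    current = None  # entry still collecting the result-less lines that follow it
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\n"))
        if not m:
            current = None
            continue
        msg, status = m.group("msg"), m.group("status")
        if status in ("Warning", "Skipped"):
            current = {"check": msg, "details": []}
            findings["warnings" if status == "Warning" else "skipped"].append(current)
        elif status is not None or not msg:
            current = None  # any other result, or a blank line, ends the detail block
        elif msg.startswith("Info: Test ") and "disabled" in msg:
            findings["disabled"].append(msg)
            current = None
        elif current is not None:
            current["details"].append(msg)
    return findings


def report(findings):
    """Render the triage as text (returned rather than printed, so it can be checked or logged)."""
    out = []
    for w in findings["warnings"]:
        out.append("WARNING: " + w["check"])
        out.extend("    " + d for d in w["details"])
    for s in findings["skipped"]:
        reason = "; ".join(s["details"])
        out.append("SKIPPED: " + s["check"] + (" (" + reason + ")" if reason else ""))
    for d in findings["disabled"]:
        out.append("DISABLED: " + d)
    return "\n".join(out) if out else "No warnings, skipped or disabled tests in this log."


if __name__ == "__main__":
    # Usage: python rkhunter_triage.py /path/to/rkhunter.log   (no argument: use SAMPLE_LOG)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    print(report(triage(lines)))
```

A skipped or disabled test is not a pass: a file-integrity check skipped because tripwire is absent, a hidden-port check skipped because unhide-tcp is missing, or a hidden_procs test disabled in rkhunter.conf leaves exactly the rootkit behaviour the scan exists to catch unverified, so those entries are gaps to close before a clean run means anything. The PermitRootLogin warning in the sample is a configuration mismatch on rkhunter's side, not sshd's: sshd already says no, and setting ALLOW_SSH_ROOT_USER=no in rkhunter.conf makes the two agree. Remember too that rkhunter runs with the binaries of the host it is checking, so a clean result from a possibly rootkitted machine is weaker evidence than the same result from a rescue system.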

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: How to clean hacked server and add more security?

Post by agriz » 2013/10/02 11:41:53

[code]

[03:10:22] Checking for directory '/dev/.lib/lib' [ Not found ]
[03:10:22] Checking for directory '/dev/.lib/lib/lib' [ Not found ]
[03:10:22] Checking for directory '/dev/.lib/lib/lib/dev' [ Not found ]
[03:10:22] Checking for directory '/dev/.lib/lib/scan' [ Not found ]
[03:10:22] Checking for directory '/usr/src/.puta' [ Not found ]
[03:10:22] Checking for directory '/usr/man/man1/man1' [ Not found ]
[03:10:22] Checking for directory '/usr/man/man1/man1/lib' [ Not found ]
[03:10:22] Checking for directory '/usr/man/man1/man1/lib/.lib' [ Not found ]
[03:10:22] Checking for directory '/usr/man/man1/man1/lib/.lib/.backup' [ Not found ]
[03:10:22] T0rn Rootkit [ Not found ]
[03:10:22]
[03:10:22] Checking for trNkit Rootkit...
[03:10:22] Checking for file '/usr/lib/libbins.la' [ Not found ]
[03:10:22] Checking for file '/usr/lib/libtcs.so' [ Not found ]
[03:10:22] Checking for file '/dev/.ttpy/ulogin.sh' [ Not found ]
[03:10:22] Checking for file '/dev/.ttpy/tcpshell.sh' [ Not found ]
[03:10:22] Checking for file '/dev/.ttpy/bupdu' [ Not found ]
[03:10:22] Checking for file '/dev/.ttpy/buloc' [ Not found ]
[03:10:22] Checking for file '/dev/.ttpy/buloc1' [ Not found ]
[03:10:22] Checking for file '/dev/.ttpy/buloc2' [ Not found ]
[03:10:22] Checking for file '/dev/.ttpy/stat' [ Not found ]
[03:10:22] Checking for file '/dev/.ttpy/backps' [ Not found ]
[03:10:22] Checking for file '/dev/.ttpy/tree' [ Not found ]
[03:10:22] Checking for file '/dev/.ttpy/topk' [ Not found ]
[03:10:22] Checking for file '/dev/.ttpy/wold' [ Not found ]
[03:10:22] Checking for file '/dev/.ttpy/whoold' [ Not found ]
[03:10:22] Checking for file '/dev/.ttpy/backdoors' [ Not found ]
[03:10:22] trNkit Rootkit [ Not found ]
[03:10:22]
[03:10:22] Checking for Trojanit Kit...
[03:10:23] Checking for file '/bin/.ls' [ Not found ]
[03:10:23] Checking for file '/bin/.ps' [ Not found ]
[03:10:23] Checking for file '/bin/.netstat' [ Not found ]
[03:10:23] Checking for file '/usr/bin/.nop' [ Not found ]
[03:10:23] Checking for file '/usr/bin/.who' [ Not found ]
[03:10:23] Trojanit Kit [ Not found ]
[03:10:23]
[03:10:23] Checking for Tuxtendo Rootkit...
[03:10:23] Checking for file '/lib/libproc.so.2.0.7' [ Not found ]
[03:10:23] Checking for file '/usr/bin/xchk' [ Not found ]
[03:10:23] Checking for file '/usr/bin/xsf' [ Not found ]
[03:10:23] Checking for file '/dev/tux/suidsh' [ Not found ]
[03:10:23] Checking for file '/dev/tux/.addr' [ Not found ]
[03:10:23] Checking for file '/dev/tux/.cron' [ Not found ]
[03:10:23] Checking for file '/dev/tux/.file' [ Not found ]
[03:10:23] Checking for file '/dev/tux/.log' [ Not found ]
[03:10:23] Checking for file '/dev/tux/.proc' [ Not found ]
[03:10:23] Checking for file '/dev/tux/.iface' [ Not found ]
[03:10:23] Checking for file '/dev/tux/.pw' [ Not found ]
[03:10:23] Checking for file '/dev/tux/.df' [ Not found ]
[03:10:23] Checking for file '/dev/tux/.ssh' [ Not found ]
[03:10:23] Checking for file '/dev/tux/.tux' [ Not found ]
[03:10:23] Checking for file '/dev/tux/ssh2/sshd2_config' [ Not found ]
[03:10:23] Checking for file '/dev/tux/ssh2/hostkey' [ Not found ]
[03:10:23] Checking for file '/dev/tux/ssh2/hostkey.pub' [ Not found ]
[03:10:23] Checking for file '/dev/tux/ssh2/logo' [ Not found ]
[03:10:23] Checking for file '/dev/tux/ssh2/random_seed' [ Not found ]
[03:10:23] Checking for file '/dev/tux/backup/crontab' [ Not found ]
[03:10:23] Checking for file '/dev/tux/backup/df' [ Not found ]
[03:10:23] Checking for file '/dev/tux/backup/dir' [ Not found ]
[03:10:23] Checking for file '/dev/tux/backup/find' [ Not found ]
[03:10:23] Checking for file '/dev/tux/backup/ifconfig' [ Not found ]
[03:10:23] Checking for file '/dev/tux/backup/locate' [ Not found ]
[03:10:23] Checking for file '/dev/tux/backup/netstat' [ Not found ]
[03:10:23] Checking for file '/dev/tux/backup/ps' [ Not found ]
[03:10:23] Checking for file '/dev/tux/backup/pstree' [ Not found ]
[03:10:23] Checking for file '/dev/tux/backup/syslogd' [ Not found ]
[03:10:23] Checking for file '/dev/tux/backup/tcpd' [ Not found ]
[03:10:23] Checking for file '/dev/tux/backup/top' [ Not found ]
[03:10:23] Checking for file '/dev/tux/backup/updatedb' [ Not found ]
[03:10:23] Checking for file '/dev/tux/backup/vdir' [ Not found ]
[03:10:23] Checking for directory '/dev/tux' [ Not found ]
[03:10:23] Checking for directory '/dev/tux/ssh2' [ Not found ]
[03:10:23] Checking for directory '/dev/tux/backup' [ Not found ]
[03:10:23] Tuxtendo Rootkit [ Not found ]
[03:10:23]
[03:10:23] Checking for URK Rootkit...
[03:10:23] Checking for file '/dev/prom/sn.l' [ Not found ]
[03:10:23] Checking for file '/usr/lib/ldlibps.so' [ Not found ]
[03:10:23] Checking for file '/usr/lib/ldlibnet.so' [ Not found ]
[03:10:23] Checking for file '/dev/pts/01/uconf.inv' [ Not found ]
[03:10:23] Checking for file '/dev/pts/01/cleaner' [ Not found ]
[03:10:23] Checking for file '/dev/pts/01/bin/psniff' [ Not found ]
[03:10:23] Checking for file '/dev/pts/01/bin/du' [ Not found ]
[03:10:23] Checking for file '/dev/pts/01/bin/ls' [ Not found ]
[03:10:23] Checking for file '/dev/pts/01/bin/passwd' [ Not found ]
[03:10:23] Checking for file '/dev/pts/01/bin/ps' [ Not found ]
[03:10:23] Checking for file '/dev/pts/01/bin/psr' [ Not found ]
[03:10:23] Checking for file '/dev/pts/01/bin/su' [ Not found ]
[03:10:23] Checking for file '/dev/pts/01/bin/find' [ Not found ]
[03:10:23] Checking for file '/dev/pts/01/bin/netstat' [ Not found ]
[03:10:23] Checking for file '/dev/pts/01/bin/ping' [ Not found ]
[03:10:23] Checking for file '/dev/pts/01/bin/strings' [ Not found ]
[03:10:23] Checking for file '/dev/pts/01/bin/bash' [ Not found ]
[03:10:23] Checking for file '/usr/man/man1/xxxxxxbin/du' [ Not found ]
[03:10:23] Checking for file '/usr/man/man1/xxxxxxbin/ls' [ Not found ]
[03:10:23] Checking for file '/usr/man/man1/xxxxxxbin/passwd' [ Not found ]
[03:10:23] Checking for file '/usr/man/man1/xxxxxxbin/ps' [ Not found ]
[03:10:23] Checking for file '/usr/man/man1/xxxxxxbin/psr' [ Not found ]
[03:10:23] Checking for file '/usr/man/man1/xxxxxxbin/su' [ Not found ]
[03:10:23] Checking for file '/usr/man/man1/xxxxxxbin/find' [ Not found ]
[03:10:23] Checking for file '/usr/man/man1/xxxxxxbin/netstat' [ Not found ]
[03:10:23] Checking for file '/usr/man/man1/xxxxxxbin/ping' [ Not found ]
[03:10:23] Checking for file '/usr/man/man1/xxxxxxbin/strings' [ Not found ]
[03:10:23] Checking for file '/usr/man/man1/xxxxxxbin/bash' [ Not found ]
[03:10:23] Checking for file '/tmp/conf.inv' [ Not found ]
[03:10:24] Checking for directory '/dev/prom' [ Not found ]
[03:10:24] Checking for directory '/dev/pts/01' [ Not found ]
[03:10:24] Checking for directory '/dev/pts/01/bin' [ Not found ]
[03:10:24] Checking for directory '/usr/man/man1/xxxxxxbin' [ Not found ]
[03:10:24] URK Rootkit [ Not found ]
[03:10:24]
[03:10:24] Checking for Vampire Rootkit...
[03:10:24] Checking for kernel symbol 'new_getdents' [ Not found ]
[03:10:24] Checking for kernel symbol 'old_getdents' [ Not found ]
[03:10:24] Checking for kernel symbol 'should_hide_file_name' [ Not found ]
[03:10:24] Checking for kernel symbol 'should_hide_task_name' [ Not found ]
[03:10:24] Vampire Rootkit [ Not found ]
[03:10:24]
[03:10:24] Checking for VcKit Rootkit...
[03:10:24] Checking for directory '/usr/include/linux/modules/lib.so' [ Not found ]
[03:10:24] Checking for directory '/usr/include/linux/modules/lib.so/bin' [ Not found ]
[03:10:24] VcKit Rootkit [ Not found ]
[03:10:24]
[03:10:24] Checking for Volc Rootkit...
[03:10:24] Checking for file '/usr/bin/volc' [ Not found ]
[03:10:24] Checking for file '/usr/lib/volc/backdoor/divine' [ Not found ]
[03:10:24] Checking for file '/usr/lib/volc/linsniff' [ Not found ]
[03:10:24] Checking for file '/etc/rc.d/rc1.d/S25sysconf' [ Not found ]
[03:10:24] Checking for file '/etc/rc.d/rc2.d/S25sysconf' [ Not found ]
[03:10:24] Checking for file '/etc/rc.d/rc3.d/S25sysconf' [ Not found ]
[03:10:24] Checking for file '/etc/rc.d/rc4.d/S25sysconf' [ Not found ]
[03:10:24] Checking for file '/etc/rc.d/rc5.d/S25sysconf' [ Not found ]
[03:10:24] Checking for directory '/var/spool/.recent' [ Not found ]
[03:10:24] Checking for directory '/var/spool/.recent/.files' [ Not found ]
[03:10:24] Checking for directory '/usr/lib/volc' [ Not found ]
[03:10:24] Checking for directory '/usr/lib/volc/backup' [ Not found ]
[03:10:24] Volc Rootkit [ Not found ]
[03:10:24]
[03:10:24] Checking for Xzibit Rootkit...
[03:10:24] Checking for file '/dev/dsx' [ Not found ]
[03:10:24] Checking for file '/dev/caca' [ Not found ]
[03:10:24] Checking for file '/dev/ida/.inet/linsniffer' [ Not found ]
[03:10:24] Checking for file '/dev/ida/.inet/logclear' [ Not found ]
[03:10:24] Checking for file '/dev/ida/.inet/sense' [ Not found ]
[03:10:24] Checking for file '/dev/ida/.inet/sl2' [ Not found ]
[03:10:24] Checking for file '/dev/ida/.inet/sshdu' [ Not found ]
[03:10:24] Checking for file '/dev/ida/.inet/s' [ Not found ]
[03:10:24] Checking for file '/dev/ida/.inet/ssh_host_key' [ Not found ]
[03:10:24] Checking for file '/dev/ida/.inet/ssh_random_seed' [ Not found ]
[03:10:24] Checking for file '/dev/ida/.inet/sl2new.c' [ Not found ]
[03:10:24] Checking for file '/dev/ida/.inet/tcp.log' [ Not found ]
[03:10:24] Checking for file '/home/httpd/cgi-bin/becys.cgi' [ Not found ]
[03:10:24] Checking for file '/usr/local/httpd/cgi-bin/becys.cgi' [ Not found ]
[03:10:24] Checking for file '/usr/local/apache/cgi-bin/becys.cgi' [ Not found ]
[03:10:24] Checking for file '/www/httpd/cgi-bin/becys.cgi' [ Not found ]
[03:10:24] Checking for file '/www/cgi-bin/becys.cgi' [ Not found ]
[03:10:24] Checking for directory '/dev/ida/.inet' [ Not found ]
[03:10:24] Xzibit Rootkit [ Not found ]
[03:10:24]
[03:10:24] Checking for zaRwT.KiT Rootkit...
[03:10:24] Checking for file '/dev/rd/s/sendmeil' [ Not found ]
[03:10:24] Checking for file '/dev/ttyf' [ Not found ]
[03:10:24] Checking for file '/dev/ttyp' [ Not found ]
[03:10:24] Checking for file '/dev/ttyn' [ Not found ]
[03:10:24] Checking for file '/rk/tulz' [ Not found ]
[03:10:24] Checking for directory '/rk' [ Not found ]
[03:10:24] Checking for directory '/dev/rd/s' [ Not found ]
[03:10:24] zaRwT.KiT Rootkit [ Not found ]
[03:10:24]
[03:10:24] Checking for ZK Rootkit...
[03:10:24] Checking for file '/usr/share/.zk/zk' [ Not found ]
[03:10:24] Checking for file '/usr/X11R6/.zk/xfs' [ Not found ]
[03:10:24] Checking for file '/usr/X11R6/.zk/echo' [ Not found ]
[03:10:24] Checking for file '/etc/1ssue.net' [ Not found ]
[03:10:24] Checking for file '/etc/sysconfig/console/load.zk' [ Not found ]
[03:10:24] Checking for directory '/usr/share/.zk' [ Not found ]
[03:10:24] Checking for directory '/usr/X11R6/.zk' [ Not found ]
[03:10:24] ZK Rootkit [ Not found ]
[03:10:25]
[03:10:25] Info: Starting test name 'additional_rkts'
[03:10:25] Performing additional rootkit checks
[03:10:25]
[03:10:25] Performing Suckit Rookit additional checks
[03:10:25] Checking hard link count on '/sbin/init' [ OK ]
[03:10:25] Checking for hidden file extensions [ None found ]
[03:10:25] Running skdet command [ Skipped ]
[03:10:25] Info: Unable to find the 'skdet' command
[03:10:25] Suckit Rookit additional checks [ OK ]
[03:10:25]
[03:10:25] Info: Starting test name 'possible_rkt_files'
[03:10:25] Performing check of possible rootkit files and directories
[03:10:25] Checking for file '/dev/sdr0' [ Not found ]
[03:10:25] Checking for file '/dev/pisu' [ Not found ]
[03:10:25] Checking for file '/dev/xdta' [ Not found ]
[03:10:25] Checking for file '/dev/saux' [ Not found ]
[03:10:25] Checking for file '/dev/hdx' [ Not found ]
[03:10:25] Checking for file '/dev/hdx1' [ Not found ]
[03:10:25] Checking for file '/dev/hdx2' [ Not found ]
[03:10:25] Checking for file '/dev/ptyy' [ Not found ]
[03:10:25] Checking for file '/dev/ptyu' [ Not found ]
[03:10:25] Checking for file '/dev/ptyv' [ Not found ]
[03:10:25] Checking for file '/dev/hdbb' [ Not found ]
[03:10:25] Checking for file '/tmp/.syshackfile' [ Not found ]
[03:10:25] Checking for file '/tmp/.bash_history' [ Not found ]
[03:10:25] Checking for file '/usr/info/.clib' [ Not found ]
[03:10:25] Checking for file '/usr/sbin/tcp.log' [ Not found ]
[03:10:25] Checking for file '/usr/bin/take/pid' [ Not found ]
[03:10:25] Checking for file '/sbin/create' [ Not found ]
[03:10:25] Checking for file '/dev/ttypz' [ Not found ]
[03:10:25] Checking for file '/var/log/tcp.log' [ Not found ]
[03:10:25] Checking for file '/usr/include/audit.h' [ Not found ]
[03:10:25] Checking for file '/usr/bin/sourcemask' [ Not found ]
[03:10:25] Checking for file '/usr/bin/ras2xm' [ Not found ]
[03:10:25] Checking for file '/dev/xmx' [ Not found ]
[03:10:25] Checking for file '/usr/sbin/gpm.root' [ Not found ]
[03:10:25] Checking for file '/bin/vobiscum' [ Not found ]
[03:10:25] Checking for file '/bin/psr' [ Not found ]
[03:10:25] Checking for file '/dev/kdx' [ Not found ]
[03:10:25] Checking for file '/dev/dkx' [ Not found ]
[03:10:25] Checking for file '/usr/sbin/sshd3' [ Not found ]
[03:10:25] Checking for file '/usr/sbin/jcd' [ Not found ]
[03:10:25] Checking for file '/etc/rc.d/init.d/jcd' [ Not found ]
[03:10:25] Checking for file '/usr/sbin/atd2' [ Not found ]
[03:10:25] Checking for file '/home/httpd/cgi-bin/linux.cgi' [ Not found ]
[03:10:25] Checking for file '/home/httpd/cgi-bin/psid' [ Not found ]
[03:10:25] Checking for file '/home/httpd/cgi-bin/void.cgi' [ Not found ]
[03:10:25] Checking for file '/etc/rc.d/init.d/system' [ Not found ]
[03:10:25] Checking for file '/etc/rc.d/rc3.d/S93users' [ Not found ]
[03:10:25] Checking for file '/tmp/.ush' [ Not found ]
[03:10:25] Checking for file '/usr/lib/libhidefile.so' [ Not found ]
[03:10:25] Checking for file '/etc/cron.d/kmod' [ Not found ]
[03:10:25] Checking for file '/usr/lib/dmis/dmisd' [ Not found ]
[03:10:25] Checking for file '/lib/secure/libhij.so' [ Not found ]
[03:10:25] Checking for file '/usr/sbin/sshd3' [ Not found ]
[03:10:25] Checking for file '/etc/rc.d/init.d/crontab' [ Not found ]
[03:10:25] Checking for file '/etc/rc.d/init.d/jcd' [ Not found ]
[03:10:26] Checking for file '/usr/sbin/atd2' [ Not found ]
[03:10:26] Checking for file '/etc/rc.d/rc5.d/S93users' [ Not found ]
[03:10:26] Checking for file '/usr/include/mysql/mysql.hh1' [ Not found ]
[03:10:26] Checking for file '/etc/init.d/xfs3' [ Not found ]
[03:10:26] Checking for file '/usr/sbin/t.txt' [ Not found ]
[03:10:26] Checking for file '/usr/sbin/change' [ Not found ]
[03:10:26] Checking for file '/usr/sbin/s' [ Not found ]
[03:10:26] Checking for file '/bin/f' [ Not found ]
[03:10:26] Checking for file '/bin/i' [ Not found ]
[03:10:26] Checking for file '/lib/libncom.so.4.0.1' [ Not found ]
[03:10:26] Checking for file '/sbin/zinit' [ Not found ]
[03:10:26] Checking for file '/tmp/pass_ssh.log' [ Not found ]
[03:10:26] Checking for file '/usr/include/gpm2.h' [ Not found ]
[03:10:26] Checking for file '/etc/ssh/.sshd_auth' [ Not found ]
[03:10:26] Checking for file '/usr/lib/.sshd.h' [ Not found ]
[03:10:26] Checking for file '/var/run/.defunct' [ Not found ]
[03:10:26] Checking for file '/etc/httpd/run/.defunct' [ Not found ]
[03:10:26] Checking for file '/usr/share/pci.r' [ Not found ]
[03:10:26] Checking for file '/etc/cron.daily/dnsquery' [ Not found ]
[03:10:26] Checking for file '/usr/lib/libutil1.2.1.2.so' [ Not found ]
[03:10:26] Checking for file '/bin/ceva' [ Not found ]
[03:10:26] Checking for file '/sbin/syslogd ' [ Not found ]
[03:10:26] Checking for file '/usr/include/shup.h' [ Not found ]
[03:10:26] Checking for file '/etc/rpm/sshdOLD' [ Not found ]
[03:10:26] Checking for file '/etc/rpm/sshOLD' [ Not found ]
[03:10:26] Checking for file '/usr/share/passwd.h' [ Not found ]
[03:10:26] Checking for file '/lib/.xsyslog' [ Not found ]
[03:10:26] Checking for file '/etc/.xsyslog' [ Not found ]
[03:10:26] Checking for file '/lib/.ssyslog' [ Not found ]
[03:10:26] Checking for file '/tmp/.sendmail' [ Not found ]
[03:10:26] Checking for file '/usr/share/sshd.sync' [ Not found ]
[03:10:26] Checking for file '/bin/zcut' [ Not found ]
[03:10:26] Checking for file '/usr/bin/zmuie' [ Not found ]
[03:10:26] Checking for directory '/dev/ptyas' [ Not found ]
[03:10:26] Checking for directory '/usr/bin/take' [ Not found ]
[03:10:26] Checking for directory '/usr/src/.lib' [ Not found ]
[03:10:26] Checking for directory '/usr/share/man/man1/.1c' [ Not found ]
[03:10:26] Checking for directory '/lib/lblip.tk' [ Not found ]
[03:10:26] Checking for directory '/usr/sbin/...' [ Not found ]
[03:10:26] Checking for directory '/usr/share/.gun' [ Not found ]
[03:10:26] Checking for directory '/unde/vrei/tu/sa/te/ascunzi/in/server' [ Not found ]
[03:10:26] Checking for directory '/usr/man/man1/.. /.dir' [ Not found ]
[03:10:26] Checking for directory '/usr/X11R6/include/X11/...' [ Not found ]
[03:10:26] Checking for directory '/usr/X11R6/lib/X11/.fonts/misc/...' [ Not found ]
[03:10:26] Checking for directory '/tmp/.sys' [ Not found ]
[03:10:26] Checking for directory '/tmp/'' [ Not found ]
[03:10:26] Checking for directory '/tmp/.,' [ Not found ]
[03:10:26] Checking for directory '/tmp/,.,' [ Not found ]
[03:10:26] Checking for directory '/dev/shm/emilien' [ Not found ]
[03:10:26] Checking for directory '/var/tmp/.log' [ Not found ]
[03:10:26] Checking for directory '/tmp/zmeu/... ' [ Not found ]
[03:10:26] Checking for directory '/var/log/ssh' [ Not found ]
[03:10:27] Checking for directory '/dev/ida' [ Not found ]
[03:10:27] Checking for directory '/var/lib/games/.src/ssk/shit' [ Not found ]
[03:10:27] Checking for directory '/usr/lib/libshtift' [ Not found ]
[03:10:27] Checking for directory '/usr/src/.poop' [ Not found ]
[03:10:27] Checking for directory '/dev/wd4' [ Not found ]
[03:10:27] Checking for directory '/var/run/.tmp' [ Not found ]
[03:10:27] Checking for directory '/usr/man/man1/lib/.lib' [ Not found ]
[03:10:27] Checking for directory '/dev/portd' [ Not found ]
[03:10:27] Checking for directory '/dev/...' [ Not found ]
[03:10:27] Checking for directory '/usr/share/man/mansps' [ Not found ]
[03:10:27] Checking for directory '/lib/.so' [ Not found ]
[03:10:27] Checking for directory '/lib/.sso' [ Not found ]
[03:10:27] Checking for directory '/usr/include/sslv3' [ Not found ]
[03:10:27] Checking for directory '/dev/shm/sshd' [ Not found ]
[03:10:27] Checking for directory '/usr/share/locale/mk/.dev/sk' [ Not found ]
[03:10:27] Checking for directory '/usr/share/locale/mk/.dev' [ Not found ]
[03:10:27] Checking for directory '/usr/include/netda.h' [ Not found ]
[03:10:27] Checking for directory '/usr/include/.ssh' [ Not found ]
[03:10:27] Checking for directory '/usr/share/locale/jp/. ' [ Not found ]
[03:10:27] Checking for directory '/usr/share/.sqe' [ Not found ]
[03:10:27] Checking for possible rootkit files and directories [ None found ]
[03:10:27]
[03:10:27] Info: Starting test name 'possible_rkt_strings'
[03:10:27] Performing check for possible rootkit strings
[03:10:27] Info: Using system startup paths: /etc/rc.d /etc/inittab
[03:10:27] Checking for string 'LOGNAME=root' [ Not found ]
[03:10:27] Checking for string 'phalanx' [ Not found ]
[03:10:27] Checking for string '/dev/proc/fsck' [ Not found ]
[03:10:27] Checking for string 'fsck' [ Not found ]
[03:10:27] Checking for string 'backdoor' [ Not found ]
[03:10:27] Checking for string '/usr/bin/rcpc' [ Not found ]
[03:10:27] Checking for string '/usr/sbin/login' [ Not found ]
[03:10:27] Checking for string '/dev/ptyxx/.proc' [ Not found ]
[03:10:27] Checking for string 'vt200' [ Not found ]
[03:10:27] Checking for string '/usr/bin/xstat' [ Not found ]
[03:10:27] Checking for string '/bin/envpc' [ Not found ]
[03:10:27] Checking for string 'L4m3r0x' [ Not found ]
[03:10:27] Checking for string '/lib/libext' [ Not found ]
[03:10:27] Checking for string '/usr/sbin/login' [ Not found ]
[03:10:27] Checking for string '/usr/lib/.tbd' [ Not found ]
[03:10:27] Checking for string 'sendmail' [ Not found ]
[03:10:27] Checking for string 'cocacola' [ Not found ]
[03:10:27] Checking for string 'joao' [ Not found ]
[03:10:27] Checking for string '/dev/ptyxx/.file' [ Not found ]
[03:10:27] Checking for string '/dev/ptyxx/.file' [ Not found ]
[03:10:27] Checking for string '/dev/sgk' [ Not found ]
[03:10:27] Checking for string '/var/lock/subsys/...datafile...' [ Not found ]
[03:10:27] Checking for string '/usr/lib/.tbd' [ Not found ]
[03:10:27] Checking for string '/dev/proc/fsck' [ Not found ]
[03:10:28] Checking for string '/lib/.sso' [ Not found ]
[03:10:28] Checking for string '/var/lock/subsys/...datafile...' [ Not found ]
[03:10:28] Checking for string '/dev/caca' [ Not found ]
[03:10:28] Checking for string '/dev/ttyoa' [ Not found ]
[03:10:28] Checking for string '/usr/lib/ldlibns.so' [ Not found ]
[03:10:28] Checking for string '/dev/ptyxx/.addr' [ Not found ]
[03:10:28] Checking for string 'syg' [ Not found ]
[03:10:28] Checking for string '/var/lock/subsys/...datafile...' [ Not found ]
[03:10:28] Checking for string '/dev/pts/01' [ Not found ]
[03:10:28] Checking for string 'tw33dl3' [ Not found ]
[03:10:28] Checking for string 'psniff' [ Not found ]
[03:10:28] Checking for string 'uconf.inv' [ Not found ]
[03:10:28] Checking for string 'lib/ldlibps.so' [ Not found ]
[03:10:28] Checking for string '/usr/lib/ldlibpst.so' [ Not found ]
[03:10:28] Checking for string 'libproc.so.2.0.7' [ Not found ]
[03:10:28] Checking for string '/dev/ptyxx/.proc' [ Not found ]
[03:10:28] Checking for string '/dev/ptyxx/.proc' [ Not found ]
[03:10:28] Checking for string 'libproc.so.2.0.7' [ Not found ]
[03:10:28] Checking for string 'libproc.so.2.0.7' [ Not found ]
[03:10:28] Checking for string '/bin/bash' [ Not found ]
[03:10:28] Checking for string '/dev/ptyxx' [ Not found ]
[03:10:28] Checking for string '/.config' [ Not found ]
[03:10:28] Checking for string '\$.*\$\!.*\!\!\$' [ Not found ]
[03:10:28] Checking for string 'backdoor.h' [ Not found ]
[03:10:28] Checking for string 'backdoor_active' [ Not found ]
[03:10:28] Checking for string 'magic_pass_active' [ Not found ]
[03:10:28] Checking for string '/usr/include/gpm2.h' [ Not found ]
[03:10:28] Checking for string '/usr/include/openssl' [ Not found ]
[03:10:28] Checking for string 'aion' [ Not found ]
[03:10:28] Checking for string 'pcszPass' [ Not found ]
[03:10:28] Checking for string 'LogPass' [ Not found ]
[03:10:28] Checking for string 'Login_Check' [ Not found ]
[03:10:28] Checking for string 'includes.h' [ Not found ]
[03:10:28] Checking for string 'DecodeString' [ Not found ]
[03:10:28] Checking for string 'EncodeString' [ Not found ]
[03:10:28] Checking for string '/dev/xdta' [ Not found ]
[03:10:28] Checking for string '/usr/lib/.tbd' [ Not found ]
[03:10:29] Checking for string '/dev/ptyxx/.proc' [ Not found ]
[03:10:29] Checking for string 'in.inetd' [ Not found ]
[03:10:29] Checking for string '#<HIDE_.*>' [ Not found ]
[03:10:29] Checking for string 'bin/xchk' [ Not found ]
[03:10:29] Checking for string 'bin/xsf' [ Not found ]
[03:10:29] Checking for string '/usr/bin/ssh2d' [ Not found ]
[03:10:29] Checking for string '/usr/sbin/xntps' [ Not found ]
[03:10:29] Checking for string 'ttyload' [ Not found ]
[03:10:29] Checking for string '/etc/rc.d/init.d/init' [ Not found ]
[03:10:29] Checking for string 'usr/bin/xfss' [ Not found ]
[03:10:30] Checking for string '/usr/sbin/rpc.netinet' [ Not found ]
[03:10:30] Checking for string '/usr/lib/.fx/cons.saver' [ Not found ]
[03:10:30] Checking for string '/usr/lib/.fx/xs' [ Not found ]
[03:10:30] Checking for string '/ssh2d' [ Not found ]
[03:10:30] Checking for string '/dev/kmod' [ Not found ]
[03:10:30] Checking for string '/crth.o' [ Not found ]
[03:10:30] Checking for string '/crtz.o' [ Not found ]
[03:10:30] Checking for string '/dev/dos' [ Not found ]
[03:10:30] Checking for string '/lpq' [ Not found ]
[03:10:30] Checking for string '/usr/sbin/rescue' [ Not found ]
[03:10:31] Checking for string '/usr/lib/lpstart' [ Not found ]
[03:10:31] Checking for string '/volc' [ Not found ]
[03:10:31] Checking for string 'sourcemask' [ Not found ]
[03:10:31] Checking for string '/bin/vobiscum' [ Not found ]
[03:10:31] Checking for string '/usr/sbin/in.telnet' [ Not found ]
[03:10:31] Checking for string '/usr/bin/hdparm?-t1?-X53?-p' [ Not found ]
[03:10:31] Checking for string '/lib/.xsyslog' [ Not found ]
[03:10:31] Checking for string '/etc/.xsyslog' [ Not found ]
[03:10:31] Checking for string '/lib/.ssyslog' [ Not found ]
[03:10:32] Checking for string '/tmp/.sendmail' [ Not found ]
[03:10:32] Checking for string '/lib/ldd.so/tkps' [ Not found ]
[03:10:32] Checking for string 't0rnkit' [ Not found ]
[03:10:32] Checking for string '/dev/proc/fsck' [ Not found ]
[03:10:32] Checking for string 'backdoor.h' [ Not found ]
[03:10:32] Checking for string 'backdoor_active' [ Not found ]
[03:10:32] Checking for string 'magic_pass_active' [ Not found ]
[03:10:32] Checking for string '/usr/include/gpm2.h' [ Not found ]
[03:10:32] Checking for string 'libproc.so.2.0.7' [ Not found ]
[03:10:32] Checking for string 'libproc.so.2.0.7' [ Not found ]
[03:10:32] Checking for string 'libproc.so.2.0.7' [ Not found ]
[03:10:32] Checking for string '/usr/lib/ldlibct.so' [ Not found ]
[03:10:32] Checking for string '/usr/lib/ldlibdu.so' [ Not found ]
[03:10:32] Checking for string '/dev/ptyxx/.file' [ Not found ]
[03:10:32] Checking for string 'libproc.so.2.0.7' [ Not found ]
[03:10:32] Checking for string '/dev/ida/.inet' [ Not found ]
[03:10:32] Checking for string '/usr/include/mysql/mysql.hh1' [ Not found ]
[03:10:32] Checking for string '/usr/include/mysql/mysql.hh1' [ Not found ]
[03:10:32] Checking for string '/usr/include/mysql/mysql.hh1' [ Not found ]
[03:10:32] Checking for string '/usr/include/mysql/mysql.hh1' [ Not found ]
[03:10:32] Checking for string '/usr/include/mysql/mysql.hh1' [ Not found ]
[03:10:32] Checking for string '/usr/include/mysql/mysql.hh1' [ Not found ]
[03:10:32] Checking for string 'backconnect' [ Not found ]
[03:10:32] Checking for string 'magic?packet?received' [ Not found ]
[03:10:32] Checking for possible rootkit strings [ None found ]
[03:10:32]
[03:10:32] Info: Starting test name 'malware'
[03:10:32] Performing malware checks
[03:10:32]
[03:10:32] Info: Test 'deleted_files' disabled at users request.
[03:10:32]
[03:10:32] Info: Starting test name 'running_procs'
[03:10:33] Checking running processes for suspicious files [ None found ]
[03:10:33]
[03:10:33] Info: Test 'hidden_procs' disabled at users request.
[03:10:33]
[03:10:33] Info: Test 'suspscan' disabled at users request.
[03:10:33]
[03:10:33] Info: Starting test name 'other_malware'
[03:10:33] Performing check for login backdoors
[03:10:33] Checking for '/bin/.login' [ Not found ]
[03:10:33] Checking for '/sbin/.login' [ Not found ]
[03:10:33] Checking for login backdoors [ None found ]
[03:10:33]
[03:10:33] Performing check for suspicious directories
[03:10:33] Checking for directory '/usr/X11R6/bin/.,/copy' [ Not found ]
[03:10:33] Checking for directory '/dev/rd/cdb' [ Not found ]
[03:10:33] Checking for suspicious directories [ None found ]
[03:10:33]
[03:10:33] Checking for software intrusions [ Skipped ]
[03:10:33] Info: Check skipped - tripwire not installed
[03:10:33]
[03:10:33] Performing check for sniffer log files
[03:10:33] Checking for file '/usr/lib/libice.log' [ Not found ]
[03:10:33] Checking for file '/dev/prom/sn.l' [ Not found ]
[03:10:33] Checking for file '/dev/fd/.88/zxsniff.log' [ Not found ]
[03:10:33] Checking for sniffer log files [ None found ]
[03:10:33]
[03:10:33] Info: Starting test name 'trojans'
[03:10:33] Performing trojan specific checks
[03:10:33] Checking for enabled inetd services [ Skipped ]
[03:10:33] Info: Check skipped - file '/etc/inetd.conf' does not exist.
[03:10:33]
[03:10:33] Performing check for enabled xinetd services
[03:10:33] Checking for enabled xinetd services [ Skipped ]
[03:10:33] Info: Check skipped - file '/etc/xinetd.conf' does not exist.
[03:10:33] Checking for Apache backdoor [ Not found ]
[03:10:33]
[03:10:33] Info: Starting test name 'os_specific'
[03:10:33] Performing Linux specific checks
[03:10:33] Checking loaded kernel modules [ OK ]
[03:10:33] Info: Using modules pathname of '/lib/modules/2.6.32-358.6.2.el6.x86_64'
[03:10:33] Checking kernel module names [ OK ]
[03:10:33]
[03:10:33] Info: Starting test name 'network'
[03:10:33] Checking the network...
[03:10:33]
[03:10:33] Performing checks on the network ports
[03:10:33] Info: Starting test name 'ports'
[03:10:33] Performing check for backdoor ports
[03:10:33] Checking for TCP port 1524 [ Not found ]
[03:10:33] Checking for TCP port 1984 [ Not found ]
[03:10:33] Checking for UDP port 2001 [ Not found ]
[03:10:33] Checking for TCP port 2006 [ Not found ]
[03:10:33] Checking for TCP port 2128 [ Not found ]
[03:10:33] Checking for TCP port 6666 [ Not found ]
[03:10:33] Checking for TCP port 6667 [ Not found ]
[03:10:33] Checking for TCP port 6668 [ Not found ]
[03:10:33] Checking for TCP port 6669 [ Not found ]
[03:10:33] Checking for TCP port 7000 [ Not found ]
[03:10:34] Checking for TCP port 13000 [ Not found ]
[03:10:34] Checking for TCP port 14856 [ Not found ]
[03:10:34] Checking for TCP port 25000 [ Not found ]
[03:10:34] Checking for TCP port 29812 [ Not found ]
[03:10:34] Checking for TCP port 31337 [ Not found ]
[03:10:34] Checking for TCP port 32982 [ Not found ]
[03:10:34] Checking for TCP port 33369 [ Not found ]
[03:10:34] Checking for TCP port 47107 [ Not found ]
[03:10:34] Checking for TCP port 47018 [ Not found ]
[03:10:34] Checking for TCP port 60922 [ Not found ]
[03:10:34] Checking for TCP port 62883 [ Not found ]
[03:10:34] Checking for TCP port 65535 [ Not found ]
[03:10:34] Checking for backdoor ports [ None found ]
[03:10:34]
[03:10:34] Info: Starting test name 'hidden_ports'
[03:10:34] Checking for hidden ports [ Skipped ]
[03:10:34] Info: Unable to find the 'unhide-tcp' command
[03:10:34]
[03:10:34] Performing checks on the network interfaces
[03:10:34] Info: Starting test name 'promisc'
[03:10:34] Checking for promiscuous interfaces [ None found ]
[03:10:34]
[03:10:34] Info: Test 'packet_cap_apps' disabled at users request.
[03:10:34]
[03:10:34] Info: Starting test name 'local_host'
[03:10:34] Checking the local host...
[03:10:34]
[03:10:34] Info: Starting test name 'startup_files'
[03:10:34] Performing system boot checks
[03:10:34] Checking for local host name [ Found ]
[03:10:34]
[03:10:34] Info: Starting test name 'startup_malware'
[03:10:34] Checking for system startup files [ Found ]
[03:10:35] Checking system startup files for malware [ None found ]
[03:10:35]
[03:10:35] Info: Starting test name 'group_accounts'
[03:10:35] Performing group and account checks
[03:10:35] Checking for passwd file [ Found ]
[03:10:35] Info: Found password file: /etc/passwd
[03:10:35] Checking for root equivalent (UID 0) accounts [ None found ]
[03:10:35] Info: Found shadow file: /etc/shadow
[03:10:35] Checking for passwordless accounts [ None found ]
[03:10:35]
[03:10:35] Info: Starting test name 'passwd_changes'
[03:10:35] Checking for passwd file changes [ None found ]
[03:10:35]
[03:10:35] Info: Starting test name 'group_changes'
[03:10:35] Checking for group file changes [ None found ]
[03:10:35] Checking root account shell history files [ OK ]
[03:10:35]
[03:10:35] Info: Starting test name 'system_configs'
[03:10:35] Performing system configuration file checks
[03:10:35] Checking for SSH configuration file [ Found ]
[03:10:35] Info: Found SSH configuration file: /etc/ssh/sshd_config
[03:10:35] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'unset'.
[03:10:35] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[03:10:35] Checking if SSH root access is allowed [ Warning ]
[03:10:35] Warning: The SSH and rkhunter configuration options should be the same:
[03:10:35] SSH configuration option 'PermitRootLogin': no
[03:10:35] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': unset
[03:10:35] Checking if SSH protocol v1 is allowed [ Not allowed ]
[03:10:35] Checking for running syslog daemon [ Found ]
[03:10:35] Info: Found rsyslog configuration file: /etc/rsyslog.conf
[03:10:35] Checking for syslog configuration file [ Found ]
[03:10:35] Checking if syslog remote logging is allowed [ Not allowed ]
[03:10:35]
[03:10:35] Info: Starting test name 'filesystem'
[03:10:35] Performing filesystem checks
[03:10:35] Info: SCAN_MODE_DEV set to 'THOROUGH'
[03:10:35] Info: Found file '/dev/.udev/queue.bin': it is whitelisted.
[03:10:35] Info: Found file '/dev/.udev/db/block:sda': it is whitelisted.
[03:10:35] Info: Found file '/dev/.udev/db/block:sda1': it is whitelisted.
[03:10:35] Info: Found file '/dev/.udev/db/block:sda3': it is whitelisted.
[03:10:35] Info: Found file '/dev/.udev/db/net:eth1': it is whitelisted.
[03:10:35] Info: Found file '/dev/.udev/db/net:eth0': it is whitelisted.
[03:10:35] Info: Found file '/dev/.udev/db/input:event0': it is whitelisted.
[03:10:35] Info: Found file '/dev/.udev/db/input:event1': it is whitelisted.
[03:10:35] Info: Found file '/dev/.udev/db/input:event3': it is whitelisted.
[03:10:35] Info: Found file '/dev/.udev/db/input:mouse1': it is whitelisted.
[03:10:35] Info: Found file '/dev/.udev/db/input:event4': it is whitelisted.
[03:10:35] Info: Found file '/dev/.udev/db/input:event2': it is whitelisted.
[03:10:35] Info: Found file '/dev/.udev/db/block:sda2': it is whitelisted.
[03:10:35] Info: Found file '/dev/.udev/db/block:ram15': it is whitelisted.
[03:10:35] Info: Found file '/dev/.udev/db/block:ram0': it is whitelisted.
[03:10:35] Info: Found file '/dev/.udev/db/block:ram12': it is whitelisted.
[03:10:35] Info: Found file '/dev/.udev/db/block:ram4': it is whitelisted.
[03:10:35] Info: Found file '/dev/.udev/db/block:ram10': it is whitelisted.
[03:10:35] Info: Found file '/dev/.udev/db/block:ram11': it is whitelisted.
[03:10:35] Info: Found file '/dev/.udev/db/block:ram9': it is whitelisted.
[03:10:35] Info: Found file '/dev/.udev/db/block:ram8': it is whitelisted.
[03:10:35] Info: Found file '/dev/.udev/db/block:ram5': it is whitelisted.
[03:10:35] Info: Found file '/dev/.udev/db/block:ram6': it is whitelisted.
[03:10:35] Info: Found file '/dev/.udev/db/block:ram7': it is whitelisted.
[03:10:36] Info: Found file '/dev/.udev/db/block:ram3': it is whitelisted.
[03:10:36] Info: Found file '/dev/.udev/db/block:loop2': it is whitelisted.
[03:10:36] Info: Found file '/dev/.udev/db/block:loop4': it is whitelisted.
[03:10:36] Info: Found file '/dev/.udev/db/block:loop6': it is whitelisted.
[03:10:36] Info: Found file '/dev/.udev/db/block:loop5': it is whitelisted.
[03:10:36] Info: Found file '/dev/.udev/db/block:ram1': it is whitelisted.
[03:10:36] Info: Found file '/dev/.udev/db/block:ram13': it is whitelisted.
[03:10:36] Info: Found file '/dev/.udev/db/block:ram14': it is whitelisted.
[03:10:36] Info: Found file '/dev/.udev/db/block:loop7': it is whitelisted.
[03:10:36] Info: Found file '/dev/.udev/db/block:loop1': it is whitelisted.
[03:10:36] Info: Found file '/dev/.udev/db/block:ram2': it is whitelisted.
[03:10:36] Info: Found file '/dev/.udev/db/block:loop3': it is whitelisted.
[03:10:36] Info: Found file '/dev/.udev/db/block:loop0': it is whitelisted.
[03:10:36] Info: Found file '/dev/.udev/db/usb:1-1.2': it is whitelisted.
[03:10:36] Info: Found file '/dev/.udev/db/usb:1-1': it is whitelisted.
[03:10:36] Info: Found file '/dev/.udev/db/usb:2-1': it is whitelisted.
[03:10:36] Info: Found file '/dev/.udev/db/usb:usb2': it is whitelisted.
[03:10:36] Info: Found file '/dev/.udev/db/usb:usb1': it is whitelisted.
[03:10:36] Info: Found file '/dev/.udev/rules.d/99-root.rules': it is whitelisted.
[03:10:36] Checking /dev for suspicious file types [ None found ]
[03:10:36] Info: Found hidden directory '/dev/.mdadm': it is whitelisted.
[03:10:36] Info: Found hidden directory '/dev/.udev': it is whitelisted.
[03:10:36] Info: Found hidden file '/usr/share/man/man1/..1.gz': it is whitelisted.
[03:10:36] Info: Found hidden file '/usr/share/man/man5/.k5identity.5.gz': it is whitelisted.
[03:10:36] Info: Found hidden file '/usr/share/man/man5/.k5login.5.gz': it is whitelisted.
[03:10:36] Info: Found hidden file '/usr/bin/.ssh.hmac': it is whitelisted.
[03:10:36] Info: Found hidden file '/usr/bin/.fipscheck.hmac': it is whitelisted.
[03:10:36] Info: Found hidden file '/usr/sbin/.sshd.hmac': it is whitelisted.
[03:10:36] Info: Found hidden file '/sbin/.cryptsetup.hmac': it is whitelisted.
[03:10:36] Checking for hidden files and directories [ Warning ]
[03:10:36] Warning: Hidden file found: /etc/.named.conf.swp1: Vim swap file, version 7.2
[03:10:36]
[03:10:36] Info: Test 'apps' disabled at users request.
[03:10:36]
[03:10:36] System checks summary
[03:10:36] =====================
[03:10:36]
[03:10:36] File properties checks...
[03:10:36] Required commands check failed
[03:10:36] Files checked: 137
[03:10:36] Suspect files: 0
[03:10:36]
[03:10:36] Rootkit checks...
[03:10:36] Rootkits checked : 308
[03:10:36] Possible rootkits: 0
[03:10:36]
[03:10:36] Applications checks...
[03:10:36] All checks skipped
[03:10:36]
[03:10:36] The system checks took: 29 seconds
[03:10:36]
[03:10:36] Info: End date is Mon Sep 30 03:10:36 IST 2013

[/code]

I have now run the

[code]rkhunter --propupd[/code]

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: How to clean hacked server and add more security?

Post by agriz » 2013/10/02 11:55:43

[code]
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Checking for prerequisites [ Warning ]
The file of stored file properties (rkhunter.dat) does not exist, and should be created. To do this type in 'rkhunter --propupd'.
Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
is used, all the files on their system are known to be genuine, and installed from a
reliable source. The rkhunter '--check' option will compare the current file properties
against previously stored values, and report if any values differ. However, rkhunter
cannot determine what has caused the change, that is for the user to do.
Warning: The SSH and rkhunter configuration options should be the same:
SSH configuration option 'PermitRootLogin': no
Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': unset
Warning: Hidden file found: /etc/.named.conf.swp1: Vim swap file, version 7.2
[/code]

vonskippy
Posts: 839
Joined: 2006/12/30 03:00:04
Location: Western Slope Colorado

Re: How to clean hacked server and add more security?

Post by vonskippy » 2013/10/02 15:59:15

You don't "clean" a hacked server, you erase it completely and start fresh.

Then you patch it to date (especially your web framework), lock down access (with Iptables), get rid of remote root access, use certs not passwords, don't install apps you don't need, etc etc.

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: How to clean hacked server and add more security?

Post by agriz » 2013/10/02 16:13:02

[quote]
vonskippy wrote:
You don't "clean" a hacked server, you erase it completely and start fresh.

Then you patch it to date (especially your web framework), lock down access (with Iptables), get rid of remote root access, use certs not passwords, don't install apps you don't need, etc etc.[/quote]

I understand.
I am planning to start a new server.

But I would like to track the problem in the server.
So, I can secure it in the future.

It will be great if you can provide some help.
So I can gain some knowledge.

unspawn
Posts: 172
Joined: 2006/12/11 12:28:52

How to clean hacked server and add more security?

Post by unspawn » 2013/10/02 21:11:21

[quote]So i can gain some knowledge.[/quote]
With all due respect, in essence that knowledge should have been gained [i]before[/i] trying to admin a server.

[i]Security is a continuous process, requiring a layered approach, and emphasizing protection and prevention.[/i]


That means you should know how to use Linux (not through some web-based control panel), administer a server (common administrative tasks like user, service and network configuration, updating, auditing security, problem analysis and troubleshooting) and the same for whatever software runs in the web stack (like forum software, CMS, web log, shopping carts, photo galleries, statistics, web-based email, admin user interfaces). The problem with all of this is not in gaining the knowledge (CentOS and other software come with documentation) or practicing (make backups and just use a local virtual machine as staging host) but [i]having a responsible attitude towards things or not[/i].


[quote]But i would like to track the problem in the server.
So, I can secure it in the future.[/quote]
- Use the CERT Intruder Detection Checklist: http://web.archive.org/web/20080109214340/http://www.cert.org/tech_tips/intruder_detection_checklist.html to assess the state of your server. (Yes, it's ancient but still useful if you don't have a clue where to start.)
- Enumerate what software your server provides. For system software packages installed via RPM you can [code]rpm -Vva|grep -v '^\.\{8\}'[/code].
- For software installed from source you can often download the tarball, unpack it in a safe directory and then diff its contents recursively with, say, your web server's docroot.
- If you know which web site it is you could try submitting a sample page to an on-line antivirus scanner, or use one of the resources mentioned at http://zeltser.com/reverse-malware/automated-malware-analysis.html and http://zeltser.com/combating-malicious-software/lookup-malicious-websites.html.
- Rootkit Hunter won't help much with your type of problem but Linux Malware Detect (LMD) may help identify threats. (Note if you have ClamAV you can just use the two database files.)

So in short you've got a lot of reading and practicing to do. If you're willing to invest then you [i]will[/i] reap the rewards. Feel free to share your findings and ask detailed questions.
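
The recursive diff of a pristine unpacked release against the deployed docroot that the post above describes, as an added example that is not part of the thread. The helper names (compare_trees, report_only, build_sample) and the two sample trees are constructed for illustration; point compare_trees at your own unpacked tarball and docroot.

```shell
#!/bin/sh
# Added example: compare a deployed web docroot against a pristine copy of the
# same release unpacked from the vendor tarball. Reports
#   MODIFIED  content differs from the release
#   ADDED     present only in the docroot (files nobody installed on purpose)
#   MISSING   present only in the release copy

# report_only TAG ROOT LINE: turn one "Only in DIR: NAME" line from diff into
# TAG entries relative to ROOT, expanding a directory into the files inside it.
report_only() {
    tag=$1; root=$2; line=$3
    dir=${line#"Only in "}; dir=${dir%%: *}
    name=${line##*: }
    abs=$dir/$name
    if [ -d "$abs" ]; then
        find "$abs" -type f | while IFS= read -r f; do
            printf '%s %s\n' "$tag" "${f#"$root/"}"
        done
    else
        printf '%s %s\n' "$tag" "${abs#"$root/"}"
    fi
}

# compare_trees PRISTINE_DIR DEPLOYED_DIR
compare_trees() {
    pristine=$1; deployed=$2
    # diff -rq prints one line per differing file or unmatched entry.
    diff -rq "$pristine" "$deployed" 2>/dev/null | while IFS= read -r line; do
        case $line in
            "Files "*" differ"|"Binary files "*" differ")
                rel=${line#*"$pristine/"}
                printf 'MODIFIED %s\n' "${rel%% and *}" ;;
            "Only in $deployed"*) report_only ADDED "$deployed" "$line" ;;
            "Only in $pristine"*) report_only MISSING "$pristine" "$line" ;;
        esac
    done
}

# Constructed sample (hypothetical): a tiny "release" and a deployed copy in
# which one file was edited and one unexpected file appeared under uploads/.
build_sample() {
    base=$1
    mkdir -p "$base/pristine/inc" "$base/deployed/inc" "$base/deployed/uploads"
    printf '<?php echo "hello";\n' > "$base/pristine/index.php"
    printf '<?php echo "hello";\n' > "$base/deployed/index.php"
    printf '<?php $db = "x";\n' > "$base/pristine/inc/config.php"
    printf '<?php $db = "x"; // edited\n' > "$base/deployed/inc/config.php"
    printf 'readme\n' > "$base/pristine/README"
    printf 'unexpected\n' > "$base/deployed/uploads/extra.php"
}

tmp=$(mktemp -d); build_sample "$tmp"
compare_trees "$tmp/pristine" "$tmp/deployed"; rm -rf "$tmp"
```

Every ADDED entry under a docroot deserves a look, since a clean release contains no files the tarball did not ship; MODIFIED entries are often legitimate local configuration but should be explainable.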

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: How to clean hacked server and add more security?

Post by agriz » 2013/10/03 03:32:28

Thanks for the links. I am reading them.
I would not have learnt anything about Linux if I hadn't started to manage it.

I have disabled root login in ssh.
I have changed the ssh port.
I have blocked all the unused ports in iptables.
I have disabled execution in the tmp directory.
I have disabled execution in the upload directory.
SELinux is causing problems with a few pieces of software. I avoided that software and enabled SELinux.
I have removed and disabled unwanted default CentOS packages.
I don't have one open source control panel (webmin) for very few things.

I am installing only packages (even though they are old) which are available in yum.

Where can I have a perfect start for Linux security?
Is there any place or any book which will give good linux and linux security knowledge for beginner?

Thanks for trying to help me.

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: How to clean hacked server and add more security?

Post by agriz » 2013/10/03 10:16:19

I just installed clamav and scanned the site. There is no infected file.
But Spamhaus is saying the domain is blacklisted.
The domain is in server hold because of malware.

But I am not able to find any malware.

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: How to clean hacked server and add more security?

Post by agriz » 2013/10/03 17:20:05

Accepted password for user from xx.xx.xx.xx port xxxxx ssh2
Accepted password for user from xx.xx.xx.xx port yyyyy ssh2

I have set the ssh port as abcd,
but why is it showing a different port every time?
