Machine "keeps" getting compromised?

Posted by Kaitlyn2004, 09-07-2010, 08:31 PM
I have a unix server that was recently compromised. It seems to always run python processes which always end up being "sipscan". I remove the folder that's running it and stop the processes, but then I later find various sipscan folders yet again, often in another location. I had a team secure the server but now they just keep saying my password might be compromised despite changing it. Any ideas? Is there perhaps a "standard exploit" that is running this sipscan that I might be able to block?

Posted by bear, 09-07-2010, 10:24 PM
Strongly suggest you hire a better "team" to secure the server, and ask them to determine how they are getting in.

Posted by Dregond Rahl, 09-07-2010, 11:51 PM
If you have PHP on your server and it hasn't been hardened, it might be the most likely way they are getting in by injecting. You should get a security team to look over everything and remove all malicious files. Is "sipscan" running as user or root?

Posted by InstaCarma_Support, 09-08-2010, 12:16 AM
Yes, you would have to try another team to secure and monitor the server. Some of the important tips to strengthen the server are: keep a strong password and change it periodically; disable root ssh access to the server; enable ssh on a non-standard port; give proper permissions to /tmp and /var/tmp; install a firewall.

Posted by akasharya, 09-08-2010, 01:06 AM
Have you checked in /tmp or /var/tmp if something suspicious is running there?

Posted by Hillockhosting, 09-08-2010, 02:52 AM
Install APF and BFD. Use the ClamAV virus scanner. Check for malicious files.

Posted by Johnny Cache, 09-10-2010, 12:43 PM
I would also recommend installing 'chkrootkit' and 'rkhunter' - in addition to ClamAV and /tmp directory hardening. If it's a cPanel box, you should install CSF/LFD too, so you can see where the activity is originating.

Posted by Kaitlyn2004, 09-11-2010, 12:34 PM
It is running as root through python.

Posted by ClaudiuPopescu, 09-11-2010, 01:25 PM
There are a lot of ways to secure a server; if you don't know how, I don't suggest doing it. Ask your team what they secured on your server and what they checked. Now, as others suggested, you should do the following:
1. Install an automated firewall like CSF or APF.
2. Change the ssh port, disable root login and password login (enable key auth.).
3. Install mod_security if you are using apache and php.
4. Secure the server's config files (depending on what software you are using).
5. Update all your server's packages (kernel, networking packages like ftp, apache, and so on).
6. Run a few rootkit scanners on your servers (at this point I'm not sure that this will help at all).
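Step 2 above (and the ssh tips earlier in the thread) can be checked mechanically. The script below is an added example, not code from any poster; it audits an sshd_config the way sshd reads it (the first occurrence of a keyword wins) and compares two constructed sample configs, one with defaults left in place and one with the recommended settings. The temp-file paths and the sample contents are constructed for the example.

```shell
#!/bin/sh
# Added example: audit sshd_config against the thread's recommendations
# (no root login, no password login, key auth on, non-standard port).

# effective_value FILE KEY -> the value sshd would use. sshd honours the
# FIRST occurrence of a keyword, so a hardening line appended at the end of
# the file does nothing if a weaker line appears above it.
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd FILE -> one line per finding; return code = number of findings.
# Defaults assumed when a keyword is absent match OpenSSH of the period:
# PermitRootLogin yes, PasswordAuthentication yes, PubkeyAuthentication yes, Port 22.
audit_sshd() {
    f=$1; findings=0
    v=$(effective_value "$f" PermitRootLogin)
    case "${v:-yes}" in
        no|without-password|prohibit-password) ;;
        *) echo "PermitRootLogin is '${v:-yes}' (want: no)"; findings=$((findings+1)) ;;
    esac
    v=$(effective_value "$f" PasswordAuthentication)
    [ "${v:-yes}" = "no" ] || { echo "PasswordAuthentication is '${v:-yes}' (want: no)"; findings=$((findings+1)); }
    v=$(effective_value "$f" PubkeyAuthentication)
    [ "${v:-yes}" = "yes" ] || { echo "PubkeyAuthentication is '$v' (want: yes)"; findings=$((findings+1)); }
    v=$(effective_value "$f" Port)
    [ "${v:-22}" != "22" ] || { echo "Port is 22 (want: non-standard)"; findings=$((findings+1)); }
    return $findings
}

# Constructed sample configs (not from the thread): weak defaults vs hardened.
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat >"$WEAK" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat >"$HARD" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

audit_sshd "$WEAK" || echo "weak config: $? finding(s)"
audit_sshd "$HARD" && echo "hardened config: no findings"
```

Run it against the live file with `audit_sshd /etc/ssh/sshd_config` to see which of the thread's settings are actually in effect, rather than which ones were appended to the file.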

Posted by fwaggle, 09-11-2010, 01:37 PM
If the server's rooted, backup and reinstall. It's not worth playing whack-a-mole with rootkits hoping you got everything.
