الاخوة الكرام
السلام عليكم ورحمة الله
الشركة وقفت السيرفر وقالت ان فيه موقع يستخدم البروكسي للدخول على موقع آخر وانا ماني فاهم الطبخه وهذه رسائل الشركة فمن يقدر يساعدني جزاكم الله خير.
------------------------------------------- نص الرسالة ----------------------------------
كود PHP:Either yourself or Fast Servers will need to identify and remove the source or secure this server to prevent malicious 3rd parties from using your server to perform such attacks.
The instructions below usually stops these types of attacks from being relayed from your server, however if there are backdoor PHP shells such as r57shell or c99shell installed in various directories, these instructions will be useless as the malicious person would be able to bypass these changes.
We always recommend a manual investigation with the use of the Exploit Removal Template provided below:
----------------------------------------
EXPLOIT REMOVAL INSTRUCTIONS ON NON-VPS SERVER (Linux/Unix):
1. Execute the following 3 command lines as root by copy/paste. This will harden files commonly abused to upload exploits and list possible exploits. This script only searches for possible exploits owned by the webserver username, but it is possible that exploits could have been uploaded by a current or previous user account to the searched directories. So, you still need to manually investigate all files in the searched directories even if the script returns no results. Possible exploits found should be investigated and removed followed by rebooting the server to kill any running exploit processes. You can refer to the "xplts" file generated by these commands for later reference.
sh
echo -e "\tHARDEN"|tee xplts;for x in `which wget curl fetch lynx links`;do chown -vv 0:0 $x|tee -a xplts;chmod -vv 0550 $x|tee -a xplts;done;echo -e "\n\tSEARCH"|tee -a xplts;for x in "/tmp /var/tmp /dev/shm /usr/local/apache/proxy /var/spool /usr/games";do ls -loAFR $x 2>&-|grep -E "^/| apache | nobody | unknown | www | web | htdocs "|grep -E "^/|^[bcdlsp-]|\.pl$"|grep -Ev "sess_|dos-"|tee -a xplts;done;echo -e "\n\tSUMMARY";echo -e "Block File: \t\t`grep -Ev "^/" xplts|grep -E "^b"|wc -l|tr -d ' '`";echo -e "Character File: \t`grep -Ev "^/" xplts|grep -E "^c"|wc -l|tr -d ' '`";echo -e "Directory: \t\t`grep -Ev "^/" xplts|grep -E "^d"|wc -l|tr -d ' '`";echo -e "Symbolic Link: \t\t`grep -Ev "^/" xplts|grep -E "^l"|wc -l|tr -d ' '`";echo -e "Socket Link: \t\t`grep -Ev "^/" xplts|grep -E "^s"|wc -l|tr -d ' '`";echo -e "FIFO: \t\t\t`grep -Ev "^/" xplts|grep -E "^p"|wc -l|tr -d ' '`";echo -e "Regular File: \t\t`grep -Ev "^/" xplts|grep -E "^-"|wc -l|tr -d ' '`"
exit
2. You should also install and run rkhunter (http://www.rootkit.nl/projects/rootkit_hunter.html) which is a scanning tool to ensure you for about 99.9% you're clean of rootkits, backdoors, and local exploits. If any rootkits, backdoors, or local exploits are found by rkhunter, you must investigate further and remove them or submit a reload ticket at https://encompass.layeredtech.com and optionally request in the reload ticket to mount the existing drive as a slave for data recovery.
On BSD sytems:
cd /usr/ports/security/rkhunter; make install clean; rehash; rkhunter -c
On RedHat, Fedora, CentOS systems:
yum -y install rkhunter; rkhunter -c
رد مع اقتباس
