Server Suddenly Loaded With Viruses?
Hello, as of a day or so ago my server started to act strange: CPU usage looked like it was being sucked up through a black hole, and the 100Mbit ethernet cards were getting more attention than usual.
I could use some help in figuring out what exactly is going on with the server; help would be very much appreciated.
I did a security audit on the server and came up with some results:
1) When running a vanilla scan with nmap localhost, I found out that nmap stopped working, in favour of this message:
####
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
sendto in send_ip_raw: sendto(4, packet, 28, 0, 127.0.0.1, 16) => Operation not permitted
sendto in send_tcp_raw: sendto(3, packet, 40, 0, 127.0.0.1, 16) => Operation not permitted
####
This message was repeated constantly until I had to kill the process.
2) I run chkrootkit on my server once every 2-3 days and all the scans were always normal, but the latest scan appears to be very different than a normal chkrootkit scan...
#### (towards the end of the scan)
Checking `bindshell'... warning, got bogus tcp line.
warning, got bogus tcp line.
warning, got bogus tcp line.
warning, got bogus tcp line.
INFECTED (PORTS: 465)
Checking `lkm'... You have 2 process hidden for readdir command
You have 2 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... /proc/2833/fd: No such file or directory
/proc/2848/fd: No such file or directory
/proc/2849/fd: No such file or directory
eth0: not promisc and no PF_PACKET sockets
eth0:1: not promisc and no PF_PACKET sockets
eth0:0: not promisc and no PF_PACKET sockets
eth0:2: not promisc and no PF_PACKET sockets
eth0:3: not promisc and no PF_PACKET sockets
eth0:4: not promisc and no PF_PACKET sockets
eth0:5: not promisc and no PF_PACKET sockets
eth0:6: not promisc and no PF_PACKET sockets
eth0:7: not promisc and no PF_PACKET sockets
eth0:8: not promisc and no PF_PACKET sockets
eth0:9: not promisc and no PF_PACKET sockets
eth0:10: not promisc and no PF_PACKET sockets
Checking `slapper'... Warning: Possible Slapper Worm installed
#####
This is interesting, because the Slapper worm is old news, and Apache 0.9 and on has fixed the issue with Slapper (I'm running the latest build). Another thing is that port 465 SHOULD be blocked by the firewall, yet I see this process:
/usr/sbin/exim -tls-on-connect -bd -oX 465
3) I am running APF Firewall with all but necessary ports open, and I am using the included anti-dos system.
4) I had an email being opened in exim which was using 47% and up RAM usage; I killed the process and removed the email, but I was amazed that an email would use so many resources.
Any ideas, folks? My kernel is the latest build, and all my services are patched to the latest version. I am running Red Hat Enterprise 3.0ES on a Dell PowerEdge server.
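The chkrootkit lines above ("2 process hidden for readdir command" / "for ps command") come from a simple cross-check: enumerate /proc the normal way (readdir, which is what ls and ps rely on) and separately probe every /proc/<pid>/stat by name over the whole PID space, then report PIDs that the probe finds but the listing does not. A kernel module that filters readdir results usually still lets the entry be opened by name. The script below is an added example that reproduces that check in Python; it is not part of the original post or of chkrootkit. It assumes a Linux /proc layout and a `ps` that accepts `-eo pid=`; the `max_pid` fallback of 32768 is an assumption for systems where kernel.pid_max cannot be read. It re-probes candidates so a process that merely exited between the two scans is not reported as hidden, which is the usual source of false positives with this technique. (Separately, the "Operation not permitted" nmap gets from sendto is the error a local iptables DROP rule in the OUTPUT chain returns to the sending socket, so a firewall blocking raw packets to loopback looks the same as a hooked syscall; checking the OUTPUT chain is a cheap first step before assuming a rootkit.)

```python
"""Cross-check /proc enumeration methods to find processes hidden from readdir/ps.
Added example (not from the original post or from chkrootkit). Assumes Linux /proc.
"""
import os
import subprocess
from typing import Callable, Iterable, Optional, Set

PROC = "/proc"


def pids_from_readdir(proc: str = PROC) -> Set[int]:
    """PIDs exactly as readdir() on /proc reports them (the view ls and ps get)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pids_from_probe(proc: str = PROC, max_pid: Optional[int] = None) -> Set[int]:
    """PIDs found by stat()ing /proc/<pid>/stat by name, bypassing readdir.

    Walks the whole PID space up to kernel.pid_max, so it is slow on systems
    with a large pid_max, but it sees entries a readdir-filtering module hides.
    """
    if max_pid is None:
        try:
            with open(os.path.join(proc, "sys", "kernel", "pid_max")) as fh:
                max_pid = int(fh.read().strip())
        except (OSError, ValueError):
            max_pid = 32768  # assumption: classic default when pid_max is unreadable
    found: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.stat(os.path.join(proc, str(pid), "stat"))
        except OSError:
            continue  # ENOENT: no such process (or hidden even from open-by-name)
        found.add(pid)
    return found


def parse_ps_pids(ps_output: str) -> Set[int]:
    """Parse `ps -eo pid=` output (one PID per line, no header) into a set."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def pids_from_ps() -> Set[int]:
    """PIDs as the system's ps binary reports them."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return parse_ps_pids(out)


def hidden_pids(seen_by_probe: Iterable[int], seen_by_listing: Iterable[int]) -> Set[int]:
    """PIDs reachable by name but absent from the listing under test."""
    return set(seen_by_probe) - set(seen_by_listing)


def confirmed_hidden(candidates: Iterable[int], relist: Callable[[], Set[int]],
                     proc: str = PROC) -> Set[int]:
    """Re-check candidates to weed out processes that simply exited between scans.

    A PID counts as hidden only if it is still reachable by name AND still
    absent from a fresh listing produced by `relist`.
    """
    fresh = relist()
    return {pid for pid in candidates
            if pid not in fresh
            and os.path.exists(os.path.join(proc, str(pid), "stat"))}


def scan(proc: str = PROC) -> dict:
    """Run the full check; returns {'readdir': set_of_pids, 'ps': set_of_pids}."""
    probe = pids_from_probe(proc)
    report = {}
    for label, listing_fn in (("readdir", lambda: pids_from_readdir(proc)),
                              ("ps", pids_from_ps)):
        candidates = hidden_pids(probe, listing_fn())
        report[label] = confirmed_hidden(candidates, listing_fn, proc)
    return report


if __name__ == "__main__":
    for label, hidden in scan().items():
        print(f"{len(hidden)} process(es) hidden from {label}: {sorted(hidden)}")
```

Run it as root so every /proc/<pid>/stat is stat-able; a non-empty result from the "readdir" check with a matching "ps" result is the same condition chkrootkit flagged, and the surviving PIDs can then be inspected directly via /proc/<pid>/exe and /proc/<pid>/cmdline, which the listing filter does not prevent.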