Has anyone ever heard of "the spider"?? I happened to look into some traffic logs through my Webalizer and clicked on one of the links, and it took me to a site where I can see all my processes and every bit of info on my server, and that he's able to send spam from my server as the user "nobody". The site it is sent to is http://acp.ca/file/spider.txt. Any ideas on how to catch him? Thank you.
radioactivecrew . org. Anyone heard of them? They knew I whois'd them lol, but now I'm getting it from this different site.

Domain ID:D105317281-LROR
Domain Name:RADIOACTIVECREW.ORG
Created On:10-Dec-2004 08:30:53 UTC
Last Updated On:09-Feb-2005 04:01:12 UTC
Expiration Date:10-Dec-2014 08:30:53 UTC
Sponsoring Registrar:Gandi SAS (R42-LROR)
Status:OK
Registrant ID:O-883573-GANDI
Registrant Name:Radio Active Crew
Registrant Organization:Radio Actice Crew
Registrant Street1:Jl. Yang Lurus dan Benar 69
Registrant Street2:
Registrant Street3:
Registrant City:Bandung
Registrant State/Province:
Registrant Postal Code:40000
Registrant Country:ID
Registrant Phone:+62.22250250
Registrant Phone Ext.:
Registrant FAX:+62.22250250
Registrant FAX Ext.:
Registrant Email:eb4aec4c2f7fbe0d74ab8cb325e72a9a-885362@owner.gandi.net
Admin ID:RAC9-GANDI
Admin Name:Radio Actice Crew
Admin Street1:Jl. Yang Lurus dan Benar 69
Admin Street2:
Admin Street3:
Admin City:Bandung
Admin State/Province:
Admin Postal Code:40000
Admin Country:ID
Admin Phone:+62.22250250
Admin Phone Ext.:
Admin FAX:+62.22250250
Admin FAX Ext.:
Admin Email:86ed99e12e5f81321fd7ad72f3ca96b5-rac9@contact.gandi.net
Tech ID:RAC9-GANDI
Tech Name:Radio Actice Crew
Tech Street1:Jl. Yang Lurus dan Benar 69
Tech Street2:
Tech Street3:
Tech City:Bandung
Tech State/Province:
Tech Postal Code:40000
Tech Country:ID
Tech Phone:+62.22250250
Tech Phone Ext.:
Tech FAX:+62.22250250
Tech FAX Ext.:
Tech Email:86ed99e12e5f81321fd7ad72f3ca96b5-rac9@contact.gandi.net
Name Server:NS1.EVERYDNS.NET
Name Server:NS2.EVERYDNS.NET

Any idea on how to get to someone in a different country?
If any of the security people would PM me, I would be happy to give them the link they are using so you can see for yourself. Thank you.
You may have a shell exploit uploaded to your server. If you have root access to your server, you will need to tail the mail logs. This will take you to the source. Assuming you're using Exim: tail -f /var/log/exim_mainlog. Locking down your server plays a very big role in spam. You may want to look into getting your server administration team on it. If you would like, Trexhost.com offers server administration services with the sale of dedicated and reseller accounts.
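Added example (not from the thread or any poster): a small Python parser that applies the mail-log advice above to Exim main-log lines, picking out messages handed to Exim by a local process running as the web-server user (the "<=" arrival lines carrying U=nobody and P=local). The log lines are constructed samples, and the field names assume Exim's standard main-log format.

```python
import re
from collections import Counter

# Constructed sample of Exim main-log lines (not real traffic).
# "<=" lines record a message arriving; U= is the local user that handed it
# to Exim, P=local means a local process (e.g. a PHP script calling sendmail).
SAMPLE_LOG = """\
2005-02-09 04:01:12 1Cz3Vd-0001mx-2k <= bounce@example.net U=nobody P=local S=2310 id=a1@webhost.example
2005-02-09 04:01:12 1Cz3Vd-0001mx-2k => victim1@example.org R=dnslookup T=remote_smtp H=mx.example.org [192.0.2.10]
2005-02-09 04:01:13 1Cz3Ve-0001n0-3a <= bounce@example.net U=nobody P=local S=2310 id=a2@webhost.example
2005-02-09 04:01:20 1Cz3Vl-0001n9-7b <= alice@webhost.example U=alice P=local S=840 id=b1@webhost.example
2005-02-09 04:01:25 1Cz3Vq-0001nd-9c <= <> H=mail.example.com [198.51.100.7] P=esmtp S=1200
"""

ARRIVAL_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
FIELD_RE = re.compile(r"\b(?P<key>[A-Z])=(?P<val>\S+)")  # single-letter fields: U=, P=, S=, H=

def parse_arrivals(log_text):
    """Yield one dict per message-arrival ('<=') line; other lines are skipped."""
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m:
            continue  # deliveries ('=>'), completions, errors
        rec = {"ts": m["ts"], "msgid": m["msgid"], "sender": m["sender"]}
        rec.update(dict(FIELD_RE.findall(m["rest"])))
        yield rec

def local_submissions_by_user(log_text, user="nobody"):
    """Messages injected by a local process running as `user` (P=local).
    For a web host, a flood of these under the web-server account usually
    means a script on the box is sending mail, not a remote SMTP client."""
    return [r for r in parse_arrivals(log_text)
            if r.get("U") == user and r.get("P") == "local"]

def sender_counts(records):
    """How many messages each envelope sender injected; useful to spot the forged From."""
    return Counter(r["sender"] for r in records)

if __name__ == "__main__":
    hits = local_submissions_by_user(SAMPLE_LOG)
    print(f"{len(hits)} message(s) injected locally as 'nobody'")
    for sender, n in sender_counts(hits).most_common():
        print(f"  {n:4d}  {sender}")
```

Once the suspicious message IDs are known, the matching "=>" delivery lines give the recipients, and the Apache access log for the same timestamps points at the script being hit.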
If they're in your server (which it sounds like they are), then the only option which will bring you peace of mind is to wipe it clean and re-install the OS. However, if you just put the same OS back on the box with everything else configured in the same way, they will use the same exploit to get into your box again. You really need to find how they got in and make sure you patch that hole. If you can't find the hole, the next best thing is to upgrade everything to the latest revision (after re-installing) and continue to upgrade regularly. It can also be worthwhile looking at hardening your server with a product like SELinux.