
Help anyone

Discussion in 'Security' started by IRockHosting, Sep 15, 2007.

  1. #1
    Has anyone ever heard of the spider??
    I happened to look into some traffic logs through my Webalizer and clicked on one of the links, and it happened to take me to a site where I can see all my processes and every bit of info on my server, and that he's able to send spam from my server from the user "nobody".


    the site it is sent to is http://acp.ca/file/spider.txt?


    Any ideas on how to catch him?

    Thank you
     
    IRockHosting, Sep 15, 2007 IP
  2. IRockHosting
    #2
    radioactivecrew . org
    Anyone heard of them?

    They knew I whois'd them lol,
    but now I'm getting it from this different site.



    Any idea on how to get to someone in a different country?
     
    IRockHosting, Sep 16, 2007 IP
  3. IRockHosting
    #3
    If any of the security people would PM me, I would be happy to give them the link they are using so you can see for yourself.

    Thank you
     
    IRockHosting, Sep 16, 2007 IP
  4. HostJail
    #4
    You may have a shell exploit uploaded to your server. If you have root access to your server, you will need to tail the mail logs. This will take you to the source. Assuming you're using Exim:
    tail -f /var/log/exim_mainlog

    Locking down your server plays a very big role in spam. You may want to look into getting your server administration team on it. If you would like, Trexhost.com offers server administration services with the sale of dedicated and reseller accounts.
     
    HostJail, Sep 18, 2007 IP
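An added example (not from the thread or any poster) of what tailing the mail log is looking for: a small Python script that reads Exim mainlog lines, picks out messages submitted locally by the web-server user ("nobody" here) and, where Exim also logs "cwd=" lines (it does so when log_selector includes +arguments, as cPanel's default config does), groups them by the directory of the script that called sendmail. The log lines below are constructed samples; the user names, paths and message ids are assumptions.

```python
import re
import sys
from collections import Counter

# Constructed sample Exim mainlog lines (not from the thread). The "cwd=" lines
# are only written when Exim runs with log_selector = +arguments; each one
# immediately precedes the "<=" arrival line of the message it belongs to.
SAMPLE_LOG = """\
2007-09-15 10:01:02 cwd=/home/client1/public_html/forms 3 args: /usr/sbin/sendmail -t -i
2007-09-15 10:01:02 1IWQ1a-0002Hk-3Z <= apache@server.example U=nobody P=local S=1987 id=1@server.example
2007-09-15 10:01:02 1IWQ1a-0002Hk-3Z => victim@example.net R=lookuphost T=remote_smtp H=mx.example.net
2007-09-15 10:01:05 1IWQ1d-0002Hq-7C <= alice@server.example U=alice P=local S=512 id=2@server.example
2007-09-15 10:01:09 cwd=/home/client2/public_html/tmp 3 args: /usr/sbin/sendmail -t -i
2007-09-15 10:01:09 1IWQ1h-0002Hx-9Q <= apache@server.example U=nobody P=local S=2043 id=3@server.example
2007-09-15 10:02:11 cwd=/home/client2/public_html/tmp 3 args: /usr/sbin/sendmail -t -i
2007-09-15 10:02:11 1IWQ2j-0002J0-1B <= apache@server.example U=nobody P=local S=2043 id=4@server.example
"""

# "<=" marks a message arriving; U= is the local Unix user that submitted it.
ARRIVAL_RE = re.compile(r"^(\S+ \S+) (\S+) <= (\S+) .*?\bU=(\S+)")
# "cwd=" lines record the working directory of the process that ran sendmail.
CWD_RE = re.compile(r"^(\S+ \S+) cwd=(\S+) \d+ args: ")


def find_web_user_senders(log_text, web_user="nobody"):
    """Return {cwd: count} of messages submitted locally by web_user.

    The cwd is taken from the "cwd=" line directly before the arrival line;
    when Exim does not log it, the count lands under "<cwd not logged>".
    """
    last_cwd = None
    hits = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m:
            last_cwd = m.group(2)
            continue
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        if m.group(4) == web_user:
            hits[last_cwd or "<cwd not logged>"] += 1
        last_cwd = None  # a cwd line applies only to the next arrival
    return dict(hits)


if __name__ == "__main__":
    # Pass a real mainlog path (e.g. /var/log/exim_mainlog) to scan it instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for cwd, n in sorted(find_web_user_senders(text).items(), key=lambda kv: -kv[1]):
        print(f"{n:5d}  {cwd}")
```

Directories that show up with many "nobody" submissions are where to look for the uploaded script; on the sample data /home/client2/public_html/tmp tops the list.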
  5. Ladadadada
    #5
    If they're in your server (which it sounds like they are) then the only option which will bring you peace of mind is to wipe it clean and re-install the OS.

    However, if you just put the same OS back on the box with everything else configured in the same way, they will use the same exploit to get into your box again.

    You really need to find how they got in and make sure you patch that hole. If you can't find the hole, the next best thing is to upgrade everything to the latest revision (after re-installing) and continue to upgrade regularly.

    It can also be worthwhile looking at hardening your server with a product like SELinux.
     
    Ladadadada, Oct 5, 2007 IP