
Unauthorized root login?

clinton4

Member
I posted this in English on another forum, so I hope it's fine that I just copy it in here. Feel free to reply in Norwegian ;)

I am experiencing strange behavior on one of my servers. The server is running CentOS 5.5 (Final) and Parallels Plesk Panel 9.5.4. I am the only one with access to the server and the server is only used for my own websites.

In the root folder I have found some PHP files which I have not uploaded myself. The files look like they have been used to send out emails (see attached files). When I run "last" I see there has been a root login from an IP which is located in Italy (where I have never been). When I discovered this I changed my root password ASAP. I also added the following line in .bashrc:

echo "ALERT - Root access on:" `date` `who` | mail -s "ALERT: Root access on server 7" *********@gmail.com

So every time root logs in to the server, I get an email alert which contains the IP of the remote host. Now, I just received such an alert and I have not logged into the server myself. Also, the IP is located in a different country than I am.

So I log in to the server, change the password again and reboot the server. When the server comes back up I do "last root". But there I cannot find the unauthorised login that I just received an email alert about. Why do I not see this in the wtmp or wtmp.1 log?

After I added the command to .bashrc, I have experienced three unauthorised logins. All with different root passwords. I always use a very strong password (min 10 chars/numbers/signs), so a bruteforce attack is eliminated. My question here is, how do they manage to keep logging in?

One thought was that I had some spyware on my computer, but I have scanned my computer with AVG and several other virus software and they did not find any.
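
An added example, not part of the original post: besides `last`, the sshd auth log (/var/log/secure on CentOS) records every accepted login with its authentication method and source address, which gives a second record to compare against the e-mail alerts. The script below pulls accepted root logins out of such lines and flags addresses that are not on a known list; the sample log lines, host name and allow-list are constructed, and the standard OpenSSH syslog line format is assumed.

```shell
#!/bin/sh
# Added example: list accepted root logins from sshd auth-log lines and flag
# source addresses that are not on an allow-list.
# Assumption: syslog lines of the form
#   <Mon> <day> <time> <host> sshd[<pid>]: Accepted <method> for <user> from <ip> port <n> ssh2

# Constructed sample input (documentation IP ranges). On CentOS the real data
# would come from /var/log/secure and its rotated copies.
SAMPLE_LOG='Mar  3 10:01:12 server7 sshd[2211]: Accepted password for root from 192.0.2.10 port 50122 ssh2
Mar  3 10:05:40 server7 sshd[2290]: Failed password for root from 203.0.113.77 port 41800 ssh2
Mar  4 02:14:09 server7 sshd[3120]: Accepted publickey for root from 203.0.113.77 port 41922 ssh2
Mar  4 08:30:00 server7 sshd[3301]: Accepted password for webuser from 198.51.100.5 port 60001 ssh2'

# root_logins "<space-separated known IPs>"   (log lines on stdin)
# Prints "<Mon> <day> <time> <method> <ip> <OK|UNKNOWN>" per accepted root login.
# Fixed field positions are used so that text inside a failed-login message
# (for example a crafted user name) cannot be mistaken for an accepted login.
root_logins() {
    awk -v known="$1" '
        BEGIN { n = split(known, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" && $8 == "for" &&
        $9 == "root" && $10 == "from" {
            print $1, $2, $3, $7, $11, (($11 in ok) ? "OK" : "UNKNOWN")
        }'
}

# unknown_count "<known IPs>"   (log lines on stdin)
# Number of accepted root logins from addresses not on the allow-list.
unknown_count() {
    root_logins "$1" | awk '$NF == "UNKNOWN" { c++ } END { print c + 0 }'
}

# Run against the constructed sample; 192.0.2.10 stands in for the admin's own IP.
printf '%s\n' "$SAMPLE_LOG" | root_logins "192.0.2.10"
```

The method column separates password logins from key-based ones, so a flagged entry also shows whether the password was involved in that session.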
 