Malicious content on server - next steps advice [closed]

Posted by Under435 on Server Fault See other posts from Server Fault or by Under435
Published on 2012-09-30T20:09:33Z Indexed on 2012/09/30 21:39 UTC
Read the original article Hit count: 295

Filed under:
|
|

Possible Duplicate:
My server's been hacked EMERGENCY

I just got an e-mail from my hosting company that they got a report of malicious content being hosted on my vps. I was unaware of this and started looking into it. I discovered a file called /var/www/mysite.com/osc.htm.

Soon after I discovered some weird php files wp-includes.php and ndlist.php both recognized as being PHP/WebShell.A.1 virus.

I removed all these files but I'm unsure of what to do next. Can anyone help me analyze the output below of sudo netstat -A inet -p -e and give advice on what's best to do next.

Thanks very much in advance

Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 localhost.localdo:mysql localhost.localdo:37495 TIME_WAIT   root       0           -               
tcp        0      1 mysite.com:50524   xnacreators.net:smtp         SYN_SENT    Debian-exim 69746       25848/exim4     
tcp        0      0 mysite.com:www     tha165.thehealtha:37065      TIME_WAIT   root       0           -               
tcp        0      0 localhost.localdo:37494 localhost.localdo:mysql TIME_WAIT   root       0           -               
udp        0      0 mysite.com:59447   merlin.ensma.fr:ntp          ESTABLISHED ntpd       3769        2522/ntpd       
udp        0      0 mysite.com:36432   beast.syus.org:ntp           ESTABLISHED ntpd       4357        2523/ntpd       
udp        0      0 mysite.com:48212   formularfetischiste:ntp      ESTABLISHED ntpd       3768        2522/ntpd       
udp        0      0 mysite.com:46690   formularfetischiste:ntp      ESTABLISHED ntpd       4354        2523/ntpd       
udp        0      0 mysite.com:35009   stratum-2-core-a.qu:ntp      ESTABLISHED ntpd       4356        2523/ntpd       
udp        0      0 mysite.com:58702   stratum-2-core-a.qu:ntp      ESTABLISHED ntpd       3770        2522/ntpd       
udp        0      0 mysite.com:49583   merlin.ensma.fr:ntp          ESTABLISHED ntpd       4355        2523/ntpd       
udp        0      0 mysite.com:56290   beast.syus.org:ntp           ESTABLISHED ntpd       3771        2522/ntpd  

© Server Fault or respective owner

Related posts about ubuntu-10.04

Related posts about virus