OVH Community, your new community space.

KS16G hacked. [Help?]


rootnovato
16/09/2013, 15:00
Quote: Originally posted by jack2
Let me clarify: I don't have a single server with OVH. Our servers are in datacenters that offer professional service, but I pay for them what they cost; I don't pay 10 euros and expect the best service. We host clients in datacenters like OVH, where anything can happen.

The cheapest server I have is US$212 and I can show you invoices; I spend around US$4900 a month on servers. For example, I pay US$270 for an E-1270 v3 with 32 GB of RAM and a 300 GB SAS disk, but I haven't had a single incident in that datacenter in the last 20 months, zero problems. I don't use desktop hardware, everything is enterprise class.

If something happens in the datacenter I send a ticket and have a reply in 3 minutes. For hardware issues the replacement is done in 2 hours; if a disk fails they simply help me clone it and in a few hours I have everything running again, but I pay for a service that covers that cost.

I'm not defending OVH, nor am I interested in defending it; I can only say that you can't pay little and expect the best service.

I check this forum because we administer servers for some clients who have servers contracted with OVH.
Just what we needed... someone who isn't an OVH customer, and who therefore is unaware of countless details, coming to tell us what we can or cannot expect.

Go on, off you go, mate; go give lessons to whoever asks for them.

pepejlr
15/09/2013, 23:38
Quote: Originally posted by jack2
The cheapest server I have is US$212 and I can show you invoices; I spend around US$4900 a month on servers. For example, I pay US$270 for an E-1270 v3 with 32 GB of RAM and a 300 GB SAS disk, but I haven't had a single incident in that datacenter in the last 20 months, zero problems. I don't use desktop hardware, everything is enterprise class.
You pay for the support you want to receive. That doesn't happen with the KS, since support isn't a priority; now, unfortunately, support may have got worse when it comes to hardware replacement. I'm not interested in paying for a full month if my server is down for 2 days waiting for a hard disk to be replaced, and on top of that not being compensated for that downtime. Big problems call for big remedies. You don't pay for support, but in that case you have to fend for yourself with service redundancy, a manual backup programme, etc. In that respect I prefer to have all the control myself.

But that has nothing to do with the stability of an entire datacenter. OVH's datacenters seem excellent and very good to me. Its IP network is also excellent. I've had this KS for 1 year and it has never gone down except when there's a massive incident in the datacenter, which in my case has only happened with the famous backbone outage.

jack2
15/09/2013, 23:11
Quote: Originally posted by rootnovato
We all know this already; there's no need for any user to come and remind us. OVH knows how to defend itself.

tfwfactory is surely referring to the complete lack of cooperation from OVH in detecting and blocking servers belonging to people who use them solely for malicious purposes. Right now, if you receive an attack from another OVH customer's server, reporting it is useless because they do absolutely nothing...

We'll see if something similar happens to you one day, if you come to the forum to stick up for OVH by reminding us of the obvious.
Let me clarify: I don't have a single server with OVH. Our servers are in datacenters that offer professional service, but I pay for them what they cost; I don't pay 10 euros and expect the best service. We host clients in datacenters like OVH, where anything can happen.

The cheapest server I have is US$212 and I can show you invoices; I spend around US$4900 a month on servers. For example, I pay US$270 for an E-1270 v3 with 32 GB of RAM and a 300 GB SAS disk, but I haven't had a single incident in that datacenter in the last 20 months, zero problems. I don't use desktop hardware, everything is enterprise class.

If something happens in the datacenter I send a ticket and have a reply in 3 minutes. For hardware issues the replacement is done in 2 hours; if a disk fails they simply help me clone it and in a few hours I have everything running again, but I pay for a service that covers that cost.

I'm not defending OVH, nor am I interested in defending it; I can only say that you can't pay little and expect the best service.

I check this forum because we administer servers for some clients who have servers contracted with OVH.

pepejlr
15/09/2013, 21:47
OVH's policy of providing a 100% unmanaged service is honestly something I see as an advantage.

OVH gives us plenty of facilities for administering the server in terms of reboots, reinstalls, secondary DNS... without also having to spend staff on detecting problems that the owner should detect. I haven't studied to be a sysadmin, but I think that with a bit of learning you can do a lot about the security of a dedicated server. In that respect I like it that if OVH puts my server in rescue mode, it screws me over and I learn and find the error by myself. We all learn the hard way, and if managing a dedicated server on your own is too much for you, well, there's no shortage of solutions at other companies that administer the server however the client demands, but coming here to ask doesn't seem right to me.

With the prices they offer on KS, why should they detect what exactly is failing at the software level?

tfwfactory
15/09/2013, 18:26
Indeed, as of today OVH doesn't help at all. For us the OVH issue is such that we're ruling it out for offering either a managed or an unmanaged service; right now we're looking at other options, since it's no use to anyone who manages many servers, or else they may go crazy. The main fear clients convey about OVH is being shut down for no reason; many people are terrified at the mere idea of having to set everything up again just because, and the excuse is the cheapest one around.

That's why there are other options we're testing, and of course we don't mind if it's necessary to pay a bit more. We're not asking them to solve our lives for us, we're not asking them to intervene on the servers, we're asking them to stop making excuses when there's a problem. If a company is big because it has loads of low-added-value customers who in many cases engage in illegal practices or attack external servers, that's its problem; the fact is that the level of attacks that servers on the OVH network suffer is off the charts.

OVH should take care of looking after its customers, those who have been with them for more than a year, or more than 5, or much longer; it doesn't build their loyalty and treats them like any old rubbish out there. Sometimes it's not about money, it's about being valued as a customer and as a user who deserves something more; one customer brings another, and it's not that a server is worth 3 euros. Who sets the price? There are many services that bring in an affiliate and deliver what they promise at the stated cost.

It saddens us a lot to see a client or user genuinely desperate at seeing his website taken down because there was a silly little line in a WordPress that emitted some trivial connection that didn't affect anyone, but the OVH people decided, without the slightest pang of conscience, to take his server down for a week with no chance to recover any data.

We could tell stories like these by the dozen. The problem is that life, business, obligations and responsibilities are already plenty without having to wonder, when you get up, whether someone at OVH has decided there's been a "hacking" and decided to press the button. We have experience with other providers, and they may not have the capacity to put up 3000 servers at 3 dollars or euros each week, but they have one thing: respect for the customer, and dedication. Here the policy is: 3000 leave, who cares, there are 50000 more.

It's really sad to see anyone's work thrown on the floor or destroyed, and at least for us, as people, it does bother us to see many clients very annoyed by this. Yes, they're managed servers, fine, but for that very reason: less meddling in what's private and less pointing at the OVH network, which in reality is in quite a bad state and affected in many cases. For a start, let them talk about the differences in network between a KS server and a professional one. Are there any? No. And there are many things like that.

For the record, we were doing very well at OVH, but the uncertainty makes us look elsewhere, because you certainly can't go on like this, and nobody from OVH comes to give the customer a vote of confidence either. There are many people here who are customers and deserve respect, gentlemen. The rest, the obvious, we already know: OVH couldn't care less and doesn't care much whether it hurts you or them or not, simply that. But certainly the OVH Hispano people count for nothing at OVH; it's more than proven that they are only mouthpieces for what's said in France, and that the people in France couldn't care less; they tear things apart and everything else is indifferent to them. In the end what they said will turn out to be true: the OVH Spain people put up with an awful lot without having to.

They call them company policies. Well, let them carry on. We hope fuegox and others continue to do well with their servers; either things change a lot at OVH or they can count on several server cancellations. We'll wait until October to see if stability comes; if not, it's better to contract services with other datacenters that do offer guarantees, closeness to the customer and a long etc. This is starting to be as shoddy as the servers we've been waiting 2 months for. Regards, and sorry for the rant; it's a venting of what I think and what we think in general.

rootnovato
15/09/2013, 17:54
Quote: Originally posted by jack2
OVH is an unmanaged service and could not give you software support, much less for what is paid for this type of server.
We all know this already; there's no need for any user to come and remind us. OVH knows how to defend itself.

tfwfactory is surely referring to the complete lack of cooperation from OVH in detecting and blocking servers belonging to people who use them solely for malicious purposes. Right now, if you receive an attack from another OVH customer's server, reporting it is useless because they do absolutely nothing...

We'll see if something similar happens to you one day, if you come to the forum to stick up for OVH by reminding us of the obvious.

jack2
15/09/2013, 13:28
OVH is an unmanaged service and could not give you software support, much less for what is paid for this type of server.

tfwfactory
15/09/2013, 12:37
Well, that's a shame. I hope you solved it in the end. It's a pity that OVH doesn't give the necessary help and people have to go crazy, especially considering that in a way it isn't their fault; the OVH network also bears a lot of the blame and is packed to the brim with people with anything but good intentions. They should rather look at who they have inside. I hope you have everything resolved. Regards.

fuegox
15/09/2013, 11:49
Quote: Originally posted by tfwfactory
I would look at this:

[06:31:13] Checking for SSH configuration file [ Found ]
[06:31:13] Info: Found SSH configuration file: /etc/ssh/sshd_config
[06:31:13] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[06:31:13] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[06:31:13] Checking if SSH root access is allowed [ Warning ]
[06:31:13] Warning: The SSH and rkhunter configuration options should be the same:
[06:31:13] SSH configuration option 'PermitRootLogin': yes
[06:31:13] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
[06:31:13] Checking if SSH protocol v1 is allowed [ Not allowed ]
[06:31:13] Checking for running syslog daemon [ Found ]
[06:31:13] Info: Found rsyslog configuration file: /etc/rsyslog.conf
[06:31:13] Checking for syslog configuration file [ Found ]
[06:31:14] Checking if syslog remote logging is allowed [ Not allowed ]
[06:31:14]
[06:31:14] Info: Starting test name 'filesystem'
[06:31:14] Performing filesystem checks
[06:31:14] Info: SCAN_MODE_DEV set to 'THOROUGH'
[06:31:14] Checking /dev for suspicious file types [ None found ]
[06:31:14] Checking for hidden files and directories [ Warning ]
[06:31:14] Warning: Hidden directory found: /etc/.java
[06:31:14] Warning: Hidden directory found: /dev/.udev

Secure the SSH setup to prevent root logins, change that name, and check that possible Java process to see whether a Java console could be used to launch attacks. Install csf and block the UDP ports, so that afterwards you can keep looking for any problems. Also check the cgi-bin folders of the domains and see whether they are empty or not.

Regards, good luck, and tell us all how it goes.

Well, things have gone badly. Early this morning they put the server in rescue mode, locked with a warning. I unlocked it, rebooted in rescue mode to get in via SSH, made a backup and reinstalled with Debian 7.

Thanks for the help ^^

tfwfactory
14/09/2013, 13:43
I would look at this:

[06:31:13] Checking for SSH configuration file [ Found ]
[06:31:13] Info: Found SSH configuration file: /etc/ssh/sshd_config
[06:31:13] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[06:31:13] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[06:31:13] Checking if SSH root access is allowed [ Warning ]
[06:31:13] Warning: The SSH and rkhunter configuration options should be the same:
[06:31:13] SSH configuration option 'PermitRootLogin': yes
[06:31:13] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
[06:31:13] Checking if SSH protocol v1 is allowed [ Not allowed ]
[06:31:13] Checking for running syslog daemon [ Found ]
[06:31:13] Info: Found rsyslog configuration file: /etc/rsyslog.conf
[06:31:13] Checking for syslog configuration file [ Found ]
[06:31:14] Checking if syslog remote logging is allowed [ Not allowed ]
[06:31:14]
[06:31:14] Info: Starting test name 'filesystem'
[06:31:14] Performing filesystem checks
[06:31:14] Info: SCAN_MODE_DEV set to 'THOROUGH'
[06:31:14] Checking /dev for suspicious file types [ None found ]
[06:31:14] Checking for hidden files and directories [ Warning ]
[06:31:14] Warning: Hidden directory found: /etc/.java
[06:31:14] Warning: Hidden directory found: /dev/.udev

Secure the SSH setup to prevent root logins, change that name, and check that possible Java process to see whether a Java console could be used to launch attacks. Install csf and block the UDP ports, so that afterwards you can keep looking for any problems. Also check the cgi-bin folders of the domains and see whether they are empty or not.

Regards, good luck, and tell us all how it goes.
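
As an added example, not code from this thread, here is how I would triage the rkhunter output tfwfactory points at (and answer fuegox's earlier question of how to read the log): count the bracketed outcomes, pull out the "Warning:" lines, separate the two hidden directories rkhunter flagged from anything unexpected, and check sshd_config against what rkhunter's ALLOW_SSH_ROOT_USER=no expects. The log lines are copied from the post; the sshd_config text, the benign-directory allowlist and the hardened baseline are assumptions of the example, not something the posts state.

```python
"""rkhunter warning triage + sshd_config audit. Added example, not thread code.
The log lines are copied from the post above; sshd_config and the allowlist
are constructed assumptions."""
import re
from collections import Counter

# rkhunter lines copied from the log quoted above.
RKHUNTER_LOG = """\
[06:31:13] Checking if SSH root access is allowed [ Warning ]
[06:31:13] Warning: The SSH and rkhunter configuration options should be the same:
[06:31:13] SSH configuration option 'PermitRootLogin': yes
[06:31:13] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
[06:31:13] Checking if SSH protocol v1 is allowed [ Not allowed ]
[06:31:14] Checking for hidden files and directories [ Warning ]
[06:31:14] Warning: Hidden directory found: /etc/.java
[06:31:14] Warning: Hidden directory found: /dev/.udev
[06:30:55] Checking for Apache backdoor [ Not found ]
"""
# Constructed sshd_config in the state rkhunter complained about.
SSHD_CONFIG_BEFORE = """\
# constructed sample, not the poster's file
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
"""
# udev and the Java runtime create these themselves; both are commented-out
# ALLOWHIDDENDIR examples in the stock rkhunter.conf. Still list their contents.
KNOWN_BENIGN_HIDDEN = {"/dev/.udev", "/etc/.java"}
# Directives that satisfy ALLOW_SSH_ROOT_USER=no / ALLOW_SSH_PROT_V1=0, plus
# key-only auth (assumed baseline for this example).
HARDENED = [("PermitRootLogin", "no"), ("Protocol", "2"), ("PasswordAuthentication", "no")]

RESULT_RE = re.compile(r"^\[\d\d:\d\d:\d\d\] (.+?)\s+\[ (.+?) \]$")
WARN_RE = re.compile(r"^\[\d\d:\d\d:\d\d\] Warning: (.*)$")
HIDDEN_RE = re.compile(r"Hidden (?:directory|file) found: (\S+)")
DIRECTIVE_RE = re.compile(r"[ \t=]+")

def summarize_results(log):
    """Count outcomes: '[ Not found ]'/'[ OK ]' are clean, '[ Warning ]' needs a human."""
    return Counter(m.group(2) for m in map(RESULT_RE.match, log.splitlines()) if m)

def rkhunter_warnings(log):
    """Return the text of every 'Warning:' line."""
    return [m.group(1) for m in map(WARN_RE.match, log.splitlines()) if m]

def classify_hidden(warnings):
    """Split hidden-path warnings into known-benign and needs-review paths."""
    benign, review = [], []
    for m in filter(None, map(HIDDEN_RE.search, warnings)):
        (benign if m.group(1) in KNOWN_BENIGN_HIDDEN else review).append(m.group(1))
    return {"benign": benign, "review": review}

def parse_sshd_config(text):
    """Map lowercased keywords to values; first occurrence wins, as in sshd."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = DIRECTIVE_RE.split(line, maxsplit=1) if line else []
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf

def audit_sshd(conf):
    """One finding per HARDENED directive that is missing or set differently."""
    return ["%s is %r, want %r" % (name, conf.get(name.lower(), "<unset>"), want)
            for name, want in HARDENED
            if conf.get(name.lower(), "<unset>").lower() != want]

def harden_sshd(text):
    """Enforce every HARDENED directive; old values stay in the file commented out."""
    wanted = {name.lower(): (name, value) for name, value in HARDENED}
    out, done = [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key = DIRECTIVE_RE.split(line, maxsplit=1)[0].lower() if line else ""
        if key in wanted:
            out.append("#" + raw + "  # replaced by hardening")
            if key not in done:
                out.append("%s %s" % wanted[key])
                done.add(key)
        else:
            out.append(raw)
    out += ["%s %s" % wanted[k] for k in wanted if k not in done]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(dict(summarize_results(RKHUNTER_LOG)), rkhunter_warnings(RKHUNTER_LOG))
    print(classify_hidden(rkhunter_warnings(RKHUNTER_LOG)))
    print(audit_sshd(parse_sshd_config(SSHD_CONFIG_BEFORE)), harden_sshd(SSHD_CONFIG_BEFORE), sep="\n")
```

The hundreds of "[ Not found ]" lines in the log are rkhunter reporting that a known rootkit's files are absent, so they are good news; only the "[ Warning ]" entries need attention, and those two hidden directories are created by udev and Java. The root-login mismatch is real and fixable, but on a host that has already been used to launch UDP attacks the hardening is a stopgap, not a cleanup; the reinstall fuegox ended up doing is the cleanup.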

jack2
14/09/2013, 13:37
If the server was compromised, the best thing is to reinstall everything. To start with, change the SSH port and run maldetect.

fuegox
14/09/2013, 07:01
Anyway, as I said, by some means or other they've slipped something onto me, since I found 2 .sh scripts for launching UDP attacks from my machine. I deleted them and installed rkhunter. Can anyone tell me how to interpret this?

[06:30:42] Checking for file '/usr/man/man1/xxxxxxbin/bash' [ Not found ]
[06:30:42] Checking for file '/tmp/conf.inv' [ Not found ]
[06:30:42] Checking for directory '/dev/prom' [ Not found ]
[06:30:42] Checking for directory '/dev/pts/01' [ Not found ]
[06:30:42] Checking for directory '/dev/pts/01/bin' [ Not found ]
[06:30:42] Checking for directory '/usr/man/man1/xxxxxxbin' [ Not found ]
[06:30:42] URK Rootkit [ Not found ]
[06:30:42]
[06:30:42] Checking for Vampire Rootkit...
[06:30:42] Checking for kernel symbol 'new_getdents' [ Not found ]
[06:30:42] Checking for kernel symbol 'old_getdents' [ Not found ]
[06:30:42] Checking for kernel symbol 'should_hide_file_name' [ Not found ]
[06:30:42] Checking for kernel symbol 'should_hide_task_name' [ Not found ]
[06:30:42] Vampire Rootkit [ Not found ]
[06:30:42]
[06:30:42] Checking for VcKit Rootkit...
[06:30:42] Checking for directory '/usr/include/linux/modules/lib.so' [ Not found ]
[06:30:42] Checking for directory '/usr/include/linux/modules/lib.so/bin' [ Not found ]
[06:30:42] VcKit Rootkit [ Not found ]
[06:30:42]
[06:30:42] Checking for Volc Rootkit...
[06:30:42] Checking for file '/usr/bin/volc' [ Not found ]
[06:30:42] Checking for file '/usr/lib/volc/backdoor/divine' [ Not found ]
[06:30:42] Checking for file '/usr/lib/volc/linsniff' [ Not found ]
[06:30:42] Checking for file '/etc/rc.d/rc1.d/S25sysconf' [ Not found ]
[06:30:43] Checking for file '/etc/rc.d/rc2.d/S25sysconf' [ Not found ]
[06:30:43] Checking for file '/etc/rc.d/rc3.d/S25sysconf' [ Not found ]
[06:30:43] Checking for file '/etc/rc.d/rc4.d/S25sysconf' [ Not found ]
[06:30:43] Checking for file '/etc/rc.d/rc5.d/S25sysconf' [ Not found ]
[06:30:43] Checking for directory '/var/spool/.recent' [ Not found ]
[06:30:43] Checking for directory '/var/spool/.recent/.files' [ Not found ]
[06:30:43] Checking for directory '/usr/lib/volc' [ Not found ]
[06:30:43] Checking for directory '/usr/lib/volc/backup' [ Not found ]
[06:30:43] Volc Rootkit [ Not found ]
[06:30:43]
[06:30:43] Checking for Xzibit Rootkit...
[06:30:43] Checking for file '/dev/dsx' [ Not found ]
[06:30:43] Checking for file '/dev/caca' [ Not found ]
[06:30:43] Checking for file '/dev/ida/.inet/linsniffer' [ Not found ]
[06:30:43] Checking for file '/dev/ida/.inet/logclear' [ Not found ]
[06:30:43] Checking for file '/dev/ida/.inet/sense' [ Not found ]
[06:30:43] Checking for file '/dev/ida/.inet/sl2' [ Not found ]
[06:30:43] Checking for file '/dev/ida/.inet/sshdu' [ Not found ]
[06:30:43] Checking for file '/dev/ida/.inet/s' [ Not found ]
[06:30:43] Checking for file '/dev/ida/.inet/ssh_host_key' [ Not found ]
[06:30:43] Checking for file '/dev/ida/.inet/ssh_random_seed' [ Not found ]
[06:30:43] Checking for file '/dev/ida/.inet/sl2new.c' [ Not found ]
[06:30:43] Checking for file '/dev/ida/.inet/tcp.log' [ Not found ]
[06:30:43] Checking for file '/home/httpd/cgi-bin/becys.cgi' [ Not found ]
[06:30:43] Checking for file '/usr/local/httpd/cgi-bin/becys.cgi' [ Not found ]
[06:30:43] Checking for file '/usr/local/apache/cgi-bin/becys.cgi' [ Not found ]
[06:30:43] Checking for file '/www/httpd/cgi-bin/becys.cgi' [ Not found ]
[06:30:43] Checking for file '/www/cgi-bin/becys.cgi' [ Not found ]
[06:30:43] Checking for directory '/dev/ida/.inet' [ Not found ]
[06:30:43] Xzibit Rootkit [ Not found ]
[06:30:43]
[06:30:43] Checking for X-Org SunOS Rootkit...
[06:30:43] Checking for file '/usr/lib/libX.a/bin/tmpfl' [ Not found ]
[06:30:43] Checking for file '/usr/lib/libX.a/bin/rps' [ Not found ]
[06:30:43] Checking for file '/usr/bin/srload' [ Not found ]
[06:30:43] Checking for file '/usr/lib/libX.a/bin/sparcv7/rps' [ Not found ]
[06:30:43] Checking for file '/usr/sbin/modcheck' [ Not found ]
[06:30:43] Checking for directory '/usr/lib/libX.a' [ Not found ]
[06:30:43] Checking for directory '/usr/lib/libX.a/bin' [ Not found ]
[06:30:43] Checking for directory '/usr/lib/libX.a/bin/sparcv7' [ Not found ]
[06:30:44] Checking for directory '/usr/share/man...' [ Not found ]
[06:30:44] X-Org SunOS Rootkit [ Not found ]
[06:30:44]
[06:30:44] Checking for zaRwT.KiT Rootkit...
[06:30:44] Checking for file '/dev/rd/s/sendmeil' [ Not found ]
[06:30:44] Checking for file '/dev/ttyf' [ Not found ]
[06:30:44] Checking for file '/dev/ttyp' [ Not found ]
[06:30:44] Checking for file '/dev/ttyn' [ Not found ]
[06:30:44] Checking for file '/rk/tulz' [ Not found ]
[06:30:44] Checking for directory '/rk' [ Not found ]
[06:30:44] Checking for directory '/dev/rd/s' [ Not found ]
[06:30:44] zaRwT.KiT Rootkit [ Not found ]
[06:30:44]
[06:30:44] Checking for ZK Rootkit...
[06:30:44] Checking for file '/usr/share/.zk/zk' [ Not found ]
[06:30:44] Checking for file '/usr/X11R6/.zk/xfs' [ Not found ]
[06:30:44] Checking for file '/usr/X11R6/.zk/echo' [ Not found ]
[06:30:44] Checking for file '/etc/1ssue.net' [ Not found ]
[06:30:44] Checking for file '/etc/sysconfig/console/load.zk' [ Not found ]
[06:30:44] Checking for directory '/usr/share/.zk' [ Not found ]
[06:30:44] Checking for directory '/usr/X11R6/.zk' [ Not found ]
[06:30:44] ZK Rootkit [ Not found ]
[06:30:44]
[06:30:44] Info: Starting test name 'additional_rkts'
[06:30:44] Performing additional rootkit checks
[06:30:44]
[06:30:44] Performing Suckit Rookit additional checks
[06:30:44] Checking hard link count on '/sbin/init' [ OK ]
[06:30:44] Checking for hidden file extensions [ None found ]
[06:30:44] Running skdet command [ Skipped ]
[06:30:44] Info: Unable to find the 'skdet' command
[06:30:44] Suckit Rookit additional checks [ OK ]
[06:30:44]
[06:30:44] Info: Starting test name 'possible_rkt_files'
[06:30:44] Performing check of possible rootkit files and directories
[06:30:44] Checking for file '/dev/sdr0' [ Not found ]
[06:30:44] Checking for file '/dev/pisu' [ Not found ]
[06:30:44] Checking for file '/dev/xdta' [ Not found ]
[06:30:44] Checking for file '/dev/saux' [ Not found ]
[06:30:44] Checking for file '/dev/hdx' [ Not found ]
[06:30:45] Checking for file '/dev/hdx1' [ Not found ]
[06:30:45] Checking for file '/dev/hdx2' [ Not found ]
[06:30:45] Checking for file '/dev/ptyy' [ Not found ]
[06:30:45] Checking for file '/dev/ptyu' [ Not found ]
[06:30:45] Checking for file '/dev/ptyv' [ Not found ]
[06:30:45] Checking for file '/dev/hdbb' [ Not found ]
[06:30:45] Checking for file '/tmp/.syshackfile' [ Not found ]
[06:30:45] Checking for file '/tmp/.bash_history' [ Not found ]
[06:30:45] Checking for file '/usr/info/.clib' [ Not found ]
[06:30:45] Checking for file '/usr/sbin/tcp.log' [ Not found ]
[06:30:45] Checking for file '/usr/bin/take/pid' [ Not found ]
[06:30:45] Checking for file '/sbin/create' [ Not found ]
[06:30:45] Checking for file '/dev/ttypz' [ Not found ]
[06:30:45] Checking for file '/var/log/tcp.log' [ Not found ]
[06:30:45] Checking for file '/usr/include/audit.h' [ Not found ]
[06:30:45] Checking for file '/usr/bin/sourcemask' [ Not found ]
[06:30:45] Checking for file '/usr/bin/ras2xm' [ Not found ]
[06:30:45] Checking for file '/dev/xmx' [ Not found ]
[06:30:45] Checking for file '/usr/sbin/gpm.root' [ Not found ]
[06:30:45] Checking for file '/bin/vobiscum' [ Not found ]
[06:30:45] Checking for file '/bin/psr' [ Not found ]
[06:30:45] Checking for file '/dev/kdx' [ Not found ]
[06:30:45] Checking for file '/dev/dkx' [ Not found ]
[06:30:45] Checking for file '/usr/sbin/sshd3' [ Not found ]
[06:30:45] Checking for file '/usr/sbin/jcd' [ Not found ]
[06:30:45] Checking for file '/etc/rc.d/init.d/jcd' [ Not found ]
[06:30:45] Checking for file '/usr/sbin/atd2' [ Not found ]
[06:30:45] Checking for file '/home/httpd/cgi-bin/linux.cgi' [ Not found ]
[06:30:45] Checking for file '/home/httpd/cgi-bin/psid' [ Not found ]
[06:30:46] Checking for file '/home/httpd/cgi-bin/void.cgi' [ Not found ]
[06:30:46] Checking for file '/etc/rc.d/init.d/system' [ Not found ]
[06:30:46] Checking for file '/etc/rc.d/rc3.d/S93users' [ Not found ]
[06:30:46] Checking for file '/tmp/.ush' [ Not found ]
[06:30:46] Checking for file '/usr/lib/libhidefile.so' [ Not found ]
[06:30:46] Checking for file '/etc/cron.d/kmod' [ Not found ]
[06:30:46] Checking for file '/usr/lib/dmis/dmisd' [ Not found ]
[06:30:46] Checking for file '/lib/secure/libhij.so' [ Not found ]
[06:30:46] Checking for file '/usr/sbin/sshd3' [ Not found ]
[06:30:46] Checking for file '/etc/rc.d/init.d/crontab' [ Not found ]
[06:30:46] Checking for file '/etc/rc.d/init.d/jcd' [ Not found ]
[06:30:46] Checking for file '/usr/sbin/atd2' [ Not found ]
[06:30:46] Checking for file '/etc/rc.d/rc5.d/S93users' [ Not found ]
[06:30:46] Checking for directory '/dev/ptyas' [ Not found ]
[06:30:46] Checking for directory '/usr/bin/take' [ Not found ]
[06:30:46] Checking for directory '/usr/src/.lib' [ Not found ]
[06:30:46] Checking for directory '/usr/share/man/man1/.1c' [ Not found ]
[06:30:46] Checking for directory '/lib/lblip.tk' [ Not found ]
[06:30:46] Checking for directory '/usr/sbin/...' [ Not found ]
[06:30:46] Checking for directory '/usr/share/.gun' [ Not found ]
[06:30:46] Checking for directory '/unde/vrei/tu/sa/te/ascunzi/in/server' [ Not found ]
[06:30:46] Checking for directory '/usr/man/man1/.. /.dir' [ Not found ]
[06:30:46] Checking for directory '/usr/X11R6/include/X11/...' [ Not found ]
[06:30:46] Checking for directory '/usr/X11R6/lib/X11/.fonts/misc/...' [ Not found ]
[06:30:46] Checking for directory '/tmp/.sys' [ Not found ]
[06:30:46] Checking for directory '/tmp/'' [ Not found ]
[06:30:46] Checking for directory '/tmp/.,' [ Not found ]
[06:30:47] Checking for directory '/tmp/,.,' [ Not found ]
[06:30:47] Checking for directory '/dev/shm/emilien' [ Not found ]
[06:30:47] Checking for directory '/var/tmp/.log' [ Not found ]
[06:30:47] Checking for directory '/tmp/zmeu/... ' [ Not found ]
[06:30:47] Checking for directory '/var/log/ssh' [ Not found ]
[06:30:47] Checking for directory '/dev/ida' [ Not found ]
[06:30:47] Checking for directory '/lib/java' [ Not found ]
[06:30:47] Checking for directory '/var/lib/games/.src/ssk/shit' [ Not found ]
[06:30:47] Checking for directory '/usr/lib/libshtift' [ Not found ]
[06:30:47] Checking for directory '/usr/src/.poop' [ Not found ]
[06:30:47] Checking for directory '/dev/wd4' [ Not found ]
[06:30:47] Checking for directory '/var/run/.tmp' [ Not found ]
[06:30:47] Checking for directory '/usr/man/man1/lib/.lib' [ Not found ]
[06:30:47] Checking for directory '/dev/portd' [ Not found ]
[06:30:47] Checking for directory '/dev/...' [ Not found ]
[06:30:47] Checking for directory '/usr/share/man/mansps' [ Not found ]
[06:30:47] Checking for directory '/lib/.so' [ Not found ]
[06:30:47] Checking for directory '/lib/.sso' [ Not found ]
[06:30:47] Checking for possible rootkit files and directories [ None found ]
[06:30:47]
[06:30:47] Info: Starting test name 'possible_rkt_strings'
[06:30:47] Performing check for possible rootkit strings
[06:30:47] Info: Using system startup paths: /etc/rc.local /etc/init.d
[06:30:47] Checking for string 'phalanx' [ Not found ]
[06:30:47] Checking for string '/dev/proc/fuckit' [ Not found ]
[06:30:47] Checking for string 'FUCK' [ Not found ]
[06:30:47] Checking for string 'backdoor' [ Not found ]
[06:30:47] Checking for string '/usr/bin/rcpc' [ Not found ]
[06:30:48] Checking for string '/usr/sbin/login' [ Not found ]
[06:30:48] Checking for string '/dev/ptyxx/.proc' [ Not found ]
[06:30:48] Checking for string 'vt200' [ Not found ]
[06:30:48] Checking for string '/usr/bin/xstat' [ Not found ]
[06:30:48] Checking for string '/bin/envpc' [ Not found ]
[06:30:48] Checking for string 'L4m3r0x' [ Not found ]
[06:30:48] Checking for string '/lib/libext' [ Not found ]
[06:30:48] Checking for string '/usr/sbin/login' [ Not found ]
[06:30:48] Checking for string '/usr/lib/.tbd' [ Not found ]
[06:30:48] Checking for string 'sendmail' [ Not found ]
[06:30:48] Checking for string 'cocacola' [ Not found ]
[06:30:48] Checking for string 'joao' [ Not found ]
[06:30:48] Checking for string '/dev/ptyxx/.file' [ Not found ]
[06:30:48] Checking for string '/dev/ptyxx/.file' [ Not found ]
[06:30:48] Checking for string '/dev/sgk' [ Not found ]
[06:30:48] Checking for string '/var/lock/subsys/...datafile...' [ Not found ]
[06:30:48] Checking for string '/usr/lib/.tbd' [ Not found ]
[06:30:48] Checking for string '/dev/proc/fuckit' [ Not found ]
[06:30:48] Checking for string '/lib/.sso' [ Not found ]
[06:30:48] Checking for string '/var/lock/subsys/...datafile...' [ Not found ]
[06:30:48] Checking for string '/dev/caca' [ Not found ]
[06:30:48] Checking for string '/dev/ttyoa' [ Not found ]
[06:30:48] Checking for string '/usr/lib/ldlibns.so' [ Not found ]
[06:30:49] Checking for string '/dev/ptyxx/.addr' [ Not found ]
[06:30:49] Checking for string 'syg' [ Not found ]
[06:30:49] Checking for string '/var/lock/subsys/...datafile...' [ Not found ]
[06:30:49] Checking for string '/dev/pts/01' [ Not found ]
[06:30:49] Checking for string 'tw33dl3' [ Not found ]
[06:30:49] Checking for string 'psniff' [ Not found ]
[06:30:49] Checking for string 'uconf.inv' [ Not found ]
[06:30:49] Checking for string 'lib/ldlibps.so' [ Not found ]
[06:30:49] Checking for string '/usr/lib/ldlibpst.so' [ Not found ]
[06:30:49] Checking for string '/var/lock/subsys/...datafile...' [ Not found ]
[06:30:49] Checking for string 'libproc.so.2.0.7' [ Not found ]
[06:30:49] Checking for string '/dev/ptyxx/.proc' [ Not found ]
[06:30:49] Checking for string '/dev/ptyxx/.proc' [ Not found ]
[06:30:49] Checking for string 'libproc.so.2.0.7' [ Not found ]
[06:30:49] Checking for string 'libproc.so.2.0.7' [ Not found ]
[06:30:49] Checking for string '/bin/bash' [ Not found ]
[06:30:49] Checking for string '/dev/ptyxx' [ Not found ]
[06:30:49] Checking for string '/.config' [ Not found ]
[06:30:49] Checking for string '\$.*\$\!.*\!\!\$' [ Not found ]
[06:30:50] Checking for string '/dev/xdta' [ Not found ]
[06:30:50] Checking for string '/usr/lib/.tbd' [ Not found ]
[06:30:50] Checking for string '/dev/ptyxx/.proc' [ Not found ]
[06:30:50] Checking for string 'in.inetd' [ Not found ]
[06:30:50] Checking for string '#' [ Not found ]
[06:30:50] Checking for string 'bin/xchk' [ Not found ]
[06:30:50] Checking for string 'bin/xsf' [ Not found ]
[06:30:50] Checking for string '/usr/bin/ssh2d' [ Not found ]
[06:30:51] Checking for string '/usr/sbin/xntps' [ Not found ]
[06:30:51] Checking for string 'ttyload' [ Not found ]
[06:30:51] Checking for string '/etc/rc.d/init.d/init' [ Not found ]
[06:30:51] Checking for string 'usr/bin/xfss' [ Not found ]
[06:30:51] Checking for string '/usr/sbin/rpc.netinet' [ Not found ]
[06:30:51] Checking for string '/usr/lib/.fx/cons.saver' [ Not found ]
[06:30:52] Checking for string '/usr/lib/.fx/xs' [ Not found ]
[06:30:52] Checking for string '/ssh2d' [ Not found ]
[06:30:52] Checking for string '/dev/kmod' [ Not found ]
[06:30:52] Checking for string '/crth.o' [ Not found ]
[06:30:52] Checking for string '/crtz.o' [ Not found ]
[06:30:52] Checking for string '/dev/dos' [ Not found ]
[06:30:52] Checking for string '/lpq' [ Not found ]
[06:30:53] Checking for string '/usr/sbin/rescue' [ Not found ]
[06:30:53] Checking for string '/usr/lib/lpstart' [ Not found ]
[06:30:53] Checking for string '/volc' [ Not found ]
[06:30:53] Checking for string 'sourcemask' [ Not found ]
[06:30:53] Checking for string '/bin/vobiscum' [ Not found ]
[06:30:53] Checking for string '/usr/sbin/in.telnet' [ Not found ]
[06:30:53] Checking for string 'hdparm' [ Not found ]
[06:30:54] Checking for string '/lib/ldd.so/tkps' [ Not found ]
[06:30:54] Checking for string 't0rnkit' [ Not found ]
[06:30:54] Checking for string '/dev/proc/fuckit' [ Not found ]
[06:30:54] Checking for string 'libproc.so.2.0.7' [ Not found ]
[06:30:54] Checking for string 'libproc.so.2.0.7' [ Not found ]
[06:30:54] Checking for string 'libproc.so.2.0.7' [ Not found ]
[06:30:54] Checking for string '/usr/lib/ldlibct.so' [ Not found ]
[06:30:54] Checking for string '/usr/lib/ldlibdu.so' [ Not found ]
[06:30:54] Checking for string '/dev/ptyxx/.file' [ Not found ]
[06:30:54] Checking for string 'libproc.so.2.0.7' [ Not found ]
[06:30:54] Checking for string '/dev/ida/.inet' [ Not found ]
[06:30:54] Checking for possible rootkit strings [ None found ]
[06:30:54]
[06:30:54] Info: Starting test name 'malware'
[06:30:54] Performing malware checks
[06:30:54]
[06:30:54] Info: Test 'deleted_files' disabled at users request.
[06:30:54]
[06:30:54] Info: Starting test name 'running_procs'
[06:30:55] Checking running processes for suspicious files [ None found ]
[06:30:55]
[06:30:55] Info: Test 'hidden_procs' disabled at users request.
[06:30:55]
[06:30:55] Info: Test 'suspscan' disabled at users request.
[06:30:55]
[06:30:55] Info: Starting test name 'other_malware'
[06:30:55] Performing check for login backdoors
[06:30:55] Checking for '/bin/.login' [ Not found ]
[06:30:55] Checking for '/sbin/.login' [ Not found ]
[06:30:55] Checking for login backdoors [ None found ]
[06:30:55]
[06:30:55] Performing check for suspicious directories
[06:30:55] Checking for directory '/usr/X11R6/bin/.,/copy' [ Not found ]
[06:30:55] Checking for directory '/dev/rd/cdb' [ Not found ]
[06:30:55] Checking for suspicious directories [ None found ]
[06:30:55]
[06:30:55] Checking for software intrusions [ Skipped ]
[06:30:55] Info: Check skipped - tripwire not installed
[06:30:55]
[06:30:55] Performing check for sniffer log files
[06:30:55] Checking for file '/usr/lib/libice.log' [ Not found ]
[06:30:55] Checking for file '/dev/prom/sn.l' [ Not found ]
[06:30:55] Checking for file '/dev/fd/.88/zxsniff.log' [ Not found ]
[06:30:55] Checking for sniffer log files [ None found ]
[06:30:55]
[06:30:55] Info: Starting test name 'trojans'
[06:30:55] Performing trojan specific checks
[06:30:55] Checking for enabled inetd services [ Skipped ]
[06:30:55] Info: Check skipped - file '/etc/inetd.conf' does not exist.
[06:30:55]
[06:30:55] Performing check for enabled xinetd services
[06:30:55] Checking for enabled xinetd services [ Skipped ]
[06:30:55] Info: Check skipped - file '/etc/xinetd.conf' does not exist.
[06:30:55] Checking for Apache backdoor [ Not found ]
[06:30:55]
[06:30:55] Info: Starting test name 'os_specific'
[06:30:55] Performing Linux specific checks
[06:30:55] Checking loaded kernel modules [ Warning ]
[06:30:55] Warning: The modules file '/proc/modules' is missing.
[06:30:55] Info: Using modules pathname of '/lib/modules'
[06:30:55] Checking kernel module names [ Skipped ]
[06:30:56] Warning: The kernel modules directory '/lib/modules' is missing or empty.
[06:31:10]
[06:31:10] Info: Starting test name 'network'
[06:31:10] Checking the network...
[06:31:10]
[06:31:10] Performing checks on the network ports
[06:31:10] Info: Starting test name 'ports'
[06:31:10] Performing check for backdoor ports
[06:31:10] Checking for TCP port 1524 [ Not found ]
[06:31:10] Checking for TCP port 1984 [ Not found ]
[06:31:10] Checking for UDP port 2001 [ Not found ]
[06:31:10] Checking for TCP port 2006 [ Not found ]
[06:31:11] Checking for TCP port 2128 [ Not found ]
[06:31:11] Checking for TCP port 6666 [ Not found ]
[06:31:11] Checking for TCP port 6667 [ Not found ]
[06:31:11] Checking for TCP port 6668 [ Not found ]
[06:31:11] Checking for TCP port 6669 [ Not found ]
[06:31:11] Checking for TCP port 7000 [ Not found ]
[06:31:11] Checking for TCP port 13000 [ Not found ]
[06:31:11] Checking for TCP port 14856 [ Not found ]
[06:31:11] Checking for TCP port 25000 [ Not found ]
[06:31:11] Checking for TCP port 29812 [ Not found ]
[06:31:11] Checking for TCP port 31337 [ Not found ]
[06:31:11] Checking for TCP port 32982 [ Not found ]
[06:31:11] Checking for TCP port 33369 [ Not found ]
[06:31:11] Checking for TCP port 47107 [ Not found ]
[06:31:11] Checking for TCP port 47018 [ Not found ]
[06:31:11] Checking for TCP port 60922 [ Not found ]
[06:31:11] Checking for TCP port 62883 [ Not found ]
[06:31:12] Checking for TCP port 65535 [ Not found ]
[06:31:12] Checking for backdoor ports [ None found ]
[06:31:12]
[06:31:12] Info: Starting test name 'hidden_ports'
[06:31:12] Checking for hidden ports [ Skipped ]
[06:31:12] Info: Unable to find the 'unhide-tcp' command
[06:31:12]
[06:31:12] Performing checks on the network interfaces
[06:31:12] Info: Starting test name 'promisc'
[06:31:12] Checking for promiscuous interfaces [ None found ]
[06:31:12]
[06:31:12] Info: Test 'packet_cap_apps' disabled at users request.
[06:31:12]
[06:31:12] Info: Starting test name 'local_host'
[06:31:12] Checking the local host...
[06:31:12]
[06:31:12] Info: Starting test name 'startup_files'
[06:31:12] Performing system boot checks
[06:31:12] Checking for local host name [ Found ]
[06:31:12]
[06:31:12] Info: Starting test name 'startup_malware'
[06:31:12] Checking for system startup files [ Found ]
[06:31:13] Checking system startup files for malware [ None found ]
[06:31:13]
[06:31:13] Info: Starting test name 'group_accounts'
[06:31:13] Performing group and account checks
[06:31:13] Checking for passwd file [ Found ]
[06:31:13] Info: Found password file: /etc/passwd
[06:31:13] Checking for root equivalent (UID 0) accounts [ None found ]
[06:31:13] Info: Found shadow file: /etc/shadow
[06:31:13] Checking for passwordless accounts [ None found ]
[06:31:13]
[06:31:13] Info: Starting test name 'passwd_changes'
[06:31:13] Checking for passwd file changes [ Warning ]
[06:31:13] Warning: User 'postfix' has been added to the passwd file.
[06:31:13]
[06:31:13] Info: Starting test name 'group_changes'
[06:31:13] Checking for group file changes [ Warning ]
[06:31:13] Warning: Group 'postfix' has been added to the group file.
[06:31:13] Warning: Group 'postdrop' has been added to the group file.
[06:31:13] Checking root account shell history files [ OK ]
[06:31:13]
[06:31:13] Info: Starting test name 'system_configs'
[06:31:13] Performing system configuration file checks
[06:31:13] Checking for SSH configuration file [ Found ]
[06:31:13] Info: Found SSH configuration file: /etc/ssh/sshd_config
[06:31:13] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[06:31:13] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[06:31:13] Checking if SSH root access is allowed [ Warning ]
[06:31:13] Warning: The SSH and rkhunter configuration options should be the same:
[06:31:13] SSH configuration option 'PermitRootLogin': yes
[06:31:13] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
[06:31:13] Checking if SSH protocol v1 is allowed [ Not allowed ]
[06:31:13] Checking for running syslog daemon [ Found ]
[06:31:13] Info: Found rsyslog configuration file: /etc/rsyslog.conf
[06:31:13] Checking for syslog configuration file [ Found ]
[06:31:14] Checking if syslog remote logging is allowed [ Not allowed ]
[06:31:14]
[06:31:14] Info: Starting test name 'filesystem'
[06:31:14] Performing filesystem checks
[06:31:14] Info: SCAN_MODE_DEV set to 'THOROUGH'
[06:31:14] Checking /dev for suspicious file types [ None found ]
[06:31:14] Checking for hidden files and directories [ Warning ]
[06:31:14] Warning: Hidden directory found: /etc/.java
[06:31:14] Warning: Hidden directory found: /dev/.udev
[06:40:16]
[06:40:16] Info: Test 'apps' disabled at users request.
[06:40:17]
[06:40:17] System checks summary
[06:40:17] =====================
[06:40:17]
[06:40:17] File properties checks...
[06:40:17] Files checked: 131
[06:40:17] Suspect files: 1
[06:40:17]
[06:40:17] Rootkit checks...
[06:40:17] Rootkits checked : 245
[06:40:17] Possible rootkits: 0
[06:40:17]
[06:40:17] Applications checks...
[06:40:17] All checks skipped
[06:40:17]
[06:40:17] The system checks took: 11 minutes and 0 seconds
[06:40:17]
[06:40:17] Info: End date is sáb sep 14 06:40:17 CEST 2013[/QUOTE]

Also, I noticed this: logging into my server over VNC (it doesn't have the old VNC exploit or anything) and going to /, I noticed
that there are 3 screenshots of my server taken at different times on 3 different days, and...

A folder called run, /run, and inside it there are loads of directories like apache2, consolekit, cups, dbus, lock, sshd, screen, and a ton of .pid files,
console-kit-daemon.pid and others I had honestly never seen before.

Also, if I go to /VAR I've seen 2 shortcuts to the LOCK/RUN folders inside VAR... Created between yesterday and today.

WTF ?