How to clean up the prevedvsvem exploit:

First, secure ssh some more:
- Login to your server as root
- vi /etc/ssh/sshd_config
- Add: Port XXXX, where XXXX = a random number above 2k or so.
- Make sure "Protocol 2" is uncommented
- Make sure "LoginGraceTime 2m" is uncommented
- Make sure "RhostsRSAAuthentication no" is uncommented
- Make sure "HostbasedAuthentication no" is uncommented
- Add: IgnoreUserKnownHosts yes
- Add/change: IgnoreRhosts yes
- Add/change: PermitEmptyPasswords no
- Add/change: X11Forwarding no
- Comment out: Subsystem sftp /usr/libexec/openssh/sftp-server
- A sample sshd_config can be found here: http://www.delphster.net/scripts/sshd_config.example
- Save the sshd_config file
- service sshd restart

Next, create a new user:
- Skip the next 2 steps if you have cPanel and a working non-root login
- If you do not have a cPanel server, then create a username of your choice: useradd USERHERE
- Once created, passwd USERHERE

Next, remove the backdoor script:
- cd /sbin
- chattr -u -i -a shs
- rm shs

Next, close the fuscript port:
- cd /etc
- vi services
- Find the 2 lines that start with fuscript. Comment them out. They should look like:
  #fuscript 1144/tcp # Fusion Script
  #fuscript 1144/udp # Fusion Script

Next, clear up logging:
- rm /var/log/messagess

Next, get the cleanup script:
- cd ~
- wget http://www.delphster.net/scripts/cleanup_preved.tar
- tar xf cleanup_preved.tar
- php cleanup.php > cleanup.log

Next, remove extraneous services (optional):
- cd /etc/init.d
- rm cups
- rm gpm

If on cPanel, make sure to secure /tmp:
- /scripts/securetmp

Next, reboot your server:
- reboot

Finally, when the server is back up, log in as your normal user account and check the log file (cleanup.log) for any binary files (these will either need cleaning manually or reloading from backups etc).

Good luck!

Delphy
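As an added check that is not part of Delphy's post: a small POSIX shell audit that reads an sshd_config and reports which of the settings listed above are still missing or wrong, so you can confirm the edits took before running service sshd restart. It assumes the plain directive-value file format (no Match blocks) and uses two constructed sample configs, not real server files.

```shell
#!/bin/sh
# Added audit helper (not from Delphy's post): reports which of the sshd_config
# settings listed above are missing or wrong. Usage: audit_sshd_config FILE

# Effective value of a directive: sshd honours the first uncommented occurrence.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

audit_sshd_config() {
    cfg=$1 fails=0
    # directive=expected pairs taken from the hardening list above
    for pair in Protocol=2 LoginGraceTime=2m RhostsRSAAuthentication=no \
        HostbasedAuthentication=no IgnoreUserKnownHosts=yes IgnoreRhosts=yes \
        PermitEmptyPasswords=no X11Forwarding=no; do
        key=${pair%%=*} want=${pair#*=}
        have=$(sshd_value "$cfg" "$key")
        [ "$have" = "$want" ] && continue
        echo "FAIL: $key is '${have:-unset}', expected '$want'"
        fails=$((fails + 1))
    done
    # Port must be set explicitly and moved off the default 22
    port=$(sshd_value "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "FAIL: Port is '${port:-unset}', expected a non-default port"
        fails=$((fails + 1))
    fi
    # the sftp Subsystem line should be commented out, not active
    if [ -n "$(sshd_value "$cfg" Subsystem)" ]; then
        echo "FAIL: Subsystem sftp line is still active"
        fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]          # exit status: 0 = all checks passed
}

# Constructed samples (not real server files): before and after the edits
BEFORE=$(mktemp) AFTER=$(mktemp)
printf '%s\n' '#Port 22' 'Protocol 2' 'PermitEmptyPasswords yes' \
    'Subsystem sftp /usr/libexec/openssh/sftp-server' > "$BEFORE"
printf '%s\n' 'Port 2222' 'Protocol 2' 'LoginGraceTime 2m' \
    'RhostsRSAAuthentication no' 'HostbasedAuthentication no' \
    'IgnoreUserKnownHosts yes' 'IgnoreRhosts yes' 'PermitEmptyPasswords no' \
    'X11Forwarding no' '#Subsystem sftp /usr/libexec/openssh/sftp-server' > "$AFTER"

audit_sshd_config "$BEFORE" || echo "before: hardening incomplete"
audit_sshd_config "$AFTER" && echo "after: all checks passed"
```

Run it against /etc/ssh/sshd_config as root after editing; a FAIL line names the directive to revisit, and a clean run exits 0.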