  1. #1

    I believe my server has been hacked. Advice needed!

    My CentOS 4.3 (yes, it's old) dedicated server seems to always halt and become inaccessible at around 10PM-Midnight every day. I checked my netstat and found the following:

    Code:
    tcp 0 560 ns2.1337gamer.net:ssh 173-26-2030.client.m:55189 ESTABLISHED
    It seems they have SSH access? What can I do to trace this hacker or stop them? Thank you in advance.
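A shell-side check of the kind the netstat line above invites, added here as an example that is not part of the thread: it scans netstat-style output for ESTABLISHED sessions on the local ssh port and prints the remote host of any session that is not on an allow list. The allow list, the documentation addresses (192.0.2.5, 203.0.113.10, 198.51.100.7) and the host name my-office.example.net are constructed placeholders; the thread's own netstat line is included as the one that should be flagged.

```shell
#!/bin/sh
# Added example, not from the thread: flag ESTABLISHED SSH sessions whose remote
# endpoint is not on an allow list of known-good sources.
# Usage on a live host: netstat -tn | flag_ssh_sessions
# (-n prints numeric addresses, so list IPs rather than rDNS names in practice).

# Space-separated prefixes of trusted remote hosts (constructed placeholders).
ALLOWED_SSH_PEERS="203.0.113.10 my-office.example.net"

# Read netstat lines on stdin; print the remote host of each ESTABLISHED
# session on the local ssh port (port name "ssh" or number 22) that does not
# begin with one of the allowed prefixes.
flag_ssh_sessions() {
    awk -v allowed="$ALLOWED_SSH_PEERS" '
        BEGIN { n = split(allowed, ok, " ") }
        # Columns: proto recv-q send-q local foreign state
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
            lport = $4; sub(/.*:/, "", lport)          # local port: text after the last colon
            if (lport != "ssh" && lport != "22") next
            rhost = $5; sub(/:[^:]*$/, "", rhost)      # remote host: strip the trailing :port
            trusted = 0
            for (i = 1; i <= n; i++)
                if (index(rhost, ok[i]) == 1) trusted = 1
            if (!trusted) print rhost
        }'
}

# Constructed sample: one trusted SSH session, the line from the thread, one HTTP session.
SAMPLE_NETSTAT='tcp 0 0 192.0.2.5:ssh 203.0.113.10:51234 ESTABLISHED
tcp 0 560 ns2.1337gamer.net:ssh 173-26-2030.client.m:55189 ESTABLISHED
tcp 0 0 192.0.2.5:http 198.51.100.7:40000 ESTABLISHED'

printf '%s\n' "$SAMPLE_NETSTAT" | flag_ssh_sessions   # prints 173-26-2030.client.m
```

Two caveats when running this on a box you already suspect: the netstat binary on a compromised host may itself have been replaced, so confirm the listing from /proc/net/tcp or from a rescue boot, and matching on reverse-DNS names is only as trustworthy as the DNS the attacker may control, which is why the allow list should hold IP addresses.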

  2. #2
    Join Date: Feb 2004 | Location: UK | Posts: 1,431
    Firstly

    I'd change your passwords,

    Then secure it by limiting who can access the server by IP (so only your ip can access it)

    then generate a Key using putty on your PC and make it so only you have that key to access the server.

    Other than that I can't think what else to suggest from the information you have provided.

    Thanks

  3. #3
    Join Date: Dec 2010 | Location: Orange County, CA USA | Posts: 136
    Quote Originally Posted by abtme:
    then generate a Key using putty on your PC and make it so only you have that key to access the server.
    So is this only for using PuTTY to access the server, or can the key generated from PuTTY be used by ssh?

    Thanks! Jxff

  4. #4
    Join Date: Mar 2002 | Location: Philadelphia, PA | Posts: 2,517
    Disable SSH for non-root users, create an SSH account that you use to su - or sudo.

    Take advantage of hosts.deny/hosts.allow to restrict SSH access to particular hosts and deny all others.

    Enable additional SSH restrictions, timeouts, maximum attempts before disconnecting etc.
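The advice in posts #2 and #4 (key-only access, an explicit user list, no root login, bounded attempts and grace time, TCP wrappers restricting sshd by source) maps onto a handful of sshd_config keywords. Added here as an example that is not from the thread or any project: a small POSIX shell audit that reads an sshd_config, reports which of those keywords still need tightening, and prints matching hosts.allow/hosts.deny lines. The two config files and the addresses in them are constructed; the defaults assumed for absent keywords are OpenSSH's documented ones for releases of that era (newer OpenSSH defaults PermitRootLogin to prohibit-password), and Match blocks are not handled.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config against the
# restrictions recommended in the posts above and print what still needs work.
# Sample configs and addresses below are constructed for this example.

# sshd uses the FIRST uncommented occurrence of a keyword, so take the first
# match. Keywords are case-insensitive. Match blocks are not handled (assumption).
cfg_value() {   # cfg_value FILE KEYWORD  -> prints the value or nothing
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Report one keyword. MODE "eq" wants an exact value, "le" a numeric maximum.
# DEFAULT is what sshd assumes when the keyword is absent (OpenSSH defaults).
check() {   # check FILE KEYWORD MODE WANTED DEFAULT
    v=$(cfg_value "$1" "$2"); [ -z "$v" ] && v="$5"
    ok=0
    case "$3" in
        eq) [ "$v" = "$4" ] && ok=1 ;;
        le) case "$v" in *[!0-9]*) ;; *) [ "$v" -le "$4" ] && ok=1 ;; esac ;;
    esac
    if [ "$ok" -eq 1 ]; then echo "OK   $2 = $v"; else echo "FAIL $2 = $v (want $3 $4)"; fi
}

# One line per check; every FAIL line is a setting to change before exposing sshd.
audit_sshd_config() {
    check "$1" PermitRootLogin        eq no  yes   # log in as a user, then su - or sudo
    check "$1" PasswordAuthentication eq no  yes   # keys only
    check "$1" MaxAuthTries           le 3   6     # disconnect after a few attempts
    check "$1" LoginGraceTime         le 30  120   # seconds to authenticate before drop
    if [ -n "$(cfg_value "$1" AllowUsers)" ]; then
        echo "OK   AllowUsers set"
    else
        echo "FAIL AllowUsers not set (want an explicit list of login users)"
    fi
}

# Number of FAIL lines; 0 means the file satisfies every check above.
audit_fail_count() {
    audit_sshd_config "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'
}

# TCP wrapper rules for the "allow only your IP" advice (constructed addresses).
tcp_wrapper_rules() {
    cat <<'EOF'
# /etc/hosts.allow
sshd: 203.0.113.10 192.0.2.0/255.255.255.0
# /etc/hosts.deny
sshd: ALL
EOF
}

# Constructed sample configs: a stock-looking one and a hardened one.
WEAK_CFG=$(mktemp); HARDENED_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# everything left at defaults; commented lines do not count (constructed)
Port 22
Protocol 2
#PermitRootLogin yes
EOF
cat > "$HARDENED_CFG" <<'EOF'
# hardened (constructed)
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
AllowUsers admin
EOF

echo "--- weak config ---";     audit_sshd_config "$WEAK_CFG"       # 5 FAIL lines
echo "--- hardened config ---"; audit_sshd_config "$HARDENED_CFG"   # 0 FAIL lines
echo "--- tcp wrappers ---";    tcp_wrapper_rules
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config`, and keep a second session open while restarting sshd so a typo in the new config cannot lock you out. On a host whose SSH daemon may already have been tampered with, as post #5 points out, these settings limit future exposure but do not substitute for a rebuild.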

  5. #5
    Join Date: Mar 2009 | Posts: 3,816
    They potentially already have ssh access on an old version of CentOS that may or may not have local root exploits, and you're not planning on an OS reload?

  6. #6
    Join Date: May 2009 | Location: /dev/null | Posts: 171
    Quote Originally Posted by hanime:
    My CentOS 4.3 (yes, it's old) dedicated server seems to always halt and become inaccessible at around 10PM-Midnight every day. I checked my netstat and found the following:

    Code:
    tcp 0 560 ns2.1337gamer.net:ssh 173-26-2030.client.m:55189 ESTABLISHED
    It seems they have SSH access? What can I do to trace this hacker or stop them? Thank you in advance.
    The rDNS entry is partial. Just out of curiosity, could you get the full rDNS entry for that IP? I can then check something for you.

  7. #7
    Join Date: Mar 2009 | Posts: 3,816
    Quote Originally Posted by GameFrame:
    The rDNS entry is partial. Just out of curiosity, could you get the full rDNS entry for that IP? I can then check something for you.
    my guess would be 173-26-20something.client.mchsi.com

  8. #8
    Join Date: May 2009 | Location: /dev/null | Posts: 171
    Quote Originally Posted by quantumphysics:
    my guess would be 173-26-20something.client.mchsi.com
    Need full, otherwise it's a guessing game.

  9. #9
    Thank you everyone for your suggestions. The first thing I did was change my root password and disable FTP and SSHD. I will try to create users and su to root, and some of the other suggestions. I already have a new server up, ready to migrate everything over.

    Attached is an updated netstat log.
    Last edited by hanime; 05-05-2011 at 05:42 PM.

  10. #10
    Join Date: Nov 2009 | Location: /etc/my.cnf | Posts: 10,657
    Quote Originally Posted by hanime:
    My CentOS 4.3 (yes, it's old) dedicated server seems to always halt and become inaccessible at around 10PM-Midnight every day. I checked my netstat and found the following:

    Code:
    tcp 0 560 ns2.1337gamer.net:ssh 173-26-2030.client.m:55189 ESTABLISHED
    It seems they have SSH access? What can I do to trace this hacker or stop them? Thank you in advance.
    I think it's time you got Steven from Rack911 on the job.
