
05-05-2011, 05:14 AM
Newbie
Join Date: May 2011
Posts: 9
I believe my server has been hacked. Advice needed!
My CentOS 4.3 (yes, it's old) dedicated server seems to always halt and become inaccessible at around 10PM-Midnight every day. I checked my netstat and found the following:
Code:
tcp 0 560 ns2.1337gamer.net:ssh 173-26-2030.client.m:55189 ESTABLISHED
It seems they have SSH access? What can I do to trace this hacker or stop them? Thank you in advance.
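The netstat line in the post is the right place to start, but plain `netstat` truncates hostnames (which is why the remote name is cut off) and a single line is hard to judge by eye. The script below is an added example, not something from the thread or any poster: it reads `netstat -tn` output (numeric, so nothing is truncated), pulls out every ESTABLISHED session on the SSH port, and flags any remote address that is not on an allowlist of addresses you expect to be logged in from. The netstat sample and the addresses in it are constructed; `ssh_remote_ips` and `flag_unexpected` are names chosen here.

```shell
#!/bin/sh
# Added example, not from the thread: pick out established inbound SSH
# sessions from numeric netstat output and flag remote addresses that are
# not on an allowlist. Hostnames in plain `netstat` output are truncated
# (as in the post), so feed it `netstat -tn`. Sample output is constructed.

# Print the remote IP of every ESTABLISHED connection whose local port is 22.
# Reads netstat -tn text on stdin. The remote address is everything before
# the last colon, which also works for IPv6 and IPv4-mapped forms.
ssh_remote_ips() {
    awk '($1 == "tcp" || $1 == "tcp6") && $NF == "ESTABLISHED" {
        n = split($4, l, ":")
        m = split($5, r, ":")
        rip = substr($5, 1, length($5) - length(r[m]) - 1)
        if (l[n] == "22") print rip
    }'
}

# Read IPs on stdin; report any not in the space-separated allowlist $1.
# Returns 1 if at least one unexpected session was found.
flag_unexpected() {
    allow="$1"; status=0
    while read -r ip; do
        case " $allow " in
            *" $ip "*) ;;
            *) echo "UNEXPECTED ssh session from $ip"; status=1 ;;
        esac
    done
    return $status
}

# Constructed netstat -tn sample: two inbound SSH sessions, one web
# connection in TIME_WAIT and one outbound DNS lookup.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0    560 192.0.2.10:22           198.51.100.7:55189      ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.40:51022      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.9:44110      TIME_WAIT
tcp        0      0 192.0.2.10:40012        192.0.2.53:53           ESTABLISHED'

# Demo on the sample (203.0.113.40 stands in for the admin's own address):
#   sh ssh_sessions.sh --demo
# On a live host: netstat -tn | ssh_remote_ips | flag_unexpected "YOUR.IP"
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | ssh_remote_ips | flag_unexpected "203.0.113.40"
fi
```

Run it on the sample with `--demo` and it reports the 198.51.100.7 session as unexpected while staying quiet about the allowlisted address. Cross-check the flagged address against `last` and `/var/log/secure` for the same time window; an established session with no matching login record is worth more attention than the address alone.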

05-05-2011, 05:49 AM
Web Hosting Master
Join Date: Feb 2004
Location: UK
Posts: 1,429
Firstly,
I'd change your passwords,
then secure it by limiting who can access the server by IP (so only your IP can access it),
then generate a key using PuTTY on your PC and make it so only you have that key to access the server.
Other than that I can't think what else to suggest from the information you have provided.
Thanks
__________________
Relichost Budget Hosting Cpanel-14 Days R1soft-Weekly Monthly Cpanel Backups (off site)
VPS Servers / Dedi's on request.

05-05-2011, 02:58 PM
WHT Addict
Join Date: Dec 2010
Location: Orange County, CA USA
Posts: 115
Quote:
Originally Posted by abtme
then generate a key using PuTTY on your PC and make it so only you have that key to access the server.
So is this only for using PuTTY to access the server, or can the key generated from PuTTY be used by ssh?
Thanks! Jxff

05-05-2011, 03:05 PM
Russ
Join Date: Mar 2002
Location: Philadelphia, PA
Posts: 2,493
Disable SSH for non-root users, create an SSH account that you use to su - or sudo.
Take advantage of hosts.deny/hosts.allow to restrict SSH access to particular hosts and deny all others.
Enable additional SSH restrictions, timeouts, maximum attempts before disconnecting etc.
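The two replies above (abtme's "restrict by IP and use a key" and the list just given: no direct root logins, hosts.allow/hosts.deny, attempt limits and timeouts) amount to a checklist for `sshd_config`. The script below is an added example, not code from the thread or from any poster: it audits a config file for those settings and shows a permissive config beside a hardened one, plus the matching TCP-wrappers rules. Both sample configs are constructed, the admin address 203.0.113.10 is a placeholder, and `sshd_get`, `audit_sshd_config` and `audit_string` are names chosen here.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings
# the replies recommend (no direct root login, key-only auth, an explicit
# user allowlist, an attempt limit, an idle timeout) and show the matching
# TCP-wrappers rules. The config path and the admin IP 203.0.113.10 are
# placeholders; both sample configs are constructed.

# Effective global value of one directive, or "unset". sshd honours the FIRST
# occurrence of a directive, and anything after a "Match" line is conditional,
# so the scan stops there. Directive names are case-insensitive.
sshd_get() {  # $1 = config file, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Print one "WEAK: ..." line per finding; return 1 if anything was found.
audit_sshd_config() {  # $1 = config file
    f="$1"; rc=0
    v=$(sshd_get "$f" PermitRootLogin)
    case "$v" in
        no|prohibit-password|without-password) ;;
        *) echo "WEAK: PermitRootLogin is '$v' (want no; log in as a user, then su - or sudo)"; rc=1 ;;
    esac
    v=$(sshd_get "$f" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "WEAK: PasswordAuthentication is '$v' (want no; use keys)"; rc=1; }
    if [ "$(sshd_get "$f" AllowUsers)" = "unset" ] && [ "$(sshd_get "$f" AllowGroups)" = "unset" ]; then
        echo "WEAK: no AllowUsers/AllowGroups (every local account may log in)"; rc=1
    fi
    v=$(sshd_get "$f" MaxAuthTries)
    case "$v" in
        [1-3]) ;;
        *) echo "WEAK: MaxAuthTries is '$v' (default 6; want 3 or fewer)"; rc=1 ;;
    esac
    v=$(sshd_get "$f" ClientAliveInterval)
    if [ "$v" = "unset" ] || [ "$v" = "0" ]; then
        echo "WEAK: no ClientAliveInterval (idle sessions are never dropped)"; rc=1
    fi
    return $rc
}

# Audit a config held in a string (used by the demo and for testing).
audit_string() {
    t=$(mktemp); printf '%s\n' "$1" > "$t"
    if audit_sshd_config "$t"; then rc=0; else rc=1; fi
    rm -f "$t"; return $rc
}

# Constructed: the permissive settings an old install typically shipped with.
WEAK_CFG='Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes'

# Constructed: the same file hardened along the lines the replies suggest.
HARD_CFG='Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers admin
MaxAuthTries 3
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 2'

# TCP-wrappers companion (sshd on CentOS 4 was built against libwrap):
# hosts.allow is consulted first, then hosts.deny, so this admits only the
# admin's address and refuses everyone else before authentication starts.
HOSTS_ALLOW='sshd: 203.0.113.10'
HOSTS_DENY='sshd: ALL'

# Demo: sh sshd_audit.sh --demo   (live host: audit_sshd_config /etc/ssh/sshd_config)
if [ "${1:-}" = "--demo" ]; then
    echo "== weak config =="; audit_string "$WEAK_CFG" || true
    echo "== hardened config =="; audit_string "$HARD_CFG" && echo "no findings"
    printf '/etc/hosts.allow: %s\n/etc/hosts.deny:  %s\n' "$HOSTS_ALLOW" "$HOSTS_DENY"
fi
```

Keep an existing session open while you apply changes and test a fresh login from a second window before closing it, since a typo in `AllowUsers` or the wrappers rules locks you out of the box you are trying to protect. The wrappers layer is cheap defence in depth, but a firewall rule limiting port 22 to your address does the same job at the network layer and does not depend on sshd being built with libwrap.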

05-05-2011, 03:08 PM
MACBOOKS EVERYWHEREEEEEEEEEEEE
Join Date: Mar 2009
Posts: 3,804
They potentially already have SSH access on an old version of CentOS that may or may not have local root exploits, and you're not planning on an OS reload?
__________________
mirACL: firewalls in software.

05-05-2011, 03:09 PM
WHT Addict
Join Date: May 2009
Location: /dev/null
Posts: 171
Quote:
Originally Posted by hanime
My CentOS 4.3 (yes, it's old) dedicated server seems to always halt and become inaccessible at around 10PM-Midnight every day. I checked my netstat and found the following:
Code:
tcp 0 560 ns2.1337gamer.net:ssh 173-26-2030.client.m:55189 ESTABLISHED
It seems they have SSH access? What can I do to trace this hacker or stop them? Thank you in advance.
The rDNS entry is partial; just due to my curiosity, could you get the full rDNS entry for that IP? I can then check something for you.
__________________
█ NiX API - A powerful Anti-Proxy/Anti-Fraud and IP Reputation Lookup API
█ nixapi.com

05-05-2011, 03:10 PM
MACBOOKS EVERYWHEREEEEEEEEEEEE
Join Date: Mar 2009
Posts: 3,804
Quote:
Originally Posted by GameFrame
The rDNS entry is partial; just due to my curiosity, could you get the full rDNS entry for that IP? I can then check something for you.
My guess would be 173-26-20something.client.mchsi.com
__________________
mirACL: firewalls in software.

05-05-2011, 03:17 PM
WHT Addict
Join Date: May 2009
Location: /dev/null
Posts: 171
Quote:
Originally Posted by quantumphysics
My guess would be 173-26-20something.client.mchsi.com
Need the full entry, otherwise it's a guessing game.
__________________
█ NiX API - A powerful Anti-Proxy/Anti-Fraud and IP Reputation Lookup API
█ nixapi.com

05-05-2011, 05:38 PM
Newbie
Join Date: May 2011
Posts: 9
Thank you everyone for your suggestions. The first thing I did was to change my root password and disable FTP and SSHD. I will try to create users and su to root, and some of the other suggestions. I already have a new server up, ready to migrate everything over.
Attached is an updated netstat log.
Last edited by hanime; 05-05-2011 at 05:42 PM.

05-05-2011, 05:49 PM
MANAGEMENT KING!
Join Date: Nov 2009
Posts: 8,109
Quote:
Originally Posted by hanime
My CentOS 4.3 (yes, it's old) dedicated server seems to always halt and become inaccessible at around 10PM-Midnight every day. I checked my netstat and found the following:
Code:
tcp 0 560 ns2.1337gamer.net:ssh 173-26-2030.client.m:55189 ESTABLISHED
It seems they have SSH access? What can I do to trace this hacker or stop them? Thank you in advance.
I think it's time you got Steven from Rack911 on the job.
__________________
█ LeapHost.Net Litespeed Shared/Reseller Hosting & Proactive Server Management.
█ Quality cPanel | DirectAdmin | Webmin | SolusVM | Fast Helpdesk Management.
█ Server Setups | Stable Migrations | Security/Hardening | cPanel DNS Cluster Setups.
█ 24/7 Ticket Support | 15 Minute Average Response Times | Visit Our Special Offers -