I believe my server has been hacked. Advice needed!

  #1  
Old 05-05-2011, 05:14 AM
hanime hanime is offline
Newbie
 
Join Date: May 2011
Posts: 9


My CentOS 4.3 (yes it's old) dedicated server seems to always halt and become inaccessible at around 10PM-Midnight every day. I checked my netstat and found the following:

Code:
tcp 0 560 ns2.1337gamer.net:ssh 173-26-2030.client.m:55189 ESTABLISHED
It seems they have SSH access? What can I do to trace this hacker or stop them? Thank you in advance.

Reply With Quote


  #2  
Old 05-05-2011, 05:49 AM
relichost relichost is offline
Temporarily Suspended
 
Join Date: Feb 2004
Location: UK
Posts: 1,429
Firstly

I'd change your passwords,

Then secure it by limiting who can access the server by IP (so only your IP can access it)

then generate a Key using putty on your PC and make it so only you have that key to access the server.

Other than that I can't think what else to suggest from the information you have provided.

Thanks

Reply With Quote
  #3  
Old 05-05-2011, 02:58 PM
ezyvps ezyvps is offline
WHT Addict
 
Join Date: Dec 2010
Location: Orange County, CA USA
Posts: 128
Quote:
Originally Posted by abtme View Post
then generate a Key using putty on your PC and make it so only you have that key to access the server.
So is this only for using putty to access the server, or can the key generated from putty be used by ssh?

Thanks! Jxff

Reply With Quote
  #4  
Old 05-05-2011, 03:05 PM
viGeek viGeek is offline
Russ
 
Join Date: Mar 2002
Location: Philadelphia, PA
Posts: 2,508
Disable SSH for non-root users, create an SSH account that you use to su - or sudo.

Take advantage of hosts.deny/hosts.allow to restrict SSH access to particular hosts and deny all others.

Enable additional SSH restrictions, timeouts, maximum attempts before disconnecting etc.

__________________
Linux junkie | steward.io

Reply With Quote
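The SSH restrictions suggested in posts #2 and #4 (key-only login, su or sudo from an ordinary account, timeouts, attempt limits) can be checked against a server's sshd_config. The following is an added example, not code from any poster; the target values, the function names and the reading that root should not log in directly are assumptions of the example.

```python
import re

UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def seconds(value):
    """Convert an sshd time value such as 30, 90s or 1h30m to seconds."""
    parts = re.findall(r"(\d+)([smhdw]?)", value.lower())
    return sum(int(n) * UNITS[u] for n, u in parts)

# Targets assumed for this example (not values given in the thread).
CHECKS = {
    "permitrootlogin": lambda v: v.lower() == "no",
    "passwordauthentication": lambda v: v.lower() == "no",
    "maxauthtries": lambda v: v.isdigit() and int(v) <= 3,
    "logingracetime": lambda v: 0 < seconds(v) <= 60,
}

def effective_settings(config_text):
    """Global settings: keywords are case-insensitive, the first occurrence
    wins, and everything after a Match line is conditional, so stop there."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        seen.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return seen

def audit(config_text):
    """Return {keyword: 'ok' | 'weak (value)' | 'unset'} for each check."""
    seen = effective_settings(config_text)
    return {k: "unset" if k not in seen
            else "ok" if good(seen[k]) else f"weak ({seen[k]})"
            for k, good in CHECKS.items()}

# Constructed sample: the second MaxAuthTries is ignored because the first wins.
SAMPLE = """\
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
MaxAuthTries 6
MaxAuthTries 3
LoginGraceTime 2m
"""
```

A keyword reported as `unset` falls back to the default of the installed OpenSSH version, so check that default before treating the setting as safe.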
  #5  
Old 05-05-2011, 03:08 PM
quantumphysics quantumphysics is offline
MACBOOKS EVERYWHEREEEEEEEEEEEE
 
Join Date: Mar 2009
Posts: 3,803
They potentially already have ssh access on an old version of centos that may or may not have local root exploits and you're not planning on an OS reload?

__________________
mirACL: firewalls in software.

Reply With Quote
  #6  
Old 05-05-2011, 03:09 PM
GameFrame GameFrame is offline
WHT Addict
 
Join Date: May 2009
Location: /dev/null
Posts: 171
Quote:
Originally Posted by hanime View Post
My CentOS 4.3 (yes it's old) dedicated server seems to always halt and become inaccessible at around 10PM-Midnight every day. I checked my netstat and found the following:

Code:
tcp 0 560 ns2.1337gamer.net:ssh 173-26-2030.client.m:55189 ESTABLISHED
It seems they have SSH access? What can I do to trace this hacker or stop them? Thank you in advance.
The rDNS entry is partial. Just due to my curiosity, could you get the full rDNS entry for that IP? I can then check something for you.

__________________
NiX API - A powerful Anti-Proxy/Anti-Fraud and IP Reputation Lookup API
nixapi.com

Reply With Quote
  #7  
Old 05-05-2011, 03:10 PM
quantumphysics quantumphysics is offline
MACBOOKS EVERYWHEREEEEEEEEEEEE
 
Join Date: Mar 2009
Posts: 3,803
Quote:
Originally Posted by GameFrame View Post
The rDNS entry is partial. Just due to my curiosity, could you get the full rDNS entry for that IP? I can then check something for you.
my guess would be 173-26-20something.client.mchsi.com

__________________
mirACL: firewalls in software.

Reply With Quote
  #8  
Old 05-05-2011, 03:17 PM
GameFrame GameFrame is offline
WHT Addict
 
Join Date: May 2009
Location: /dev/null
Posts: 171
Quote:
Originally Posted by quantumphysics View Post
my guess would be 173-26-20something.client.mchsi.com
Need full, otherwise it's a guessing game.

__________________
NiX API - A powerful Anti-Proxy/Anti-Fraud and IP Reputation Lookup API
nixapi.com

Reply With Quote
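The partial peer name discussed in posts #6 to #8 appears because netstat resolves addresses to names and abbreviates them to fit the column; `netstat -tn` prints the numeric peer instead. The following is an added example (not code from the thread) that flags established SSH sessions whose peer is outside an allowlist; the sample output is constructed with documentation-range addresses, and the function names and allowlist are assumptions.

```python
import ipaddress

UNRESOLVED = "hostname shown, rerun netstat with -n"
OUTSIDE = "outside allowlist"

# Constructed sample of `netstat -tn` output; all addresses are documentation ranges.
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0    560 192.0.2.10:22           198.51.100.77:55189     ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.5:40112       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.9:51000      TIME_WAIT
tcp        0      0 192.0.2.10:22           host-77.client.ex:4022  ESTABLISHED
tcp        0      0 ::ffff:192.0.2.10:22    ::ffff:198.51.100.8:6001 ESTABLISHED
"""

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so IPv6-style addresses survive."""
    host, _, port = endpoint.rpartition(":")
    return host, port

def unexpected_ssh_peers(netstat_text, allowed_nets, ssh_port="22"):
    """Return (peer, reason) for each ESTABLISHED session to the local SSH
    port whose remote end is not inside allowed_nets."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "ESTABLISHED":
            continue
        _, local_port = split_endpoint(f[3])
        peer, _ = split_endpoint(f[4])
        if local_port not in (ssh_port, "ssh"):  # "ssh" appears without -n
            continue
        try:
            ip = ipaddress.ip_address(peer)
        except ValueError:
            # A (possibly truncated) name cannot be matched against networks.
            findings.append((peer, UNRESOLVED))
            continue
        # sshd bound to :: reports IPv4 clients as ::ffff:a.b.c.d
        ip = getattr(ip, "ipv4_mapped", None) or ip
        if not any(ip in net for net in nets):
            findings.append((str(ip), OUTSIDE))
    return findings
```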
  #9  
Old 05-05-2011, 05:38 PM
hanime hanime is offline
Newbie
 
Join Date: May 2011
Posts: 9
Thank you everyone for your suggestions. The first thing I did was change my root password and disable FTP and SSHD. I will try to create users and su to root, and some of the suggestions. I already have a new server up ready to migrate everything over.

Attached is an updated netstat log.
Attached Files
File Type: txt log.txt (14.1 KB, 76 views)


Last edited by hanime; 05-05-2011 at 05:42 PM.
Reply With Quote
  #10  
Old 05-05-2011, 05:49 PM
cd/home cd/home is offline
Web Hosting Master
 
Join Date: Nov 2009
Location: /etc/my.cnf
Posts: 9,238
Quote:
Originally Posted by hanime View Post
My CentOS 4.3 (yes it's old) dedicated server seems to always halt and become inaccessible at around 10PM-Midnight every day. I checked my netstat and found the following:

Code:
tcp 0 560 ns2.1337gamer.net:ssh 173-26-2030.client.m:55189 ESTABLISHED
It seems they have SSH access? What can I do to trace this hacker or stop them? Thank you in advance.
I think it's time you got steven from rack911 on the job

__________________
LeapHost Solid High Performance Litespeed + Varnish + RAMDisk + MariaDB Hosting.
Managed Colocation | Uptime Monitoring | Backups | Proactive Server Management.
Server Setups | Stable Migrations | Security/Hardening | cPanel DNS Cluster Setups.
24/7 Ticket + Phone + Live Chat Support | Fancy An Offer > | Visit Our Special Offers


Reply With Quote