  1. #1

    I believe my server has been hacked. Advice needed!

    My CentOS 4.3 (yes it's old) dedicated server seems to always halt and become inaccessible at around 10PM-Midnight every day. I checked my netstat and found the following:

    Code:
    tcp 0 560 ns2.1337gamer.net:ssh 173-26-2030.client.m:55189 ESTABLISHED
    It seems they have SSH access? What can I do to trace this hacker or stop them? Thank you in advance.
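    Added example, not posted by anyone in this thread: a small triage script that parses netstat output of the form quoted above and reports ESTABLISHED sessions on the ssh port whose peer is not on an allowlist. The sample output, the admin-box.example.net peer and the 203.0.113.7 address are constructed; only the first connection line is the one from the post.

```python
import re
from dataclasses import dataclass

# Constructed `netstat -t` sample in hostname form: line 1 is the one quoted in the thread, the rest are made up.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0    560 ns2.1337gamer.net:ssh   173-26-2030.client.m:55189 ESTABLISHED
tcp        0      0 ns2.1337gamer.net:ssh   admin-box.example.net:50122 ESTABLISHED
tcp        0      0 ns2.1337gamer.net:http  203.0.113.7:41000       TIME_WAIT
"""

# proto, recv-q, send-q, local, foreign, optional state (udp lines carry none)
LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s*(\S*)$")

@dataclass
class Conn:
    proto: str
    recv_q: int
    send_q: int
    local: str
    remote: str
    state: str

def split_endpoint(endpoint):
    """'host:port' -> (host, port); rpartition keeps IPv6 hosts containing ':' intact."""
    host, _, port = endpoint.rpartition(":")
    return host, port

def parse_netstat(text):
    """Parse netstat connection lines, skipping headers and anything unparseable."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proto, rq, sq, local, remote, state = m.groups()
            conns.append(Conn(proto, int(rq), int(sq), local, remote, state))
    return conns

def unexpected_ssh_sessions(conns, allowed_peers):
    """ESTABLISHED sessions on the local ssh port whose peer is not allowlisted.
    netstat truncates long reverse-DNS names (as in the post), so a truncated name
    never matches and is reported; allowlist numeric addresses from `netstat -tn`."""
    hits = []
    for c in conns:
        _, local_port = split_endpoint(c.local)
        peer_host, _ = split_endpoint(c.remote)
        if c.state == "ESTABLISHED" and local_port in ("ssh", "22"):
            if peer_host not in allowed_peers:
                hits.append(c)
    return hits
```

    Feed it the output of `netstat -tn` on the box (numeric addresses avoid the truncated rDNS names discussed later in the thread) and treat every hit as a session to investigate with `last`, `w` and the auth logs.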

  2. #2
    Firstly

    I'd change your passwords.

    Then secure it by limiting who can access the server by IP (so only your IP can access it).

    Then generate a key using PuTTY on your PC and make it so only you have that key to access the server.

    Other than that I can't think what else to suggest from the information you have provided.

    Thanks

  3. #3
    Quote Originally Posted by abtme View Post
    then generate a Key using putty on your PC and make it so only you have that key to access the server.
    So is this only for using PuTTY to access the server, or can the key generated by PuTTY be used by ssh?

    Thanks! Jxff

  4. #4
    Disable SSH for non-root users, create an SSH account that you use to su - or sudo.

    Take advantage of hosts.deny/hosts.allow to restrict SSH access to particular hosts and deny all others.

    Enable additional SSH restrictions, timeouts, maximum attempts before disconnecting etc.

  5. #5
    They potentially already have ssh access on an old version of CentOS that may or may not have local root exploits, and you're not planning on an OS reload?

  6. #6
    Quote Originally Posted by hanime View Post
    My CentOS 4.3 (yes it's old) dedicated server seems to always halt and become inaccessible at around 10PM-Midnight every day. I checked my netstat and found the following:

    Code:
    tcp 0 560 ns2.1337gamer.net:ssh 173-26-2030.client.m:55189 ESTABLISHED
    It seems they have SSH access? What can I do to trace this hacker or stop them? Thank you in advance.
    The rDNS entry is partial; just out of curiosity, could you get the full rDNS entry for that IP? I can then check something for you.

  7. #7
    Quote Originally Posted by GameFrame View Post
    The rDNS entry is partial; just out of curiosity, could you get the full rDNS entry for that IP? I can then check something for you.
    my guess would be 173-26-20something.client.mchsi.com

  8. #8
    Quote Originally Posted by quantumphysics View Post
    my guess would be 173-26-20something.client.mchsi.com
    Need full, otherwise it's a guessing game.

  9. #9
    Thank you everyone for your suggestions. The first thing I did was to change my root password and disable FTP and SSHD. I will try to create users and su to root, and some of the other suggestions. I already have a new server up ready to migrate everything over.

    Attached is an updated netstat log.
    Last edited by hanime; 05-05-2011 at 05:42 PM.

  10. #10
    Quote Originally Posted by hanime View Post
    My CentOS 4.3 (yes it's old) dedicated server seems to always halt and become inaccessible at around 10PM-Midnight every day. I checked my netstat and found the following:

    Code:
    tcp 0 560 ns2.1337gamer.net:ssh 173-26-2030.client.m:55189 ESTABLISHED
    It seems they have SSH access? What can I do to trace this hacker or stop them? Thank you in advance.
    I think it's time you got Steven from Rack911 on the job.
