  1. #1

    Hacker logged in via SSH - Need security audit or similar.

    Hi, we have a small company with some FreeBSD boxes running Apache 1.3.

    Lately we have been targeted by many crackers/script kiddies and professional people. And we have removed several .php files from our servers that were deployed by them, and they contained scripts for searching and maybe dumping our MySQL DB. Last time when we found files like these we searched the logs and saw a Russian IP that was logging in with my account name via SSH! So now my host has turned off all access to the server and we're trying to figure out what is going on. The SSH password was very strong, so the theory is that the evil person got it from my local PC or something like that. But I have scanned my PC for spyware and I think it's unlikely they got it that way, because if they did they would have ALL passwords, and we have only seen this IP on 1 of the boxes.

    How do we proceed from here? I do not expect my host to really be able to fix this, and I would like someone to try and see if they can find the weak points.
    But if we hired a security company, would we be able to trust them?

    And can you tell me if there's any way that it's possible to gather the SSH passwords from a server like mine with bad security, or can we conclude that they got it from my email account or something like that? I hope not!

    Thank you.

    The SSH password was as strong as this: "5W)rjKQ;V$hxEvz,A?" but it was also used for FTP access, and I think it was also used for checking the mail account on the server via Outlook.
    Last edited by user_nick; 11-14-2006 at 06:35 AM.

  2. #2
    Can anyone help me please?

  3. #3
    Quote Originally Posted by user_nick
    The SSH password was as strong as this: "5W)rjKQ;V$hxEvz,A?" but it was also used for FTP access, and I think it was also used for checking the mail account on the server via Outlook.
    Bad idea right there. FTP and mail access is usually not encrypted over the wire, so someone could sniff it off the network.

    Although I've never had to deal with them, http://www.rack911.com/ seem to get good reviews around here. You might want to try them.

  4. #4
    Thank you for the feedback.

    If not using the same password for FTP, mail and SSH, then what should we do? This is the setup our host has defined from the beginning. Is there a secure alternative to FTP? And when we check mail via Outlook, should we just assume that someone is reading it while we're downloading it, because it's possible?

    Thank you.

  5. #5
    I second ConorP's suggestion. Contact rack911.com. They can help secure your server and also assist you with correcting the passwords. I have used them in the past when a server was compromised and they did a great job.

  6. #6
    Restrict shell access to your chosen IPs, and use SFTP for file transfer. You won't have these problems if implemented.

  7. #7
    Quote Originally Posted by beet
    Restrict shell access to your chosen IPs, and use SFTP for file transfer. You won't have these problems if implemented.
    You may also want to check for RSA keys for ssh.

  8. #8
    Thank you everyone for the tips! PersonalJihad, can you explain the above in more detail?

  9. #9
    Did you disable direct root login? Without that, it's likely password guessing only.

  10. #10
    Some old versions of sshd have root exploits that mean you can obtain root without logging in. Once a machine is rooted you can install a rootkit which is undetectable, so hackers can log in without needing the root password. You should probably get expert help. The machine will need to be reformatted (after taking backups of your data) in any case, as you can't trust it...

  11. #11
    Do you have any tips on how to check if we are running an old version of sshd? We are on a cPanel server, running CentOS 4.4.

    Thanks
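An added example, not code from anyone in this thread, that puts the advice in replies #6, #7 and #9 into a checkable form: it audits an sshd_config for direct root login, password logins, a missing AllowUsers restriction and SSH-1, and lists the keys in each user's authorized_keys; the closing comment covers the version question in #11. The sample configs, key files and the address 203.0.113.5 are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from any poster): audit sshd_config for the settings the replies
# recommend (no direct root login, keys instead of passwords, shell access limited to
# chosen users/IPs, no SSH-1) and list authorized_keys entries. Demo data is constructed.

# Effective value of an sshd_config keyword: sshd honours the first uncommented match.
sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Print each weak setting; the exit status is the number of weak settings found.
audit_sshd_config() {
    cfg=$1; weak=0
    root=$(sshd_option "$cfg" PermitRootLogin)
    [ "${root:-yes}" = no ] ||
        { echo "WEAK: PermitRootLogin=${root:-yes (default)}; set it to 'no'"; weak=$((weak + 1)); }
    pw=$(sshd_option "$cfg" PasswordAuthentication)
    [ "${pw:-yes}" = no ] ||
        { echo "WEAK: PasswordAuthentication=${pw:-yes (default)}; use keys, set 'no'"; weak=$((weak + 1)); }
    [ -n "$(sshd_option "$cfg" AllowUsers)" ] ||
        { echo "WEAK: no AllowUsers line; e.g. 'AllowUsers admin@203.0.113.5'"; weak=$((weak + 1)); }
    case "$(sshd_option "$cfg" Protocol)" in
        *1*) echo "WEAK: Protocol permits SSH-1; set 'Protocol 2'"; weak=$((weak + 1)) ;;
    esac
    return "$weak"
}

# Print "file: keytype comment" for every key under a home-directory root, so a key
# nobody recognises stands out (the comment is usually user@host of the key's owner).
list_authorized_keys() {
    for f in "$1"/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        awk -v f="$f" 'NF && $1 !~ /^#/ { print f ": " $1 " " $NF }' "$f"
    done
}

# --- constructed demo input ---
DEMO=$(mktemp -d)
WEAK_CFG=$DEMO/weak_sshd_config    # stock-looking config: root and password logins allowed
printf 'PermitRootLogin yes\n#PasswordAuthentication no\nProtocol 2,1\n' > "$WEAK_CFG"
GOOD_CFG=$DEMO/good_sshd_config    # hardened along the lines of the replies
printf 'Protocol 2\nPermitRootLogin no\nPasswordAuthentication no\nAllowUsers admin@203.0.113.5\n' > "$GOOD_CFG"
mkdir -p "$DEMO/home/admin/.ssh"
printf '# laptop key\nssh-rsa AAAAB3NzaC1yc2E_CONSTRUCTED admin@laptop\nssh-rsa AAAAB3_CONSTRUCTED2 unknown@example.net\n' \
    > "$DEMO/home/admin/.ssh/authorized_keys"
audit_sshd_config "$WEAK_CFG" || echo "weak config: $? weak setting(s)"
audit_sshd_config "$GOOD_CFG" && echo "good config: nothing flagged"
list_authorized_keys "$DEMO/home"
# On the real box: audit_sshd_config /etc/ssh/sshd_config; list_authorized_keys /home
# Installed sshd version on CentOS: rpm -q openssh-server (compare with vendor advisories)
```

The demo's weak config is flagged four times; the hardened one passes, and the key listing shows the second, unrecognised key that the admin should remove.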
