Hacker logged in via SSH - Need security audit or similar.
Hi, we have a small company with some FreeBSD boxes running Apache 1.3.
Lately we have been targeted by many crackers/script kiddies and professional people. We have removed several .php files from our servers that were deployed by them, and they contained scripts for searching and maybe dumping our MySQL DB. The last time we found files like these we searched the logs and saw a Russian IP that was logging in with my account name via SSH! So now my host has turned off all access to the server and we're trying to figure out what is going on. The SSH password was very strong, so the theory is that the evil person got it from my local PC or something like that. But I have scanned my PC for spyware and I think it's unlikely they got it that way, because if they did they would have ALL passwords, and we have only seen this IP on 1 of the boxes.
How do we proceed from here? I do not expect my host to really be able to fix this, and I would like someone to try and see if they can find the weak points.
But if we hired a security company, would we be able to trust them?
And can you tell me if there's any way that it's possible to gather the SSH passwords from a server like mine with bad security, or can we conclude that they got it from my email account or something like that? I hope not!
The SSH password was as strong as this: "5W)rjKQ;V$hxEvz,A?" but it was also used for FTP access, and I think it was also used for checking the mail account on the server via Outlook.
If we should not use the same password for FTP, mail and SSH, then what should we do? This is the setup our host has defined from the beginning. Is there a secure alternative to FTP? And when we check mail via Outlook, should we just assume that someone is reading it while we're downloading it, because it's possible?
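Why the shared password matters, as an added example that is not part of the original thread: FTP and plain POP3 send the USER and PASS commands in cleartext, so anyone who can capture traffic between the office and the server reads the same password that opens the SSH account, while an SSH session encrypts its authentication so a capture yields nothing. The script below is constructed for this page, not taken from the poster or the host: the captured session bytes and the account name `bob` are made up, and the password is the one quoted above.

```python
"""
Added example: extract cleartext credentials from captured FTP / POP3
client-to-server payloads and report which protocols expose a password
that is also used for SSH. Captures and account name are constructed.
"""
import re
from dataclasses import dataclass

# Constructed captured TCP payloads (client -> server direction).
# Real sniffers reassemble these from packets; the content is what matters.
FTP_SESSION = b"USER bob\r\nPASS 5W)rjKQ;V$hxEvz,A?\r\nPWD\r\nLIST\r\nQUIT\r\n"
POP3_SESSION = b"USER bob\r\nPASS 5W)rjKQ;V$hxEvz,A?\r\nSTAT\r\nRETR 1\r\nQUIT\r\n"
# An SSH session: only the version banner is plaintext; everything after the
# key exchange (including password authentication) is encrypted, so a sniffer
# sees opaque bytes. The opaque part is constructed filler here.
SSH_SESSION = b"SSH-2.0-OpenSSH_4.2\r\n" + bytes(range(256))

CAPTURES = [("ftp", FTP_SESSION), ("pop3", POP3_SESSION), ("ssh", SSH_SESSION)]


@dataclass(frozen=True)
class Credential:
    protocol: str
    username: str
    password: str


# Both FTP (RFC 959) and POP3 (RFC 1939) use literal USER/PASS lines.
_USER = re.compile(rb"^USER (\S+)\s*$")
_PASS = re.compile(rb"^PASS (.+?)\s*$")


def extract_credentials(protocol, payload):
    """Return every USER/PASS pair visible in a cleartext command stream.

    A PASS without a preceding USER is ignored; a USER followed by another
    USER simply restarts the pairing, as the servers themselves treat it.
    """
    creds = []
    pending_user = None
    for line in payload.split(b"\r\n"):
        m = _USER.match(line)
        if m:
            pending_user = m.group(1).decode("latin-1")
            continue
        m = _PASS.match(line)
        if m and pending_user is not None:
            creds.append(Credential(protocol, pending_user,
                                    m.group(1).decode("latin-1")))
            pending_user = None
    return creds


def protocols_leaking(captures, ssh_user, ssh_password):
    """Names of captured protocols in which the SSH credential appeared in clear.

    If this list is non-empty, the SSH account is exposed to anyone who could
    observe the network path, regardless of how strong the password is.
    """
    leaking = set()
    for protocol, payload in captures:
        for cred in extract_credentials(protocol, payload):
            if (cred.username, cred.password) == (ssh_user, ssh_password):
                leaking.add(protocol)
    return sorted(leaking)


if __name__ == "__main__":
    for protocol, payload in CAPTURES:
        print(protocol, extract_credentials(protocol, payload))
    print("SSH password seen in clear via:",
          protocols_leaking(CAPTURES, "bob", "5W)rjKQ;V$hxEvz,A?"))
```

The consequence for the questions above is that the password strength never came into play if it travelled over FTP or unencrypted POP3; the fix is to stop the reuse and to move file transfer and mail onto encrypted channels, which is what an audit should verify first.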
I second ConorP's suggestion. Contact rack911.com. They can help secure your server and also assist you with correcting the passwords. I have used them in the past when a server was compromised, and they did a great job.
Some old versions of sshd have root exploits that mean you can obtain root without logging in. Once a machine is rooted you can install a rootkit which is undetectable, so hackers can log in without needing the root password. You should probably get expert help. The machine will need to be reformatted (after taking backups of your data) in any case, as you can't trust it...