Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : Hacker logged in via SSH - Need security audit or similar.

[user_nick]

Hi we have a small company with some freebsd boxed running apache 1.3.

Lately we have been targeted by many crackers/script kiddies and proff people. And we have removed several .php files from our servers that were deployed by them and they contained scripts for searching and maybe dumping our mysql db. Last time when we files like these we searched the logs and saw a russian IP who was loggin in with my account name via SSH! So now my host has turned off all access to the server and we're trying to figure out what is going on, the SSH password was very strong so the theory is that the evil person got it from my local PC or something like that. But I have scanned my PC for spyware and i think it's unlikely they got it that way because if they did they would have ALL passwords and we have only seen this IP on 1 of the boxes.

How do we proceed from here? I do not expect my host to really be able to fix this and i would like someone to try and see if they can find the weak points.
But if we hired a security company, would we be able to trust them??

And Can you tell me if there's any way that it's possible to gather the SSh passwords from a server like mine with bad security or can we conclude that they got it from my email account or something like that - I hope not!

thank you.

the SSH password was as strong as this: "5W)rjKQ;V$hxEvz,A?" but it was also used for FTP access and I think it was also used for checking the mail account on the server, via outlook.

[user_nick]

Can anyone help me please?

[ConorP]

Quote:

Originally Posted by user_nick

the SSH password was as strong as this: "5W)rjKQ;V$hxEvz,A?" but it was also used for FTP access and I think it was also used for checking the mail account on the server, via outlook.

Bad idea right there. FTP and Mail access is ususally not encrypted over the wire so someone could sniff it off the network.

Although I've never had to deal with them http://www.rack911.com/ seem to get good reviews around here. You might want to try them.

[user_nick]

thank you for the feedback.

if not using the same pass for FTP mail and SSH, then what should we do? This is the setup our host has defined from the beginning. Is there a secure alternative to FTP? And when we check mail via outlook, should we just assume that someone is reading it while we're downloading it because it's possible?

thank you.

[Dacsoft]

I second ConorP 's suggestion. Contact rack911.com. They can help secure your server and also assist you with correcting the passwords. I have used them in the past when a server was compromised and they did a great job.

[beet]

restrict shell access to your chosen IPs, and use SFTP for file transfer. You won't have these problems if implemented.

[PersonalJ]

Quote:

Originally Posted by beet

restrict shell access to your chosen IPs, and use SFTP for file transfer. You won't have these problems if implemented.

You may also want to check for RSA keys for ssh.

[user_nick]

Thank you everyone for the tips! PersonalJihad can you explain the above in more detail?

[TRIBOLIS]

Did you disable direct root login? Without that, its likely to guess password only.

[doc_flabby]

some old versions of sshd have root exploits that mean you can obtain root without loggin in. once a machine is rooted you can install a rootkit which is undetectable so hackers can login without needin the root password. You should probabbly get expert help. The machine will need to be reformated (after taking backups of your data) in any case as you cant trust it...

[bloodyman]

Do you have any tips how to check if we are running old version of sshd? We are on cpanel server, running CentOS 4.4.

Thanks