  1. #1
    Join Date
    Jan 2006
    Location
    Toronto, Canada
    Posts
    269

    server has been hacked

    My server OS: CentOS.
    Someone had SSH access to the server, and they cleared all the logs, so I don't know what they have done to the server.
    No idea how they did it; the password is pretty complicated.

    Anyway, what should I do to make sure the server is still healthy?

  2. #2
    Join Date
    Oct 2008
    Posts
    2,249
    Wait, so what have you noticed happen? If it's just the logs, are you sure something else did not erase them?
    Leader of the new anti sig spamming club.

  3. #3
    Join Date
    Jan 2006
    Location
    Toronto, Canada
    Posts
    269
    When I log in to my server, it said "Last login: Fri Jul 24 08:20:48 2009 from ..."
    and I checked the IP; it is from Algeria?
    Then I realized the server has been hacked, then I checked the logs; they've all been erased.

  4. #4
    Join Date
    Jun 2006
    Location
    NYC
    Posts
    1,446
    If you're certain the box has been compromised, reload it. Unless you had something like Tripwire running already, you're unlikely to ever know what the person has done.
    FiberPeer.Com | | REAL DDoS Protection | Cloud Hosting | VPS | Dedicated Servers | High Bandwidth Hosting | 1Gbps-10Gbps Unmetered
    FiberPeer DDoS Mitigation | ethProxy Upgraded! | 14-Years Experience | Emergency 24/7 Support
    Visit us @ www.fiberpeer.com

  5. #5
    Join Date
    Dec 2002
    Posts
    53
    Unfortunately, you will need to wipe the hard drive and do a fresh OS install.

    Hackers these days are clever enough to leave behind backdoors on a reloaded OS, and a full wipe is necessary to start fresh.

    If you had SSH with a strong password, then there had to be another way for the hacker to break in, and unless you patch that hole, they could do it again.

    Did you have a firewall like CSF or APF installed?

  6. #6
    Join Date
    Sep 2008
    Location
    Dallas, TX
    Posts
    4,552
    Maybe your computer is infected?

  7. #7
    Join Date
    Jun 2009
    Posts
    66
    Immediately change the SSH password. Use a STRONG PASS including symbols which can't be "brute forced". Also install mod_security. If you need help, send me a PM.
    Freelancer Linux System Administrator
    www.hirekostas.com

  8. #8
    Can you post the address or IP of your server so it could be nmapped to see if you have any rootkits running? Also run chkrootkit, rkhunter and unhide and post their output... The system can be cleaned without a full wipe; it would be best to clean the system and harden it. If you re-install it in the same way, it will be hacked in the same way...

  9. #9
    Join Date
    May 2009
    Location
    Utopia.
    Posts
    222
    Quote Originally Posted by Jacob Wall View Post
    Maybe your computer is infected?
    That might be a possibility.

    Check if there are any suspicious activities running.


  10. #10
    Join Date
    Jan 2002
    Location
    Home, chair
    Posts
    723
    Did they log in as root? Then it's an OS re-install, I am afraid; anything less doesn't guarantee anything.

  11. #11
    Join Date
    Mar 2009
    Posts
    245
    I would simply put only your IP in host allow, so even if they have the root password they won't be able to access. Same for other important services like FTP, control panel, MySQL, etc.

  12. #12
    Join Date
    Jan 2006
    Location
    Toronto, Canada
    Posts
    269
    After the OS reload, I changed the password to a VERY strong one.
    Still got hacked again. Same hacker.
    When I checked /var/log/secure:
    sshd[29283]: Accepted password for root from 11.97.92.10* port 2303 ssh2
    Last edited by heropage; 09-10-2009 at 04:54 PM.
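The line quoted above is the signal the whole thread turns on: a successful password login for root from an address the admin does not recognise. The following shell function, an added example that is not code from the thread, walks constructed /var/log/secure lines in that same format and reports every root login from an address outside an allowlist (the IPs and the allowlist are assumptions for the example).

```shell
#!/bin/sh
# Added example (not from the thread): flag successful root logins in
# /var/log/secure that did not come from an address you expect.
# The log lines below are constructed in the format quoted in post #12;
# the addresses are documentation ranges, not the poster's real attacker IP.
SAMPLE_LOG='Jul 24 08:20:48 host sshd[29283]: Accepted password for root from 192.0.2.44 port 2303 ssh2
Jul 24 09:01:02 host sshd[29301]: Accepted publickey for admin from 203.0.113.5 port 50122 ssh2
Jul 24 09:15:44 host sshd[29355]: Failed password for root from 198.51.100.7 port 4411 ssh2
Jul 24 10:02:10 host sshd[29402]: Accepted password for root from 203.0.113.5 port 50130 ssh2'

# Hypothetical allowlist: the addresses the admin legitimately connects from.
ALLOWED_IPS='203.0.113.5'

# Print one line per successful root login from an address outside the allowlist.
# Usage: suspicious_root_logins "<log text>" "<space-separated allowed IPs>"
suspicious_root_logins() {
    printf '%s\n' "$1" |
    awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Field layout: $6=Accepted $7=auth method $9=user $10="from" $11=source IP
        /sshd\[[0-9]+\]: Accepted (password|publickey) for root from / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (!(ip in ok)) print $1, $2, $3, "root login via", $7, "from", ip
        }'
}

# Number of such logins; a non-zero result on a real box is the cue to treat
# the host as compromised and reload it (posts #4, #5 and #10).
count_suspicious_root_logins() {
    suspicious_root_logins "$1" "$2" | awk 'END { print NR }'
}

suspicious_root_logins "$SAMPLE_LOG" "$ALLOWED_IPS"
# → Jul 24 08:20:48 root login via password from 192.0.2.44
```

On a live CentOS box the same function runs over the real file with `suspicious_root_logins "$(cat /var/log/secure)" "$ALLOWED_IPS"`; remember that an attacker who has already cleared the logs, as in post #1, leaves nothing for it to find.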

  13. #13
    Join Date
    Apr 2002
    Posts
    930
    Who knew of the new password?

    Are any of those people (including yourself) using an SSH client to access the server?

    Are you storing the password in that SSH program?

    Are you (or anyone that has the password) storing the password anywhere on their computer?

    I am thinking that you or someone who has the password has a virus/trojan/keylogger installed and running on their computer that is stealing the password information and sending it to someone else.

  14. #14
    Join Date
    Jan 2006
    Location
    Toronto, Canada
    Posts
    269
    Quote Originally Posted by SPaReK View Post
    Who knew of the new password?

    Are any of those people (including yourself) using an SSH client to access the server?

    Are you storing the password in that SSH program?

    Are you (or anyone that has the password) storing the password anywhere on their computer?

    I am thinking that you or someone who has the password has a virus/trojan/keylogger installed and running on their computer that is stealing the password information and sending it to someone else.
    I am using putty to access to the server. My hosting company also has the password.

    Now I use host allow to restrict access. I think it's the best way.

  15. #15
    Join Date
    Feb 2004
    Location
    USA
    Posts
    1,571
    ^ I would suspect the same; did you scan your PC already? Seems like he's sniffing the password from your PC.

  16. #16
    Have you considered getting server management?

    As security is an ongoing process.
    Data Republic - UK Managed Servers - Server Management - Managed Backup/R1Soft
    Follow us on Twitter to get exclusive sales & updates.
    R1Soft Agents Monthly !

  17. #17
    Join Date
    Apr 2002
    Posts
    930
    Your datacenter could be a point of password exploit, but I would think that if that is the case, then all of their servers would be exploited, since it's safe to assume that if one password is compromised at the datacenter then all of their passwords would be compromised.

    I always recommend that you change the root password of any server so that it is not the same as what the datacenter has. Unless there is a specific reason for the datacenter to need the password for your server.

    To my knowledge PuTTY does not provide any means of storing a password. But if the root password is still the same as the original root password that was likely e-mailed to you, then the virus/trojan/keylogger could be scanning your e-mail for this information.

    If you have a virus/trojan/keylogger installed on your computer, then you need to deal with this because this means your computer is vulnerable. I'm assuming you are running a Windows OS. I'm not sure what the best tools are for dealing with this threat on Windows are. Perhaps someone else can make suggestions for this.

  18. #18
    Join Date
    Feb 2007
    Location
    Florida
    Posts
    1,930
    Why do people use passwords for SSH? They are so insecure.
    -Joe @ Secure Dragon LLC.
    + OpenVZ Powered by Wyvern | KVM | cPanel Hosting | Backup VPSs | LowEndBoxes | DDOS Protection
    + Florida | Colorado | Illinois | California | Oregon | Georgia | New Jersey | Arizona | Texas

  19. #19
    Join Date
    Mar 2006
    Location
    Servers
    Posts
    1,588
    Be sure your kernel is upgraded to the latest one and check whether some users have SSH access so they can exploit you. You had better disable direct root login via SSH and use the su command to gain root access.

  20. #20
    Switch to public-key auth instead of your current method.

  21. #21
    Join Date
    Feb 2004
    Location
    USA
    Posts
    1,571
    Quote Originally Posted by WebHostDog View Post
    Be sure your kernel is upgraded to the latest one and check whether some users have SSH access so they can exploit you. You had better disable direct root login via SSH and use the su command to gain root access.
    I also recommend updating to the latest kernel, disabling direct root access and using su instead, or configuring a firewall to try and prevent attacks.
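Posts #19 to #21 describe the sshd side of the fix in words: no direct root login (escalate with su), public keys instead of passwords. The script below is an added example, not the thread's own code, that shows a constructed sshd_config fragment with the weak settings beside the hardened one and audits both; the defaults it assumes are those of OpenSSH at the time of the thread.

```shell
#!/bin/sh
# Added example (not from the thread): check an sshd_config fragment for the
# settings posts #19-#21 recommend.  Both fragments are constructed; the
# hardened one is what the thread's advice looks like in the file.
WEAK_SSHD_CONFIG='Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

HARDENED_SSHD_CONFIG='Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes'

# Effective value of a directive.  sshd uses the first uncommented occurrence
# of a keyword (keywords are case-insensitive), so that is what we take; the
# third argument is the default applied when the keyword is absent.
sshd_directive() {
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }'
}

# Print one line per weak setting.  Defaults assumed are those of OpenSSH when
# the thread was written (PermitRootLogin yes; later releases changed this).
audit_sshd_config() {
    if [ "$(sshd_directive "$1" PermitRootLogin yes)" != "no" ]; then
        echo "PermitRootLogin is not 'no': log in as an unprivileged user and su"
    fi
    if [ "$(sshd_directive "$1" PasswordAuthentication yes)" != "no" ]; then
        echo "PasswordAuthentication is not 'no': a stolen root password still works"
    fi
    if [ "$(sshd_directive "$1" PubkeyAuthentication yes)" != "yes" ]; then
        echo "PubkeyAuthentication is not 'yes': keys would be rejected, locking you out"
    fi
}

count_sshd_findings() {
    audit_sshd_config "$1" | awk 'END { print NR }'
}

echo "weak config:";     audit_sshd_config "$WEAK_SSHD_CONFIG"
echo "hardened config:"; audit_sshd_config "$HARDENED_SSHD_CONFIG"
```

Before switching PasswordAuthentication to no on a real box, put your public key in the unprivileged user's ~/.ssh/authorized_keys and confirm a key login works from a second session, or the change locks you out along with the attacker.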

  22. #22
    Join Date
    Jun 2008
    Posts
    204
    Quote Originally Posted by ActiveForce View Post
    I also recommend updating to the latest kernel, disabling direct root access and using su instead, or configuring a firewall to try and prevent attacks.
    Yes, he's right. Go through the whole new server security checklist that has been posted in many places on the net. Never have direct root access.

    And people have been asking you to check your personal computer for viruses because that's been a source of problems lately where they get the password when you store or enter it from there.

    If you are going to manage a server, I recommend starting to run Linux at home; probably Ubuntu is best and easy to get going. Why chance it with an OS that's known for being compromised easily? What's your time worth?

    You didn't mention how many other people access your system; it's possible that this guy comes in from some other account that hasn't changed its password yet and that somehow gives him access (too many ways to list here).

    And having SSH keys stored instead of using passwords doesn't help when your home computer has a virus, it's actually worse because it's right there on your HD instead of in your head.

  23. #23
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    I am willing to bet that you have an outdated kernel that allowed a root escalation to happen. I have seen several servers this week that were exploited by the recent kernel exploit and had SSH users added with root privileges.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
