
Thread: Server Hacked

  1. #1
    Join Date
    Apr 2009
    Location
    Louisville, Kentucky
    Posts
    47

    Server Hacked

    My server was hacked night before last and here is the log

    Oct 28 10:30:47 server1 [19705]: connection from "173.45.118.58"
    Oct 28 10:30:47 server1 [19705]: User root's local password accepted.
    Oct 28 10:30:47 server1 [19705]: Password authentication for user root accepted.
    Oct 28 10:30:47 server1 [19705]: User root, coming from 3a.76.2d.static.xlhost.com, authenticated.

    Just a heads up, everyone.
    Woof Hosting - Shared Hosting
    Friendly Staff | 256-Bit SSL Encryption!

  2. #2
    Join Date
    Oct 2002
    Location
    State of Disbelief
    Posts
    22,951
    He visits, logs right in; how is that a hack? Looks more like he knew the password from here, unless there's a lot more to that log?

  3. #3
    Bear has a point, it really does seem like he almost knew the password without even "trying"

  4. #4
    Join Date
    Jan 2008
    Location
    St. John's, NL
    Posts
    2,114
    You have SSH running on port 22 and allowing root logins directly. Both are big no-no's. At least run SSH on a non-standard port and require a sudo of something else to get to root.
    Cpanel/WHM PHP Perl Ruby Full Time Support
    LCWSoft - Canada web hosting (based in Newfoundland) since 2007
    Servers based in the US and Canada (Uptime Report)

  5. #5
    Join Date
    Apr 2009
    Location
    Louisville, Kentucky
    Posts
    47
    Quote Originally Posted by bear View Post
    He visits, logs right in; how is that a hack? Looks more like he knew the password from here, unless there's a lot more to that log?
    That's not the whole log. They changed the password.

    Quote Originally Posted by larwilliams View Post
    You have SSH running on port 22 and allowing root logins directly. Both are big no-no's. At least run SSH on a non-standard port and require a sudo of something else to get to root.
    Password and port have been changed.

  6. #6
    Join Date
    Jan 2008
    Location
    St. John's, NL
    Posts
    2,114
    Quote Originally Posted by WoofHosting View Post
    That's not the whole log. They changed the password.

    Password and port have been changed.
    Too late now. 99% chance there is a rootkit or backdoor running on the server, so you're screwed.

    Time for an OS reload I would say.
    Last edited by larwilliams; 10-29-2009 at 08:35 AM.

  7. #7
    Join Date
    Aug 2009
    Location
    TN, USA
    Posts
    47
    If you have already had a server break-in, changing the SSH port and root password is too late. That server needs to be re-installed, the SSH port changed, and root logins to SSH disallowed.

    Unfortunately most people do not do simple things like changing the SSH port and disallowing root logins to SSH.

  8. #8
    Join Date
    Jan 2001
    Location
    Miami, FL
    Posts
    1,072
    That is a static IP based on the PTR.

    You need to contact the ISP accordingly.
    Biznesshosting, Inc. DBA VOLICO - Intelligent Hosting Solutions
    East Coast Enterprise Dedicated Servers and Miami Colocation.
    managed and unmanaged dedicated servers. High bandwidth colocation. Managed clusters.

  9. #9
    Join Date
    Apr 2009
    Location
    Louisville, Kentucky
    Posts
    47
    Quote Originally Posted by larwilliams View Post
    Too late now. 99% chance there is a rootkit or backdoor running on the server, so you're screwed.

    Time for an OS reload I would say.
    This is what I get for being new in the hosting business.

  10. #10
    Join Date
    Apr 2009
    Location
    Louisville, Kentucky
    Posts
    47
    Quote Originally Posted by bizness View Post
    that is a static IP based on the PTR.

    You need to contact the ISP accordingly.
    I am going to be contacting xlhost.com as soon as they open at 9.

  11. #11
    Join Date
    Apr 2009
    Location
    Louisville, Kentucky
    Posts
    47
    Quote Originally Posted by rlxsystems View Post
    If you have already had a server break-in, changing the SSH port and root password is too late. That server needs to be re-installed, the SSH port changed, and root logins to SSH disallowed.

    Unfortunately most people do not do simple things like changing the SSH port and disallowing root logins to SSH.
    OK, I did an OS reload, changed the SSH port, and disallowed root logins to SSH. Anything else I can do to help keep my server safe?

  12. #12
    Greetings:

    https://ws.arin.net/whois/?queryinput=173.45.118.58

    The sad part is that we've sent abuse reports in the past to eNET Inc. / XLHost.com Inc and they appear to be ignored.

    Thank you.
    ---
    Peter M. Abraham
    LinkedIn Profile

  13. #13
    Join Date
    May 2002
    Location
    Kingston, Ontario
    Posts
    1,573
    Hire a security expert to lock down your machine.
    Upload Guardian 2 - Malicious Upload Scanner - Windows and Linux!
    Instantly scan uploaded files
    Get notified when released

  14. #14
    Join Date
    Jan 2008
    Location
    St. John's, NL
    Posts
    2,114
    Quote Originally Posted by WoofHosting View Post
    OK, I did an OS reload, changed the SSH port, and disallowed root logins to SSH. Anything else I can do to help keep my server safe?
    I would recommend getting a good sys admin to do a hardening of your server.

  15. #15
    Join Date
    Apr 2009
    Location
    Louisville, Kentucky
    Posts
    47
    It has Server Hardening on it.

  16. #16
    Join Date
    Jan 2008
    Location
    St. John's, NL
    Posts
    2,114
    Quote Originally Posted by WoofHosting View Post
    It have Server Hardening on it.
    Trust me, it doesn't. SSH was insecure, and that alone would indicate it was not hardened in the least. Contact PSM or another server management company, and get (at least) a one-time server hardening package.

  17. #17
    Join Date
    Apr 2009
    Location
    Louisville, Kentucky
    Posts
    47
    Where can I find out about PSM?

  18. #18
    Join Date
    Jan 2008
    Location
    St. John's, NL
    Posts
    2,114
    Quote Originally Posted by WoofHosting View Post
    where can i find out about PSM?
    http://www.platinumservermanagement.com/

  19. #19
    Do you need to secure your server, or to restore the root password?

  20. #20
    Join Date
    Dec 2001
    Location
    Netherlands
    Posts
    780
    Hi,

    Some additional points:

    Quote Originally Posted by WoofHosting View Post
    ...
    Oct 28 10:30:47 server1 [19705]: connection from "173.45.118.58"
    Oct 28 10:30:47 server1 [19705]: User root's local password accepted.
    Oct 28 10:30:47 server1 [19705]: Password authentication for user root accepted.
    Oct 28 10:30:47 server1 [19705]: User root, coming from 3a.76.2d.static.xlhost.com, authenticated.
    ...
    Were there any authentication failures before this line? Like a set of continuous authentication failures and then a root login? Or was it directly a login?

    If there were continuous failures and then this line, then you might have been using an easy password that someone can second-guess.

    If it was a direct login, without any failures, then you need to ask yourself where you saved the password and how anyone could have got hold of it.

    Experienced OpenStack Admin For Hire
    regular as admin0 on freenode IRC on #openstack and #openstack-ansible channels
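
admin0's question above (a burst of failures before the success, or a clean first-try login?) is a check that can be scripted rather than eyeballed. The Python below is an added example, not code from the thread or from any poster. It parses the four lines WoofHosting posted, whose daemon puts the source IP on a separate "connection from" line that has to be joined to the result line by pid, and also standard OpenSSH "Accepted/Failed password" lines. The OpenSSH lines with 198.51.100.7 (a documentation address) are constructed, and the "denied" wording for the thread's daemon is an assumption, since no failure line was posted. It then reports, per source IP, how many failed root passwords preceded the accepted one.

```python
"""For each successful root login in an auth log, decide whether a burst of
failed passwords from the same source preceded it (the password was guessed)
or it was accepted on the first try (the password was already known)."""
import re
from collections import defaultdict

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"

# Standard OpenSSH syslog lines: the source IP is on the same line as the result.
OPENSSH_RE = re.compile(
    TS + r" \S+ sshd\[(?P<pid>\d+)\]: (?P<outcome>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
# The daemon format shown in this thread: the IP is on a "connection from" line
# and must be joined to the result line through the pid in brackets.
# Only the "accepted" wording is attested in the thread; "denied" is an ASSUMPTION.
CONN_RE = re.compile(TS + r" \S+ \[(?P<pid>\d+)\]: connection from \"(?P<ip>[\d.]+)\"")
RESULT_RE = re.compile(
    TS + r" \S+ \[(?P<pid>\d+)\]: Password authentication for user (?P<user>\S+) "
    r"(?P<outcome>accepted|denied)\."
)


def parse_events(lines):
    """Yield (ip, user, success) in log order from either format."""
    ip_by_pid = {}
    for line in lines:
        m = OPENSSH_RE.match(line)
        if m:
            yield m["ip"], m["user"], m["outcome"] == "Accepted"
            continue
        m = CONN_RE.match(line)
        if m:
            ip_by_pid[m["pid"]] = m["ip"]      # remember the IP for this pid
            continue
        m = RESULT_RE.match(line)
        if m and m["pid"] in ip_by_pid:
            yield ip_by_pid[m["pid"]], m["user"], m["outcome"] == "accepted"


def classify_logins(lines, user="root", burst=5):
    """One (ip, prior_failures, verdict) per successful login for `user`:
    'guessed' - at least `burst` failures from that IP preceded the success
    'direct'  - no failures at all: the password was known, not found
    'retyped' - a handful of failures, consistent with a human mistyping"""
    failures = defaultdict(int)
    verdicts = []
    for ip, u, ok in parse_events(lines):
        if u != user:
            continue
        if not ok:
            failures[ip] += 1
            continue
        n = failures.pop(ip, 0)                # reset the counter on success
        verdict = "guessed" if n >= burst else "direct" if n == 0 else "retyped"
        verdicts.append((ip, n, verdict))
    return verdicts


# The four lines from the thread, verbatim.
THREAD_LOG = """\
Oct 28 10:30:47 server1 [19705]: connection from "173.45.118.58"
Oct 28 10:30:47 server1 [19705]: User root's local password accepted.
Oct 28 10:30:47 server1 [19705]: Password authentication for user root accepted.
Oct 28 10:30:47 server1 [19705]: User root, coming from 3a.76.2d.static.xlhost.com, authenticated.
"""
# Constructed OpenSSH-style lines (not from the thread): six root guesses,
# one guess at a non-existent account, then a success from the same IP.
GUESSING_LOG = "".join(
    f"Oct 28 11:02:0{i} server1 sshd[{20114 + i}]: Failed password for root "
    f"from 198.51.100.7 port {40211 + i} ssh2\n"
    for i in range(6)
) + (
    "Oct 28 11:02:08 server1 sshd[20121]: Failed password for invalid user admin "
    "from 198.51.100.7 port 40219 ssh2\n"
    "Oct 28 11:02:09 server1 sshd[20122]: Accepted password for root "
    "from 198.51.100.7 port 40220 ssh2\n"
)
SAMPLE_LINES = (THREAD_LOG + GUESSING_LOG).splitlines()

if __name__ == "__main__":
    for ip, n, verdict in classify_logins(SAMPLE_LINES):
        print(f"{ip}: {n} failed root passwords before success -> {verdict}")
```

On the lines actually posted, the 173.45.118.58 login comes back as "direct", which is exactly the second of admin0's two cases; since WoofHosting says the posted excerpt is not the whole log, the same check should be run over the full file (and over the web-server and FTP logs for the same address) before concluding the password was leaked rather than guessed.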

  21. #21
    Join Date
    Feb 2007
    Location
    Florida
    Posts
    1,930
    If you're not using SSH keys only then your server is not secure.
    -Joe @ Secure Dragon LLC.
    + OpenVZ Powered by Wyvern | KVM | cPanel Hosting | Backup VPSs | LowEndBoxes | DDOS Protection
    + Florida | Colorado | Illinois | California | Oregon | Georgia | New Jersey | Arizona | Texas

  22. #22
    Join Date
    Apr 2003
    Location
    Earth
    Posts
    155
    Quote Originally Posted by JWeb2 View Post
    If you're not using SSH keys only then your server is not secure.
    What he said... use keys.

  23. #23
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,683
    Quote Originally Posted by JWeb2 View Post
    If you're not using SSH keys only then your server is not secure.
    There are lots of other ways of securing a server; I'm afraid SSH keys are not a lot more secure than a password. (if the key file and password are stolen, they have just as much, or more, access).

    While it's nice to mention ssh security issues (such as locking ssh down by changing the port from default 22 and preventing direct root logins) that's only one tiny part of hardening a server. True, if you haven't got that right you're not looking at all good, but there are many other important things as well.
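
The sshd settings argued over in this thread (non-default port, no direct root login, keys instead of passwords) are easy to get subtly wrong, because sshd applies the first occurrence of a directive and silently ignores later duplicates, so a "PermitRootLogin no" appended at the bottom of a file that already says "yes" changes nothing. The Python below is an added example, not code from the thread or from any poster: it reads an sshd_config the way sshd does and reports which of the thread's recommendations are not actually in effect. The three sample configs are constructed; port 2222 and the account name "adminuser" in the hardened fragment are assumptions.

```python
"""Audit an sshd_config the way sshd itself reads it: keywords are
case-insensitive, the FIRST occurrence of a directive wins, and settings inside
a Match block are conditional (so parsing stops at the first Match)."""
import re

# OpenSSH's documented defaults for the directives checked below
# (PermitRootLogin defaulted to "yes" on the distributions of the period).
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}

# sshd accepts "Keyword value" and "Keyword=value".
DIRECTIVE_RE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.+?)\s*$")


def effective_settings(config_text):
    """Return {lowercased keyword: value} as sshd would apply it."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break                               # conditional section: stop here
        if key in seen:
            continue                            # first occurrence wins
        seen.add(key)
        settings[key] = value
    return settings


def audit(config_text):
    """Return a list of findings; empty means the checked directives
    match the advice given in this thread."""
    s = effective_settings(config_text)
    findings = []
    if s["permitrootlogin"].lower() != "no":
        findings.append("PermitRootLogin %s: root can log in directly over the network; "
                        "set it to no and sudo from an unprivileged account" % s["permitrootlogin"])
    if s["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication %s: a guessed or leaked password alone "
                        "gives a shell; set it to no" % s["passwordauthentication"])
    if s["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication %s: with passwords disabled there would be "
                        "no way in" % s["pubkeyauthentication"])
    if s["port"] == "22":
        findings.append("Port 22: the default port takes every scanner's guesses; moving it "
                        "cuts log noise but is not a control on its own")
    if int(s["maxauthtries"]) > 3:
        findings.append("MaxAuthTries %s: many guesses per connection; 3 is plenty for keys"
                        % s["maxauthtries"])
    return findings


# Constructed: the settings the thread's log implies were in effect.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
# Constructed: the "fix" was appended instead of editing the existing line.
TRAP_CONFIG = """\
PermitRootLogin yes
Port 2222
PermitRootLogin no
"""
# Constructed hardened fragment; the port and "adminuser" are assumptions.
HARDENED_CONFIG = """\
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers adminuser
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("trap", TRAP_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or "ok")
```

Before reloading a real sshd with changes like these, run `sshd -t` to syntax-check the file and `sshd -T` to print the effective values (the same first-match rule the script models), and keep an existing session open until a fresh key-based login as the unprivileged user has been confirmed; with PasswordAuthentication off and PermitRootLogin no, a typo in AllowUsers locks you out of your own box.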
