
I have read the following posts, which didn't answer my questions:
- My linux server was hacked. How do I find out how and when it was done?
- How do I know if my Linux server has been hacked?
- and much more...

The server setup was this:
- the Ubuntu server was behind a router (Cisco EA6500) and didn't have port forwarding (UPnP is enabled).
- the stupidest idea was to have a user called user with password user.

Today I logged into the PHP web editor, which connects by SSH, and it didn't accept the password. I found out that the server might have been hacked.

I found the following:
- all the server files' timestamps were changed to my last login date (today)
- there was one cron job, /dev/shm/- /.ICE-UNIX/update >/dev/null 2>&1, added on Friday
- there was an error on Ubuntu start-up that said "error variable ROOT isn't set"

What I did:
- recovered the password via the recovery console
- set up a small firewall, which caught some attempts to get into SSH.

Questions:
- How do I know what has been changed?
- How did they get in if there was no SSH port exposure?

Later Edit: They have left the logs intact and I found out that they entered by SSH and changed the password. There were a lot of SSH login tries over the past weeks. I have reinstalled the system, moved the port, installed a firewall and I'm inspecting the router. It definitely has security holes. Thank you all!

machineaddict
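As an added example (not code from the poster or the answerer), this is the check the later edit describes doing by hand, written as a small script: it reads sshd entries in /var/log/auth.log format, counts failed password attempts per source address, and flags a successful login from an address that had already failed repeatedly, which is the brute-force-then-success pattern described in the question. The log lines, hostnames and addresses are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample in /var/log/auth.log style; not taken from the poster's server.
SAMPLE_AUTH_LOG = """\
Aug  8 03:12:01 srv sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 40122 ssh2
Aug  8 03:12:03 srv sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 40122 ssh2
Aug  8 03:12:05 srv sshd[2103]: Failed password for user from 198.51.100.23 port 40130 ssh2
Aug  8 03:12:07 srv sshd[2103]: Failed password for user from 198.51.100.23 port 40130 ssh2
Aug  8 03:12:09 srv sshd[2105]: Accepted password for user from 198.51.100.23 port 40131 ssh2
Aug  8 09:00:00 srv sshd[2300]: Accepted publickey for deploy from 192.0.2.10 port 51000 ssh2
"""

# sshd's two relevant message shapes: a rejected password and an accepted login.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port")


def analyse_auth_log(text, threshold=3):
    """Count failed password attempts per source address and flag any
    accepted login from an address that had already failed `threshold`
    or more times before it got in."""
    failures = defaultdict(int)
    suspicious = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, src = m.groups()
            prior = failures.get(src, 0)
            if prior >= threshold:
                suspicious.append({"user": user, "src": src,
                                   "method": method, "prior_failures": prior})
    return dict(failures), suspicious


if __name__ == "__main__":
    # Stand-alone run over the sample; on a real host, feed it /var/log/auth.log*.
    failures, suspicious = analyse_auth_log(SAMPLE_AUTH_LOG)
    for src, n in sorted(failures.items(), key=lambda kv: -kv[1]):
        print(f"{src}: {n} failed password attempts")
    for hit in suspicious:
        print(f"SUSPICIOUS: {hit['method']} login as {hit['user']} from {hit['src']} "
              f"after {hit['prior_failures']} failures")
```

Rotated copies (auth.log.1, auth.log.*.gz) need to be included to cover the weeks of attempts mentioned, and the result is only as trustworthy as the logs themselves, which an intruder with root can edit.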

1 Answer


I wouldn't trust that machine anymore, and would reinstall and probably scan for rootkits (some rootkits even survive formatting of a drive).

If you care about security, my personal advice would be to restart fresh.

Nomad
  • Regarding your question - you really can't know what has been changed. Unless you have everything in a versioning system or manually compare it with a backup. – Nomad Aug 11 '14 at 08:42
  • I guess I would have to do that. But I would like to know what has been changed, to know the security hole. That's very important. – machineaddict Aug 11 '14 at 09:09
  • Well, you mention the PHP/SSH-login thing, that's likely to be it. Usually these systems have a configuration file, like server.com/configuremystuff.php - attacks are often used against these, as they are well-known and often have security risks. You also mention a very bad username/password, it is likely someone scanned the ports on your server and found a port with SSH active - you said you used some webeditor that connects through SSH, so some SSH port should be active? – Nomad Aug 11 '14 at 09:16
  • SSH scans and brute force attacks are extremely common. I get attempts every day. Don't allow root logins, if you're in control of ssh settings. – Nomad Aug 11 '14 at 09:17
  • But how did they get past the router? The SSH port isn't accessible from the WAN. – machineaddict Aug 11 '14 at 09:30
  • If that is the case, then through your webpage providing such access, I would guess. – Nomad Aug 11 '14 at 09:32
  • Thanks for your help. I have accepted your answer, even though it's not quite the answer to what I asked. However, you helped me ;) – machineaddict Aug 14 '14 at 09:10
  • Did you find the flaw? If it's through the web page, you would be able to find logs in /var/log/httpd-access, or the like. – Nomad Aug 14 '14 at 09:49
  • I edited my question. You can see there how "they" got in. – machineaddict Aug 14 '14 at 13:29
  • "Some rootkits even survive formatting of a drive" [citation needed] - in the context of this discussion (a remote exploit), I do not believe this is currently possible. The only rootkits that can survive a complete reformat involve physical access to inject code into the BIOS, no? – Phil May 11 '15 at 16:43