
[LUG] Server got hacked


They got in via the root password.
I am pretty sure it wasn't brute forced.
Didn't see a lot of failed attempts at login, and I block IPs that fail after 5 times; could have been a low-level attack over months, I suppose. The other way: I have discovered the root password and the MySQL DB password were the same, so it might have been exposed in some web script and they took a punt on it being the same.

The hacker tried to install a botnet, but due to the complicated setup they couldn't get it to work.
They created a user 'mark'.

Just altered the sshd config to only allow those that need SSH access, and root access only from my IP address.
And cleaned out all the failed scripts.
Think it was a script kiddy who didn't know much, since it would not have been that hard to work out what was happening.

Bit more concerned about the root password guess; it turns out it had not been changed for a while either, so going to have to fix that issue.

--
'ooroo

Stinga...(:)-)
---------------------------------------------------
Email: stinga+dclug@xxxxxxxxxxxxx   o
You need only two tools.        o /////
A hammer and duct tape. If it    /@   `\  /) ~
doesn't move and it should use  >  (O)  X<  ~  Fish!!
the hammer. If it moves and      `\___/'  \) ~
shouldn't, use the tape.           \\\
---------------------------------------------------
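The sshd change described in the post (SSH only for the accounts that need it, root only from one admin address) can be expressed with AllowUsers plus a Match block. The fragment below is an added example written for this page, not Stinga's actual configuration; the address 203.0.113.10 and the user names alice and bob are constructed placeholders. It also goes one step further than the post by turning password authentication off, which is the direct mitigation for the reused root/MySQL password that let the attacker in.

```text
# /etc/ssh/sshd_config  (added example; addresses and user names are
# constructed placeholders, not values from the incident)

# Nobody logs in as root by default.
PermitRootLogin no

# Key-based authentication only: a leaked or reused password then buys
# nothing over SSH, which is the failure mode in this incident.
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes

# Only these accounts may log in over SSH at all. AllowUsers accepts
# user@host patterns, so root is listed only for the admin address.
AllowUsers alice bob root@203.0.113.10

# Re-enable root, still key-only, for connections from the admin
# address. Match blocks apply until the next Match, so keep them last.
Match Address 203.0.113.10
    PermitRootLogin prohibit-password
```

Both halves are needed: AllowUsers rejects root from every other source, and the Match block lifts the global PermitRootLogin no for the admin address only. On OpenSSH older than 8.7 the option is spelled ChallengeResponseAuthentication rather than KbdInteractiveAuthentication. Before restarting the daemon, check the syntax with `sshd -t`, and confirm what a given client would actually get with `sshd -T -C user=root,addr=203.0.113.10 | grep -i permitrootlogin` (expect prohibit-password for that address and no for any other). Keep an existing session open while you test, so a typo cannot lock you out.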


--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq