Re: [LUG] Server got hacked
- To: list@xxxxxxxxxxxxx
- Subject: Re: [LUG] Server got hacked
- From: Simon Avery <digdilem@xxxxxxxxx>
- Date: Mon, 25 Nov 2013 15:57:26 +0000
- Delivered-to: dclug@xxxxxxxxxxxxxxxxxxxxx
What Rob says. Step 1 in any new server install I do is disable root access in ssh - it's a major attack vector. Running a honeypot for a while showed this was pretty much exclusively the username attempted.
Basics for ssh:
Turn off root access. Log in to a username and su or sudo -s if you want a root shell once in.
Turn off internet access to ssh, and if you want it, move the port off 22. None of the scripts I've seen attempt any other port. And as suggested, turn off passwords and go keys only.
And stinga - don't assume it's a know-nothing kiddie; they knew enough to get past the things you put in place to stop them. Standard advice once rooted is to wipe your system and start over - you cannot be sure what other ways in they've left behind: modified exes, hidden cronned scripts somewhere, obscure URLs accessible... etc., etc. Honestly, it's usually quicker and always more secure to chalk it up to experience and start over.
And of course, if you had any usernames, passwords, sessions/profiles account details on that box, assume they're now being spread around various hacker sites and change them - yesterday!
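The three ssh basics in Simon's message (no root login over ssh, keys instead of passwords, port moved off 22) can be checked against an sshd_config before the next server goes live. The following POSIX sh audit is an added example for this archive page, not code from the original post or from the LUG. It assumes OpenSSH's keyword names and its rule that the first occurrence of a keyword wins, handles only the "Keyword value" syntax (not "Keyword=value"), and stops reading at the first Match block because lines after it are conditional. The two sample configs are constructed for the example, not taken from any real host.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# basics in the message above: PermitRootLogin no, PasswordAuthentication no,
# and a listening port other than 22.
# Assumptions: OpenSSH keyword names; first occurrence of a keyword wins;
# "Keyword value" syntax only; everything after the first Match block is
# ignored because those directives only apply to matching sessions.

# Effective value of keyword $1 in the config read from stdin, or default $2.
ssh_setting() {
    found=$(awk -v key="$1" '
        tolower($1) == "match" { exit }              # conditional section: stop
        tolower($1) == tolower(key) { print $2; exit } # first occurrence wins
    ')
    if [ -n "$found" ]; then printf '%s\n' "$found"; else printf '%s\n' "$2"; fi
}

# Audit the config text in $1. Prints one line per check and returns the
# number of failed checks (0 means all three basics are in place).
audit_sshd_config() {
    cfg=$1
    fails=0
    # Defaults when a keyword is absent: older OpenSSH (pre-7.0) allowed root
    # logins by default, and PasswordAuthentication defaults to yes, so an
    # absent keyword is treated as the weak setting.
    root=$(printf '%s\n' "$cfg" | ssh_setting PermitRootLogin yes)
    pass=$(printf '%s\n' "$cfg" | ssh_setting PasswordAuthentication yes)
    port=$(printf '%s\n' "$cfg" | ssh_setting Port 22)

    if [ "$root" = "no" ]; then echo "OK   PermitRootLogin $root"
    else echo "FAIL PermitRootLogin $root (want: no)"; fails=$((fails + 1)); fi
    if [ "$pass" = "no" ]; then echo "OK   PasswordAuthentication $pass"
    else echo "FAIL PasswordAuthentication $pass (want: no)"; fails=$((fails + 1)); fi
    if [ "$port" != "22" ]; then echo "OK   Port $port"
    else echo "FAIL Port $port (want: not 22)"; fails=$((fails + 1)); fi
    return $fails
}

# Constructed sample configs for the example (not real files from any host).
WEAK_CONFIG='# stock-looking config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
'
HARDENED_CONFIG='Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# this later duplicate is ignored by sshd (first occurrence wins)
PermitRootLogin yes
'

echo "== weak =="; audit_sshd_config "$WEAK_CONFIG"; echo "failures: $?"
echo "== hardened =="; audit_sshd_config "$HARDENED_CONFIG"; echo "failures: $?"
```

To run it against a real file, replace the constructed strings with `audit_sshd_config "$(cat /etc/ssh/sshd_config)"`; the exit status can then gate a deployment step. Note that "PermitRootLogin prohibit-password" (a later OpenSSH default) still lets root in with a key, which is why the check insists on "no" to match the advice above.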
The Mailing List for the Devon & Cornwall LUG