Help, someones accessing my Server

Tallon

So I have a VPS, and I've noticed someone has been logging in randomly here and there and running what appears to be software updates.

I've since changed the password, but wondering if anyone has seen this?

IP address is showing as China

Aug 21 08:53:47 CentOS-60-64-minimal sshd[23085]: reverse mapping checking getaddrinfo for host-95-104-9-85.customer.co.ge [95.104.9.85] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 21 08:53:49 CentOS-60-64-minimal sshd[23085]: Accepted password for root from 95.104.9.85 port 54241 ssh2
Aug 21 08:53:49 CentOS-60-64-minimal sshd[23085]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 21 09:03:31 CentOS-60-64-minimal sshd[23085]: pam_unix(sshd:session): session closed for user root

Also, here's just one of the commands they were running

bash-4.1# cd /tmp && wget http://nginx.org/download/nginx-1.2.2.tar.gz && tar -xzvf nginx-1.2.2.tar.gz && cd nginx-1.2.2 && ./configure --without-http_gzip_module --without-http_rewrite_module && make && make install && cd /usr/local/nginx/conf && cat /dev/null > /usr/local/nginx/conf/nginx.conf && ln -s /usr/local/nginx/sbin/nginx /usr/sbin/nginx

Any help appreciated

Running latest version of CentOS

timbyr

Well it looked like they were trying to set up a webserver.

Maybe to put up a spam page?

Although the thing I'm really shocked about here is the fact that you allow the root user to login in via SSH at all.

You can check /var/log/secure to see authentication attempts. Perhaps they brute forced your password.

Tallon

timbyr wrote: »

Well it looked like they were trying to set up a webserver.

Maybe to put up a spam page?

Although the thing I'm really shocked about here is the fact that you allow the root user to login in via SSH at all.

You can check /var/log/secure to see authentication attempts. Perhaps they brute forced your password.

Whys that? Should I use a sub account and remove the root account?

And yeah, /var/log/secure is where I got the above...

Ant

Tallon wrote: »

Whys that? Should I use a sub account and remove the root account?

You can keep the root account but it's advised to edit your sshd config file to prevent logging in as root.

I'm surprised the cracker didn't hide their tracks - seeing as how they had root access. However, some other attacker may have installed a root-kit. You could check with rkhunter(Rootkit Hunter) or chkrootkit (also, rpm -Va is useful for rpm-based distros) but I wouldn't fully trust that system again.

I'd do a clean reinstall of the OS and install either fail2ban or denyhosts to stop brute-force attacks on your SSH port. It's good advice to set up a non-root user who can use sudo. Ensure the user has a strong password - or better yet use SSH keys for authentication rather than passwords. Also, ensure your firewall only allows the bare minimum of TCP or UDP open ports.

humbert

How long was your root password btw?

Tallon

humbert wrote: »

How long was your root password btw?

Ten characters, but it was fairly complex. Have changed it now and will setup root access from my own IP only, then use a sudo account going forward

Khannie

How did you cop it by the way? Were you just keeping an eye on /var/log/secure or do you have some kind of warning system?

Tallon

Khannie wrote: »

How did you cop it by the way? Were you just keeping an eye on /var/log/secure or do you have some kind of warning system?

Logged into the console a few times to see command had been run, and the fact that I didn't recognise the IP

[-0-]

Never allow root to ssh. You really should wipe this system in case you are backdoored. The only reason someone would be doing this is to prevent others from owning you so they can keep the box for themselves.

Tallon

[-0-] wrote: »

Never allow root to ssh. You really should wipe this system in case you are backdoored. The only reason someone would be doing this is to prevent others from owning you so they can keep the box for themselves.

Well I can reset the server at any stage through the web interface or directly through the hosting crowd, so how would they 'keep the box for themselves'?

[-0-]

Tallon wrote: »

Well I can reset the server at any stage through the web interface or directly through the hosting crowd, so how would they 'keep the box for themselves'?

They were simply preventing other people from rooting you as well. They didn't want anyone else to take over the server.

Tallon

Thanks for all your help guys!

Panicked a bit when I seen it

puffishoes

Don't use passwords at all. setup ssh keys and disable use of passwords over ssh.

As said all ready. I'd wipe the VPS and only allow services you really need.

Tallon

puffishoes wrote: »

Don't use passwords at all. setup ssh keys and disable use of passwords over ssh.

As said all ready. I'd wipe the VPS and only allow services you really need.

Wiping and reinstalling what I have on it would be a MASSIVE undertaking! It wouldn't even be doable!

How do I setup ssh keys and disable passwords, and how does it work?

puffishoes

Tallon wrote: »

Wiping and reinstalling what I have on it would be a MASSIVE undertaking! It wouldn't even be doable!

How do I setup ssh keys and disable passwords, and how does it work?

Well, if you want to make sure it won't happen again....

why would it not be doable? no back up's etc?

this url is a few years old but should give you an idea of the concept.

http://www.aboutlinux.info/2005/09/how-to-setup-ssh-keys-and-why.html

Tallon

puffishoes wrote: »

Well, if you want to make sure it won't happen again....

why would it not be doable? no back up's etc?

this url is a few years old but should give you an idea of the concept.

http://www.aboutlinux.info/2005/09/how-to-setup-ssh-keys-and-why.html

Would I not have to reinstall all my applications and create new SQL tables and databases manually?

puffishoes

Tallon wrote: »

Would I not have to reinstall all my applications and create new SQL tables and databases manually?

Well I don't know what you have on the box but it shouldn't be too long for the sake of peace of mind.

for mysql you should be able to use the dump tool and then re-import the data back into the fresh mysql instance.

Mycroft H

Turn off root access entirely through your sshd_config. It's a massive security hole and there is really no need for it to be on. Set up a sudo account is the easiest way through visudo.

That's what I do and I've not had any problems. You can set up a ssh key system but I'm happy with sudo. Nice little tutorial for creating keys anyways http://paulkeck.com/ssh/

srsly78

That password did not get brute forced. You probably have a keylogger on your own pc.

Tallon

srsly78 wrote: »

That password did not get brute forced. You probably have a keylogger on your own pc.

I don't

humbert

srsly78 wrote: »

That password did not get brute forced. You probably have a keylogger on your own pc.

I have to agree. Brute forcing a complex 10 digit password does seem unlikely although I wouldn't instantly assume a keylogger.

Tallon

humbert wrote: »

I have to agree. Brute forcing a complex 10 digit password does seem unlikely although I wouldn't instantly assume a keylogger.

I've been logging in using an app on the iPhone for a good while now, possible that

humbert

Tallon wrote: »

I've been logging in using an app on the iPhone for a good while now, possible that

Unless the app itself is vulnerable. The connection would obviously be encrypted.

Saganist

Mmmm. I'd seriously think about wiping the whole system. As another user says. If they had root access at all they may have backdoored it.

I'd aslo echo not allowing root access via ssh, and using ssh keys&passphrases instead.

ssh-keygen etc.

What database are you using ? Should be handy enough to take a checkpoint/dump of the database and drop it on a clean install.

Khannie

Saganist wrote: »

Mmmm. I'd seriously think about wiping the whole system. As another user says. If they had root access at all they may have backdoored it.

+1. If I were a git and hacking other peoples boxes it would (literally) be the first thing I'd do.

Tallon wrote: »

Logged into the console a few times to see command had been run, and the fact that I didn't recognise the IP

Slightly confused by that. Is this some kind of console that the web company give you as opposed to an SSH session or something?

Can I ask (because I want to prevent myself being shafted) what version of CentOS was it and was it up to date with security patches?

Tallon

When you log into putty, it shows you the last ip that logged in and the cache file saves all the commands run so you can just scroll through them

syklops

[QUOTE=Tallon;80386884]Ten characters, but it was fairly complex. Have changed it now and will setup root access from my own IP only, then use a sudo account going forward[/QUOTE]

length > complexity. I'll find the xkcd diagram for you. Also, if your using ssh, you really should be using ssh keys, with a passphrase, it makes things much harder for the would be attacker.



Another advantage I have found of a loooong password using only letters, over a "complex" password is when on foreign keyboards, it can take you ages to find one of those complex charachters. Sometimes funny key combinations too.

Another tip, security wise is to use the hosts.allow and hosts.deny files to limit the IP addresses that can access the VPS. For example, you said the IP originated in China, so first off, block all chinese ranges. Obviously our wiley attacker can get around that so maybe tie it down to only Irish and Uk addresses?

One last edit I promise! OP, type man hosts.deny to learn how to use the hosts.deny. Don't get them confused and lock yourself out!

syklops

Khannie wrote: »

Can I ask (because I want to prevent myself being shafted) what version of CentOS was it and was it up to date with security patches?

It would be nice to know the version of Cent OS too. The Cent OS community themselves can be a bit slow to apply patches, and I am not sure how good the communication is between Red Hat and Cent OS. Not all security patches are published.


While a ten character password is pretty small for a root password over SSH, presumably the hosting company would have detected multiple logins. I find it unlikely the password was guessed or bruted. I've heard speak(in hushed whispers) of an SSH zero day. I've not seen any evidence yet, but I will be interested to see how this case pans out. OP, keep us updated!

peter4sks

Putty keyGen http://www.howtoforge.com/ssh_key_based_logins_putty

sf80

You need to reinstall the server and check everything you take from the old server for backdoors/changes. It's not something you 'really should do', it's something you have to do. Otherwise you just have to accept that your server is compromised.

Do you really need to run a server, is it just a personal thing that you could do without? You don't seem to have the skill to keep a secure server; start from scratch, learn about securing the server and it's services.