Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Help, someones accessing my Server

  • 22-08-2012 4:24pm
    #1
    Closed Accounts Posts: 22,565 ✭✭✭✭


    So I have a VPS, and I've noticed someone has been logging in randomly here and there and running what appears to be software updates.

    I've since changed the password, but wondering if anyone has seen this?

    IP address is showing as China
    Aug 21 08:53:47 CentOS-60-64-minimal sshd[23085]: reverse mapping checking getaddrinfo for host-95-104-9-85.customer.co.ge [95.104.9.85] failed - POSSIBLE BREAK-IN ATTEMPT!
    Aug 21 08:53:49 CentOS-60-64-minimal sshd[23085]: Accepted password for root from 95.104.9.85 port 54241 ssh2
    Aug 21 08:53:49 CentOS-60-64-minimal sshd[23085]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Aug 21 09:03:31 CentOS-60-64-minimal sshd[23085]: pam_unix(sshd:session): session closed for user root


    Also, here's just one of the commands they were running
    bash-4.1# cd /tmp && wget http://nginx.org/download/nginx-1.2.2.tar.gz && tar -xzvf nginx-1.2.2.tar.gz && cd nginx-1.2.2 && ./configure --without-http_gzip_module --without-http_rewrite_module && make && make install && cd /usr/local/nginx/conf && cat /dev/null > /usr/local/nginx/conf/nginx.conf && ln -s /usr/local/nginx/sbin/nginx /usr/sbin/nginx

    Any help appreciated

    Running latest version of CentOS


Comments

  • Registered Users, Registered Users 2 Posts: 78 ✭✭timbyr


    Well it looked like they were trying to set up a webserver.

    Maybe to put up a spam page?

    Although the thing I'm really shocked about here is the fact that you allow the root user to login in via SSH at all.

    You can check /var/log/secure to see authentication attempts. Perhaps they brute forced your password.


  • Closed Accounts Posts: 22,565 ✭✭✭✭Tallon


    timbyr wrote: »
    Well it looked like they were trying to set up a webserver.

    Maybe to put up a spam page?

    Although the thing I'm really shocked about here is the fact that you allow the root user to login in via SSH at all.

    You can check /var/log/secure to see authentication attempts. Perhaps they brute forced your password.

    Whys that? Should I use a sub account and remove the root account?

    And yeah, /var/log/secure is where I got the above...


  • Registered Users, Registered Users 2 Posts: 453 ✭✭Ant


    Tallon wrote: »
    Whys that? Should I use a sub account and remove the root account?
    You can keep the root account but it's advised to edit your sshd config file to prevent logging in as root.

    I'm surprised the cracker didn't hide their tracks - seeing as how they had root access. However, some other attacker may have installed a root-kit. You could check with rkhunter(Rootkit Hunter) or chkrootkit (also, rpm -Va is useful for rpm-based distros) but I wouldn't fully trust that system again.

    I'd do a clean reinstall of the OS and install either fail2ban or denyhosts to stop brute-force attacks on your SSH port. It's good advice to set up a non-root user who can use sudo. Ensure the user has a strong password - or better yet use SSH keys for authentication rather than passwords. Also, ensure your firewall only allows the bare minimum of TCP or UDP open ports.


  • Registered Users, Registered Users 2 Posts: 5,238 ✭✭✭humbert


    How long was your root password btw?


  • Closed Accounts Posts: 22,565 ✭✭✭✭Tallon


    humbert wrote: »
    How long was your root password btw?
    Ten characters, but it was fairly complex. Have changed it now and will setup root access from my own IP only, then use a sudo account going forward


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    How did you cop it by the way? Were you just keeping an eye on /var/log/secure or do you have some kind of warning system?


  • Closed Accounts Posts: 22,565 ✭✭✭✭Tallon


    Khannie wrote: »
    How did you cop it by the way? Were you just keeping an eye on /var/log/secure or do you have some kind of warning system?
    Logged into the console a few times to see command had been run, and the fact that I didn't recognise the IP


  • Closed Accounts Posts: 3,981 ✭✭✭[-0-]


    Never allow root to ssh. You really should wipe this system in case you are backdoored. The only reason someone would be doing this is to prevent others from owning you so they can keep the box for themselves.


  • Closed Accounts Posts: 22,565 ✭✭✭✭Tallon


    [-0-] wrote: »
    Never allow root to ssh. You really should wipe this system in case you are backdoored. The only reason someone would be doing this is to prevent others from owning you so they can keep the box for themselves.
    Well I can reset the server at any stage through the web interface or directly through the hosting crowd, so how would they 'keep the box for themselves'?


  • Closed Accounts Posts: 3,981 ✭✭✭[-0-]


    Tallon wrote: »
    Well I can reset the server at any stage through the web interface or directly through the hosting crowd, so how would they 'keep the box for themselves'?

    They were simply preventing other people from rooting you as well. They didn't want anyone else to take over the server.


  • Advertisement
  • Closed Accounts Posts: 22,565 ✭✭✭✭Tallon


    Thanks for all your help guys!

    Panicked a bit when I seen it :)


  • Banned (with Prison Access) Posts: 690 ✭✭✭puffishoes


    Don't use passwords at all. setup ssh keys and disable use of passwords over ssh.

    As said all ready. I'd wipe the VPS and only allow services you really need.


  • Closed Accounts Posts: 22,565 ✭✭✭✭Tallon


    puffishoes wrote: »
    Don't use passwords at all. setup ssh keys and disable use of passwords over ssh.

    As said all ready. I'd wipe the VPS and only allow services you really need.
    Wiping and reinstalling what I have on it would be a MASSIVE undertaking! It wouldn't even be doable!

    How do I setup ssh keys and disable passwords, and how does it work?


  • Banned (with Prison Access) Posts: 690 ✭✭✭puffishoes


    Tallon wrote: »
    Wiping and reinstalling what I have on it would be a MASSIVE undertaking! It wouldn't even be doable!

    How do I setup ssh keys and disable passwords, and how does it work?

    Well, if you want to make sure it won't happen again....

    why would it not be doable? no back up's etc?

    this url is a few years old but should give you an idea of the concept.

    http://www.aboutlinux.info/2005/09/how-to-setup-ssh-keys-and-why.html


  • Closed Accounts Posts: 22,565 ✭✭✭✭Tallon


    puffishoes wrote: »
    Well, if you want to make sure it won't happen again....

    why would it not be doable? no back up's etc?

    this url is a few years old but should give you an idea of the concept.

    http://www.aboutlinux.info/2005/09/how-to-setup-ssh-keys-and-why.html
    Would I not have to reinstall all my applications and create new SQL tables and databases manually?


  • Banned (with Prison Access) Posts: 690 ✭✭✭puffishoes


    Tallon wrote: »
    Would I not have to reinstall all my applications and create new SQL tables and databases manually?

    Well I don't know what you have on the box but it shouldn't be too long for the sake of peace of mind.

    for mysql you should be able to use the dump tool and then re-import the data back into the fresh mysql instance.


  • Registered Users, Registered Users 2 Posts: 9,313 ✭✭✭Mycroft H


    Turn off root access entirely through your sshd_config. It's a massive security hole and there is really no need for it to be on. Set up a sudo account is the easiest way through visudo.

    That's what I do and I've not had any problems. You can set up a ssh key system but I'm happy with sudo. Nice little tutorial for creating keys anyways http://paulkeck.com/ssh/


  • Registered Users, Registered Users 2 Posts: 7,157 ✭✭✭srsly78


    That password did not get brute forced. You probably have a keylogger on your own pc.


  • Closed Accounts Posts: 22,565 ✭✭✭✭Tallon


    srsly78 wrote: »
    That password did not get brute forced. You probably have a keylogger on your own pc.
    I don't


  • Registered Users, Registered Users 2 Posts: 5,238 ✭✭✭humbert


    srsly78 wrote: »
    That password did not get brute forced. You probably have a keylogger on your own pc.
    I have to agree. Brute forcing a complex 10 digit password does seem unlikely although I wouldn't instantly assume a keylogger.


  • Advertisement
  • Closed Accounts Posts: 22,565 ✭✭✭✭Tallon


    humbert wrote: »
    I have to agree. Brute forcing a complex 10 digit password does seem unlikely although I wouldn't instantly assume a keylogger.
    I've been logging in using an app on the iPhone for a good while now, possible that


  • Registered Users, Registered Users 2 Posts: 5,238 ✭✭✭humbert


    Tallon wrote: »
    I've been logging in using an app on the iPhone for a good while now, possible that

    Unless the app itself is vulnerable. The connection would obviously be encrypted.


  • Registered Users, Registered Users 2 Posts: 1,333 ✭✭✭Saganist


    Mmmm. I'd seriously think about wiping the whole system. As another user says. If they had root access at all they may have backdoored it.

    I'd aslo echo not allowing root access via ssh, and using ssh keys&passphrases instead.

    ssh-keygen etc.

    What database are you using ? Should be handy enough to take a checkpoint/dump of the database and drop it on a clean install.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Saganist wrote: »
    Mmmm. I'd seriously think about wiping the whole system. As another user says. If they had root access at all they may have backdoored it.

    +1. If I were a git and hacking other peoples boxes it would (literally) be the first thing I'd do.
    Tallon wrote: »
    Logged into the console a few times to see command had been run, and the fact that I didn't recognise the IP

    Slightly confused by that. Is this some kind of console that the web company give you as opposed to an SSH session or something?

    Can I ask (because I want to prevent myself being shafted) what version of CentOS was it and was it up to date with security patches?


  • Closed Accounts Posts: 22,565 ✭✭✭✭Tallon


    When you log into putty, it shows you the last ip that logged in and the cache file saves all the commands run so you can just scroll through them


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    [QUOTE=Tallon;80386884]Ten characters, but it was fairly complex. Have changed it now and will setup root access from my own IP only, then use a sudo account going forward[/QUOTE]

    length > complexity. I'll find the xkcd diagram for you. Also, if your using ssh, you really should be using ssh keys, with a passphrase, it makes things much harder for the would be attacker.

    password_strength.png

    Another advantage I have found of a loooong password using only letters, over a "complex" password is when on foreign keyboards, it can take you ages to find one of those complex charachters. Sometimes funny key combinations too.

    Another tip, security wise is to use the hosts.allow and hosts.deny files to limit the IP addresses that can access the VPS. For example, you said the IP originated in China, so first off, block all chinese ranges. Obviously our wiley attacker can get around that so maybe tie it down to only Irish and Uk addresses?

    One last edit I promise! OP, type man hosts.deny to learn how to use the hosts.deny. Don't get them confused and lock yourself out!


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Khannie wrote: »
    Can I ask (because I want to prevent myself being shafted) what version of CentOS was it and was it up to date with security patches?

    It would be nice to know the version of Cent OS too. The Cent OS community themselves can be a bit slow to apply patches, and I am not sure how good the communication is between Red Hat and Cent OS. Not all security patches are published.


    While a ten character password is pretty small for a root password over SSH, presumably the hosting company would have detected multiple logins. I find it unlikely the password was guessed or bruted. I've heard speak(in hushed whispers) of an SSH zero day. I've not seen any evidence yet, but I will be interested to see how this case pans out. OP, keep us updated!


  • Registered Users, Registered Users 2 Posts: 18 peter4sks




  • Registered Users, Registered Users 2 Posts: 252 ✭✭sf80


    You need to reinstall the server and check everything you take from the old server for backdoors/changes. It's not something you 'really should do', it's something you have to do. Otherwise you just have to accept that your server is compromised.

    Do you really need to run a server, is it just a personal thing that you could do without? You don't seem to have the skill to keep a secure server; start from scratch, learn about securing the server and it's services.


  • Advertisement
Advertisement