
Thread: my server was hacked!

  1. #1 (Join Date: Nov 2008 | Beans: 342)

    my server was hacked!

    I just got this comment from a helpful person: 'You have a Perl script listening on port 10000. Any idea as to what it could be?

    Dovecot is a POP/IMAP server. If you didn't install it yourself, you have a big reason to worry, it means someone got root on your server.'
    Can someone tell me right now (I am freaking out!) what to do? Should I turn my computer off? God knows what they are doing with my computer, and I can't host my website now anyway, it won't let me go there OR load localhost.

  2. #2 (Join Date: Nov 2009 | Beans: 919 | Distro: Ubuntu 12.04 Precise Pangolin)

    Re: my server was hacked!

    Reinstall. If there's damage, there won't be a reliable way to account for all of it. You may eventually be able to put together a realistic picture of what happened, but it would take a while and you'd still end up reinstalling. Might as well skip the tedious stuff.

    After reinstalling, if you still want to run a server, just make sure you check the configurations in the web-facing application to make sure you aren't just throwing it out there with default settings, and also make sure not to allow remote administration.

  3. #3 (Join Date: Jan 2007 | Location: North Carolina, USA | Beans: 540 | Distro: Ubuntu)

    Re: my server was hacked!

    I would do more investigation before taking any drastic action. Dovecot could have been installed as a dependency of something else. In the case that you were actually hacked you will best be able to investigate by loading a liveCD. Can you restart the webserver service "sudo /etc/init.d/<webserverservicenamehere> restart"?
    This info might be helpful:
    1. were you using a strong password?
    2. were there any administration services running (i.e. VNC, ssh server, webmin, etc.)?
    3. what is the output of "sudo netstat -a | grep 10000 && sudo netstat -a | grep LISTEN" (not from liveCD)?

    In your situation I would want to know both if and how a breach occurred, others might say just reinstall and stop worrying. You might want to pull the network plug after checking the netstat command and look at /var/log/auth too. If you really were hacked it would benefit you and all of us to figure out how.
    Last edited by Jive Turkey; April 16th, 2010 at 03:00 AM.
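The log check Jive Turkey suggests above, worked through as an added example in Python 3 (this is not code from any post in the thread). It reads the sshd and sudo lines of /var/log/auth.log, counts failed password attempts per source address, flags every successful login that came from an address that had been guessing passwords just before or that lies outside the networks you trust, and lists what was run as root through sudo. The log lines inside the block are constructed for illustration; the hostname, users, PIDs and addresses are made up, and TRUSTED_PREFIXES is an assumed setting to adjust for your own network.

```python
"""Triage /var/log/auth.log for SSH brute force, the logins that followed it,
and what was run as root through sudo.

Added example, not from any post in this thread. The log lines below are
constructed for illustration: hostname, users, PIDs and IP addresses are
made up. Python 3, standard library only.
"""
import re
from collections import Counter

# Constructed sample in the Ubuntu 9.10/10.04 auth.log format (sshd, pam, sudo).
SAMPLE_AUTH_LOG = """\
Apr 15 02:11:03 ubuntu sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Apr 15 02:11:05 ubuntu sshd[4125]: Failed password for invalid user oracle from 203.0.113.7 port 51031 ssh2
Apr 15 02:11:09 ubuntu sshd[4128]: Failed password for root from 203.0.113.7 port 51044 ssh2
Apr 15 02:11:12 ubuntu sshd[4130]: Failed password for root from 203.0.113.7 port 51050 ssh2
Apr 15 02:11:20 ubuntu sshd[4133]: Accepted password for bosslady from 203.0.113.7 port 51061 ssh2
Apr 15 02:11:20 ubuntu sshd[4133]: pam_unix(sshd:session): session opened for user bosslady by (uid=0)
Apr 15 02:12:44 ubuntu sudo: bosslady : TTY=pts/1 ; PWD=/home/bosslady ; USER=root ; COMMAND=/usr/bin/apt-get install webmin
Apr 15 09:30:01 ubuntu sshd[5201]: Accepted publickey for bosslady from 192.168.1.20 port 40212 ssh2
Apr 15 09:31:15 ubuntu sudo: bosslady : TTY=pts/0 ; PWD=/home/bosslady ; USER=root ; COMMAND=/etc/init.d/apache2 restart
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")
SUDO_RE = re.compile(r" sudo:\s+(\S+) : TTY=\S+ ; PWD=\S+ ; USER=(\S+) ; COMMAND=(.*)$")

# Assumed: address prefixes you consider your own; anything else is "outside".
TRUSTED_PREFIXES = ("127.", "10.", "192.168.")


def triage(log_text, trusted=TRUSTED_PREFIXES):
    failed = Counter()      # source IP -> failed password attempts
    accepted = []           # (ip, user, method) for every successful login
    sudo_cmds = []          # (user, target user, command)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group(3), m.group(2), m.group(1)))
            continue
        m = SUDO_RE.search(line)
        if m:
            sudo_cmds.append(m.groups())
    # The finding that matters: a login from an address that was guessing
    # passwords just before, or from outside the networks you trust.
    suspicious = [(ip, user, meth) for ip, user, meth in accepted
                  if failed[ip] or not ip.startswith(trusted)]
    return {"failed": failed, "accepted": accepted,
            "suspicious": suspicious, "sudo": sudo_cmds}


def report(result):
    lines = ["Failed password attempts by source:"]
    for ip, n in result["failed"].most_common():
        lines.append(f"  {ip:16} {n}")
    lines.append("Suspicious successful logins:")
    for ip, user, meth in result["suspicious"]:
        lines.append(f"  {user}@{ip} via {meth} after {result['failed'][ip]} failures")
    lines.append("Commands run as root via sudo:")
    for user, target, cmd in result["sudo"]:
        lines.append(f"  {user} -> {target}: {cmd}")
    return "\n".join(lines)


if __name__ == "__main__":
    # On the real box: triage(open("/var/log/auth.log").read()), plus the
    # rotated auth.log.1 and auth.log.*.gz files for earlier days.
    print(report(triage(SAMPLE_AUTH_LOG)))
```

Run it from the live CD against the mounted disk's /var/log/auth.log (and the rotated auth.log.1 and auth.log.*.gz) rather than on the running system. One caveat: if the intruder really did get root, the log may have been trimmed, so an empty report is not evidence that nothing happened.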

  4. #4 (Join Date: Jun 2007 | Location: Paraparaumu, New Zealand | Beans: Hidden!)

    Re: my server was hacked!

    Something doesn't add up here: on my server it's not dovecot that uses port 10000, but webmin, and even that's only accessible on my local network.

  5. #5 (Join Date: Nov 2008 | Beans: 342)

    Re: my server was hacked!

    Wow thanks guys for the quick response! This is what I got:


    Code:
    udp 0 0 *:10000 *:*
    tcp 0 0 *:imaps *:* LISTEN
    tcp 0 0 *:pop3s *:* LISTEN
    tcp 0 0 localhost:mysql *:* LISTEN
    tcp 0 0 *:netbios-ssn *:* LISTEN
    tcp 0 0 *:pop3 *:* LISTEN
    tcp 0 0 *:imap2 *:* LISTEN
    tcp 0 0 *:www *:* LISTEN
    tcp 0 0 *:webmin *:* LISTEN
    tcp 0 0 ubuntu.local:domain *:* LISTEN
    tcp 0 0 localhost:domain *:* LISTEN
    tcp 0 0 localhost:ipp *:* LISTEN
    tcp 0 0 *:3128 *:* LISTEN
    tcp 0 0 localhost:postgresql *:* LISTEN
    tcp 0 0 localhost:953 *:* LISTEN
    tcp 0 0 *:microsoft-ds *:* LISTEN
    tcp6 0 0 [::]:8009 [::]:* LISTEN
    tcp6 0 0 [::]:http-alt [::]:* LISTEN
    tcp6 0 0 [::]:domain [::]:* LISTEN
    tcp6 0 0 localhost:953 [::]:* LISTEN
    unix 2 [ ACC ] STREAM LISTENING 15104 /var/run/mysqld/mysqld.sock
    unix 2 [ ACC ] STREAM LISTENING 16740 /tmp/.winbindd/pipe
    unix 2 [ ACC ] STREAM LISTENING 17756 /tmp/.X11-unix/X0
    unix 2 [ ACC ] STREAM LISTENING 18395 /tmp/keyring-mmaleT/socket
    unix 2 [ ACC ] STREAM LISTENING 18401 /tmp/keyring-mmaleT/ssh
    unix 2 [ ACC ] STREAM LISTENING 18407 /tmp/keyring-mmaleT/socket.pkcs11
    unix 2 [ ACC ] STREAM LISTENING 18650 /tmp/seahorse-8OvG1S/S.gpg-agent
    unix 2 [ ACC ] STREAM LISTENING 18680 /tmp/.ICE-unix/5985
    unix 2 [ ACC ] STREAM LISTENING 18694 /tmp/orbit-bosslady/linc-17a2-0-d5e8c35939e3
    unix 2 [ ACC ] STREAM LISTENING 18944 /tmp/orbit-bosslady/linc-1761-0-7cfc3514b96f2
    unix 2 [ ACC ] STREAM LISTENING 19087 /tmp/orbit-bosslady/linc-17a8-0-75082b9ee2e15
    unix 2 [ ACC ] STREAM LISTENING 19173 /tmp/orbit-bosslady/linc-17a9-0-55b1696040cbf
    unix 2 [ ACC ] STREAM LISTENING 14878 /var/run/avahi-daemon/socket
    unix 2 [ ACC ] STREAM LISTENING 19743 /tmp/orbit-bosslady/linc-17c0-0-275bdbe0af495
    unix 2 [ ACC ] STREAM LISTENING 17695 /var/run/gdm_socket
    unix 2 [ ACC ] STREAM LISTENING 18622 @/tmp/dbus-TaJZ3sx5s1
    unix 2 [ ACC ] STREAM LISTENING 21046 /tmp/orbit-bosslady/linc-179f-0-773a1c1fdbf73
    unix 2 [ ACC ] STREAM LISTENING 26197 /tmp/.esd-1000/socket
    unix 2 [ ACC ] STREAM LISTENING 26201 /tmp/pulse-bosslady/native
    unix 2 [ ACC ] STREAM LISTENING 26242 /tmp/orbit-bosslady/linc-17d6-0-512fd552ad7ef
    unix 2 [ ACC ] STREAM LISTENING 26337 /tmp/orbit-bosslady/linc-17ca-0-775f601d88586
    unix 2 [ ACC ] STREAM LISTENING 26404 /tmp/orbit-bosslady/linc-17e1-0-6253d97275c5a
    unix 2 [ ACC ] STREAM LISTENING 26575 /tmp/orbit-bosslady/linc-17f6-0-19e04c27a4713
    unix 2 [ ACC ] STREAM LISTENING 26682 /tmp/orbit-bosslady/linc-1802-0-65a4c14c63e0
    unix 2 [ ACC ] STREAM LISTENING 27369 /tmp/orbit-bosslady/linc-183f-0-25f227bac1a0f
    unix 2 [ ACC ] STREAM LISTENING 27453 /tmp/orbit-bosslady/linc-183c-0-6ea549c1da4e9
    unix 2 [ ACC ] STREAM LISTENING 27484 /tmp/orbit-bosslady/linc-1836-0-3155e1adf08be
    unix 2 [ ACC ] STREAM LISTENING 27536 /tmp/orbit-bosslady/linc-1834-0-64f40be863a5a
    unix 2 [ ACC ] STREAM LISTENING 27513 /tmp/orbit-bosslady/linc-1842-0-18f4c918a4036
    unix 2 [ ACC ] STREAM LISTENING 27634 /tmp/orbit-bosslady/linc-1857-0-131145f7221f
    unix 2 [ ACC ] STREAM LISTENING 27752 /tmp/orbit-bosslady/linc-185e-0-6e3d60b2da657
    unix 2 [ ACC ] STREAM LISTENING 29195 /tmp/orbit-bosslady/linc-1906-0-10c02fbb89034
    unix 2 [ ACC ] STREAM LISTENING 166246 /tmp/orbit-bosslady/linc-5166-0-9981e44f1efc
    unix 2 [ ACC ] STREAM LISTENING 82106 /tmp/orbit-bosslady/linc-35f7-0-4da6e9c17913
    unix 2 [ ACC ] STREAM LISTENING 17513 @/org/bluez/audio
    unix 2 [ ACC ] STREAM LISTENING 241630 /tmp/orbit-bosslady/linc-6bde-0-7ef51e0c6e8e9
    unix 2 [ ACC ] STREAM LISTENING 174095 /tmp/orbit-bosslady/linc-538b-0-6dca80dca9857
    unix 2 [ ACC ] STREAM LISTENING 17755 @/tmp/.X11-unix/X0
    unix 2 [ ACC ] STREAM LISTENING 17509 /var/run/sdp
    unix 2 [ ACC ] STREAM LISTENING 16742 /var/run/samba/winbindd_privileged/pipe
    unix 2 [ ACC ] STREAM LISTENING 16808 @/var/run/hald/dbus-l47cksY1Dk
    unix 2 [ ACC ] STREAM LISTENING 90999 /var/run/cups/cups.sock
    unix 2 [ ACC ] STREAM LISTENING 16795 /var/run/dovecot/dict-server
    unix 2 [ ACC ] STREAM LISTENING 16797 /var/run/dovecot/login/default
    unix 2 [ ACC ] STREAM LISTENING 16802 /var/run/dovecot/auth-worker.5400
    unix 2 [ ACC ] STREAM LISTENING 16835 @/var/run/hald/dbus-uSVwX0pAku
    unix 2 [ ACC ] STREAM LISTENING 16070 /var/run/postgresql/.s.PGSQL.5432
    unix 2 [ ACC ] STREAM LISTENING 14545 /var/run/acpid.socket
    unix 2 [ ACC ] STREAM LISTENING 14834 /var/run/dbus/system_bus_socket
    Jive Turkey I hear what you're saying (believe me I really don't feel like re-installing, it was hard for me to do it in the first place but......)
    There are so many weird folders and files that I KNOW are new, and they all say I don't have permission to delete them and it is a lot of work to do that in the terminal, and then I won't know if I got them all.

  6. #6 (Join Date: Jan 2007 | Location: North Carolina, USA | Beans: 540 | Distro: Ubuntu)

    Re: my server was hacked!

    I saw your other thread about having GIMP open when you woke up with a drawing having been started not by you. Unfortunately I'm not really qualified to be of much help with the postmortem on this. This is probably going to end with a reinstall. Some other forumites may be able to help more.

    I suggest you boot with a live CD and snoop through the dovecot configs and all of the logs. If you aren't sure what you are looking at you might consider just reinstalling. My curiosity wants to find if it was a 0day exploit or just weak security config but I doubt either of us have time to figure it out.

  7. #7 (Join Date: Nov 2007 | Location: Okieville, USA | Beans: 3,178 | Distro: Ubuntu 10.04 Lucid Lynx)

    Re: my server was hacked!

    Set up iptables and close the ports you don't use.

  8. #8 (Join Date: Oct 2005 | Location: Lab, Slovakia | Beans: 10,791)

    Re: my server was hacked!

    Howdy,

    Webmin listens on port 10,000.

    Provided that you use decent passwords on ALL accounts and you do not install VNC, your system will be secure.

  9. #9 (Join Date: Dec 2006 | Location: Chicago | Beans: 3,839)

    Re: my server was hacked!

    That netstat output sucks. Use this command
    Code:
    sudo netstat -tulnp
    That will list all listening TCP or UDP ports with numeric port numbers and the process name. Also, post output with "CODE" tags.

    [CODE]
    output goes here
    [/CODE]


    I believe webmin not only listens on TCP 10000, but also runs from a perl process. Did you install webmin? You shouldn't be installing stuff like webmin if you don't even know what port they listen on. Did you do a server install? If so, did you select the "mail server" box during install?
    Last edited by cdenley; April 16th, 2010 at 01:44 PM.
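Posts #7 and #9 fit together: get the listener list with `sudo netstat -tulnp`, then close with iptables whatever does not need to be reachable. The following added example in Python 3 (not code from any post in the thread) parses either form of netstat output, reports which sockets are bound to every interface rather than to localhost, and drafts the iptables allow-list from a set of ports you choose. The `netstat -a` lines are the ones posted in #5 with the three mangled service names restored; netstat without `-n` prints the name it finds in /etc/services, which is why the TCP socket on 10000 shows up as `webmin` while the UDP socket on the same port stays numeric. The `-tulnp` lines and their PIDs are constructed, and the allowed ports (80, 993, 995, for a web server with IMAPS and POP3S) are an assumption.

```python
"""Parse netstat listener output, report what is reachable from the network,
and draft an iptables allow-list that closes the rest.

Added example, not code from this thread. Handles the `netstat -a` form quoted
in post #5 (service names, no PIDs) and the `netstat -tulnp` form (numeric
ports plus PID/program). Python 3, standard library only.
"""
from collections import namedtuple

# Names netstat prints from /etc/services when run without -n.
# Constructed subset covering the posted output; extend as needed.
SERVICE_PORTS = {
    "www": 80, "http": 80, "http-alt": 8080, "domain": 53, "ipp": 631,
    "imap2": 143, "imaps": 993, "pop3": 110, "pop3s": 995, "mysql": 3306,
    "postgresql": 5432, "netbios-ssn": 139, "microsoft-ds": 445,
    "webmin": 10000, "ssh": 22, "smtp": 25,
}
ANY_ADDR = {"*", "0.0.0.0", "::", "[::]"}          # bound to every interface
LOOPBACK = ("localhost", "127.", "::1", "[::1]")

Listener = namedtuple("Listener", "proto host port scope program")

# The TCP/UDP lines from post #5 as posted (three mangled names restored).
POSTED_NETSTAT = """\
udp 0 0 *:10000 *:*
tcp 0 0 *:imaps *:* LISTEN
tcp 0 0 *:pop3s *:* LISTEN
tcp 0 0 localhost:mysql *:* LISTEN
tcp 0 0 *:netbios-ssn *:* LISTEN
tcp 0 0 *:pop3 *:* LISTEN
tcp 0 0 *:imap2 *:* LISTEN
tcp 0 0 *:www *:* LISTEN
tcp 0 0 *:webmin *:* LISTEN
tcp 0 0 ubuntu.local:domain *:* LISTEN
tcp 0 0 localhost:domain *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 *:3128 *:* LISTEN
tcp 0 0 localhost:postgresql *:* LISTEN
tcp 0 0 localhost:953 *:* LISTEN
tcp 0 0 *:microsoft-ds *:* LISTEN
tcp6 0 0 [::]:8009 [::]:* LISTEN
tcp6 0 0 [::]:http-alt [::]:* LISTEN
tcp6 0 0 [::]:domain [::]:* LISTEN
tcp6 0 0 localhost:953 [::]:* LISTEN
"""

# Constructed `sudo netstat -tulnp` lines; the PIDs and programs are made up.
TULNP_SAMPLE = """\
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      5123/perl
udp        0      0 0.0.0.0:10000           0.0.0.0:*                           5123/perl
tcp6       0      0 :::8009                 :::*                    LISTEN      2210/java
"""


def parse_listeners(text):
    """One Listener per listening TCP/UDP socket; unix sockets are skipped."""
    found = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        if f[0].startswith("tcp") and "LISTEN" not in f:
            continue                                # an established connection
        host, _, port = f[3].rpartition(":")
        port = int(port) if port.isdigit() else SERVICE_PORTS.get(port, port)
        scope = ("all" if host in ANY_ADDR else
                 "local" if host.startswith(LOOPBACK) else "addr")
        program = f[-1] if "/" in f[-1] else None   # PID/name: only with -p as root
        found.append(Listener(f[0], host, port, scope, program))
    return found


def exposed(listeners):
    """(proto, port) pairs that accept traffic from any interface."""
    pairs = {(s.proto, s.port) for s in listeners if s.scope == "all"}
    return sorted(pairs, key=lambda t: (t[0], str(t[1]).rjust(5)))


def iptables_rules(listeners, allow_tcp, allow_udp=()):
    """Default-deny INPUT plus an explicit allow-list. Returns the commands
    and the exposed (proto, port) pairs the policy would cut off."""
    rules = []
    for cmd in ("iptables", "ip6tables"):          # tcp6/udp6 live in the v6 table
        rules += [f"{cmd} -A INPUT -i lo -j ACCEPT",
                  f"{cmd} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
        rules += [f"{cmd} -A INPUT -p tcp --dport {p} -j ACCEPT" for p in sorted(allow_tcp)]
        rules += [f"{cmd} -A INPUT -p udp --dport {p} -j ACCEPT" for p in sorted(allow_udp)]
        rules.append(f"{cmd} -P INPUT DROP")       # flip the policy after the accepts
    cut_off = [(proto, port) for proto, port in exposed(listeners)
               if port not in (allow_udp if proto.startswith("udp") else allow_tcp)]
    return rules, cut_off


if __name__ == "__main__":
    sockets = parse_listeners(POSTED_NETSTAT)
    for s in sockets:
        print(f"{s.proto:5} {str(s.port):>6}  {s.scope:6} {s.program or ''}")
    rules, cut = iptables_rules(sockets, allow_tcp={80, 993, 995})
    print("\n".join(rules))
    print("would be cut off from the network:", cut)
```

The policy flip is emitted last so that a session already open survives under the ESTABLISHED rule. Rules added this way are gone after a reboot; you would save them with iptables-save and restore them at boot, or let ufw manage the persistence for you.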

  10. #10 (Join Date: Nov 2008 | Beans: 342)

    Re: my server was hacked!

    "That netstat output sucks" LOL

    Unfortunately it won't let me do anything anymore, tried to enter your netstat command but I got this:
    Code:
    ******y@ubuntu:~$ sudo -i
    sudo: /var/run/sudo owned by uid 1000, should be uid 0
    [sudo] password for*******:
    Sorry, try again.
    [sudo] password for*****y:
    ....I think I should re-install? Might as well go with the total re-install, so what is the highest stable Ubuntu version without any known bad security problems? Thanks. Also, I had enough trouble installing the first one so I need a good guide I can download and transfer to my other computer (windows) and read.

    *edit I'm trying to see how much RAM I have to install Lucid Lynx (also wondering if I should install Lucid Lynx) and this is what the terminal shows:
    Code:
    total used free shared buffers cached
    Mem: 945 931 13 0 24 329
    -/+ buffers/cache: 577 368
    I'm not sure what that means, I thought it would show I had 200MB of RAM, which is still too little. Not sure what to do here.
    Last edited by Lakeside5; April 17th, 2010 at 11:58 PM.
