
Thread: Got hacked , now what ?

  1. #1
    Join Date
    Sep 2006
    Location
    Spartanburg , SC
    Beans
    20
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Got hacked , now what ?

    Hello Everyone,
    Someone caught me slipping, and exposed my noobness to the world and used my VPS for spamming.
    My question is this: how do I go about finding out how they got in? I checked my auth.log and nothing seemed strange, except for something about a PAM/dlopen not being able to complete.
    The only ports open are http, ssh, mysql (local only) and glassfish (running as glassfish user).

    Thanks

    P.S. Don't smack me too hard

  2. #2
    Join Date
    Jan 2010
    Location
    Australia
    Beans
    544
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: Got hacked , now what ?

    Out of curiosity, how do you know it was used for spamming?

  3. #3
    Join Date
    Sep 2006
    Location
    Spartanburg , SC
    Beans
    20
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: Got hacked , now what ?

    I got a message from my VPS provider that my server had been reported for spamming =(

  4. #4
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Got hacked , now what ?

    First you should ask your VPS provider for details. If they are confident you were compromised they should share what they know.

    Of those services my guess would be they got in via ssh.

    Since you are new to all this I suggest you first read the security sticky.

    Then back up your VPS data and re-install your VPS.

    In the future, if you run ssh, use keys, disable passwords, and use a service such as denyhosts or fail2ban.

    If you are interested you could image your VPS and try to run forensics.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface
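
    An added example, not part of the thread or any poster's code: one way to check the "they got in via ssh" guess is to triage auth.log for password logins that succeed right after a run of failures from the same address. The log lines, user names and addresses below are constructed samples, and `triage` and `min_failures` are names chosen for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the sshd auth.log format
# (addresses come from the documentation ranges).
SAMPLE_LOG = """\
Mar  3 02:11:40 vps sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar  3 02:11:43 vps sshd[2103]: Failed password for root from 203.0.113.7 port 40120 ssh2
Mar  3 02:11:47 vps sshd[2105]: Failed password for glassfish from 203.0.113.7 port 40131 ssh2
Mar  3 02:11:52 vps sshd[2107]: Accepted password for glassfish from 203.0.113.7 port 40140 ssh2
Mar  3 09:30:02 vps sshd[3310]: Accepted publickey for deploy from 198.51.100.20 port 51514 ssh2
Mar  3 09:45:10 vps sshd[3402]: Failed password for deploy from 198.51.100.20 port 51600 ssh2
"""

# Matches sshd authentication results; "invalid user" is optional.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def triage(log_text, min_failures=3):
    """Return (failures per IP, accepted logins, suspicious logins)."""
    failures = defaultdict(int)
    accepted, suspicious = [], []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # not an sshd authentication result line
        ip, user, method = m["ip"], m["user"], m["method"]
        if m["result"] == "Failed":
            failures[ip] += 1
            continue
        login = {"ip": ip, "user": user, "method": method,
                 "prior_failures": failures[ip]}
        accepted.append(login)
        # A password login preceded by a run of failures from the same
        # address is the signature of a guessed password.
        if method == "password" and failures[ip] >= min_failures:
            suspicious.append(login)
    return dict(failures), accepted, suspicious

if __name__ == "__main__":
    fails, ok, bad = triage(SAMPLE_LOG)
    for login in bad:
        print("suspicious:", login)
```

    Feed it the rotated logs as well (auth.log.1 and the decompressed .gz files), and review every accepted login, not only the flagged ones. An intruder who gained root may have edited the logs, so an empty result does not rule ssh out.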

  5. #5
    Join Date
    Jan 2010
    Location
    Australia
    Beans
    544
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: Got hacked , now what ?

    I always run SSH on a non-default port. I suggest everyone do the same.

  6. #6
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Got hacked , now what ?

    Originally Posted by Ryan Dwyer:
    "I always run SSH on a non-default port. I suggest everyone do the same."

    That does not help much, the non-default port is easily discovered (so take care). You need to use strong passwords (at a minimum), although I prefer keys only.

    In addition consider denyhosts or fail2ban or a few rules in iptables.

    If your ssh server is secure, the port does not matter, although you get more noise in the logs with a port of 22.

    My point is, just changing the port is insufficient to secure ssh.

  7. #7
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: Got hacked , now what ?

    +1 to bodhi.zazen.

    I recently switched from running SSH on a non default port to port 22. Mine is using keys only, and I don't have DenyHosts or Fail2Ban installed - however, I have locked SSH down to accept connections from only a couple IP addresses, so that's pretty much as secure as it's going to get.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  8. #8
    Join Date
    Sep 2009
    Location
    Colorado
    Beans
    Hidden!

    Re: Got hacked , now what ?

    By using tools such as fail2ban, you potentially implement a DOS vulnerability on your server.
    17e0622bbe9bb1f8a5cc231ed260447a

  9. #9
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: Got hacked , now what ?

    Originally Posted by ld.4lpha:
    "By using tools such as fail2ban, you potentially implement a DOS vulnerability on your server."

    Explain?

  10. #10
    Join Date
    Sep 2009
    Location
    Colorado
    Beans
    Hidden!

    Re: Got hacked , now what ?

    If someone spoofs your IP and throws a bunch of bogus login attempts at your server, it would add deny rules on your firewall for (or otherwise blackhole) your IP.

    This is true unless, of course, fail2ban provides some kind of "whitelist" functionality to prevent this from happening (which it very well may...I'm not certain, as I don't use the tool).

    So I guess I should have stated:

    "By using tools such as fail2ban, you potentially implement a DOS vulnerability on your server unless you take care to configure some form of 'whitelist' capability."
