  1. #1
    Just Joined!
    Join Date
    Jan 2008
    Posts
    1

    HELP ASAP! Hackers Using Our Server


    Hi,

    Sorry, I'm new to this forum, and I realise this issue might be addressed elsewhere. If it is, please drop me a link.

    It has been reported to us via our ISP that hacking attempts have been made from our web test server using SSH Brute Force against other machines.

    We have removed the server from the net, and are installing a security suite.

    Could anyone please tell me:
    Which anti-virus you would recommend.
    Useful hints to help find who and where the attacks originate.
    And anything else relevant to making the server safe again.

    I'm including the log file bar the involved IPs (for obvious reasons).

    auth.log:

    Jan 15 11:19:38 myhost sshd[1211]: Did not receive identification string from **.**.**.**
    Jan 15 11:22:55 myhost sshd[1401]: Invalid user test from **.**.**.**
    Jan 15 11:22:55 myhost sshd[1401]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=**.**.**.**
    Jan 15 11:22:58 myhost sshd[1401]: Failed password for invalid user test from **.**.**.** port 59967 ssh2
    Jan 15 11:22:58 myhost sshd[1401]: Received disconnect from **.**.**.**: Bye Bye
    Jan 15 11:22:59 myhost sshd[1402]: Invalid user test from **.**.**.**
    Jan 15 11:22:59 myhost sshd[1402]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=**.**.**.**
    Jan 15 11:23:00 myhost sshd[1402]: Failed password for invalid user test from **.**.**.** port 60199 ssh2
    Jan 15 11:23:01 myhost sshd[1402]: Received disconnect from **.**.**.**: 11: Bye Bye
    Jan 15 11:23:01 myhost sshd[1406]: Invalid user test from **.**.**.**
    Jan 15 11:23:01 myhost sshd[1406]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=**.**.**.**
    Jan 15 11:23:03 myhost sshd[1406]: Failed password for invalid user test from **.**.**.** port 60361 ssh2
    Jan 15 11:23:03 myhost sshd[1406]: Received disconnect from **.**.**.**: 11: Bye Bye
    Jan 15 11:23:04 myhost sshd[1407]: Invalid user test from **.**.**.**
    Jan 15 11:23:04 myhost sshd[1407]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=**.**.**.**
    Jan 15 11:23:06 myhost sshd[1407]: Failed password for invalid user test from **.**.**.** port 60544 ssh2
    Jan 15 11:33:03 myhost sshd[1407]: fatal: Timeout before authentication for **.**.**.**

    Please be clear and complete in responses; I'm not as experienced with Linux as with other OSes.

    Thank you in advance.

    Concerned.
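
An added example, not part of the original post or of any reply in the thread: a small POSIX shell script that summarises sshd entries of the kind shown in the log above. It counts failed passwords per source address, flags sources over a threshold, lists the usernames each source tried, and, the first thing to check after a brute-force report, lists any logins that were accepted. The log lines embedded in it are constructed from the pattern of the log above; since the thread's addresses are masked, the placeholders 192.0.2.10 and 198.51.100.7 (documentation ranges) and the user bob stand in for them. On a real host you would feed /var/log/auth.log to the same functions.

```shell
#!/bin/sh
# Added example (not from the thread): summarise sshd activity in an auth.log.
# SAMPLE_LOG is constructed from the pattern of the OP's log; the masked
# addresses are replaced with the documentation-range placeholders 192.0.2.10
# and 198.51.100.7, and "bob" is a placeholder user.
SAMPLE_LOG='Jan 15 11:19:38 myhost sshd[1211]: Did not receive identification string from 192.0.2.10
Jan 15 11:22:55 myhost sshd[1401]: Invalid user test from 192.0.2.10
Jan 15 11:22:55 myhost sshd[1401]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10
Jan 15 11:22:58 myhost sshd[1401]: Failed password for invalid user test from 192.0.2.10 port 59967 ssh2
Jan 15 11:22:58 myhost sshd[1401]: Received disconnect from 192.0.2.10: 11: Bye Bye
Jan 15 11:23:00 myhost sshd[1402]: Failed password for invalid user test from 192.0.2.10 port 60199 ssh2
Jan 15 11:23:03 myhost sshd[1406]: Failed password for invalid user test from 192.0.2.10 port 60361 ssh2
Jan 15 11:23:06 myhost sshd[1407]: Failed password for invalid user admin from 192.0.2.10 port 60544 ssh2
Jan 15 11:33:03 myhost sshd[1407]: fatal: Timeout before authentication for 192.0.2.10
Jan 15 11:40:12 myhost sshd[1450]: Failed password for bob from 198.51.100.7 port 40122 ssh2
Jan 15 11:40:20 myhost sshd[1451]: Accepted password for bob from 198.51.100.7 port 40130 ssh2'

# failed_by_host LOG -> "count address" per source address, busiest first
failed_by_host() {
    printf '%s\n' "$1" \
      | awk '/Failed password for/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# brute_force_sources LOG THRESHOLD -> addresses with at least THRESHOLD failures
brute_force_sources() {
    failed_by_host "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# users_tried LOG ADDRESS -> distinct usernames ADDRESS failed to log in as.
# sshd writes "for invalid user NAME from ADDR" for unknown accounts and
# "for NAME from ADDR" for real ones, so the field offsets differ.
users_tried() {
    printf '%s\n' "$1" \
      | awk -v want="$2" '/Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "for") break
            if ($(i + 1) == "invalid") { u = $(i + 3); h = $(i + 5) } else { u = $(i + 1); h = $(i + 3) }
            if (h == want) print u
        }' | sort -u
}

# accepted_logins LOG -> "user address" for every successful login. After a
# brute-force report this is the line that decides whether you were compromised.
accepted_logins() {
    printf '%s\n' "$1" \
      | awk '/Accepted (password|publickey|keyboard-interactive)/ {
            for (i = 1; i <= NF; i++) if ($i == "for") break
            print $(i + 1), $(i + 3)
        }'
}

# probes LOG -> addresses that connected without sending an SSH banner
# (what a port scanner does)
probes() {
    printf '%s\n' "$1" | awk '/Did not receive identification string from/ { print $NF }' | sort -u
}

# report LOG -> human-readable summary of all of the above
report() {
    echo "Failed logins per source:";        failed_by_host "$1"
    echo "Sources with 3+ failures:";        brute_force_sources "$1" 3
    echo "Banner-less probes:";              probes "$1"
    echo "Accepted logins (user address):";  accepted_logins "$1"
}

report "$SAMPLE_LOG"
```

Run it against the real log with `report "$(cat /var/log/auth.log)"`, or on a rotated copy taken before anything is reinstalled. A source with many failures and no accepted login is noise; any accepted login from an address that also appears in the failure list is the thing to chase.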

  2. #2
    oz
    forum.guy
    Join Date
    May 2004
    Location
    arch linux
    Posts
    18,733
    Welcome to the forums!

    I don't run any servers so don't have any specific help to offer, but take a look at this security howto for some ideas that might help to solve this issue:

    http://www.linuxforums.org/forum/lin...-security.html
    oz

  3. #3
    Linux Engineer rcgreen
    Join Date
    May 2006
    Location
    the hills
    Posts
    1,134
    Chances are that they had root access. This was probably because of an attack against one of your services. Keep up to date on security upgrades for the services you run (apache or whatever).

    The right thing to do is format and reinstall the OS on that server. This way you are sure to remove everything. It's not a virus, in the usual sense of the word, but UNIX/LINUX security is a whole science in itself.

    Remember that those who attack servers are very motivated, so you must run an up to date system. Subscribe to any newsletters from the distributors/maintainers of your software.

    There are security oriented forums also.

    *nix Security Discussions - Antionline Forums - Maximum Security for a Connected World

  4. #4
    Linux Guru anomie
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Quote Originally Posted by HelpMeASAP
    auth.log:

    Jan 15 11:19:38 myhost sshd[1211]: Did not receive identification string from **.**.**.**
    Jan 15 11:22:55 myhost sshd[1401]: Invalid user test from **.**.**.**
    Jan 15 11:22:55 myhost sshd[1401]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=**.**.**.**
    Jan 15 11:22:58 myhost sshd[1401]: Failed password for invalid user test from **.**.**.** port 59967 ssh2
    Jan 15 11:22:58 myhost sshd[1401]: Received disconnect from **.**.**.**:
    Personally, I don't see anything in that log that indicates you've been compromised (which doesn't mean you haven't been; I just don't see anything that would make me believe that).

    I see a port scan and an attempt to login as a user called 'test'. That's it.

    Does your sshd service need to be available to the entire world? If not, allow only the needed subnets using iptables or tcp wrappers (and deny everything else). If so, consider running an application like denyhosts or fail2ban.

    ----------------------------

    edit: Sorry, I missed this part.

    Quote Originally Posted by HelpMeASAP
    It has been reported to us via our ISP that hacking attempts have been made from our web test server using SSH Brute Force against other machines.
    That's a problem. Does anyone other than you have a shell account on that box?
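
An added example, not from the thread or its posters: the "allow only the needed subnets, deny everything else" policy for sshd that the reply above describes, generated in both forms it mentions, iptables rules and tcp wrappers entries for /etc/hosts.allow and /etc/hosts.deny. The allowed networks are constructed placeholders; the script only prints the rules for review and applies nothing.

```shell
#!/bin/sh
# Added example (not from the thread): emit an "allow listed subnets, deny the
# rest" policy for sshd as iptables rules and as tcp wrappers entries.
# ALLOWED_NETS is a constructed placeholder list; replace it with the subnets
# that really need to reach sshd. Nothing is applied: review the output, then
# run the iptables lines (or add them to your distribution's rules file) and
# copy the wrappers lines into /etc/hosts.allow and /etc/hosts.deny.
ALLOWED_NETS="203.0.113.0/24 10.20.0.0/16"

# prefix_to_mask LEN -> dotted netmask, e.g. 24 -> 255.255.255.0
# (libwrap's portable syntax is net/mask rather than net/len)
prefix_to_mask() {
    remaining=$1
    mask=""
    for octet in 1 2 3 4; do
        if [ "$remaining" -ge 8 ]; then bits=8
        elif [ "$remaining" -gt 0 ]; then bits=$remaining
        else bits=0
        fi
        mask="$mask$(( 256 - (1 << (8 - bits)) ))"
        if [ "$octet" -lt 4 ]; then mask="$mask."; fi
        remaining=$(( remaining - bits ))
    done
    printf '%s\n' "$mask"
}

# iptables_ssh_rules "NET/LEN ..." -> one ACCEPT per allowed net, then a DROP
# that catches every other source. Order matters: the DROP must come last,
# and these lines must sit before any broader ACCEPT for port 22.
iptables_ssh_rules() {
    for net in $1; do
        printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$net"
    done
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# hosts_allow_lines "NET/LEN ..." -> /etc/hosts.allow entries for sshd
hosts_allow_lines() {
    for net in $1; do
        addr=${net%/*}
        len=${net#*/}
        printf 'sshd: %s/%s\n' "$addr" "$(prefix_to_mask "$len")"
    done
}

# hosts_deny_line -> the /etc/hosts.deny catch-all; with it in place only
# sources matched in hosts.allow get as far as sshd
hosts_deny_line() {
    printf 'sshd: ALL\n'
}

echo "# iptables";         iptables_ssh_rules "$ALLOWED_NETS"
echo "# /etc/hosts.allow"; hosts_allow_lines "$ALLOWED_NETS"
echo "# /etc/hosts.deny";  hosts_deny_line
```

The two layers are independent: the iptables rules stop the packets before sshd sees them, while tcp wrappers only work if sshd was built against libwrap (OpenSSH dropped that support in 6.7, so on newer systems only the firewall form applies). Keep a console or out-of-band session open while loading the rules, since a typo in the allowed list locks you out too.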

  5. #5
    Linux Newbie PureGrain
    Join Date
    Nov 2006
    Location
    Mt. Washington, Kentucky
    Posts
    154
    I go along with what was posted above about re-imaging, but if by chance you want to run a program that will help detect whether a rootkit has been installed on your box, try googling for "chkrootkit".

    This little program will check the most commonly used rootkits.
    LINUX - "The other white meat.."
    Registered Linux User #439112

  6. #6
    Linux Guru Jonathan183
    Join Date
    Oct 2007
    Posts
    3,042
    Quote Originally Posted by HelpMeASAP
    We have removed the server from the net, and are installing a security suite.

    Could anyone please tell me:
    Which anti-virus you would recommend.
    Useful hints to help find who and where the attacks originate.
    And anything else relevant to making the server safe again.
    I'd read some of the linked information in previous posts before installing anything else on the server. If you have pulled the server off the net you have no risk, and installing packages now may destroy evidence.

    When you read some of the links you will see that working out how they got in, and the weakness in your current setup, will help you keep them out later (you may already be aware of all of this - in which case just ignore my comments).

    Also keep in mind that you can trust nothing on a compromised system; the best approach is probably to back up data and do a fresh install. Work on the assumption that all user account names and passwords are known.

  7. #7
    Linux Newbie PureGrain
    Join Date
    Nov 2006
    Location
    Mt. Washington, Kentucky
    Posts
    154
    Just an FYI as I agree with the above statements as well. This is not a package that installs anything, you just un-tar it and run it.
    LINUX - "The other white meat.."
    Registered Linux User #439112
