Results 1 to 8 of 8
Enjoy an ad free experience by logging in. Not a member yet? Register.
- 03-11-2014 #1
- Join Date
- Nov 2010
Unauthorised root logins?
I am experiencing a strange behavior on one of my servers. The server is running CentOS 5.5 (Final) and Parallels Plesk Panel 9.5.4. I am the only one with access to the server and the server is only used for my own websites.
In the root folder i have found some PHP files which i have not uploaded myself. The files looks like they have been used to send out emails (se attached files below). When i run "last" i see there has been a root login from a ip which is located in Italy (where i have never been). When i discovered this i changed my root password asap. I also added the following line in .bashcr:
echo "ALERT - Root access on:" `date` `who` | mail -s "ALERT: Root access on server 7" *my email here*
So every time root login to the server, i get an email alert which contains the ip of the remote host. Now, i just recieved such alert and i have not logged into the server myself. Also the ip is located in another country then myself.
So i login to the server, change the password again and reboot the server. When the server comes back up i do "last root". But there i cannot find the unauthorised login that i just received an email alert about. Why do i not se this in the wtmp or wtmp.1 log?
After i added the command to .bashcr, i have experienced three unauthorised login. All with different root passwords. I always use a very strong password (min 10 chars/numbers/signs), so a bruteforce attack is eliminated. My question here is, how do they manage to keep logging in?
One thought was that i had som spyware on my computer, but i have scanned my computer with AVG and several other virus software and they did not find any.
- 03-11-2014 #2
Turn off allowing root to login. Force yourself and anyone else who might login to use and account and su to root.
With all you've said I don't know if I'd trust that server anymore, might be time to rebuild so you know exactly what state its in.
- 03-11-2014 #3
Turning off root login via sshd_coinfig might not be enough, nor is changing the root password.
This guy already has root, so there is no telling what was installed or changed on the machine.
Think: Root kits, trojans, etc.
Imho you need to install a second machine with an up-to-date operating system and recreate your service there.You must always face the curtain with a bow.
- 03-11-2014 #4
- Join Date
- Nov 2010
I agree. I plan to rebuild the server, but i am curious on how they keep geting into the server. Any ideas/theories?
Also, i wonder how the "hacker" would execute the PHP files i discovered? I cannot find any commands in crontab. Any ideas?
- 03-11-2014 #5
- Join Date
- Dec 2013
If they installed a trojan or worse on your machine who knows. A web search turns up some hits on that file. It's being spread some how and executed by browser I would say.
An example of compromise:
Linux under attack: Compromised SSH keys lead to rootkit | ZDNet
- 03-12-2014 #6
this and have a thorough read through. It is both scary and educational (especially if you are a web coder / admin)"I used to be with it, then they changed what it was.
Now what was it isn't it, and what is it is weird and scary to me.
It'll happen to you too."
The Fifth Continent
- 03-12-2014 #7
- 03-23-2014 #8
- Join Date
- Apr 2009
- I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
There are well-known security holes in php, most of which have been fixed, but a lot of sites are still using vulnerable versions. As said by others, install an entirely new system with latest patched code, disable root logins, make all your web pages and directories read-only, and keep your system patched on a daily basis (or at least a weekly basis). Once updated/patched, restart all of your services so they will incorporate the fixes you installed. Do note that unless you restart a service, it will still be using the old (buggy) software, such as shared libraries, executables, etc.
FYI, Linux.com and LWN.net both publish daily lists of security patches that have been issued by all the major Linux distributions. I read them daily... it is the first thing I do in the morning, and again in the afternoon. None of my systems have ever been pwnd, and I am at least partially responsible for several thousand web servers... When I see a vulnerability that may impact our network, I email the details to our operations and netops groups. Usually they are already familiar with the issue, but sometimes not. As the old saying goes, it is better to be safe, than sorry! Especially since we have to serve over 100 million users!Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!