VPS compromised, what to do next?
Just found one of my main VPSes was compromised earlier today: the hacker brute-forced a test account I forgot to delete a couple of months ago.
According to my munin graph, the VPS used < 4 Mbps out and < 6 Mbps in for about 8 hours, with tons of sshd processes hanging there. Also I've noticed there was a process under that test account at /usr/sbin/httpd. In syslog I found many entries of "nf_conntrack: table full, dropping packet." --> I guess it was sending a flood to someone?
The IP used by the hacker is 82.137.11.75, seems to be a Romanian IP.
Now I've killed all processes related to that account, deleted that account, rm'ed that /usr/sbin/httpd, changed my password and SSH port and installed fail2ban. The bandwidth usage seems to be normal now, and the load dropped to 0.0*.
What else should I do to clean that box, or should I back up the data & reformat?
Comments
The ideal solution imo would be to just reinstall and restore your critical data afterwards, so you can be sure no backdoors and such are left on your VPS.
Nuke it from orbit - only way to be sure.
Seriously - reinstall the OS.
Only exception is if you have some kind of tripwire-based sha1 of all files and can identify precisely which files were changed, deleted, or added since the intrusion. You probably don't, so I would reinstall.
joepie91 gave good advice. After you reinstall I recommend you change the default SSH port; most "hackers" are lazy and use ready-made tools.
1) nano /etc/ssh/sshd_config
2) change the Port line and save
3) /etc/init.d/ssh restart
Then block his IP (change the 222); doesn't work if on a bridge:
iptables -A INPUT -s 222.222.222.222 -j DROP
Actually your best bet would be to block all IPs that aren't yours, depending on what you're using the VPS for; IDK how to do that off hand.
I know people get sick of hearing this, but seriously, vim!
Yes... people are sick of being told that their personal preferences are 'wrong'.
Vi/Vim are ok, but nano is much easier no klunky key combinations needed, just edit and save.
yes I did notice you prefer nano from the PS1 you posted in another thread
I'm really wondering, what was the password of the TEST account?
test
Absolutely reinstall, better safe than sorry.
It depends on the usage. When writing a new file, I prefer nano (hence the default). If I'm making edits to an existing, I use vi/vim.
Preferences are like religion. It's great that you have them, but the rest of us really don't want to be preached to.
I'm really wondering, what was the password of the TEST account?
A password with 8 chars, including upper and lower case letters and numbers, and not a common word. Perhaps just bad luck to me.
Heh... when a bot hacked my mail some time ago...
My password had letters, numbers, punctuation symbols... And I haven't used my mail in other computers except mine.
No virus... so, is weird lol
Install something like CSF/LFD or similar that blocks IPs after so many failed attempts.
Thank you all for the suggestions! Now I've completed the reinstallation.
Brute forced in at most 1.5 days.
@LES no way.
Assuming only small letters and numbers (36 characters). Reduce it to 32 for simplicity. This means 5 bits per character. Total for an 8-symbol password = 40 bits.
40 bits = 1099511627776 combinations.
Even if you can try 1M / second combinations, this means 1099511 seconds are needed to try all combinations. This is 12 days.
But trying 1M/second combinations with ssh brute force doesn't seem possible. At most you can try several per second.
This was just a plain (offline) calculation, anyway 8 is just too short!
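The arithmetic in the comment above (32-symbol alphabet, 8 characters, 2^40 candidates, 1M guesses per second) as reusable POSIX shell functions, so the same estimate can be redone for the OP's actual alphabet (upper, lower and digits: 62 symbols) and for the few guesses per second an online SSH brute force really gets. This is an added example, not code from the thread; the rates 1000000/s and 5/s are assumed figures, and all arithmetic is integer (POSIX sh has no floats and no ** operator), so results are rounded down.

```shell
#!/bin/sh
# Added example, not from the thread: brute-force time estimates as functions.
# Integer arithmetic only; values up to 62^8 (~2.2e14) fit in the 64-bit ints
# that dash and bash use for $(( )).

set -e

# keyspace CHARSET_SIZE LENGTH -> number of candidate passwords (charset^length)
keyspace() {
    n=1; i=0
    while [ "$i" -lt "$2" ]; do
        n=$((n * $1)); i=$((i + 1))
    done
    echo "$n"
}

# days_to_exhaust CHARSET_SIZE LENGTH GUESSES_PER_SECOND
#   -> whole days needed to try every candidate (worst case; expect half on average)
days_to_exhaust() {
    echo $(( $(keyspace "$1" "$2") / ($3 * 86400) ))
}

# max_length_in_hours CHARSET_SIZE HOURS GUESSES_PER_SECOND
#   -> longest random password whose entire keyspace fits in that guess budget
max_length_in_hours() {
    budget=$(( $2 * 3600 * $3 ))
    len=0
    while [ "$(keyspace "$1" $((len + 1)))" -le "$budget" ]; do
        len=$((len + 1))
    done
    echo "$len"
}

# Worked numbers: the comment's offline 1M/s figure next to an assumed online rate of
# 5 guesses/s (roughly what sshd lets through before fail2ban or CSF bans the source).
printf '%-14s %16s %16s %16s\n' "guesses/s" "32^8 (days)" "36^8 (days)" "62^8 (days)"
for rate in 1000000 5; do
    printf '%-14s %16s %16s %16s\n' "$rate" \
        "$(days_to_exhaust 32 8 "$rate")" \
        "$(days_to_exhaust 36 8 "$rate")" \
        "$(days_to_exhaust 62 8 "$rate")"
done
# What 1.5 days (36 hours) of online guessing at 5/s actually buys an attacker:
printf 'Exhaustible in 36 h at 5/s: [a-z0-9] up to %s chars, [A-Za-z0-9] up to %s chars\n' \
    "$(max_length_in_hours 36 36 5)" "$(max_length_in_hours 62 36 5)"
```

The table makes the comment's point concrete: even the reduced 32^8 space takes about 12 days at a million guesses per second, and at online rates the same space takes millions of days, so an 8-character random password was not exhausted in a day and a half. What 36 hours at 5 guesses per second can cover is a three-character random password, or a wordlist of a few hundred thousand entries, which is why the "test" account name and any dictionary-style password are what matter here, not the raw length calculation.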
Just reinstall. I got a problem with a RO server years ago, and I just cleaned the rootkit... error, the guy (I, in fact, knew that guy, but later on I knew it was him) made a PHP giving access to the server again... so I preferred to reinstall.
@Aldryic
https://www.schneier.com/blog/archives/2012/03/the_security_of_5.html
I prefer to use vi/vim rather than nano, I find it easier, but if I search words in a file I use nano (Ctrl+W); I am not sure of the vi command to search.
When it comes to nano, I prefer le or joe instead. Maybe it's the reminiscence of old edit/wordstar days
@fan reinstall OS, change default SSH port, accept only SSH keys.
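The sshd advice in this thread (the numbered "change the port line and save" steps earlier, plus "accept only SSH keys" just above) as one script that applies the settings to an sshd_config file and then prints what sshd would actually use. This is an added example, not code from any poster: the port 2222, the user name "admin", and the sample config contents are placeholders, and the file path is a parameter so it can be run on a copy before touching /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the thread: apply the hardening recommended above
# (non-default port, key-only login, no root login, one allowed user, few
# tries per connection) to an sshd_config file and show the resulting settings.
# Assumptions: OpenSSH directive names; port 2222 and user "admin" are placeholders.

set -e

# harden_sshd_config FILE [PORT] [USER]
# sshd uses the FIRST occurrence of a directive, so every existing line for a
# managed directive is deleted first (including commented-out defaults such as
# "#Port 22", so no stale line is left to mislead the next admin) and the new
# values are prepended. Prepending also keeps them out of any trailing "Match"
# block, where they would only apply conditionally. Note: the delete is global,
# so per-user overrides inside Match blocks are stripped too; review those
# before running this against a real /etc/ssh/sshd_config.
harden_sshd_config() {
    cfg="$1"; port="${2:-2222}"; user="${3:-admin}"
    tmp="$cfg.tmp"
    {
        printf 'Port %s\n' "$port"
        printf 'PermitRootLogin no\n'
        printf 'PubkeyAuthentication yes\n'
        printf 'PasswordAuthentication no\n'
        # Without this, PAM can still present a password prompt via keyboard-interactive.
        # (OpenSSH 8.7+ names it KbdInteractiveAuthentication; the old name is an accepted alias.)
        printf 'ChallengeResponseAuthentication no\n'
        printf 'AllowUsers %s\n' "$user"
        printf 'MaxAuthTries 3\n'
        sed -E '/^[[:space:]]*#?[[:space:]]*(Port|PermitRootLogin|PubkeyAuthentication|PasswordAuthentication|ChallengeResponseAuthentication|KbdInteractiveAuthentication|AllowUsers|MaxAuthTries)([[:space:]]|$)/d' "$cfg"
    } > "$tmp"
    mv "$tmp" "$cfg"
}

# effective_value FILE DIRECTIVE -> the value sshd would use (first uncommented match)
effective_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Demo on a constructed copy, never on the live file: a stock-looking config with a
# commented-out default port, password logins on and root login allowed.
demo=$(mktemp)
cat > "$demo" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
PermitRootLogin yes
X11Forwarding no
EOF
harden_sshd_config "$demo" 2222 admin
for d in Port PermitRootLogin PasswordAuthentication PubkeyAuthentication AllowUsers X11Forwarding; do
    printf '%-26s %s\n' "$d" "$(effective_value "$demo" "$d")"
done
rm -f "$demo"
```

Order of operations matters on a real box: put your public key in ~/.ssh/authorized_keys for the allowed user and confirm a key login works, open the new port in the firewall (and tell fail2ban/CSF about it) before you change it, run `sshd -t` on the edited file, and only then restart sshd (the thread's `/etc/init.d/ssh restart`, or `systemctl restart ssh` on systemd hosts) while keeping your existing session open so a mistake does not lock you out.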
Happened to me before. Someone got access to my SMTP server and was sending a massive amount of spam.
/searchterm
I started with vi.
Then tried pico and nano. Went back to vi.
Then got a new religion and tried to do everything in emacs for a month, even wrote some elisp extensions, read a book... and went back to vi.
At this point, my fingers are completely wired.
me too. but i couldn't figure out anything.
If you can suffer through the first few weeks, then 75% chance you'll stick with it.
The first time I tried vi, I was a complete Linux noob. I was doing like my third install or so, and it was Gentoo. I was stuck on the command line, and had no clue how to do anything in vi or even how to close it. I ended up yanking out the power cord in frustration. I haven't touched vi since then.