

hacked - what do I do next?




Posted by aww, 09-19-2011, 11:42 AM
It's that dreaded day. Three years without headaches and then... the host alerted me to the root password being stored in /usr/include/gpm2.h. They say sshd was compromised and they want to reinstall, which of course I will let them do. But the server cannot be trusted at this point, of course. I've had CSF and rkhunter running, and unless I missed an alert, nothing caught this. So should I build a new container and migrate everything over (ugh)? What kind of post-diagnostics can I do now for more insight? Why didn't they do more damage? There is no detectable foreign activity happening on the server, no data loss, etc.

Posted by gone-afk, 09-19-2011, 11:47 AM
OS? Control panel? SSH protocol? SSH key? Start by removing network connectivity to the machine, and use the IPMI/KVM to spend some time analyzing the hack. Hire a professional if you don't know where to start. A common issue these days seems to be home computers getting a virus that steals FTP and SSH passwords (keylogger), so check your computers too.

Posted by XSV, 09-19-2011, 11:50 AM
Have you noticed any other online accounts compromised? Have you scanned your local PC yet? Do you use long passwords that combine a mixture of upper- and lower-case letters, numbers and symbols? Doing damage isn't always the goal; that's usually script kiddies. Gaining control for current or future use was likely the goal.

Posted by dnki, 09-19-2011, 12:08 PM
Sometimes laptops/computers purchased online come with malware preinstalled.

Posted by aww, 09-20-2011, 12:08 AM
Is there an updated version of this document, or maybe WHT has an equivalent? http://web.archive.org/web/200902201...checklist.html This attack was sophisticated enough to replace sshd, but I still think it was done by an automated script, and they may have never come back to collect their "payload".

Posted by LinuxSecurityExpert, 09-20-2011, 04:27 AM
The hard thing about being hacked is that it is difficult to tell exactly how far they penetrated your system. If they replaced sshd, they may well have modified other important binaries like init. Since you cannot ever know the full extent of the attack, I recommend that you reload your server and restore your data. So long as you're not running code out of the data that you will be restoring, you'll probably be safe. You may wish to Google for a Linux expert and hire professional help on this one. -Eric
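Two of the post-diagnostics asked about in this thread, written up as an added example (editor's code, not from any poster): checking the suspect system's binaries against a known-good checksum manifest, which is how you find out whether init and friends went the same way as sshd, and listing files under /usr/include that do not look like C headers, which is the hiding spot used here (/usr/include/gpm2.h). It assumes you are working from a rescue boot with the compromised disk mounted read-only somewhere, that the manifest was produced on a clean box with the same package versions (the on-box equivalents, `rpm -Va` or `debsums -c`, trust the suspect rpm/dpkg and libc, so they are weaker), and that `sha256sum`, `find` and `awk` come from the rescue media. The sample trees and the "root:hunter2" credential line are constructed test data, not anything from the poster's server.

```shell
#!/bin/sh
# Added example, not code from the thread. Offline triage of a root whose
# sshd was replaced: compare files against a trusted manifest, and list
# non-header files parked in /usr/include. Run from rescue media with the
# suspect disk mounted read-only; a trojaned sha256sum/find on the
# compromised OS can lie to you, which is also why rkhunter may have missed it.

# check_manifest MANIFEST ROOT
#   MANIFEST lines: "<sha256>  <absolute path>" (sha256sum output format),
#   generated on a clean system with the same package versions.
#   ROOT: mount point of the suspect filesystem, e.g. /mnt/suspect.
#   Prints one MISSING/MODIFIED line per problem file; returns 0 if every
#   listed file matches, 1 otherwise.
check_manifest() {
    manifest=$1
    root=$2
    bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root$path" ]; then
            printf 'MISSING  %s\n' "$path"
            bad=1
            continue
        fi
        have=$(sha256sum "$root$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            printf 'MODIFIED %s\n' "$path"
            bad=1
        fi
    done < "$manifest"
    return "$bad"
}

# odd_headers ROOT
#   Prints every regular file under ROOT/usr/include whose first non-blank
#   line is not a comment or a preprocessor directive. A heuristic: genuine
#   headers almost always open with "/*", "//" or "#", while a dropped
#   credential or config file does not. Review hits by hand.
odd_headers() {
    root=$1
    find "$root/usr/include" -type f | while read -r f; do
        first=$(awk 'NF { print; exit }' "$f")
        case "$first" in
            /\**|//*|"#"*) ;;                      # looks like a C header
            *) printf '%s\n' "${f#"$root"}" ;;     # anything else is suspect
        esac
    done
}

# build_fixture DIR
#   Constructed sample data (not from any real system) so the checks can be
#   exercised offline: a "clean" tree, a manifest built from it, and a
#   "suspect" tree in which sshd differs from the manifest, init is gone,
#   and a plaintext credential file sits in /usr/include as gpm2.h.
build_fixture() {
    d=$1
    for tree in clean suspect; do
        mkdir -p "$d/$tree/usr/sbin" "$d/$tree/bin" "$d/$tree/sbin" "$d/$tree/usr/include"
    done
    printf 'genuine sshd\n' > "$d/clean/usr/sbin/sshd"
    printf 'genuine ls\n'   > "$d/clean/bin/ls"
    printf 'genuine init\n' > "$d/clean/sbin/init"
    : > "$d/manifest"
    for p in /usr/sbin/sshd /bin/ls /sbin/init; do
        printf '%s  %s\n' "$(sha256sum "$d/clean$p" | cut -d' ' -f1)" "$p" >> "$d/manifest"
    done
    cp "$d/clean/bin/ls" "$d/suspect/bin/ls"                       # untouched
    printf 'trojaned sshd\n' > "$d/suspect/usr/sbin/sshd"           # replaced
    printf '#ifndef GPM_H\n#define GPM_H\n' > "$d/suspect/usr/include/gpm.h"
    printf 'root:hunter2\n' > "$d/suspect/usr/include/gpm2.h"       # constructed credential drop
}

# Stand-alone demo on the constructed fixture.
work=$(mktemp -d)
build_fixture "$work"
echo "== manifest check of suspect root"
check_manifest "$work/manifest" "$work/suspect" || echo "!! integrity failures found"
echo "== non-header files under /usr/include"
odd_headers "$work/suspect"
rm -rf "$work"
```

On a real case you would build the manifest on a freshly installed box of the same OS release with the same package list, then point `check_manifest` at the mounted suspect disk; a MODIFIED hit on anything in /sbin, /bin or /lib is the answer to "how far did they get", and it is the evidence worth keeping before the host reinstalls.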


