Koozali.org: home of the SME Server

Server Compromise?

Crome

Server Compromise?
« on: April 25, 2004, 04:14:48 PM »
Hi,

I cannot log in to my server console with root. Even with SSH I get 'access denied'. I am able to log in with the admin account, but how can I get into the server console with root rights?

wyron
Server Compromise?
« Reply #1 on: April 25, 2004, 04:33:05 PM »
The password for admin and root is the same.
So, when in the server console as admin, press Alt+F2 to get a clear console to log into (as root). Alt+F1 will take you back to the server console.
That's assuming you are sitting by the server keyboard. If you want to access the console from another machine on your local net, use Putty (get it from Tucows).
By the way: Read the Technicians Handbook on the Documentation page, it's worth the effort.
Greetings
wyron
...

Anonymous

Server Compromise?
« Reply #2 on: April 25, 2004, 08:49:57 PM »
The strange thing is that I cannot enter a password when trying to login to the console. I get a 'user:' prompt and enter the username. After that I don't get a 'password:' prompt.

wyron
Server Compromise?
« Reply #3 on: April 25, 2004, 10:12:30 PM »
Do you mean that you press <ENTER> after entering the user name (root), and then the console just dies on you ? You don't even get a prompt ([root@yourserver root]#)?
That's a new one for me. Sorry!
Greetings
wyron
...

Crome

Server Compromise?
« Reply #4 on: April 26, 2004, 08:19:31 AM »
You've got it! I'm pretty sure my server got compromised. Running chkrootkit I get an 'infected' message on ifconfig and chkrootkit dies when scanning sshd.

I'm not at all that linux-guru so I think I'm going to install a fresh server instead of figuring out what's all wrong.

wyron
Server Compromise?
« Reply #5 on: April 26, 2004, 08:57:06 AM »
Hey, what version of SME are we talking about here ?
Not 5.5 or 5.6 by any chance ?
Greetings
wyron
...

Souley

Server Compromise?
« Reply #6 on: April 26, 2004, 09:07:29 AM »
Can you post your configuration ...

Doing a fresh install is a good idea, but before that you must understand how they hacked your box.

Souley

Crome

Server Compromise?
« Reply #7 on: April 26, 2004, 02:49:11 PM »
It's version 5.1.2. with probably an unpatched SSL or SSH hole.

The fresh install will be done on new hardware so I will have the chance of figuring out who and what has been compromising the server.

Could you tell me how I can post my config? I'm not at all that SME/linux-guru...

What are the next steps to follow once chkrootkit has found infected items?

Souley

Server Compromise?
« Reply #8 on: April 26, 2004, 02:59:33 PM »
Look at the log files to see any suspicious access.

Is SSH access enabled from the internet?

Give a maximum of information about your configuration and I will try to help you.

Crome

Server Compromise?
« Reply #9 on: April 26, 2004, 03:06:37 PM »
Quote from: "Souley"
Is SSH access enabled from the internet?

No, only from inside LAN.

Well, I can already tell you someone had root access on my server because I can see an external IP address as last login at the console prompt when I log in as root... :-)

I can not reach my server during daytime. Tonight I will check out some more if I have time.

Thanks anyway for sticking with me...
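The check Souley suggests and Crome describes (look through the login records for root sessions coming from outside the LAN) as a small added script; this is not code from the thread or from SME Server. It assumes the LAN uses RFC 1918 private addresses and that the input is `last`-style output with numeric hosts (on Linux, `last -i`); the sample lines below are constructed, not real log data.

```sh
#!/bin/sh
# Constructed sample in the format printed by `last -i` (not from the thread).
SAMPLE_LAST='root     tty1                          Mon Apr 26 08:10   still logged in
root     pts/0        192.168.1.20     Sun Apr 25 22:31 - 22:40  (00:09)
root     pts/1        203.0.113.45     Sat Apr 24 03:12 - 03:40  (00:28)
admin    pts/0        192.168.1.21     Sat Apr 24 09:00 - 09:15  (00:15)
root     pts/2        198.51.100.7     Fri Apr 23 01:05 - 01:06  (00:01)'

# Read `last`-style lines on stdin and print "user host" for every session of
# user $1 whose host field is an IPv4 address outside the RFC 1918 ranges
# (10/8, 172.16/12, 192.168/16). Console logins have no host field and are
# skipped because their third column is a weekday, not an address.
suspicious_logins() {
    awk -v u="$1" '
        $1 == u && $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
        $3 !~ /^10\./ && $3 !~ /^192\.168\./ &&
        $3 !~ /^172\.(1[6-9]|2[0-9]|3[01])\./ { print $1, $3 }'
}

# Count such sessions for user $1 in the constructed sample.
count_sample_suspicious() {
    printf '%s\n' "$SAMPLE_LAST" | suspicious_logins "$1" | wc -l | tr -d ' '
}

# On a real box (assumption: Linux `last` with -i for numeric hosts), run:
#   last -i | suspicious_logins root
```

Hits from public addresses on a server whose SSH is only reachable from the LAN are exactly the kind of anomaly that warrants pulling the machine offline, as Crome eventually did.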

Souley

Server Compromise?
« Reply #10 on: April 26, 2004, 03:09:55 PM »
I wait for fresh news  :hammer:

Souley

Crome

Server Compromise?
« Reply #11 on: April 28, 2004, 11:05:06 PM »
Souley,

Don't wait any longer...  :lol:

I have installed a fresh 6.0.1-01 custom ISO and copied all data and have taken the old b!tch offline. I haven't got the time to look at it right now. I'm pretty sure I got hacked through an openssl bug. I tried to patch it before on my 5.1.2 but to no avail.

Keeping up with the patching is a must, at all times, with all OSes.

Cheers.

Souley

Server Compromise?
« Reply #12 on: April 29, 2004, 10:54:48 AM »
As you like.
Good luck with security issues :)