Koozali.org: home of the SME Server
Legacy Forums => General Discussion (Legacy) => Topic started by: FireWire on April 02, 2004, 07:27:02 PM
-
Alright guys, here's the deal. I have a webserver set up on port 80.
When this happened the first time, my server just stopped working "externally". I was not able to access it outside my LAN.
So I formatted and reinstalled. It was working fine.
But when I woke up this morning, the same thing was happening as the first time.
I have a feeling I got hacked somehow, and probably by the same person.
The only clue that I can think of, is when I woke up during the night, the hard drive(s) of my server were spinning like crazy, the CPU usage was at 100%, and the internet was bogged down with INSANE traffic. That's when I think I was getting hacked...
Now the real problem is, how would I recover my server? How can I get it to work externally and on the web again and this time, prevent this rat bastard from hacking me again.
Thanks in advance.
-
What do your logfiles say? Anything noticeably "odd" about them?
-
Which version of e-smith/SME?
-
Assuming that you reinstalled using 6.0+, or 5.6 with patches (especially the SSH one), then you probably have a trojan on your desktop. Double check.
If you are using 5.6 or older without patches or older, there is an SSH security issue and it will be broken into again.
Ed
-
It could be insecure webserver software, e.g. an unpatched *nuke or bulletin board. Lots of options there. In addition, I know of several people who ran the server as server-only but open to the Internet. (I was one before I received a knock on the head by a Mitel tech). ;-)