WHM breached - need help

Posted by labeach, 11-02-2010, 11:57 AM
I've used the great tutorials to lock down my system. Unfortunately, I had no plan for what to do if a breach did happen, so I'm wondering what I do now. I got an email message from the server about a WHM login in the wee hours of the morning from a country far away. Then I got an email of a login via SSH. Outside of changing passwords, I am not sure how to check what he did. I'm worried he installed something malicious. Any help would be much appreciated! Thanks

Posted by Patrick, 11-02-2010, 12:02 PM
Honestly, in a case like this, you're going to want to hire a server management company to take a thorough look. Be warned, though: in some cases the only surefire way to know there are no backdoors is to reinstall the OS from scratch and move the data over again. Just for curiosity's sake, do you know what kernel version you were running?

Posted by labeach, 11-02-2010, 12:27 PM
CentOS 5.5 i686. I don't understand how he was able to just log into WHM in the first place, as I have brute-force protection set up and that should've stopped any login tries. But there was just the one login, no failures. No one has my password except me, and my system scanned fine, no viruses. The data center installed chkrootkit and found nothing, and said they could not find any file uploads or file modifications from that IP address. Not sure how they checked that, though. Not sure what else to do.

Posted by Toby H, 11-02-2010, 12:31 PM
Hi labeach, can you be more specific with the kernel version for us? Jump into SSH and run this command: uname -r and post the output. You may need to update your kernel version to secure your server; this is something that is critical to server security and should be checked frequently, or join CentOS' mailing list for email alerts to updates.

Posted by labeach, 11-02-2010, 01:02 PM
I will later. I went in and deleted the SSH keys and haven't set them up again yet. After the guy logged into WHM, he then logged in via SSH, so that is why I deleted them. I wish there was a way to know what he did. This is a VPS, btw. It is kept pretty up to date by the data center, so I don't think it will be a problem.

Posted by Thomas Manning, 11-02-2010, 02:05 PM
Do you know exactly at what time he/she logged into the server? If so, check the timestamps of your files/directories. Then you can find whether he has modified anything on your server. Hope your DC guys can help you with that.
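The timestamp check suggested above, as an added example that is not part of the original post. It compares both mtime and ctime against the login time: an attacker can backdate a dropped file's mtime with touch -d, but ctime is set by the kernel on every write, chmod, chown or rename and cannot be reset the same way, so an mtime-only sweep (the naive check) can miss planted files that the ctime sweep catches. It assumes GNU touch (for touch -d) and a find that supports -cnewer, both shipped with CentOS 5; the reference-file approach is used because CentOS 5's find 4.2.x lacks -newermt. The function names, the script name in the usage line and the "2010-11-02 03:00" login time are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Lists files under DIR whose content was
# modified (mtime) or whose inode was changed (ctime) after the time of the
# unrecognised login. A file dropped by an attacker and then backdated with
# "touch -d" hides from an mtime-only check, but its ctime is set by the kernel
# on every write/chmod/chown/rename and cannot be backdated the same way.
#
# Assumptions: GNU touch (for "touch -d <timestamp>") and a find that supports
# -cnewer, both present on CentOS 5. The timestamp is anything touch -d
# accepts, e.g. "2010-11-02 03:00".

# Creates a temporary reference file whose mtime is SINCE and prints its path;
# every file in the tree is compared against that mtime.
make_reference() {
    ref=$(mktemp) || return 1
    touch -d "$1" "$ref" || { rm -f "$ref"; return 1; }
    printf '%s\n' "$ref"
}

# Naive check: files whose mtime is later than SINCE. Misses backdated files.
files_modified_since() {
    dir="$1"; since="$2"
    ref=$(make_reference "$since") || return 1
    find "$dir" -xdev -type f -newer "$ref" 2>/dev/null | sort
    rm -f "$ref"
}

# Better check: files whose mtime OR ctime is later than SINCE.
# -xdev keeps the sweep on one filesystem so /proc, /sys and mounts are skipped.
files_changed_since() {
    dir="$1"; since="$2"
    ref=$(make_reference "$since") || return 1
    find "$dir" -xdev -type f \( -newer "$ref" -o -cnewer "$ref" \) 2>/dev/null | sort
    rm -f "$ref"
}

# Usage (script name assumed): sh changed_since.sh /home "2010-11-02 03:00"
if [ $# -ge 2 ]; then
    files_changed_since "$1" "$2"
fi
```

Run it against /home, /etc, /var/spool/cron and the web roots with the login time from the notification email, then review every path it prints; rpm -Va will tell you whether any of the package-owned ones differ from what the distribution installed. When the sweep runs over / the reference file itself shows up under /tmp, which is expected. The caveat that applies to any on-host check, including this one and chkrootkit: a kernel-level rootkit can hide files from find entirely, which is why the advice in this thread to rebuild from a clean OS still stands.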

Posted by speckl, 11-02-2010, 02:08 PM
Wipe the os or you will never feel safe from future attack.

Posted by labeach, 11-02-2010, 05:21 PM
OK, wipe the OS clean. What else? Do I not have to worry about files put in the web directories?

Posted by InoxHost, 11-03-2010, 07:04 AM
Get rkhunter and chkrootkit installed on your server.

Posted by M Bacon, 11-03-2010, 02:22 PM
Back up your files in the /home directory and MySQL. Other than that, don't back up your system files, since you were breached.
