Re: Debian Stable server hacked
Thanx for the replies so far.
Christian Hammers wrote:
Try "nmap" to see which services are reachable from the network.
Port State Service
22/tcp open ssh
80/tcp open http
443/tcp open https
from within the campus network adds:
Port State Service
21/tcp open ftp
139/tcp open netbios-ssn
Rich Puhek wrote:
NOTE: Ok, firewalled at the network border, but could poorly-secured
internal windows machines have been used as a springboard for an
The same goes for the below services, are you sure that all the
machines and people on the same side of the firewall are completely
trustworthy? This is a big hole if you're only firewalling at the
border of your campus network, and have a wide variety of machines
It's likely that there are numerous compromised systems wihtin the
campus, unfortunately. They could have used one of those, that's
possible. That means they must have exploited sshd, apache, apache-ssl,
proftpd or samba.
bind9 is open to a local 172.20-network (student housing), so is also
candidate... Can't rule it out, but i can't imagine i would be the only
one having problems...
mysql is only open to three of my other servers.
snmpd is only open to my monitoring server
Was anyone else logged in at the time? Perhaps one of your admins had
a weak or compromised password?
Nope. No one was logged in at that time. The few logins in the logfile
are accounted for.
Alan James wrote:
Maybe they brute forced the root password ? Do you have
"PermitRootLogin yes" in sshd_config ?
No, i didn't at that moment. But there's no sign of an succesfull root
login. Not in ps aux, not in netstat and no ssh traffic other than my
own session in tcpdump. I guess a brute-force would show up in the ssh
logfiles. Only thing there is four times "Did not receive identification
You say that you have apache and php4 installed. Are you running any
php applications that may have been compromised ? Although I'd expect
those to leave the attacker with access to www-data rather than root.
Thought of that myself. Checked the apache logfiles and went through the
scripts... i don't have any 'candidates' besides Horde-2.1/Imp-3.1 and
squirrelmail-1.4.0. But then there's still the www-data -> root question...