Linux Debian Security Breach - what now? [closed]
Posted
by
user897075
on Server Fault
See other posts from Server Fault
or by user897075
Published on 2012-04-15T02:47:23Z
Indexed on
2012/04/15
5:34 UTC
Read the original article
Hit count: 533
Possible Duplicate:
My server's been hacked EMERGENCY
I installed Debian (Squeeze) a while back in my home network to host some personal sites (thank god).
During the installation it prompted me to enter a user other than root - so in a rush I used my name as user and pass (alex/alex for what its worth).
I know it's horrible practice but during the setup of this server I'm always logged in as root to perform configurations, etc.
Few days or a week passes and I forget to change the password. Then I finally get my web site finished and I open the port forwarding on my router and DynDNS to point to my server in my home. I've done this many times in the past never had issues but I use a cryptic root password and I guess disabled regular accounts.
Today I reformat my Windows 7 and after spending all day tweaking and updating SP1 I look for cloning apps and find clonezilla and see it supports SSH cloning, so I go through the process only to discover I need a user, so I log into my web-server and see I have the user 'alex' already in and realize I don't know the password. So I change the password to something cryptic and visit the directory 'home' only to realize their are contents such as passfile, bengos, etc. My heart sinks, I've been hacked!!! Sure as hell there are all sort of scripts and password files.
I run a 'last' command and it seems they last logged in april 3rd.
Question:
- What can I do to see if they did anything destructive? Should I reformat and reinstall?
- How restrictive is Debian/Squeeze in terms of user permissions out of the box - all my personal website stuff was created using 'root' so changing files does not seem to have occured.
- How did they determine there was a user 'alex' on the machine? Can you query any machine and figure this out? What the users are? Looks like they tried to run a IP scan...other nodes on the network are running Windows 7. One of which seems a little wonky as of late - is it possible they buggered up that system?
What corrective action can I take to avoid this from happening again? And figure out what might have changed or been hacked? I'm hoping debian out of box is fairly secure and at best he managed to read some of my source code. :p
Regards, Alex
© Server Fault or respective owner