• My VPS got owned, what now?
    8 replies, posted
My VPS (shankshock.com) was apparently broken into, and the person uploaded a tarball with four websites and another tarball with a CentOS install image.

[media]http://i.imgur.com/KVFLT.png[/media] [url]http://i.imgur.com/fyVZm.png[/url] [url]http://i.imgur.com/xMeF1.png[/url]

The files were owned by root, so I did this:
- Locked out root
- Changed all the passwords
- Changed ssh port
- Now using ssh private key authentication
- Made sure all other accounts were locked too

Anything else? I couldn't find a decent guide on iptables, but I'd love advice on that. I also need to change mysql stuff and some authentication salting, but other than that, I'm not sure what happened.
You said you locked out root; by that do you mean you turned off root login in ssh? Changing the SSH port may help, but it just makes it more annoying to work with, and they can still run nmap on you to find open ports. SSH private key authentication is also very good. Make sure you put a password on your key, and don't just leave it blank. The password is set when you create the key.

Iptables is also something you should use. CentOS has it enabled by default. I don't have any advanced knowledge about it, but I just edit /etc/sysconfig/iptables, copy the line that opens up port 22 (it has 22 in it, so you'll know it when you see it), then change it to port 80 so I have both of those ports open. I don't know what else you could do with it.

I also run a program called DenyHosts. If someone is trying to bruteforce through SSH, this program monitors your logs and adds the IP address of anyone who fails to login after X number of times to /etc/hosts.deny. Once they've been added to the list, all further login attempts will automatically fail; even a successful login will be blocked. You can set the options like the attempt limit, and other stuff.
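The DenyHosts behaviour described in the reply above (count failed SSH logins per address, write offenders to /etc/hosts.deny once they pass a threshold) boiled down to a small POSIX shell script, as an added example that is not from the thread or from the DenyHosts project. It assumes OpenSSH's standard auth.log line format; the log excerpt and addresses are constructed for the example.

```shell
#!/bin/sh
# Constructed sample auth.log excerpt (not real data): three failures from one
# address, one failure from another, and one successful key login.
SAMPLE_LOG='Jan 10 03:12:01 vps sshd[2201]: Failed password for root from 203.0.113.5 port 51324 ssh2
Jan 10 03:12:04 vps sshd[2201]: Failed password for root from 203.0.113.5 port 51324 ssh2
Jan 10 03:12:09 vps sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51330 ssh2
Jan 10 03:15:22 vps sshd[2210]: Failed password for ubuntu from 198.51.100.7 port 40210 ssh2
Jan 10 03:20:00 vps sshd[2215]: Accepted publickey for ubuntu from 192.0.2.9 port 40300 ssh2'

# Read log text from stdin and print one "sshd: IP" hosts.deny entry for every
# address with at least $1 failed password attempts. Successful logins and
# other sshd lines are ignored. Output is sorted so it is stable to compare.
deny_candidates() {
    awk -v limit="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the address always follows the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= limit) print "sshd: " ip }
    ' | sort
}

# True when the given hosts.deny file ($1) already blocks address $2.
is_denied() {
    grep -q "^sshd: $2\$" "$1"
}

# Stand-alone run: show what would be appended with an attempt limit of 3.
echo "$SAMPLE_LOG" | deny_candidates 3
```

In production the candidates would be appended to /etc/hosts.deny only after checking is_denied, so an address is never listed twice.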
I locked the account out from logins (passwd -l) and disabled logging in through root. I also turned off PasswordAuthentication. The private key has a 24 character passphrase on it. I'm not using Cent, I'm using Ubuntu, but they have the package and I'd be glad to get more familiar with it. I installed DenyHosts as well. I'm still puzzled as to how they got in, and why they didn't extract the archives, and why they provided a free CentOS install dvd in the whole bundle.
If you're being targeted frequently, I'd look into honeyd.
Okay, I have more information on who did it (IPs!), but access.log has no more information as to how they did it. Have a ton of GET requests, but nothing else.
I don't suppose you'd be willing to share the IPs?
122.167.95.86 122.167.70.4 96.44.188.15 113.171.52.205 Of them? Nah.
[QUOTE=nicatronTg;28868472]122.167.95.86 122.167.70.4 96.44.188.15 113.171.52.205 Of them? Nah.[/QUOTE]
122.167.95.86 - In India
122.167.70.4 - In India
113.171.52.205 - In Vietnam
It seems like he's behind a proxy.
96.44.188.15 - In USA ([url]http://96.44.188.15.static.quadranet.com/[/url])
Probably just a random botnet looking for easy targets.