Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 07-28-2014, 06:55 PM   #1
rowedahelicon
LQ Newbie
 
Registered: Jul 2014
Location: The Internet
Distribution: Ubuntu 12.04
Posts: 4

Rep: Reputation: Disabled
Having bandwidth stolen by Chinese IPs, how do I combat it?


Hello everyone! First post and sadly it's not under good pretenses. My Linux server has been under attack off and on for the last few days by a series of Chinese IP addresses; I'm not entirely sure what they are doing or how they are doing it.

My host believed it was a possible error in my DNS settings. Currently there is no DNS information included in my resolv.conf (I took it out just to test this); my SSH password is secure, but fail2ban has stopped trying to ban them. I'm unsure what logs to provide or what to look at.

I'm pretty stumped here and could appreciate the help! I am running Ubuntu 12.04.


0746CC-XEON => 61.164.113.107 168Mb 161Mb 77.8Mb
<=

The IP address of the server is 205.234.153.146; it appears to pass any DNS recursion tests. I pulled this up earlier from IPTraf as well.

http://i.imgur.com/XXOTX6P.png
 
Old 07-28-2014, 07:59 PM   #2
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,978

Rep: Reputation: 3624
At this point, unless someone has a less drastic move, I might suggest taking it offline. Do a new clean install (or maybe the current LTS), put it online just long enough to add the patches, and then add back apps and data. It could be that there is an issue with your data in the form of a rootkit or even some virus. The entire web is under attack. Not sure there is a known way to stop all of it.

Last edited by jefro; 07-29-2014 at 07:26 PM.
 
Old 07-28-2014, 08:00 PM   #3
rowedahelicon
LQ Newbie
 
Registered: Jul 2014
Location: The Internet
Distribution: Ubuntu 12.04
Posts: 4

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by jefro View Post
At this point, unless someone has a less drastic move, I might suggest taking it offline. A new clean install (or many current lts) and put online long enough to add in patches and then add back apps and data. It could be that there is issue with your data in the form of a rootkit or even some virus. The entire web is under attack. Not sure there is a known way to stop all of it.
If there was a rootkit involved, would it be possible to find and destroy it?
 
Old 07-28-2014, 08:34 PM   #4
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS,Manjaro
Posts: 5,617

Rep: Reputation: 2695
Rootkit

I have not found it productive to fight a rootkit. There are too many variations that are entirely too good at finding ways to hide. I have recovered by replacing with a new build or by installing clean and restoring from backup. (I HOPE you have several generations of backup!)

On my home network I have long offered a honeypot or two that 'appear' vulnerable. After a number of break-in attempts they send the detected characteristics to my firewall and the criminals get blocked at the gate. I build the honeypots as virtuals and reload them periodically from read-only images so that if a break-in is successful (unlikely, but I am not perfect so possible) the impact is strictly limited. So far, this has protected my 'real' servers nicely.
 
Old 07-28-2014, 08:42 PM   #5
rowedahelicon
LQ Newbie
 
Registered: Jul 2014
Location: The Internet
Distribution: Ubuntu 12.04
Posts: 4

Original Poster
Rep: Reputation: Disabled
Well sure enough, I did some digging and hey! Rootkit found.
Now that I know that it was that, I'm not worried; I can just back up what I need, clean it and start over.

I was worried that I was doing something wrong as far as blocking the incoming stuff went. I'm still somewhat new to all of this and I was really upset at myself for missing some huge obvious thing.

I know how the kit got in there, quick stupidity on my part, but nothing that I know not to make happen again. Thanks for the quick help guys, I really appreciate it!
 
Old 07-28-2014, 09:04 PM   #6
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,321
Blog Entries: 28

Rep: Reputation: 6141
See the "Toolbox" section of the show notes from episode 130 of the Sunday Morning Linux Review. It might help.

http://smlr.us/?p=4142
 
Old 07-29-2014, 04:46 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by rowedahelicon View Post
Well sure enough, I did some digging and hey! Rootkit found.
Which one was it? Or, if you don't know exactly, which files got modified?


Quote:
Originally Posted by rowedahelicon View Post
Now that I know that it was that I'm not worried, I can just backup what I need, clean it and start over.
Kind of depends on what was installed and how long it was there in the first place. If root-owned files got changed then you'll have to inform users, change all credentials, and about the only things you can safely copy are those whose contents you can read and verify.


Quote:
Originally Posted by rowedahelicon View Post
I know how the kit got in there, quick stupidity on my part, but nothing that I know not to make happen again.
For some, reading their distribution's installation and security documentation, properly hardening and regularly auditing the machine, following best practices and using common sense goes a long way; for others it's back to the School of Hard Knocks until they (eventually) graduate ;-p
 
Old 07-29-2014, 07:30 PM   #8
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,978

Rep: Reputation: 3624
Plenty of us have been down the hard knock road. It hurts.

I'll second the question of which one and how did you find it?

Also how do you feel you let it on?
 
Old 07-30-2014, 04:21 AM   #9
rowedahelicon
LQ Newbie
 
Registered: Jul 2014
Location: The Internet
Distribution: Ubuntu 12.04
Posts: 4

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by jefro View Post
Plenty of us have been down the hard knock road. It hurts.

I'll second the question of which one and how did you find it?

Also how do you feel you let it on?
I can't get a name anywhere, but it's basically this one http://news.drweb.com/show/?i=5801&lng=en&c=5

Using two different rootkit checkers, I found warnings on both, and logs pointed at /usr/bin/bsd-port/getty being a hidden process. And while I'm very good with my security for the most part, I let it on with a bad root password; we had it set to something simple just for an hour or so to do a test on something. That's why I'm not even mad, very horrible mistake, but if anything, given how recent this rootkit is, use it as a good example of how quickly things can go south.
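The "hidden process" finding above is the kind of thing a rootkit checker reports by comparing two views of the process table. The script below is an added example, not code from this thread or from any of the checkers mentioned: it reproduces that cross-check by hand, listing /proc the way ps does and then probing every /proc/<pid> directly, and reports anything the listing leaves out. It assumes Linux with procfs mounted at /proc; the constructed sets in the comments are only for illustration.

```python
"""Find processes hidden from a /proc directory listing (and so from ps/top) but
still reachable by a direct stat() of /proc/<pid>. Added example, not from the
thread; assumes Linux with procfs mounted at /proc."""
import os

def listed_pids():
    """PIDs visible through an ordinary readdir() of /proc, which is what ps sees."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def probed_pids(pid_max):
    """PIDs found by stat()ing /proc/<n> for every n up to pid_max. A kit that
    filters readdir() results often leaves the direct path reachable. With a
    pid_max of a few million this takes a few seconds in Python."""
    return {pid for pid in range(1, pid_max + 1) if os.path.exists(f"/proc/{pid}")}

def hidden_pids(listed, probed):
    """Pure comparison so it can be checked on constructed sets: a PID that
    is probed but never listed is hidden from ps."""
    return sorted(probed - listed)

def describe(pid):
    """Best-effort identification via the exe symlink and cmdline; a 'getty'
    living under /usr/bin/bsd-port rather than /sbin would stand out here."""
    try:
        exe = os.readlink(f"/proc/{pid}/exe")
    except OSError:
        exe = "?"
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            cmd = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        cmd = "?"
    return f"pid={pid} exe={exe} cmdline={cmd!r}"

def scan():
    """List before and after the probe so a process that starts or exits
    mid-scan is not reported as hidden; re-run to confirm any hit."""
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    before = listed_pids()
    probed = probed_pids(pid_max)
    after = listed_pids()
    return [describe(p) for p in hidden_pids(before | after, probed)]

if __name__ == "__main__":
    for line in scan() or ["no hidden processes found"]:
        print(line)
```

A kit that also hooks stat() will defeat this particular check, which is why the checkers in the thread combine several techniques and why a compromised host is reinstalled rather than cleaned.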
 
Old 07-31-2014, 02:20 PM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by rowedahelicon View Post
I can't get a name anywhere, but
I don't need a name either, just a list of file names (or better: contact me and discuss dropping off copies).


Quote:
Originally Posted by rowedahelicon View Post
And while I'm very good with my security for the most part, I let it on with a bad root password,
After the fact, but you should know that best practices tell you that a) you don't allow root to ever log in over a network, and b) you don't need to use weak passwords to be able to test something.
 
  

