My server appears to have been hacked, advice needed.
I was experiencing some strange problems with my server today, so I restarted (something I am not used to having to do with Linux). When Ubuntu started booting, it suddenly stopped and gave me a command line that looked very different from the terminal window I am used to. At this point I was very suspicious, so I started browsing around. I opened the /usr directory and there was only a folder called "lib", and the folders for the normal users were gone. I opened this folder and inside was a folder called "usplash", which has a file inside called "usplash-artwork.so". Almost everything on the hard drive is gone, and in the /var folder, as well as almost every folder, there is just another folder called "lock". I am really confused as to why my server was hacked, as well as how the person did it (if it wasn't hacked then I am even more confused). The server had only been up for 2 days and no popular web sites were hosted on it. Any help would be appreciated, as I don't want this to happen again. I haven't formatted the system yet, in case some of the files might be useful in helping me figure out what happened.
Are you getting any kind of errors displayed on the screen during the boot process that might suggest it's a hardware failure or filesystem corruption? Try booting using the installation CDs and see if it can identify the Linux install.
Also could you describe some of the "problems" that you experienced before rebooting?
"BusyBox v1.01 (Debian 1:1.01-4ubuntu3) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
/bin/sh: can't access tty; job control turned off"
Before I restarted, the strange things started happening in the GUI (I was using the GUI for a few minutes because I am somewhat new to Linux). Pictures were disappearing, programs started running very slowly, and normal commands such as "apt-get" weren't working.
There are no other messages when booting. Prior to the problems, I was just sitting down to the computer and opening the terminal. I didn't type any commands (in fact I had just gotten home from school at the time) and everything was working fine in the morning when I left.
Yeah, I would definitely try to reboot using your install CDs and go into repair mode. From there you can try to find any Linux installations already on the disk and repair them if necessary. If the filesystem was hosed by an attacker, then it's unlikely that there is really going to be any evidence to try to find, unless you recovered the deleted filesystem off the disk, but that is a fairly complex procedure that is not particularly user friendly. I think a hardware (disk) failure or filesystem corruption is equally as likely as a hack (if not more so).
It sounds like you might have been dropped to an initial ramdisk's shell... this would explain why all your stuff seemed to be gone... maybe check to see what "df -hT" shows to verify you are on the filesystem you think you are in... that said, there's a thread here with several accounts of the same issue on Ubuntu... it seems to me like at least 2 people were able to fix this by editing their /boot/grub/menu.lst file (the idea being that it was automatically edited in an erroneous manner by an apt-get upgrade or something of that nature)...
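A quick way to settle the question win32sux raises (are you looking at the initramfs or at the real root filesystem?) is to inspect what is mounted on /. The script below is an added example, not something posted in the thread: it parses /proc/mounts-style lines and reports whether / is backed by rootfs/tmpfs/ramfs (the in-memory root a BusyBox rescue shell runs from) or by a block device under /dev. The two sample mount tables are constructed for illustration; the check_live function runs the same classification against the running system.

```shell
#!/bin/sh
# Classify the root filesystem from /proc/mounts-style lines
# (format: device mountpoint fstype options dump pass).
# Prints "initramfs" if the active mount on / is rootfs/tmpfs/ramfs,
# "disk" if it is a block device under /dev, and "unknown" otherwise.
classify_root() {
    # $1: text containing /proc/mounts lines
    printf '%s\n' "$1" | awk '
        # The last entry mounted on / is the one the shell actually sees;
        # a real boot typically lists "rootfs / rootfs" first and then
        # the block device that was mounted over it.
        $2 == "/" { fstype = $3; dev = $1 }
        END {
            if (fstype == "") { print "unknown"; exit }
            if (fstype == "rootfs" || fstype == "tmpfs" || fstype == "ramfs")
                print "initramfs"
            else if (dev ~ /^\/dev\//)
                print "disk"
            else
                print "unknown"
        }'
}

# Constructed sample: what an initramfs rescue shell would show.
SAMPLE_INITRAMFS='rootfs / rootfs rw 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0'

# Constructed sample: a normally booted system with the real root on /dev/sda1.
SAMPLE_DISK='rootfs / rootfs rw 0 0
/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw 0 0'

# Run the check against the live system (works in a BusyBox shell as long as
# /proc is mounted; prints "unknown" if it is not).
check_live() {
    classify_root "$(cat /proc/mounts 2>/dev/null)"
}
```

If this prints "initramfs", the missing directories are expected: you are inside the boot-time ramdisk and the disk was never mounted, which points at a boot or filesystem problem rather than at deleted data.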
I see nothing strange. As Win32sux said, you are in your initramfs, so it is not your hard disk that you see, just an archive containing the minimal things for /sbin/init to run.
The command prompt I get doesn't recognize the sudo command, or any of the other commands that have been suggested to me as part of a fix. At this point I'm not worried about fixing the problem, just preventing it from happening again (I'm just going to reformat since I was planning on moving to a different hard drive anyway). Also, after I format should I use Ubuntu 6.06 again or is it worth the download to use the new 7.04?