@skyred5: please post feedback confirming you understand what you need to do or else ask more detailed questions.
Hey, sorry for the late reply. Yes, it seems that when I copied from the PuTTY window I did so without realizing that it's not the full thing. I have reattached the log that was generated and saved on the server.
I do have a question. I have always been accessing the server through PUTTY using root. If I'm not supposed to use root to access, then what is the recommended way?
Quote:
Originally Posted by skyred5
I do have a question. I have always been accessing the server through PUTTY using root. If I'm not supposed to use root to access, then what is the recommended way?
Set up another user and use that to connect to your server via PuTTY. Once you are logged in, use "su" or "sudo su" to log in as root.
Quote:
Originally Posted by skyred5
Yes it seems that when I copy from the putty window, I copied without realizing that it's not the full thing. I have reattached the log that was generated and saved in the server.
Unfortunately you haven't. That said, I've already presented my analysis and course of action based on what you posted, so just take it as me cautioning you to please be precise, OK?
Quote:
Originally Posted by skyred5
I do have a question. I have always been accessing the server through PUTTY using root. If I'm not supposed to use root to access, then what is the recommended way?
Only use public key auth and only SSH into unprivileged accounts. Then either use sudo (or 'su' if you must) to perform ops that require root privileges. Additionally, if you cannot limit SSH access to a private LAN only, see if you can use the AllowUsers and AllowGroups sshd_config directives to limit access, and add some proactive measure like fail2ban or equivalent.
Can I ask you what you have done so far? Have you isolated the machine? Have you informed others? Do you have a clear view of what you have to do right now?
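An added example, not code from the thread or from any of the posters, that audits an sshd_config file for the settings unSpawn recommends above: it checks PermitRootLogin, PasswordAuthentication and PubkeyAuthentication (the directives that implement "no root over SSH, keys only") and AllowGroups/AllowUsers. The two sample config files and the group name sshusers are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings
# unSpawn recommends (no root over SSH, key-only auth, AllowGroups/AllowUsers).

# Print the first non-comment value of KEY in FILE. sshd honours the first
# occurrence of a keyword; Match blocks are not modelled, so on a live host
# confirm with `sshd -T` rather than trusting this check alone.
sshd_setting() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) && !seen { print $2; seen = 1 }
    ' "$1"
}

# Report each weak or missing directive; the exit status is the finding count.
audit_sshd_config() {
    findings=0
    prl=$(sshd_setting "$1" PermitRootLogin)
    [ "$prl" = no ] ||
        { echo "PermitRootLogin=${prl:-unset}: should be 'no'"; findings=$((findings + 1)); }
    pwa=$(sshd_setting "$1" PasswordAuthentication)
    [ "$pwa" = no ] ||
        { echo "PasswordAuthentication=${pwa:-unset}: should be 'no' (keys only)"; findings=$((findings + 1)); }
    pka=$(sshd_setting "$1" PubkeyAuthentication)
    [ "${pka:-yes}" = yes ] ||
        { echo "PubkeyAuthentication=$pka: should be 'yes'"; findings=$((findings + 1)); }
    if [ -z "$(sshd_setting "$1" AllowGroups)$(sshd_setting "$1" AllowUsers)" ]; then
        echo "no AllowGroups/AllowUsers: every account with a shell may log in"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample configs: one that lets root log in with a password over
# PuTTY, and the hardened form (the group name sshusers is an assumption).
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat > "$WEAK" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARD" <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowGroups sshusers
EOF
echo "weak config:";     audit_sshd_config "$WEAK" || echo "-> $? finding(s)"   # 3
echo "hardened config:"; audit_sshd_config "$HARD" && echo "-> no findings"
```

Unprivileged users who need root then use sudo (or su) after logging in, as the reply above describes; the audit only verifies the daemon side of that arrangement.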
Hi @unSpawn, I realized while uploading the log file there is actually a limit to the upload size for this forum. Is there a way to send you the log by other means?
Quote:
Originally Posted by jefro
Take it offline.
Use known clean sources to recreate the server, update everything. Use hardened security and as many best practices as you can to avoid this.
I never find it much use to try to simply stop the malware.
Thank you all for the valuable advice. I will take note and apply it to my server. If you all could point me in the right direction as to how to do OS hardening for Linux, that would be good! I have recommendations from my vendor to also rebuild the server.
Quote:
Originally Posted by skyred5
I have recommendations from my vendor to also rebuild the server.
You will, in all probability, rebuild the server eventually. I can't see how you would feel safe otherwise. What is at issue is doing enough now to be sure that you understand how you have been exploited this time, for, without that knowledge, you will not know for sure what was wrong this time and what you have to do better next time.
I mean, you will get lots of people advising you to do all sorts of stuff that is 'best practice', and that's all nice and well-meaning, etc., but it doesn't actually mean that you have blocked off the hole that was used to exploit you, unless it includes every bit of best practice in the universe. (And I don't think you have time for that, at least currently.)
Well, the most feasible entry for the exploit I can think of right now is the server not being updated in a timely manner, kernel and all. If you have the resources to further investigate the exploited server, then you must do so and set up another server; do not rebuild the compromised server.
Quote:
Originally Posted by skyred5
Hi @unSpawn, I realized while uploading the log file there is actually a limit to the upload size for this forum. Is there a way to send you the log by other means?
You could post or upload only the part that's missing? Meaning
That said, I've already posted my analysis and course of action in post #11, so if you want to start a post-mortem, please first answer my previous questions, as I first need to know if others were alerted of the incident and if the system was isolated from the Internet.
Still too large. I've uploaded to my own google drive. Link here.
Quote:
Originally Posted by unSpawn
That said I've already posted my analysis and course of action in post #11, so you want to start post-mortem please first answer my previous questions as I first need to know if others where alerted of the incident and if the system was isolated from the Internet.
Yes, I have done as you mentioned, and have informed the relevant people in my company.