hi,
please forgive this long post, but i'm facing a huge problem with my server...
1) since a couple of weeks ago, i was getting a lot of spam from many contacts of mine. i suspected someone was hacking my server, so i installed and ran clamav. a few threats were found in the firefox cache, but nothing really serious. after a few days the spam ceased, so i simply forgot about it...
2) a couple of days ago i set up a brand new access point in the warehouse. 2 powerline adapters bring the lan over there, then the access point spreads a wifi signal. it seemed to work pretty well, but...
i was in the office, working on my laptop (connected via wifi). i opened an ssh session to the server, then i moved the laptop to the warehouse.
the internet connection was fine, but the ssh session was stuck. i gave no importance to that, thinking it was related to some temporary connection bug.
i went back to the office, tried to reconnect to the server, and ssh still did not come up.
i rebooted both server and laptop, but i still could not connect to the server over the local network. i could connect to the server via the public ip using ssh, remmina and http, but not over the local network.
now i can connect from one laptop to another, but none of them can connect to the server or vice versa. network printers (attached to the server) do not work either, nor do the server's samba shares.
looks like the server is not connected to local network, but it is!
Code:
laptop:/tmp $ ssh server
ssh: connect to host server port 22: No route to host
Code:
server:/tmp $ ssh laptop
ssh: connect to host laptop port 22: Connection timed out
i spent half of the night trying to debug this...
first i booted an old server backup (without clamav), but the problems still occur.
then i checked /var/log/auth.log, and found a LOT of these strings:
"Address 192.168.1.4 maps to server, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!"
i found a lot of documentation about this issue, and tried the 2 most common solutions:
- adding "UseDNS no", in /etc/ssh/sshd_config
- removing ~/.ssh/known_hosts
but none of them seemed to fix anything...
do you think my server has been hacked and used (maybe even now) to spam? the only modification i've made to my system so far is to disable ssh port forwarding to the server on the router... so no one can remotely connect to it...
ANY suggestion would be much appreciated...
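For readers who want to see what that auth.log warning actually checks, here is an added Python example (not from the original post or any reply): it counts the warnings in an auth.log excerpt and reproduces the forward-confirmed reverse lookup that sshd performs before logging it. The hosts tables and log lines are constructed, and the stale 192.168.1.40 address is a hypothetical value chosen so that the mismatch shows up.

```python
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# sshd logs this warning when the reverse lookup of a client address yields a
# host name whose forward lookup does not contain that same address.
WARN_RE = re.compile(
    r"Address (?P<addr>\S+) maps to (?P<name>\S+), "
    r"but this does not map back to the address"
)

def parse_mismatch_warnings(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Count sshd reverse-mapping warnings per (address, name) pair."""
    counts: Dict[Tuple[str, str], int] = {}
    for line in lines:
        m = WARN_RE.search(line)
        if m:
            key = (m.group("addr"), m.group("name"))
            counts[key] = counts.get(key, 0) + 1
    return counts

def reverse_mapping_consistent(addr: str, reverse: Callable[[str], Optional[str]],
                               forward: Callable[[str], List[str]]) -> bool:
    """Forward-confirmed reverse lookup: addr -> name -> addresses must include addr."""
    name = reverse(addr)
    if name is None:  # no reverse entry at all: nothing to confirm
        return False
    return addr in forward(name)

# Constructed lookup tables standing in for /etc/hosts and DNS (hypothetical values).
# "server" resolves forward to a stale address, so its reverse mapping cannot be confirmed.
REVERSE_TABLE = {"192.168.1.4": "server", "192.168.1.10": "laptop"}
FORWARD_TABLE = {"server": ["192.168.1.40"], "laptop": ["192.168.1.10"]}

def lookup_reverse(addr: str) -> Optional[str]:
    return REVERSE_TABLE.get(addr)

def lookup_forward(name: str) -> List[str]:
    return FORWARD_TABLE.get(name, [])

# Constructed auth.log excerpt in syslog layout (not taken from the original post).
SAMPLE_LOG = [
    "Jan 10 02:13:44 server sshd[1234]: Address 192.168.1.4 maps to server, "
    "but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
    "Jan 10 02:13:45 server sshd[1234]: Accepted publickey for user from 192.168.1.10 port 51022 ssh2",
    "Jan 10 02:15:01 server sshd[1240]: Address 192.168.1.4 maps to server, "
    "but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
]
```

Running `reverse_mapping_consistent` against the real resolver (for example via `socket.gethostbyaddr` and `socket.gethostbyname_ex`) on the server and on a laptop shows whether the name-to-address mapping, rather than the network path, is what differs between the two hosts.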