Hello and welcome to LQ, hope you like it here.
Sorry to see it had to be on an occasion like this.
I need some help on checking if the server has been compromised!
Check these as reference of things to check:
- Intruder Detection Checklist (CERT):
http://www.cert.org/tech_tips/intrud...checklist.html
- Steps for Recovering from a UNIX or NT System Compromise (CERT):
http://www.cert.org/tech_tips/root_compromise.html
This will come in handy later on:
- LQ FAQ: Security references:
http://www.linuxquestions.org/questi...threadid=45261
I understand the box is a server on your LAN and used as SMTP. Is it in a DMZ or not?
- is all software up to date?
- did any auth data change other than the cyrus pass?
- did any other (unexpected) logins occur in that period (also on adjacent boxen)?
- did you check all system, daemon and firewall logs?
- do you run a file integrity checker (Aide, Samhain or even tripwire)?
- if none available, did you run your distro's package manager in verification mode?
- do/did you run Chkrootkit or Rootkit Hunter?
- find files changed (find, -mmin)?
* If unsure about anything reboot the box with a Live or Rescue CD for investigation. If you can't because critical business services are running you will need to plan for checking the box outside of business hours and/or failover the services to another box first, but don't wait like 24hrs before doing so. A compromise should be acted upon immediately.
userdel cyrus (I don't need it, was just testing stuff)
Disabling would have been "better": fewer changes means fewer things to verify until the situation is under control.
removed port forwarding rule, server is unreachable from the outside
Excellent.
can't block him on outgoing doh, he is a proxy server...
You can check processes for anomalies (log, save) and kill (restart) those.
---
@tito2502:
Probably some script kiddy, I imagine he looked at some files then tried an rm -rf then left.
"Imagining" things is not part of what incident response should be.
Instead work with facts: that's the only solid basis to work on.
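The checklist in the post above (recently changed files via find -mmin, package-manager verification, recent logins, listening processes) can be collected into one read-only triage pass. The script below is an added example written for this thread, not something posted by anyone in it; it assumes a GNU/BSD find with -mmin, that rpm or debsums is the available verifier, that ss or netstat is present, and a default 90-minute window and /tmp output path, all of which should be adjusted to the actual incident timeline and host.

```shell
#!/bin/sh
# Added example (not from the original thread): a small read-only triage
# helper covering the checks listed in the post. Window, output path and the
# choice of verifier are assumptions; adjust them to the incident at hand.

# Files modified within the last N minutes under a root (the post's find -mmin).
# -xdev keeps the walk on one filesystem so /proc, /sys and NFS mounts are skipped.
recent_files() {
    root="$1"; mins="$2"
    find "$root" -xdev -type f -mmin "-$mins" 2>/dev/null | sort
}

# Package-manager verification mode, whichever verifier the distro provides.
verify_packages() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -Va 2>/dev/null
    elif command -v debsums >/dev/null 2>&1; then
        debsums -c 2>/dev/null
    else
        echo "no package verifier found" >&2
        return 1
    fi
}

# Recent successful logins (wtmp) and, where readable, failed ones (btmp).
login_summary() {
    last -n 50 2>/dev/null
    lastb -n 50 2>/dev/null
}

# Listening sockets with the owning process, for the anomaly review the post suggests.
listening_processes() {
    if command -v ss >/dev/null 2>&1; then
        ss -tulpn 2>/dev/null
    else
        netstat -tulpn 2>/dev/null
    fi
}

# Gather everything into one timestamped report and print its path.
triage_report() {
    root="${1:-/}"; mins="${2:-90}"; out="${3:-/tmp/triage-$(date +%s).txt}"
    {
        echo "== files modified in last $mins min under $root =="
        recent_files "$root" "$mins"
        echo "== package verification =="
        verify_packages
        echo "== recent logins =="
        login_summary
        echo "== listening sockets =="
        listening_processes
    } > "$out" 2>&1
    echo "$out"
}
```

Run it from a Live or Rescue CD with the suspect disk mounted read-only and the mount point passed as the first argument (for example `triage_report /mnt/suspect 1440 /media/usb/triage.txt`), so the report lands on separate media and nothing on the suspect filesystem is touched; `last`, `ss` and the package verifier will then describe the rescue environment rather than the suspect host, and for those the report only becomes meaningful when the script is run on the box itself, after the host-based findings are already preserved elsewhere.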