Recently my server was hacked. I have lots of questions for you Linux experts.
1.And I was wondering if there is any turnkey solution to check out the vulnerabilities of the server. E.g. the software should be able to simulate a hacker and try to hack into my server then notify me of the vulnerability.
The information on Linux security is just too overwhelming so I was thinking if there is any easier solution for this. If not then someone should try compile one as I believe it would benefit Linux newbies like me.
2.As for my server, someone hacked into it by uploading phpmyshell program.
But how can he gain access to other accounts from there??
3. He was dumb enough to leave traces in my /var/log/wtmp
I got his IP address and the time he logs in.
I went to FTP section and downloaded the raw FTP log.
I nabbed that fella!
188.8.131.52 - - [25/Jun/2004:06:51:20 -0400] "GET / HTTP/1.1" 200 660 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; 118K501TUR)"
Went to http://www.ip2location.com/free.asp
to check out the IP:184.108.40.206
"220.127.116.11 TR TURKEY"
Then I used IP tables to block the whole class C IP.OK I am mean. lol
iptables -I INPUT -s 18.104.22.168/24 -j DROP
Now what should I do with it?
4. If he wasn't smart enough to cover his traces I assume there must be a way for me to find out which files he modified, right? OK how????
Thanks in advance for your help! I will update you guys regarding the situation.