Re: [CentOS] I've been hacked -- what should I do next?




> Right ... however, if a weak account/passwd was created in useradd (for
> backups) and if something was not done to prevent ssh logins for that
> user, then someone may have logged into ssh via that account and port
> 22.

Yes, this is what happened. I have set the shell to /sbin/nologin for that account now, something I neglected to do when I created it.

> There are many ways to combat this specific issue (use key-only logins
> to ssh, etc.). But the simplest way I have found (if you want password
> access) is to use the AllowGroups option in /etc/ssh/sshd_config.
>
> AllowGroups sshusers
>
> That will make it so only people in the group sshusers can ssh in.

Excellent idea, I'll do this.

> I would also highly recommend that you do not use port 22 for ssh from
> the outside ... pick a non-standard port (like 3333 or 22222, etc.) and
> add this option as well to sshd_config:
>
> port 22
> port 3333
>
> You can then port forward port 3333 from the Linksys to 3333 on your CentOS machine ... you can ssh in via that port from outside and still use port 22 from inside your firewall (via other machines inside your firewall).
> (You will also need to open up port 3333 tcp on iptables if you have
> iptables on.)

What about simply forwarding a non-standard port from my Linksys router to port 22 on my CentOS system? This way I wouldn't have to reconfigure anything except for the router itself.

> rkhunter and / or chkrootkit ... both good things.

I'll get them and run them when I get back home tonight or over the weekend.

> Another thing to worry about is that once a user is logged in on that
> machine, they may try to use a local user exploit to gain root
> privileges.  So, you need to proceed assuming that they logged in as
> backup ... and exploited to get a root shell ... and had access to
> everything.

This is what I am worried about.

> That would mean that you need to either reinstall or do:
>
> rpm -V -qa
>
> and figure out everything that is different and verify that you do not
> have binary files for things like top, ps that have been modified to
> hide certain things.

I ran this and will go over the output tonight.

> Reinstall, that is my advice.

That's what I've done in the past too, but I am trying to avoid that option if possible.

Thanks for the quick response and advice.

Alfred
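As an added example (not code from the thread or from CentOS), here is a small POSIX sh helper for the rpm -V step discussed above: it reads verify output and surfaces the package files whose contents changed or that are missing, which are the ones to inspect first for replaced binaries like ps or top. The sample rpm -V lines are constructed, not real output from the poster's machine.

```sh
#!/bin/sh
# Added example, not code from the thread: triage the output of the
# "rpm -Va" check and surface the files most worth a close look before
# deciding between cleanup and reinstall.
#
# rpm -V prints one line per changed file: a 9-character flag field
# (S size, M mode, 5 digest, D device, L link, U owner, G group,
# T mtime, P capabilities; "." = unchanged, "?" = not testable),
# an optional file-type letter (c = config, d = doc, ...), then the path.
# The word "missing" replaces the flags when the file is gone.

# Reads rpm -V output on stdin. Prints paths whose size or digest changed,
# or that are missing. Config files are skipped: local edits to them are
# usually legitimate, and an mtime-only change (.......T.) is noise.
triage_rpm_verify() {
    awk '
        NF == 0 { next }
        # package-owned file no longer present
        $1 == "missing" { print $NF ": file missing"; next }
        # file-type column present and marked config: skip
        NF == 3 && $2 == "c" { next }
        # S in position 1 = size differs, 5 in position 3 = digest differs
        $1 ~ /^S/ || substr($1, 3, 1) == "5" {
            print $NF ": contents differ (" $1 ")"
        }
    '
}

# Constructed sample of rpm -Va output (not from a real machine):
# a replaced ps binary, an edited sshd_config, a missing top,
# a permission change on sudo, and a modified config file.
SAMPLE_RPM_V='S.5....T.    /bin/ps
.......T.  c /etc/ssh/sshd_config
missing     /usr/bin/top
.M.......    /usr/bin/sudo
S.5....T.  c /etc/hosts'

# Wrapper so the sample result is available as a return value.
triage_sample() {
    printf '%s\n' "$SAMPLE_RPM_V" | triage_rpm_verify
}

# On a live system: rpm -Va | triage_rpm_verify
```

The rpm database and the rpm binary itself live on the compromised host, so a tampered database can make this check come back clean; that is the reason the reinstall advice in the thread stands even when the output looks quiet.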

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
