been hacked / rootkit

Changing the SSH port is OK.. but it's not really the answer. You need to find out HOW they got in.. if it was via SSH, it's not because it was on port 22, it's because something was exploited, a username and password was guessed, etc.

All changing the port does is stop people "stumbling" across the fact that SSH is open. Did they even get in via SSH originally? Or did they exploit another service which then allowed them to login via SSH? Did they even use SSH? Lots of different things to consider.

Anyway, it looks like you've moved to Debian now.. just keep up to date with security.debian.org - apt-get update/apt-get upgrade. Also subscribe to the Debian Security mailing list, so when new packages get uploaded, you can see if you use them and if so, get the upgrade done ASAP.
Of course, even this isn't completely safe, but then.. the only way to fully secure a server is to turn it off.. which isn't always ideal.. so it's the next best thing. :D

Good choice on choosing Debian! :)
 

I think it was through SSH, because when I logged in as root it said the last login was from IP 79.117.98.85, and this IP had nothing to do with me. The root password was still the same. It could have been through a different service than SSH, but it was very difficult to tell. The logs had been tampered with, as had many of the other commands like top and ps.

Even if it was hijacked through another service, how would they have derived the root password? I haven't stored it on the system and AFAIK it's not available to read from anywhere; the most you could do is reset it.

(I haven't changed the port, that's what someone else was doing.)
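The post above notes that ps, top and the logs had been tampered with. On Debian, one way to find which installed files no longer match their package is to compare them against the per-package checksum lists dpkg keeps under /var/lib/dpkg/info/<pkg>.md5sums (this is what debsums and `dpkg --verify` do). The script below is an added example, not code from this thread; it implements that comparison on a constructed directory tree so it runs offline, and because a rootkitted host may have swapped out the hashing tools and the checksum lists themselves, it takes a `root` argument so it can be run from clean boot media against the suspect disk mounted read-only.

```python
"""Compare files against Debian dpkg md5sums lists (format: '<md5hex>  <path>',
two spaces, path relative to /). Added example; sample tree and checksum list
are constructed so the check can be exercised offline."""
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Parse one or more concatenated dpkg .md5sums files into {rel_path: md5hex}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, rel_path = line.partition("  ")
        expected[rel_path] = digest.lower()
    return expected


def verify_tree(root, md5sums_text):
    """Return {rel_path: 'OK' | 'MISMATCH' | 'MISSING'} for every listed file.
    `root` is '/' on a live system or the mount point of a disk being examined
    from trusted media (preferred, since an on-box check trusts on-box tools)."""
    results = {}
    for rel_path, want in parse_md5sums(md5sums_text).items():
        full = os.path.join(root, rel_path)
        if not os.path.isfile(full):
            results[rel_path] = "MISSING"
            continue
        with open(full, "rb") as fh:
            got = hashlib.md5(fh.read()).hexdigest()
        results[rel_path] = "OK" if got == want else "MISMATCH"
    return results


def demo():
    """Constructed scenario: a package shipping ps, top and kill, where top has
    been replaced and kill has been deleted. Not a real procps checksum list."""
    root = tempfile.mkdtemp()
    good_ps = b"#!/bin/sh\necho genuine ps\n"
    good_top = b"#!/bin/sh\necho genuine top\n"
    md5sums = "%s  bin/ps\n%s  bin/top\n%s  bin/kill\n" % (
        hashlib.md5(good_ps).hexdigest(),
        hashlib.md5(good_top).hexdigest(),
        hashlib.md5(b"genuine kill").hexdigest())
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "ps"), "wb") as fh:
        fh.write(good_ps)
    with open(os.path.join(root, "bin", "top"), "wb") as fh:
        fh.write(b"#!/bin/sh\necho replaced top\n")  # simulated tampering
    return verify_tree(root, md5sums)
```

A clean result only means the listed files match what the package shipped; files a rootkit adds outside any package, or a modified kernel module, will not show up here.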
 