I run a dedicated server over at OVH, which I mainly use for hosting websites (with LAMP), game servers and media for myself. Often I will test out things on it like VPNs, proxies, virtual machines etc.
Today I noticed while looking through my home folder that two extra users had appeared called rootx and roott, which worried me somewhat, especially as looking at their groups rootx was in the sudo group. I of course immediately deleted both users, changed the password of all other accounts and wiped any key files (there weren't any). The two accounts were made 14 days ago.
However, the obvious horrifying thought is that a user had sudo access to my machine for 14 days; who knows what they installed with that access, plus any program installed could now give them root access! For starters I went into the web dir and found that b374k had been placed there; this is some kind of server manager that allows code to be executed (great). A proxy for Facebook had also been made. Obviously I have deleted both.
Looking through auth.log there is only me logging in for the past month, so I haven't had my password hacked. The thing is, how the heck did they do it? I had some rudimentary login scripts on the server that only had basic SQL injection protection; could they have installed b374k via that and then used it to create users?
What I guess I really need to know is: can they simply redo what they did before and gain access again? I would prefer not to have my server ruined if they are nastier than last time. Is there any log I should check to try and find out how they did it?
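On the log question: auth.log records more than logins, since useradd, usermod and gpasswd write their account and group changes there too, so the rootx/roott creation and the sudo-group addition should have left entries. The following is an added example (not from the original post) that parses constructed auth.log lines plus an /etc/group snapshot and flags accounts created outside a known set and any addition to a privileged group; the sample lines, host name, user names and allow-lists are assumptions.

```python
import re

# Constructed sample of auth.log lines (not from the original post). shadow-utils
# (useradd/usermod/gpasswd) log account and group changes here alongside sshd/sudo.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:07 srv useradd[21344]: new user: name=rootx, UID=1003, GID=1003, home=/home/rootx, shell=/bin/bash
Mar  3 02:14:09 srv usermod[21350]: add 'rootx' to group 'sudo'
Mar  3 02:14:09 srv usermod[21350]: add 'rootx' to shadow group 'sudo'
Mar  3 02:14:30 srv useradd[21360]: new user: name=roott, UID=1004, GID=1004, home=/home/roott, shell=/bin/bash
Mar  3 02:15:02 srv gpasswd[21377]: user roott added by root to group www-data
Mar  3 09:00:01 srv sshd[22001]: Accepted publickey for admin from 203.0.113.5 port 50212 ssh2
"""
# Constructed /etc/group snapshot for the same hypothetical host.
SAMPLE_GROUP_FILE = "root:x:0:\nsudo:x:27:admin,rootx\nwww-data:x:33:roott\n"

# Accounts and privileged groups the admin expects (assumption: adjust per host).
KNOWN_USERS = {"root", "admin", "www-data"}
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root"}

TS = r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ "
NEW_USER = re.compile(TS + r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)")
GROUP_ADD = re.compile(TS + r"(?:usermod|gpasswd)\[\d+\]: (?:add '(?P<u1>[^']+)' to (?:shadow )?group "
                       r"'(?P<g1>[^']+)'|user (?P<u2>\S+) added by \S+ to group (?P<g2>\S+))")

def audit_account_changes(log_text, known_users=KNOWN_USERS, priv_groups=PRIVILEGED_GROUPS):
    """Return (timestamp, kind, user, group_or_None) for unknown new accounts and privileged-group adds."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        if (m := NEW_USER.match(line)) and m["user"] not in known_users:
            findings.append((m["ts"], "new-user", m["user"], None))
        elif m := GROUP_ADD.match(line):
            user, group = m["u1"] or m["u2"], m["g1"] or m["g2"]
            # usermod logs the group and its shadow entry separately; report once.
            if group in priv_groups and (user, group) not in seen:
                seen.add((user, group))
                findings.append((m["ts"], "priv-group", user, group))
    return findings

def unexpected_privileged_members(group_text, known_users=KNOWN_USERS, priv_groups=PRIVILEGED_GROUPS):
    """Parse /etc/group content; return {group: [members not in known_users]} for privileged groups."""
    bad = {}
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) == 4 and parts[0] in priv_groups:
            unknown = [u for u in parts[3].split(",") if u and u not in known_users]
            if unknown:
                bad[parts[0]] = unknown
    return bad
```

Run `audit_account_changes` over the real auth.log (and its rotated `auth.log.N` copies, since the accounts are 14 days old) and compare the timestamps against the web server access log to see which request preceded the account creation.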