
Server Hacker

Joined
Sep 1, 2007
Messages
334 (0.05/day)
Location
UK
System Name Moose 5800X3D
Processor AMD Ryzen 7 5800X3D 3.4Ghz 4.5Ghz Boost 96MB L3 Cache
Motherboard Asus Prime X570-P
Cooling Custom Liquid Cooling covering CPU and GPU including liquid backplate for graphics memory cooling
Memory G.Skill Trident Z RGB 32GB (2 x 16GB) DDR4 DRAM 3600MHz CL18
Video Card(s) PNY GeForce RTX 3090 XLR8 Gaming 24GB
Storage WD Black SN770 2 TB PCIe 4.0 NVMe M.2 + Samsung 970 EVO 1TB PCIe NVMe M.2 + 2x WD Caviar Black 750GB
Display(s) AOC 34" CU34G2/BK Ultra Wide @ 3440x1440
Case Thermaltake Level 20 HT
Audio Device(s) Creative Sound Blaster Z SE
Power Supply Corsair TX850M 850W Semi Modular
Mouse Razer Viper Ultimate
Keyboard Rii K61c
Software Windows 11 Pro
I run a dedicated server over at OVH, which I mainly use for hosting websites (with LAMP), game servers and media for myself. Often I will test out things on it like VPNs, proxies, virtual machines etc.

Today I noticed while looking through my home folder that two extra users had appeared called rootx and roott, which worried me somewhat especially as looking at their groups rootx was in the sudo group. I of course immediately deleted both users and changed the password of all other accounts and wiped any key files (there weren't any). The two accounts were made 14 days ago.

However the obvious horrifying thought is that a user had sudo access to my machine for 14 days, who knows what they installed with that access, plus any program installed could now give them root access! For starters I went into the web dir and found that b374k had been placed there, this is some kind of server manager that allows code to be executed (great). A proxy for facebook had also been made. Obviously I have deleted both.

Looking through auth.log there is only me logging in for the past month, so I haven't had my password hacked. The thing is how the heck did they do it? I had some rudimentary login scripts on the server that only had basic sql injection protection, could they have installed b374k via that then used it to create users?

What I guess I really need to know is can they simply redo what they did before and gain access again? I would prefer not to have my server ruined if they are more nasty than last time. Is there any log I should check to try and find out how they did it?
 

AsRock

TPU addict
Joined
Jun 23, 2007
Messages
18,871 (3.07/day)
Location
UK\USA
Processor AMD 3900X \ AMD 7700X
Motherboard ASRock AM4 X570 Pro 4 \ ASUS X670Xe TUF
Cooling D15
Memory Patriot 2x16GB PVS432G320C6K \ G.Skill Flare X5 F5-6000J3238F 2x16GB
Video Card(s) eVga GTX1060 SSC \ XFX RX 6950XT RX-695XATBD9
Storage Sammy 860, MX500, Sabrent Rocket 4 Sammy Evo 980 \ 1xSabrent Rocket 4+, Sammy 2x990 Pro
Display(s) Samsung 1080P \ LG 43UN700
Case Fractal Design Pop Air 2x140mm fans from Torrent \ Fractal Design Torrent 2 SilverStone FHP141x2
Audio Device(s) Yamaha RX-V677 \ Yamaha CX-830+Yamaha MX-630 Infinity RS4000\Paradigm P Studio 20, Blue Yeti
Power Supply Seasonic Prime TX-750 \ Corsair RM1000X Shift
Mouse Steelseries Sensei wireless \ Steelseries Sensei wireless
Keyboard Logitech K120 \ Wooting Two HE
Benchmark Scores Meh benchmarks.
Where's @Easy Rhino when you want him?
 
Joined
Jul 3, 2008
Messages
174 (0.03/day)
Processor Intel Core i7 5820k
Motherboard MSI X99S-GAMING7
Cooling Corsair H105
Memory 16GB G.SKILL DDR4
Video Card(s) Gigabyte GTX1070 Gaming G1
Storage Samsung 840 Evo 256GB
Display(s) Acer Predator XB271HU
Case Corsair 800D
Audio Device(s) ASUS XONAR
Power Supply Corsair HX850i
Mouse Logitech G502
Keyboard Filco Majestouch
Software Windows 10
Joined
Sep 1, 2007
Luckily for me there is nothing sensitive that I would be upset about losing, especially as the server is backed up. However, I feel the guide's suggestion of nuking the server is perhaps too much, as I don't want to have to reinstall everything.
 
Joined
May 13, 2010
Messages
5,690 (1.12/day)
System Name RemixedBeast-NX
Processor Intel Xeon E5-2690 @ 2.9Ghz (8C/16T)
Motherboard Dell Inc. 08HPGT (CPU 1)
Cooling Dell Standard
Memory 24GB ECC
Video Card(s) Gigabyte Nvidia RTX2060 6GB
Storage 2TB Samsung 860 EVO SSD//2TB WD Black HDD
Display(s) Samsung SyncMaster P2350 23in @ 1920x1080 + Dell E2013H 20 in @1600x900
Case Dell Precision T3600 Chassis
Audio Device(s) Beyerdynamic DT770 Pro 80 // Fiio E7 Amp/DAC
Power Supply 630w Dell T3600 PSU
Mouse Logitech G700s/G502
Keyboard Logitech K740
Software Linux Mint 20
Benchmark Scores Network: APs: Cisco Meraki MR32, Ubiquiti Unifi AP-AC-LR and Lite Router/Sw:Meraki MX64 MS220-8P
I would have configserver firewall installed on the server. Also HUGE THING... are there any control panels like cpanel/interworx/plesk/etc?
Cpanel has CPHulk and it's awesome

I would also get cloudflare for the web end and it automatically blocks a lot of shady IPs including some proxies, bad VPN endpoints, etc.

I would also request a new IP from the host, although it might cost a pretty penny if they charge you a "lax tax" for not being proactive enough.

Also I'd set your SSH access to work on key files and not passwords for extra security.
Putty guide: https://www.howtoforge.com/ssh_key_based_logins_putty
 

Aquinus

Resident Wat-man
Joined
Jan 28, 2012
Messages
13,147 (2.94/day)
Location
Concord, NH, USA
System Name Apollo
Processor Intel Core i9 9880H
Motherboard Some proprietary Apple thing.
Memory 64GB DDR4-2667
Video Card(s) AMD Radeon Pro 5600M, 8GB HBM2
Storage 1TB Apple NVMe, 4TB External
Display(s) Laptop @ 3072x1920 + 2x LG 5k Ultrafine TB3 displays
Case MacBook Pro (16", 2019)
Audio Device(s) AirPods Pro, Sennheiser HD 380s w/ FIIO Alpen 2, or Logitech 2.1 Speakers
Power Supply 96w Power Adapter
Mouse Logitech MX Master 3
Keyboard Logitech G915, GL Clicky
Software MacOS 12.1
Do you have SSH enabled on port 22 with password auth enabled? That's a vector for an attack and I've known many people (myself included,) that have found people attempting to attack SSH (and with my former boss, succeeded in gaining access.)

I highly recommend switching SSH to a non-standard port, like 60022 instead of 22, then requiring RSA public/private key auth for all sessions. Password auth itself is a vector for attack, and so is using port 22.

> I had some rudimentary login scripts on the server that only had basic sql injection protection, could they have installed b374k via that then used it to create users?
I doubt it. If it were SQL injection it would only impact your database. Side note: That should never be a question. You should *always* handle SQL injection, there is never a time to not handle it.
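The sshd settings Aquinus is recommending (keys only, no password auth, off port 22) can be checked mechanically before and after the change. The script below is an added example and not code from anyone in the thread; it reads an sshd_config in the standard OpenSSH "Keyword value" syntax, applies the OpenSSH defaults for keywords that are absent, and reports each weak setting. The two sample configs it writes are constructed for the demonstration and are not the poster's real files; Match blocks are not handled.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# discussed above. Assumes plain "Keyword value" lines with '#' comments;
# Match blocks are ignored, which is an assumption of this script.

# Effective value of a keyword: first uncommented occurrence wins, as in sshd.
# Commented lines have '#' glued to the keyword, so they never match.
sshd_value() {
    cfg="$1"; key="$2"
    awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$cfg"
}

# Print one line per weak setting; return 1 if any were found, 0 if clean.
audit_sshd() {
    cfg="$1"; rc=0
    pw=$(sshd_value "$cfg" PasswordAuthentication)
    root=$(sshd_value "$cfg" PermitRootLogin)
    port=$(sshd_value "$cfg" Port)
    pubkey=$(sshd_value "$cfg" PubkeyAuthentication)
    # OpenSSH defaults used when the keyword is absent from the file.
    [ -z "$pw" ] && pw=yes
    [ -z "$root" ] && root=prohibit-password
    [ -z "$port" ] && port=22
    [ -z "$pubkey" ] && pubkey=yes
    case "$pw" in yes) echo "weak: PasswordAuthentication yes (use key auth only)"; rc=1 ;; esac
    case "$root" in yes) echo "weak: PermitRootLogin yes"; rc=1 ;; esac
    case "$pubkey" in no) echo "weak: PubkeyAuthentication no"; rc=1 ;; esac
    [ "$port" = 22 ] && { echo "note: listening on default port 22 (attracts scanner noise)"; rc=1; }
    return $rc
}

# Constructed sample configs for the demo: a stock-style file that leaves the
# defaults in place and enables root login, and a hardened one.
write_samples() {
    d="$1"
    cat > "$d/weak" <<'EOF'
# stock-style config: everything left at defaults
#Port 22
#PasswordAuthentication yes
PermitRootLogin yes
EOF
    cat > "$d/hardened" <<'EOF'
Port 60022
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
EOF
}

# Run the audit on the constructed samples: sh sshd_audit.sh demo
# On a real host: audit_sshd /etc/ssh/sshd_config
demo() {
    d=$(mktemp -d)
    write_samples "$d"
    echo "== weak sample =="; audit_sshd "$d/weak"
    echo "== hardened sample =="; audit_sshd "$d/hardened" && echo "clean"
}
case "${1:-}" in demo) demo ;; esac
```

Note that the file being audited is `sshd_config` (the server), not `ssh_config` (the client defaults); the two are easy to confuse, and only the former controls who can log in.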
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
27,037 (3.71/day)
Processor Ryzen 7 5700X
Memory 48 GB
Video Card(s) RTX 4080
Storage 2x HDD RAID 1, 3x M.2 NVMe
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
Your best option when a server is compromised is a complete reinstall, then copy back your data, making sure that no backdoors have been added. Checking file modification times is a good first step to identify those; you might actually want to run that search on your server to see what files they changed.

Like this:
http://stackoverflow.com/questions/...-the-files-have-been-changed-in-last-24-hours

Getting root access via SQL injection is not impossible; it depends on your server setup.
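The two checks that come up in this thread, W1zzard's "what files changed recently" search and the OP's discovery of extra accounts in the sudo group, fit in one small triage script. This is an added example, not code from the thread or from the linked Stack Overflow answer; the passwd and group files it builds for the demo are constructed and the account names are only modelled on the ones the OP reported. On a real host it is run as root against `/` and `/etc/passwd`, `/etc/group`.

```shell
#!/bin/sh
# Added example (not from the thread): post-compromise triage helpers.

# Regular files under $1 whose contents changed within the last $2 days.
# Pseudo-filesystems are pruned because they change constantly; -xdev keeps
# the search on one filesystem so bind mounts do not get walked twice.
recent_files() {
    root="$1"; days="$2"; base="${root%/}"
    find "$root" -xdev \
        \( -path "$base/proc" -o -path "$base/sys" -o -path "$base/run" -o -path "$base/dev" \) -prune -o \
        -type f -mtime "-$days" -print 2>/dev/null | sort
}

# Accounts with UID 0 in a passwd file (default /etc/passwd); anything other
# than "root" here is a red flag.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "${1:-/etc/passwd}"
}

# Members of the sudo group from a group file (default /etc/group).
sudo_members() {
    awk -F: '$1 == "sudo" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "${1:-/etc/group}"
}

# Compare both lists against an allow-list of expected admin names given as
# the remaining arguments; print offenders and return 1 if any are found.
unexpected_admins() {
    passwd="$1"; group="$2"; shift 2
    rc=0
    for u in $( { uid0_accounts "$passwd"; sudo_members "$group"; } | sort -u ); do
        ok=0
        for a in "$@"; do [ "$u" = "$a" ] && ok=1; done
        if [ "$ok" -eq 0 ]; then echo "unexpected privileged account: $u"; rc=1; fi
    done
    return $rc
}

# Demo on constructed sample files (not a real system): sh triage.sh demo
# Real host, as root: recent_files / 14; unexpected_admins /etc/passwd /etc/group root
demo() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\nbob:x:1000:1000::/home/bob:/bin/sh\nrootx:x:0:0::/home/rootx:/bin/sh\n' > "$d/passwd"
    printf 'root:x:0:\nsudo:x:27:bob,rootx\n' > "$d/group"
    touch "$d/dropped.php"
    echo "== files changed in the last day =="; recent_files "$d" 1
    echo "== privileged accounts not in the allow-list (root, bob) =="
    unexpected_admins "$d/passwd" "$d/group" root bob
}
case "${1:-}" in demo) demo ;; esac
```

Two caveats a reviewer of the output would keep in mind: `-mtime` reads the modification time stored in the inode, which an intruder with root can reset (`touch -d`), so an empty result does not prove nothing changed; and the grep for `sudo` should be repeated for whatever other admin groups the distribution uses (`wheel`, `adm`) and for any extra lines in `/etc/sudoers` or `/etc/sudoers.d/`.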
 

Ahhzz

Moderator
Staff member
Joined
Feb 27, 2008
Messages
8,741 (1.48/day)
System Name OrangeHaze / Silence
Processor i7-13700KF / i5-10400 /
Motherboard ROG STRIX Z690-E / MSI Z490 A-Pro Motherboard
Cooling Corsair H75 / TT ToughAir 510
Memory 64Gb GSkill Trident Z5 / 32GB Team Dark Za 3600
Video Card(s) Palit GeForce RTX 2070 / Sapphire R9 290 Vapor-X 4Gb
Storage Hynix Plat P41 2Tb\Samsung MZVL21 1Tb / Samsung 980 Pro 1Tb
Display(s) 22" Dell Wide/24" Asus
Case Lian Li PC-101 ATX custom mod / Antec Lanboy Air Black & Blue
Audio Device(s) SB Audigy 7.1
Power Supply Corsair Enthusiast TX750
Mouse Logitech G502 Lightspeed Wireless / Logitech G502 Proteus Spectrum
Keyboard K68 RGB — CHERRY® MX Red
Software Win10 Pro \ RIP:Win 7 Ult 64 bit
> I would have configserver firewall installed on the server. Also HUGE THING... are there any control panels like cpanel/interworx/plesk/etc?
> Cpanel has CPHulk and it's awesome
>
> I would also get cloudflare for the web end and it automatically blocks a lot of shady IPs including some proxies, bad VPN endpoints, etc.
>
> I would also request a new IP from the host, although it might cost a pretty penny if they charge you a "lax tax" for not being proactive enough.
>
> Also I'd set your SSH access to work on key files and not passwords for extra security.
> Putty guide: https://www.howtoforge.com/ssh_key_based_logins_putty
+1 to that. I had a client who was hacked via RDP a few years ago, and after spending the weekend playing whack-a-hack from the house, blocking IPs via the router, I had the ISP give them a new static ASAP monday morning.
 
Joined
Apr 14, 2015
Messages
27 (0.01/day)
Location
Norway
System Name Budget++
Processor AMD FX-8370 Black Edition
Motherboard MSI 970 GAMING, Socket-AM3+
Cooling Cooler Master Hyper 212 EVO
Memory Corsair Vengeance DDR3 1600MHz 8GB CL9
Video Card(s) Gainward GeForce GTX 970 4GB
Storage OCZ SSD Agility 3 Series 2.5" 120GB + Some shit 1TB hdd
Display(s) BenQ XL2411Z
Case Fractal Design Core 3000 Midi Tower
Audio Device(s) NaN
Power Supply Corsair CX 750M, 750W
Mouse QPAD 5K Lasergrade mouse
Keyboard Razer Blackwidow 2014
Software Windows 7 - Ultimate 64-bit
Benchmark Scores 0/10
> then requiring RSA Public/Private key auth for all sessions. Password auth itself is a vector for attack and so is using port 22.
This so much. Key auth is the way to go.

You could look into chroot jail, if you are feeling paranoid.
 
Joined
Sep 1, 2007
Thanks, I'll try setting up private keys and disabling login. Though I don't think they got in via SSH, there are many attempted attacks each day looking at the logs!

The only things of significance edited were:
/etc/ssh/ssh_config and ssh_config~
/etc/subuid and subuid-
/etc/subguid and subguid-
 

Aquinus
> there are many attempted attacks each day looking at the logs!
Get off port 22 for SSH. That will resolve 99% of your attacks on SSH. A lot of automated attacks come from machines scanning the internet for ports open on commonly used ports.

Solution: Don't use commonly used ports if possible.
 
Joined
May 13, 2010
And did you look into configserver firewall?
 
Joined
Sep 1, 2007
> And did you look into configserver firewall?
Yer I'm looking into it, only thing is that I don't want it to make using the server harder!
 
Joined
May 13, 2010
Sometimes it's necessary tho for better security.
 