Mario Luzeiro:

Hi,

I've just found that something very strange happened, after I found that some users of my VM disappeared.

Then I was looking into the logs and I found something related to:

passwd:chauthtok

in /var/log/auth.log

http://forum.slicehost.com/index.php?p=/discussion/1858/system-has-been-...


I traced the IP that changed and deleted the users, and it also comes from Romania.

What does that mean? How can I protect my VM?

In my setup, I only make port 8080 public (internal port FW), but from the same log I got that it was changed by the 55051 ssh2 port. :|

I don't know if I can revert my machine back again, or what happened in the attack. I didn't think that this was possible with Linux :| anyway :|
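The `passwd:chauthtok` entry is the PAM "change authentication token" stack: `pam_unix` writes `password changed for <user>` whenever an account's password is set, so seeing it for accounts you did not touch is a strong sign someone else had a root shell. In the sshd lines, the number after `port` is the client's ephemeral source port, not the port the server listens on. Below is an added triage script (not from this thread, not the poster's log) that runs over constructed `/var/log/auth.log` lines with documentation-range IPs and pulls out the events worth looking at after an incident: brute-force sources, a successful login following a run of failures, root logins, password changes and deleted users. The log formats are those of Debian's sshd, pam_unix and userdel; the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines in Debian syslog format
# (not the poster's real log). IPs are documentation-range addresses.
SAMPLE_LOG = """\
Jan 12 03:14:07 vm sshd[2231]: Failed password for root from 203.0.113.45 port 55030 ssh2
Jan 12 03:14:09 vm sshd[2233]: Failed password for root from 203.0.113.45 port 55034 ssh2
Jan 12 03:14:12 vm sshd[2235]: Failed password for invalid user test from 203.0.113.45 port 55040 ssh2
Jan 12 03:14:15 vm sshd[2238]: Accepted password for root from 203.0.113.45 port 55051 ssh2
Jan 12 03:14:15 vm sshd[2238]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 12 03:15:02 vm passwd[2260]: pam_unix(passwd:chauthtok): password changed for alice
Jan 12 03:15:40 vm userdel[2271]: delete user 'bob'
Jan 12 08:02:11 vm sshd[3102]: Accepted publickey for admin from 198.51.100.7 port 40122 ssh2
"""

# sshd logs "from <ip> port <n>": <n> is the client's ephemeral source port,
# not the port the server listens on (still 22 unless you changed it).
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port (\d+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port (\d+)")
CHAUTHTOK = re.compile(r"pam_unix\(passwd:chauthtok\): password changed for (\S+)")
USERDEL = re.compile(r"userdel\[\d+\]: delete user '([^']+)'")


def triage(lines, failure_threshold=3):
    """Return a dict of findings. failure_threshold is the number of failed
    logins from one IP after which that IP counts as a brute-force source."""
    failures = Counter()  # source IP -> failed password attempts so far
    report = {
        "brute_force_sources": [],
        "logins_after_failures": [],  # (user, ip, method)
        "root_logins": [],            # (ip, method)
        "password_changes": [],       # account names
        "deleted_users": [],          # account names
    }
    for line in lines:
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip, _port = m.groups()
            # A success right after a burst of failures is the classic
            # password-guessing signature.
            if failures[ip] >= failure_threshold:
                report["logins_after_failures"].append((user, ip, method))
            if user == "root":
                report["root_logins"].append((ip, method))
            continue
        m = CHAUTHTOK.search(line)
        if m:
            report["password_changes"].append(m.group(1))
            continue
        m = USERDEL.search(line)
        if m:
            report["deleted_users"].append(m.group(1))
    report["brute_force_sources"] = sorted(
        ip for ip, n in failures.items() if n >= failure_threshold
    )
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

On a real box you would feed it `open("/var/log/auth.log")` (and the rotated `auth.log.1`, `auth.log.*.gz`) instead of `SAMPLE_LOG`; the point of the script is to separate "someone guessed a password and then changed accounts" from ordinary admin activity, which is what decides whether a restore is needed.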

Mario Luzeiro:

Correction: I was also forwarding port 22 :( to the public.

Eric (tssgery):

Your system got compromised. I'd imagine that it was a brute force password attack on SSH, but it could have been a different way.

For a secure system, you should disable root logins via SSH. This means you'll need a non-privileged account with a very secure password, or use SSH keys to authenticate (using SSH keys is more secure).

Reverting your machine back will be very difficult unless you have a backup from a time that you KNOW was before the attack. They could easily have left a back door in the system that would make a restoration futile.


As far as it happening on Linux... of course it can. IMHO, the TurnKey systems are not secure out of the box. You should harden them for anything facing the public. There are many web pages that document how to secure a Debian system... follow those guides and you'll be far safer.
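The two sshd settings the reply is talking about are `PermitRootLogin` and `PasswordAuthentication`. As an added example (not from the thread, not TurnKey's own tooling) here is a small audit of `sshd_config` text that puts a weak fragment beside a hardened one and reports what would let a password-guessing attack log straight in as root. Both config fragments are constructed; the defaults assumed for absent directives are those of OpenSSH 7.0 and later, and the parser follows sshd's rule that the first occurrence of a directive wins.

```python
import re

# Constructed sshd_config fragments (not the poster's files). WEAK_CONFIG is the
# kind of setup that lets a guessed root password in; HARDENED_CONFIG is what the
# reply recommends: no root login, keys instead of passwords, a named admin account.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers admin
MaxAuthTries 3
"""

# Values sshd uses when a directive is absent (OpenSSH 7.0+; assumption stated in the lead-in).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

DIRECTIVE = re.compile(r"^(\w+)[\s=]+(.+)$")  # "Key value" or "Key=value"


def parse_sshd_config(text):
    """Effective global directives, keyed by lower-cased name.
    sshd honours the FIRST occurrence of a directive, so later duplicates are
    ignored; parsing stops at the first Match block because everything after
    it applies only conditionally."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def audit(effective):
    """Return a list of (directive, value, problem) findings; empty means
    the config passes the checks in this example."""
    cfg = {**DEFAULTS, **effective}
    findings = []
    if cfg["permitrootlogin"].lower() == "yes":
        findings.append(("PermitRootLogin", "yes",
                         "root can log in over SSH; set it to no"))
    if cfg["passwordauthentication"].lower() == "yes":
        findings.append(("PasswordAuthentication", "yes",
                         "password logins are exposed to guessing; use keys and set it to no"))
    if cfg["pubkeyauthentication"].lower() == "no":
        findings.append(("PubkeyAuthentication", "no",
                         "key-based login is disabled; set it to yes"))
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append(("AllowUsers", "(unset)",
                         "every local account may attempt SSH login; restrict to the admin account(s)"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(parse_sshd_config(text)) or 'no findings'}")
```

To use it against a live file, pass `open("/etc/ssh/sshd_config").read()` to `parse_sshd_config`. After editing the real config, run `sshd -t` to check the syntax before restarting the daemon, and keep an existing session open until you have confirmed the key-based login works, so a typo does not lock you out.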
