I help administer a Turnkey Ubuntu LAMP appliance, installed as a virtual machine, and it has been cracked. The intruder gained access via keyboard-interactive ssh. The passwords were fairly complex. I'm guessing he compromised ssh somehow so that he did not need a password. I've disabled the account name used in the attack (and all others).
These daemons were running: oidentd and eggdrop (might have been eggdrop2). These I killed in a hurry before trying to gather info. There was also an ftp daemon that I killed. There is no baseline of checksums after the initial install and subsequent scheduled updates (AFAIK), but the md5sum of /usr/sbin/sshd matches one published md5sum that I've seen, so I think it is clean.
Here is a truncated list of what was logged by the package manager at the time of the breach:
install make <none> 3.81-7ubuntu1
install binutils <none> 2.20.1-3ubuntu7.1
install libgomp1 <none> 4.4.3-4ubuntu5.1
install gcc-4.4 <none> 4.4.3-4ubuntu5.1
install gcc <none> 4:4.4.3-1ubuntu1
update-alternatives: run with --quiet --install /usr/bin/cc cc /usr/bin/gcc 20 --slave /usr/share/man/man1/cc.1.gz cc.1.gz /usr/share/man/man1/gcc.1.gz
update-alternatives: run with --quiet --install /usr/bin/c89 c89 /usr/bin/c89-gcc 20 --slave /usr/share/man/man1/c89.1.gz c89.1.gz /usr/share/man/man1/c89-gcc.1.gz
update-alternatives: run with --quiet --install /usr/bin/c99 c99 /usr/bin/c99-gcc 20 --slave /usr/share/man/man1/c99.1.gz c99.1.gz /usr/share/man/man1/c99-gcc.1.gz
install oidentd <none> 2.0.8-3
install ftp <none> 0.17-19build1
update-alternatives: run with --install /usr/bin/ftp ftp /usr/bin/netkit-ftp 100 --slave /usr/share/man/man1/ftp.1.gz ftp.1.gz /usr/share/man/man1/netkit-ftp.1.gz
Does anything jump out at you in the above list that would not be included in Turnkey's LAMP appliance? Should I remove everything with apt-get? I've already rm'd netkit-ftp, oidentd, and ftp. tcl was also installed, but I did not remove it. I'm afraid removing tcl might break something on the appliance.
Is there a published baseline of md5sums for the components in TurnkeyLinux appliances? Any advice on how to proceed would be appreciated.
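Two checks a responder would run against the dpkg state described in the question, as an added example that is not part of the original post: pulling every `install` record from `/var/log/dpkg.log` inside a time window (the log format shown, `YYYY-MM-DD HH:MM:SS install <pkg> <old> <new>`, is dpkg's own), and re-verifying files against a dpkg-style `.md5sums` manifest, which is the per-package baseline dpkg keeps under `/var/lib/dpkg/info/<pkg>.md5sums` and what the `debsums` tool reads. The log excerpt, timestamps, file contents and manifest below are constructed for the example; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post or from TurnkeyLinux.
# 1. dpkg_installs_between LOG START END
#    prints "<pkg> <new-version>" for every "install" line in a dpkg.log
#    whose timestamp lies in [START, END].
# 2. verify_md5sums MANIFEST ROOT
#    re-checks each "<md5>  <relative path>" line of a dpkg-style md5sums
#    manifest against the files under ROOT and prints MISMATCH/MISSING lines.
# Caveat: on a live compromised host the log, the manifests and md5sum itself
# may have been altered; run this from a clean system against a read-only
# mounted image, and take the reference sums from a clean copy of the .deb.
set -eu

# Constructed dpkg.log excerpt (assumed dates; the format is dpkg's).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2010-11-01 03:12:01 startup packages configure
2010-11-01 03:12:05 install libgomp1 <none> 4.4.3-4ubuntu5.1
2010-11-01 03:12:09 install gcc-4.4 <none> 4.4.3-4ubuntu5.1
2010-11-01 03:12:44 install oidentd <none> 2.0.8-3
2010-11-03 06:25:01 upgrade openssl 0.9.8k-7ubuntu8 0.9.8k-7ubuntu8.1
EOF

# Zero-padded ISO 8601 timestamps compare correctly as plain strings.
dpkg_installs_between() {
    log=$1; start=$2; end=$3
    awk -v s="$start" -v e="$end" '
        $3 == "install" {
            ts = $1 " " $2
            if (ts >= s && ts <= e) print $4, $6
        }' "$log"
}

# Returns 1 if any manifest entry is missing or has a different md5.
verify_md5sums() {
    manifest=$1; root=$2; rc=0
    while read -r sum path; do
        [ -n "$path" ] || continue
        f="$root/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        actual=$(md5sum "$f" | awk '{print $1}')
        if [ "$actual" != "$sum" ]; then
            echo "MISMATCH $path"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# Constructed fake filesystem: record a baseline, then simulate tampering.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/usr/sbin" "$ROOT/usr/bin"
printf 'clean sshd\n' > "$ROOT/usr/sbin/sshd"
printf 'clean ftp\n'  > "$ROOT/usr/bin/ftp"
MANIFEST=$(mktemp)
( cd "$ROOT" && md5sum usr/sbin/sshd usr/bin/ftp ) > "$MANIFEST"
printf 'trojaned sshd\n' > "$ROOT/usr/sbin/sshd"   # binary replaced
rm "$ROOT/usr/bin/ftp"                              # file removed

echo "== packages installed in the breach window =="
dpkg_installs_between "$SAMPLE_LOG" "2010-11-01 00:00:00" "2010-11-01 23:59:59"
echo "== files differing from the recorded md5sums =="
verify_md5sums "$MANIFEST" "$ROOT" || echo "(integrity check failed)"
```

On a real image the manifest argument is one of the `/var/lib/dpkg/info/*.md5sums` files (or the `md5sums` member of a freshly downloaded `.deb`, which is the trustworthy source once the host is suspect), and the root argument is the mount point of the image. The md5sums files cover only packaged files and not configuration, so a clean pass does not rule out added cron jobs, keys in `authorized_keys`, or binaries dropped outside package paths; it only tells you which packaged files have changed.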