uhh.. I got hacked

Yesterday, In the morning my boss tell me to looking at the router. It blinks like it'll going to blow up. Something in our network use almost 60% of my bandwidth. I look around and see that network light on the acient small box on the floor blinks too. It's a secondhand computer from japan and I almost forget it.

On that box,I install dapper server,postfix,courier,mysql and use it as a mail server with no firewall. poor me. :(

This is first time I got hacked(as I know hah ha). I've no idea what to do first. I go to check /var/log/auth.log and found many ssh attack. 'who' give me two users online, me and test1[the hacker]. 'top' show that user test1 run tons of ssh-scan process. I can't remember that did I create that test1 user myself or the hacker do a dictionary attack, found my password then create test1 user. What I do at that time is restart computer, delete test1 user then create a firewall.

Then I go to ubuntuforums and found this thread. It look like my case and from his .bash_history look like the hacker going to /var/tmp, download a file.tgz that contain hiden directory 1.user 2.user ssh-scan... So I go back to check my box and here is what i found on my email server.

pnix@xxx:~$ ls -a /var/tmp
. .. fast .PA PA.tgz
pnix@xxx:~$ ls -a /var/tmp/.PA
. 191.20.pscan.22 191.83.pscan.22 217.20.pscan.22 gen-pass.sh pass_file pscan2 ssh-scan vuln.txt
.. 191.21.pscan.22 217.10.pscan.22 common go.sh pico ss start
pnix@xxx:~$ ls -a /var/tmp/fast
. 1.user 3.user checkmech fast go LinkEvents m.help m.lev m.ses .m.set.swp src
.. 2.user Andy.seen configure genuser httpd Makefile mkindex m.pid m.set r Vipuletz.seen

It's look almost the same files. On that thread many one said go to reinstall this box can't trust anymore. Yes, I agree but not now I will prepare the new one first with full secure as I can.

Since yesterday lunch until now there five or six attempts to attack my mail server. From many places include the test1 user[I know his ip address] but no success[my firewall's job not too bad]. :)


Saurav Shrestha said...

Wow! interesting. What does your company do? Did the hacker get anything?