have I been hacked?

ahadley · n00b Joined: 08 Jan 2004 Posts: 45 Location: UK

Hi, I have a server which runs nothing but server things (i.e. no xorg or anything other than apache, mysql and so on.) It serves wesites to the wider world and so on.

I recently completely ran out of space so did a few du commands to find oput what has used it all... it was all being used up in /var/tmp/, not a supprise i guess so i checked in there.

However the directory using all the space was one called '...', and which was owned by distcc, group daemon. weird I thought. inside this directory was only one, also called '...', inside this one called 'user' then 'site'... ls in here gives:

ahadley · n00b Joined: 08 Jan 2004 Posts: 45 Location: UK

on closer inspection a load more stuff in here:

j-m · Retired Dev Joined: 31 Oct 2004 Posts: 975

ahadley · n00b Joined: 08 Jan 2004 Posts: 45 Location: UK

is there a less harsh solution... I dont have physical access as it is a server with a hosting company (though I have root access and the like)...

I can delete the whole '...' directory but how did they get in in the first place?

I do use distcc with a compile farm... and am concerned that this could have been compromised.
_________________
Common sense is the collection of prejudices acquired by age eighteen.
Albert Einstein

z3ro · Apprentice Joined: 16 Jun 2004 Posts: 261

j-m · Retired Dev Joined: 31 Oct 2004 Posts: 975

z3ro · Apprentice Joined: 16 Jun 2004 Posts: 261

z3ro · Apprentice Joined: 16 Jun 2004 Posts: 261

ahadley · n00b Joined: 08 Jan 2004 Posts: 45 Location: UK

I will inform the hosting company (the compile farm is theres), and will back up and reinstall - a real pain but you lot are, of course, right... how could i trust it again!

The ssh passwords are very strong, so shouldnt be an issue. Need to work out what, if any passwords are hardcoded into config files I guess.

This is depressing! With IP tables, is there any reason why I need anything but 80, 110, 25, 22 and 21 open to non localhost? (those numbers are off the top of my head but are supposed to be www, pop, smtp, ssh, ftp)

As I say, very irritating - do people not have better things to do!

Thanks for all the REALLY fast replies and suggestions!
Alex
_________________
Common sense is the collection of prejudices acquired by age eighteen.
Albert Einstein

ahadley · n00b Joined: 08 Jan 2004 Posts: 45 Location: UK

just to let you guys know, i have decided to shut the machine down now and call the company tomorrow to let them know and come to a solution! (as it is sunday so they are not open).

Thanks again, and i guess I will be a little slower and more calculated in setting it up this time.

Alex
_________________
Common sense is the collection of prejudices acquired by age eighteen.
Albert Einstein

z3ro · Apprentice Joined: 16 Jun 2004 Posts: 261

j-m · Retired Dev Joined: 31 Oct 2004 Posts: 975

A few suggestions:

1. Disable SSHv1 if you have not done so yet.

2. Move SSH to another port (like 222, 2222) - this will stop script kiddies.

3. Disable root logons via SSH.

4. Disable password authentication, use keys and passphrases.

5. Limit logins via SSH to trusted IP addresses (use iptables) and trusted users only (if possible).

6. Emerge rkhunter and create MD5 checksums for the fresh install.

7. Use glsa-check regularly.

8. Use logwatch or similar tools.

Some relevant setting in /etc/ssh/sshd_config: