HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

machine hacked ... (http://www.howtoforge.com/forums/showthread.php?t=16164)

albertux 11th October 2007 18:22

machine hacked ...
 
Hi friends, I have a problem when entering the machine remotely with ssh, e.g.:

:~# ssh username@www.domain.cl

The following error appears:

:~# ssh_exchange_identification: Connection closed by remote host

I went to the machine physically to see what had happened, and to my surprise
I could not log in from the machine itself either, which makes me think that they
cracked the /etc/shadow and /etc/passwd files.

The problem is how to get into the machine, because I do not have the root user or any other one ...

Please, I need help because this machine is a production server, with many email accounts and resellers, etc. ....

Ahh.. the email accounts don't work, and neither does the reseller account...

Thanks

I don't know how to resolve the problem .... The machine is a GNU/Linux Debian 4.0 with all updates and ISPConfig 2.2.14 as its only resource...

mlz 11th October 2007 19:56

Boot into single-user mode, which automatically logs you in as root, then set your password with the passwd command.

ebal 11th October 2007 20:48

You can always use a live CD,
and then mount and chroot into your Linux partition.

But keep a live CD close by (always helpful).

albertux 11th October 2007 21:01

OK, but the problem is that only two users exist, root and ispconfig, that can modify these files. So can I control the ispconfig user so that it does not have this permission???

till 12th October 2007 11:00

The ISPConfig user (admispconfig) can not modify /etc/passwd and I don't think that your server has been hacked through ISPConfig. You should use a rescue CD to start the server, mount the hard disk and have a look at /etc/passwd and /etc/shadow and check if they are corrupted; also check the syslog and auth.log to see what caused your SSH connection to fail. There are many other possible reasons, e.g. a full hard disk partition, that have the same symptoms that you described.
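
An added example, not code from the thread or from ISPConfig, of the offline checks till describes: boot from a rescue CD, mount the disk, and inspect the account files without trusting the running system. The script assumes the mounted root is under /mnt, GNU coreutils (stat -c) and awk as on Debian, and uses constructed sample files rather than real data. The mode check also covers the "I have no name!" prompt mentioned later in the thread: it appears when /etc/passwd is no longer world-readable, so unprivileged processes cannot map their uid to a name.

```shell
#!/bin/sh
# Added example (not from the thread or ISPConfig): sanity checks for the
# account files of a server booted from a rescue CD, after mounting its root
# filesystem (assumed under /mnt). Assumes GNU coreutils (stat -c) and awk.

# audit_passwd FILE: flag malformed lines, extra uid-0 accounts and empty
# password fields (an empty second field means login without any password).
# Prints each finding; returns 1 if anything was found, 0 if the file is clean.
audit_passwd() {
    f="$1"; found=0
    awk -F: 'NF != 7 { print "malformed line " NR ": " $0 }' "$f" | grep . && found=1
    awk -F: 'NF == 7 && $3 == 0 && $1 != "root" { print "extra uid-0 account: " $1 }' "$f" | grep . && found=1
    awk -F: 'NF == 7 && $2 == "" { print "empty password field: " $1 }' "$f" | grep . && found=1
    return $found
}

# audit_shadow FILE: 9 fields per line; an empty hash field is a passwordless
# account. Same return convention as audit_passwd.
audit_shadow() {
    f="$1"; found=0
    awk -F: 'NF != 9 { print "malformed line " NR ": " $0 }' "$f" | grep . && found=1
    awk -F: 'NF == 9 && $2 == "" { print "passwordless account: " $1 }' "$f" | grep . && found=1
    return $found
}

# check_mode FILE MODE OWNER: /etc/passwd must stay world-readable (644, root)
# or unprivileged processes cannot map uids to names, which is exactly the
# "I have no name!" prompt. /etc/shadow should be 640 root (group shadow on Debian).
check_mode() {
    have=$(stat -c '%a %U' "$1")
    [ "$have" = "$2 $3" ] && return 0
    echo "$1: mode/owner is '$have', expected '$2 $3'"
    return 1
}

# make_samples: write constructed sample files (not real data) to a temp dir:
# one clean pair and one pair showing the kind of tampering discussed above.
make_samples() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\nadmispconfig:x:1001:1001::/home/admispconfig:/bin/sh\n' > "$d/passwd.good"
    printf 'root:x:0:0:root:/root:/bin/bash\nbackdoor::0:0::/:/bin/sh\nthis line is broken\n' > "$d/passwd.bad"
    printf 'root:$6$saltsalt$notarealhash:13800:0:99999:7:::\n' > "$d/shadow.good"
    printf 'root::13800:0:99999:7:::\n' > "$d/shadow.bad"
    chmod 644 "$d/passwd.good"
    chmod 600 "$d/passwd.bad"    # not world-readable: the "I have no name!" case
    echo "$d"
}

# Demonstration on the constructed samples. On the real box, point the checks
# at /mnt/etc/passwd and /mnt/etc/shadow; 'df -hP /mnt' covers the full-disk case.
d=$(make_samples)
for f in passwd.good passwd.bad; do
    if audit_passwd "$d/$f"; then echo "$f: clean"; else echo "$f: SUSPICIOUS"; fi
done
for f in shadow.good shadow.bad; do
    if audit_shadow "$d/$f"; then echo "$f: clean"; else echo "$f: SUSPICIOUS"; fi
done
check_mode "$d/passwd.bad" 644 "$(id -un)" || echo "(this is the 'I have no name!' condition)"
rm -rf "$d"
```

On a real rescue boot, run the audits against the mounted copies and then compare them with a known-good backup (diff) before restoring anything; the checks above catch the crude cases (extra uid-0 users, emptied hashes, broken lines, wrong modes) but not a carefully substituted hash for an existing account.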

albertux 12th October 2007 15:44

The problem is already fixed. In any case, what they did was to modify the shadow, password, gshadow and group files, and for that reason I think it could have been through the ISPConfig server, because no other user has the possibility of modifying these files.

The other errors that appeared were from the same problem. I solved it by entering single-user mode and replacing the modified files with old backup copies, but now when I start a session (in ssh for example) the session name shows a message like:

I have no name!@machinename:~$

I have not solved this problem yet ...

Well my friends, I will continue analyzing this and other problems and I will write them up ... thank you for all the answers ...

greetings
albertux

albertux 16th October 2007 16:51

The "I have no name!" problem was a simple question of permissions on the files :)

Greetings to all

till 16th October 2007 16:56

Good to know that and thanks for reporting that back :)

teveo1 16th October 2007 21:59

That is some coincidence... I had EXACTLY THE SAME HAPPEN ON THE 15TH OF OCTOBER...

I am now sitting and installing Fedora Core 6 and installing Plesk.. sorry, but I need to feel safer..

I set up a catchall email on one of the webs; after the catchall was set, NONE of my passwords worked.. could not ssh into it.. would not accept the root user in single-user mode... nothing, nada... 120 km drive, get the box .. install FC6 ..

Too much of a coincidence? Could there be a problem with ispconfig security here?

till 16th October 2007 22:12

There is no known problem with ISPConfig security. If you claim that there is a security problem, you should prove this and provide a bit more info.

Did you have a look at the logfiles and /etc/passwd and /etc/shadow?

And by the way, you forget how many ISPConfig installations are out there. If 2 installations out of several tens of thousands have the same issue, it is statistically just a coincidence.
