#1
11th October 2007, 18:22
albertux
Member
Join Date: Sep 2006
Location: Chile
Posts: 90

machine hacked ...

Hi friends, I have a problem when entering the machine remotely with ssh, e.g.:

:~# ssh username@www.domain.cl

The following error appears:

:~# ssh_exchange_identification: Connection closed by remote host

I went to the machine to see what had happened physically, and it surprised me
that I could not log in from the machine itself either, which makes me think that they
cracked the /etc/shadow and /etc/passwd files.

The problem is how to get into the machine, because I don't have the root user or any other one ...

Please, I need help because this machine is a production server, with too many email accounts and resellers, etc ....

Ahhh.. the email accounts don't work, and neither do the reseller accounts...

Thanks

I don't know how to resolve the problem .... The machine is a GNU/Linux Debian 4.0 with all updates and ISPConfig 2.2.14 as the only resource...

Last edited by albertux; 11th October 2007 at 18:41.

#2
11th October 2007, 19:56
mlz
Senior Member
Join Date: Dec 2006
Posts: 189

Boot into single user mode, which automatically puts you in as root, then set your password with the passwd command.

#3
11th October 2007, 20:48
ebal
Member
Join Date: Aug 2007
Posts: 36

You can always use a live CD
and then mount / chroot to your Linux partition.

But keep a live CD close (always helpful).

http://ebalaskas.gr/wiki
#4
11th October 2007, 21:01
albertux
Member
Join Date: Sep 2006
Location: Chile
Posts: 90

Ok, but the problem is that only two users exist, root and ispconfig, that can modify these files. So can I control the ispconfig user so that it does not have this permission???

#5
12th October 2007, 11:00
till
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,413

The ISPConfig user (admispconfig) can not modify /etc/passwd and I don't think that your server has been hacked through ISPConfig. You should use a rescue CD to start the server, mount the harddisk and have a look at /etc/passwd and /etc/shadow and check if they are corrupted; also check the syslog and auth.log for what caused your SSH connection to fail. There are many other possible reasons, e.g. a full harddisk partition that has the same symptoms that you described.

Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

#6
12th October 2007, 15:44
albertux
Member
Join Date: Sep 2006
Location: Chile
Posts: 90

It has already fixed the problem. In any case, what they did was modify the shadow, password, gshadow and group files, and for that reason I think that it could have been through the ISPConfig server, because no other user has the possibility of modifying these files.

The other errors that appeared were caused by the same problem. I solved the problem by entering single mode and replacing the modified files with old files from backups, but now, in the session name when starting a session over ssh for example, a message appears such as:

I have no name!@machinename:~$

I have not solved this problem yet ...

Well my friends, I will continue analyzing this and the other problems and will write about them ... thank you for all the answers ...

greetings
albertux

#7
16th October 2007, 16:51
albertux
Member
Join Date: Sep 2006
Location: Chile
Posts: 90

The problem of "I have no name!" was a simple question of permissions on the files.

Greetings to all
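A defender-side check that does what the two posts above describe: verify the modes and ownership of the four account files and sanity-check the passwd file for tampering (extra uid-0 accounts, empty password fields, malformed lines). This is an added example, not code from the thread or from ISPConfig; it assumes a stock Debian layout and runs over a constructed sample directory rather than a live /etc.

```python
import os
import stat
import tempfile

# Expected modes on Debian (assumption: stock Debian 4.0 layout). A wrong mode is
# one cause of the "I have no name!" prompt: if the login process cannot read
# /etc/passwd, getpwuid() fails and the shell has no user name to print.
EXPECTED_MODES = {"passwd": 0o644, "group": 0o644, "shadow": 0o640, "gshadow": 0o640}

def check_account_files(etc_dir, owner_uid=0):
    # Returns a list of findings for the four account files under etc_dir.
    findings = []
    for name, want in EXPECTED_MODES.items():
        path = os.path.join(etc_dir, name)
        if not os.path.exists(path):
            findings.append(f"{name}: missing")
            continue
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if mode != want:
            findings.append(f"{name}: mode {mode:04o}, expected {want:04o}")
        if st.st_uid != owner_uid:
            findings.append(f"{name}: owner uid {st.st_uid}, expected {owner_uid}")
    return findings + check_passwd_format(os.path.join(etc_dir, "passwd"))

def check_passwd_format(passwd_path):
    """Flag malformed lines, extra uid-0 accounts and empty password fields."""
    findings = []
    if not os.path.exists(passwd_path):
        return findings
    with open(passwd_path, encoding="utf-8", errors="replace") as fh:
        for n, f in enumerate((l.split(":") for l in fh.read().splitlines()), 1):
            if len(f) != 7:
                findings.append(f"passwd line {n}: {len(f)} field(s), expected 7")
            elif f[2] == "0" and f[0] != "root":
                findings.append(f"passwd line {n}: extra uid-0 account {f[0]!r}")
            elif f[1] == "":
                findings.append(f"passwd line {n}: empty password field for {f[0]!r}")
    return findings

def demo():
    # Constructed sample /etc in a temp dir (not a real system); shadow is deliberately 0644.
    d = tempfile.mkdtemp()
    sample = {"passwd": "root:x:0:0:root:/root:/bin/bash\ntoor:x:0:0::/:/bin/sh\n"
                        "backup::34:34:backup:/var/backups:/bin/sh\nbroken\n",
              "group": "root:x:0:\n", "shadow": "root:*:13000:0:99999:7:::\n", "gshadow": "root:*::\n"}
    for name, text in sample.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(text)
        os.chmod(os.path.join(d, name), 0o644 if name == "shadow" else EXPECTED_MODES[name])
    return check_account_files(d, owner_uid=os.getuid())
```

On a real rescue-CD session, call `check_account_files("/mnt/etc")` against the mounted root filesystem with the default `owner_uid=0`.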

#8
16th October 2007, 16:56
till
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,413

Good to know that, and thanks for reporting that back.

#9
16th October 2007, 21:59
teveo1
Junior Member
Join Date: Mar 2007
Posts: 13

That is some coincidence... I had EXACTLY THE SAME HAPPEN 15TH OCTOBER...

I am now sitting and installing Fedora Core 6 and installing Plesk.. sorry but I need to feel safer..

I set up a catchall email on one of the webs, after the catchall was set NONE of my passwords worked.. could not ssh into it.. would not accept root user single mode... nothing nada... 120 km drive, get the box .. install FC6 ..

Too much of a coincidence? Could there be a problem with ispconfig security here?

#10
16th October 2007, 22:12
till
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,413

There is no known problem with ISPConfig security. If you claim that there is a security problem, you should prove this and provide a bit more info.

Did you have a look at the logfiles and /etc/passwd and /etc/shadow?

And by the way, you forget how many ISPConfig installations are out there. If 2 installations out of several tens of thousands have the same issue, it is statistically just a coincidence.
All times are GMT +2. The time now is 12:04.