machine hacked ...

[albertux]

hi friends, i have a problem at the time of entering the machine remotly with ssh ex.:

:~# ssh username@www.domain.cl

it appears the following error

:~# ssh_exchange_identification: Connection closed by remote host

I approached the machine to see what happened physically, and it surprised to me
that it could not either enter from the same machine, what it makes me think that they did
to crack to /etc/shadow and /etc/passwd files.

the problem is how entering to the machine because i not have the root user or another one ...

please i need help because this machine is a production server, with to much email account's and resellers, etc ....

ahhh.. the email accounts don't work, the reseller account either...

thank

i dont know resolve the problem .... the machine is a Gnu/Linux Debian 4.0 with all updates and ispconfig 2.2.14 like only resource...

[mlz]

Boot into single user mode, which automatically puts you in as root, then set your password with the passwd command.

[ebal]

you can always use a live cd
and then mount / chroot to your linux partition

but keep close a live cd (always helpful)

[albertux]

ok, but the problem is that two users only exist the root and ispconfig that they can modify this files, then can i to control the ispconfig user so that it does not have east permission???,

[till]

The ISPConfig user (admispconfig) can not modify /etc/passwd and I dont think that your server has been hacked through ISPConfig. You should use a rescue cd to start the server, mount the harddisk and have a look at /etc/passwd and /etc/shadow and check if the yare correupted, also check the syslog and auth.log what caused your SSH connection to fail. There are may other possible reasons, e.g. a full harddisk partition that has the same symptoms that you described.

[albertux]

it already fixes the problem, in any case what they did it was to modify the shadow, password, gshadow and group files, for that reason I think that it can have been through ispconfig server, because no other user has the possibility of modifying these files.

The other errors that appeared they were by the same problem, i solved the problem entering in single mode, and replacing the archives modified with those of backups old files, but now it appears in the name of session, to initiate the session in ssh for example, a messages as :

I have no name!@machinename:~$

I did not solve this problem yet ...

well my friend i will continue analyzing this and other problems and i'm writing them ... thank you for all the answers ...

greetings
albertux

[albertux]

the problem of ihavenoname! it was simple question of permissions to the files

grettings to all

[till]

Good to know that and thanks for reporting that back

[teveo1]

That is some coincidence... I had EXACTLY THE SAME HAPPEN 15TH OCTOBER...

I am now sitting and installing fedora core 6 and installing Pleask.. sorry but I need to feel safer..

I set up a catchall email on one of the webs, after the catchall was set NONE of my passwords worked.. could not ssh into it.. would not accept root user single mode... nothing nada... 120 km drive, get the box .. install FC6 ..

Too much of a coincidence? Could there be a problem with ispconfig security here?

[till]

There is no known problem with ISPConfig security. If you claim that there is a security problem, you should proove this and provide a bit more info.

Did you had a look at the logfiles and /etc/passwd and /etc/shadow?

And by the way, you forgot how many ISPConfig installations are out there. If 2 installations of several ten thousand have the same issue, it is statistical just a coincidence.