#1  
Old 22nd November 2010, 15:03
QPRWinst QPRWinst is offline
Default hacked?

Afternoon all

After a week off work, came in this morning and discovered that the administrator password had been changed on my server.

As I'm the only one with any Linux knowledge, this is a bit worrying.

What I would like to know is what logs should I examine and where are they found?

My setup is based on the perfect Ubuntu server 10.04.

Cheers
  #2  
Old 23rd November 2010, 15:59
falko falko is offline

Do you have fail2ban installed? If not, I strongly recommend installing it.

Also, please run chkrootkit and/or rkhunter to find out if there's malware installed on your computer.
__________________
Falko
  #3  
Old 24th November 2010, 12:34
QPRWinst QPRWinst is offline

Hiya

Yes, fail2ban is installed, and chkrootkit reported all good. rkhunter came back with warnings but they all look good.

Where would I find an FTP or SSH log? If I was hacked, that would be the access point, I think. (I have disabled WAN access, allowing local access for now.)
  #4  
Old 25th November 2010, 14:15
falko falko is offline

The logs are in the /var/log/ directory.
  #5  
Old 26th November 2010, 12:02
QPRWinst QPRWinst is offline

Thanks for that.

Have looked through a load of logs but I can't find anything. Can't even find my own SSH logins?

Found a load of pureftpd log entries and all attempted connections were closed within the same second, but where do I find the SSH logins? If you could give me a file name to look for, it would be appreciated.

Cheers
  #6  
Old 26th November 2010, 13:28
damir damir is offline

SSH sometimes logs to /var/log/auth.log
  #7  
Old 27th November 2010, 07:49
lqman lqman is offline

I often check my "generic" log files
Quote:
/var/log/syslog
/var/log/messages
and "service-based" log files
Quote:
/var/log/mail.log
/var/log/daemon.log
especially this one
Quote:
tail -f /var/log/auth.log
Failed login to your host
Code:
cat /var/log/auth.log | grep Failed
Successful login to your host
Code:
cat /var/log/auth.log | grep Accept
You will be surprised by the brute-force attacks.
__________________
Be Polite, Don't Be r00t
http://lqman.wordpress.com
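
The grep commands above list every matching line; this added example (not part of the original posts) groups the same sshd entries so that a successful login from an address that also produced failed attempts stands out. The function names and the sample log lines are constructed for illustration and assume the usual OpenSSH syslog message format.

```shell
#!/bin/sh
# Added example: summarize sshd entries from auth.log-style input.
# Function names and the sample lines are assumptions of this example.

# Constructed sample lines (documentation IP ranges, made-up host and users).
sample_log() {
cat <<'EOF'
Nov 20 03:14:07 server1 sshd[2211]: Failed password for root from 203.0.113.7 port 40112 ssh2
Nov 20 03:14:09 server1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Nov 20 03:14:12 server1 sshd[2213]: Failed password for root from 203.0.113.7 port 40115 ssh2
Nov 20 03:15:30 server1 sshd[2250]: Accepted password for root from 203.0.113.7 port 40200 ssh2
Nov 22 08:58:12 server1 sshd[3100]: Accepted publickey for admin1 from 192.0.2.10 port 51515 ssh2
Nov 22 09:10:40 server1 sshd[3120]: Accepted publickey for admin1 from 192.0.2.10 port 51600 ssh2
EOF
}

# Print "count user ip method" for each distinct successful SSH login.
# Reads the files given as arguments, or stdin when none are given.
ssh_accepted() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++) {
            if ($i == "Accepted") method = $(i + 1)
            if ($i == "from") { user = $(i - 1); ip = $(i + 1) }
        }
        seen[user " " ip " " method]++
    }
    END { for (k in seen) print seen[k], k }' "$@" | sort -k1,1nr -k2
}

# Print "ip failures user" for each accepted login that was preceded by
# at least MIN failed password attempts from the same address.
ssh_suspect() {
    min=$1; shift
    awk -v min="$min" '
    /sshd\[[0-9]+\]: Failed password / {
        for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
    }
    /sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++) if ($i == "from") { user = $(i - 1); ip = $(i + 1) }
        if (fails[ip] >= min && !((ip, user) in hit)) {
            hit[ip, user] = 1
            print ip, fails[ip], user
        }
    }' "$@"
}

# Stand-alone demo on the constructed sample.
sample_log | ssh_suspect 2
```

On a real host the functions take file names, for example `ssh_suspect 5 /var/log/auth.log.1 /var/log/auth.log`, oldest file first so failures are counted before the login they precede. After a week away, the relevant entries may already sit in rotated files next to auth.log.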
  #8  
Old 27th November 2010, 10:02
sjau sjau is offline

If you're unsure whether you got hacked, then you have to set up the machine again. You can't trust anything on there anymore.
__________________
"Common sense is not as common as commonly believed" by sjau
