HACKED - what can they really do?

Discussion in 'Server Operation' started by craig baker, Jul 16, 2008.

  1. craig baker

    craig baker Member HowtoForge Supporter

    Apparently someone used the admin directory of an osCommerce install to use file_manager and upload and run error.php, which turns out to be webadmin.php, and they were able to view /etc/passwd!

    Apart from blocking the IP address, and maybe changing passwords, what real damage could they do?
    They now know user account names, but /etc/shadow was not accessed.

    There were both GETs and POSTs in the httpd access logs, so I'm not sure what they did in the POSTs, of course. But doing a GET on view?file=/etc/passwd is obviously concerning.

    What's your advice?
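Triage of the access log described in this post, as an added example that is not part of the thread. The log lines are constructed for illustration (Apache "combined" format, one attacker IP, a file_manager upload, the dropped error.php being run and reading /etc/passwd); point the functions at the real access_log instead. It separates the GETs, whose URIs show what was read, from the POSTs, whose bodies the access log never records:

```shell
#!/bin/sh
# Added example (not from the thread). Pull the file_manager / webadmin.php
# activity out of an Apache combined-format access log.
# Constructed sample log; on a real server pass /var/log/httpd/access_log
# (or wherever the vhost logs) to the functions instead.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
198.51.100.20 - - [16/Jul/2008:03:10:44 +0000] "GET /index.php HTTP/1.1" 200 20211 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jul/2008:03:12:01 +0000] "GET /admin/file_manager.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [16/Jul/2008:03:12:09 +0000] "POST /admin/file_manager.php?action=processsave HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.7 - - [16/Jul/2008:03:12:15 +0000] "GET /admin/error.php HTTP/1.1" 200 8891 "-" "Mozilla/4.0"
203.0.113.7 - - [16/Jul/2008:03:12:30 +0000] "GET /admin/error.php?view&file=/etc/passwd HTTP/1.1" 200 1714 "-" "Mozilla/4.0"
203.0.113.7 - - [16/Jul/2008:03:13:02 +0000] "POST /admin/error.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.20 - - [16/Jul/2008:03:14:10 +0000] "GET /product_info.php?products_id=3 HTTP/1.1" 200 18002 "-" "Mozilla/5.0"
EOF

# One line per request to the file manager or the dropped script:
# "<client ip> <method> <uri>". Splitting on '"' makes $2 the request
# line; the client IP is the first whitespace-separated field of the record.
suspicious_requests() {
    awk -F'"' '
        $2 ~ /(file_manager\.php|error\.php|webadmin\.php)/ {
            split($2, req, " ")
            split($0, rec, " ")
            print rec[1], req[1], req[2]
        }' "$1"
}

# Distinct client IPs behind those requests: the block list for the firewall.
attacker_ips() {
    suspicious_requests "$1" | awk '{ print $1 }' | sort -u
}

# POSTs are the upload / edit / command submissions whose bodies are not
# logged, so each one means "check what changed on disk around this time".
count_posts() {
    suspicious_requests "$1" | awk '$2 == "POST"' | wc -l | tr -d ' '
}

# GETs whose query string reads a file under /etc through the web shell.
file_reads() {
    suspicious_requests "$1" | awk '$3 ~ /file=\/etc\//'
}

echo "attacker IPs:";   attacker_ips "$LOG"
echo "POSTs: $(count_posts "$LOG")"
echo "files read:";     file_reads "$LOG"
```

The POST timestamps are the useful part: compare the document root against a file that predates the first POST (`find /path/to/htdocs -newer /path/to/reference`) to find what the file_manager wrote, since the access log alone cannot show it. Note that AllowUsers in sshd_config (discussed further down) does nothing for this vector; it only limits SSH/SFTP accounts.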
  2. falko

    falko Super Moderator ISPConfig Developer

    Knowing the usernames makes it easier to try brute-force attacks because now attackers don't have to guess usernames anymore. If your users have weak passwords I'd change them to something more secure immediately.
  3. craig baker

    craig baker Member HowtoForge Supporter

    This I knew.

    Brute-force attacks I'm already aware of. Can I limit SSL logins to only certain accounts? They've been trying to guess passwords for FTP accounts already.
    They can't get at /etc/shadow, so they can't get the encrypted passwords.

  4. ralic

    ralic New Member

    Yes, edit your sshd_config file.
    Use the AllowUsers directive to specify the accounts you want to allow SSH.

    e.g. (add to the bottom of the file if not already present)
    AllowUsers user1 user2 user3

    Don't forget to restart the sshd service.

    You might also want to look into something like fail2ban with permanent bans and low retry values to delay their attacks and give you time to assess the situation further.
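The sshd_config change above, scripted so it can be re-run without leaving duplicate directives; this is an added example, not code from the thread. It works on a constructed copy of sshd_config in a temp file; the usernames "craig" and "deploy" are placeholders:

```shell
#!/bin/sh
# Added example (not from the thread): pin sshd's AllowUsers list.
# Constructed sample config; on the real box pass /etc/ssh/sshd_config.
CFG=$(mktemp)
printf 'Port 22\nAllowUsers olduser\nPermitRootLogin no\n' > "$CFG"

# Ensure exactly one AllowUsers line naming exactly the given accounts.
# Existing AllowUsers lines are dropped first: sshd accumulates every
# AllowUsers directive it sees, so a stale line would widen the list.
# $1 is the config file, the remaining arguments are the usernames.
set_allow_users() {
    cfg=$1; shift
    [ $# -gt 0 ] || { echo "refusing to write an empty AllowUsers list" >&2; return 1; }
    tmp=$(mktemp)
    grep -v -E '^[[:space:]]*AllowUsers[[:space:]]' "$cfg" > "$tmp" || true
    printf 'AllowUsers %s\n' "$*" >> "$tmp"
    cat "$tmp" > "$cfg"      # write through, so owner and mode stay as they were
    rm -f "$tmp"
}

# Read the effective list back, for checking before the restart.
allowed_users() {
    awk '$1 == "AllowUsers" { $1 = ""; sub(/^ /, ""); print }' "$1"
}

set_allow_users "$CFG" craig deploy
echo "AllowUsers now: $(allowed_users "$CFG")"
# On the real config, validate before restarting so a typo cannot lock you out:
#   sshd -t && service sshd restart   (keep the current session open until a
#   second login with one of the listed accounts succeeds)
```

An empty list is refused because `AllowUsers` with no names would lock everyone out. This only governs sshd; the FTP daemon mentioned earlier has its own account controls, and fail2ban jails are the place to cut the FTP guessing short (a low `maxretry` and a long `bantime` in the relevant jail).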
