Ubuntu server hacked. Recovering
I was cyber-attacked by someone from China and they managed to install Yam (crypto mining) on my Ubuntu 14.04 server.
I managed to close their ssh access through the public IP, and I have remedied the damage they did, except for two things that still have me confused.
1- I cannot edit /etc/rc.local as root. They have a script in there to adduser 'setup' with root permissions. I can't edit the script although it is owned by root and has the permission; I get permission denied. I can edit other files, so the filesystem is not read-only.
2- Every time I log in via ssh, I get the welcome message, then "You have mail" followed by a huge number of permission denied errors like this:
You have mail.
find: `/var/log/speech-dispatcher': Permission denied
find: `/var/log/samba/cores': Permission denied
-bash: /var/log/Xorg.1.log.old: Permission denied
-bash: /var/log/apache2/error.log.43.gz: Permission denied
-bash: /var/log/apache2/error.log.14.gz: Permission denied
-bash: /var/log/apache2/access.log.44.gz: Permission denied
-bash: /var/log/apache2/error.log.13.gz: Permission denied
-bash: /var/log/apache2/crm65.com-access_log: Permission denied
-bash: /var/log/apache2/access.log.9.gz: Permission denied
-bash: /var/log/apache2/error.log.36.gz: Permission denied
-bash: /var/log/apache2/error.log.16.gz: Permission denied
-bash: /var/log/apache2/error.log.11.gz: Permission denied
-bash: /var/log/apache2/testcrm-error.log: Permission denied
-bash: /var/log/apache2/error.log.46.gz: Permission denied
-bash: /var/log/apache2/error.log.18.gz: Permission denied
-bash: /var/log/apache2/access.log.45.gz: Permission denied
-bash: /var/log/apache2/access.log.34.gz: Permission denied
-bash: /var/log/apache2/vtigercrm-access.log: Permission denied
.
.
It basically goes through the whole /var/log directory.
I am not sure what is happening there.
ANY help is appreciated!
14.04 ssh hacking
Related I think I've been hacked, what can I do? and from there How do I deal with a compromised server? over on Server Fault.
– PerlDuck
10 hours ago
asked 10 hours ago
SamSam
1 Answer
rc.local was set to immutable by the hacker.
I used chattr to change the file attributes and was able to edit it.
As for the permission denied errors upon login, the hacker inserted lines into the motd scripts to delete log files to hide any trace of his yam program. Removing those lines resolved the problem.
I hope that helps anyone with a similar problem.
I recommend you edit your ssh/iptables to allow only certain IPs to log in via ssh to avoid such problems; I learned the hard way.
edited 3 hours ago
answered 4 hours ago
SamSam
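An added triage script, not code from the question or the answer above, that checks for both findings in this thread: the immutable attribute that makes a root-owned file unwritable even for root (visible with lsattr, invisible to ls -l), and lines injected into login-time scripts that wipe /var/log, add accounts or set attributes. The paths are the stock Ubuntu 14.04 ones; the grep pattern and the sample motd part (written to a temp dir and labelled as constructed) are this example's own. One caveat the script builds in: an error prefixed "-bash:" is printed by the login shell itself, so the shell startup files (/etc/profile, /etc/profile.d/*, /etc/bash.bashrc, ~/.bashrc, ~/.profile) are scanned alongside /etc/update-motd.d and /etc/rc.local.

```shell
#!/bin/sh
# Added example (not from the original post). Two checks for the findings in
# the thread: an immutable ext attribute on a root-owned file, and lines that
# wipe logs or add users, injected into scripts that run at SSH login.
# Paths are stock Ubuntu 14.04 paths; the sample script below is constructed.

# Print "<flags> <path>" if PATH carries the immutable (i) or append-only (a)
# attribute. Such a file gives "permission denied" even to root; lsattr shows
# it, ls -l does not. Clearing it is `chattr -i PATH`.
check_attrs() {
    flags=$(lsattr -d -- "$1" 2>/dev/null | awk '{print $1}')
    case "$flags" in
        *i*|*a*) printf '%s %s\n' "$flags" "$1" ;;
    esac
}

# Print numbered lines of FILE that touch logs, accounts or file attributes.
# The pattern is deliberately broad; a human reviews the hits.
scan_file() {
    grep -nE '/var/log|adduser|useradd|usermod|chattr|bash_history' -- "$1" 2>/dev/null
}

# Number of hits in FILE (0 when the file is clean or missing).
count_hits() {
    n=$(scan_file "$1" | wc -l | tr -d ' ')
    printf '%s\n' "$n"
}

# Scan every script that runs at an SSH login: update-motd.d parts plus the
# shell startup files. An error prefixed "-bash:" means the login shell itself
# ran the line, so the startup files matter as much as the motd parts.
scan_login_scripts() {
    for f in /etc/rc.local /etc/update-motd.d/* /etc/profile /etc/profile.d/* \
             /etc/bash.bashrc "$HOME/.bashrc" "$HOME/.profile"; do
        [ -f "$f" ] || continue
        check_attrs "$f"
        scan_file "$f" | sed "s|^|$f:|"
    done
}

# Constructed sample: a motd part with two injected lines of the kind the
# answer describes, written to a temp dir so the checks can be tried offline.
# The stock content of the real 50-landscape-sysinfo is not reproduced here.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/50-landscape-sysinfo" <<'EOF'
#!/bin/sh
printf 'Welcome\n'
for f in $(find /var/log -type f); do > "$f"; done
chattr +i /etc/rc.local
EOF
    printf '%s\n' "$dir/50-landscape-sysinfo"
}

if [ "${1:-}" = "--demo" ]; then
    # Run the scanner over the constructed sample only.
    sample=$(make_sample)
    scan_file "$sample"
    rm -rf "$(dirname "$sample")"
else
    # Scan this machine's login-time scripts.
    scan_login_scripts
fi
```

Run `sh triage.sh --demo` to see the two injected lines flagged in the constructed sample (the `find /var/log ... > "$f"` loop is exactly the shape that yields the `find:` and `-bash: /var/log/...: Permission denied` pairs shown in the question), and `sh triage.sh` as root to scan the real login scripts. Any hit from check_attrs on /etc/rc.local or a startup file is the immutable-flag case from the question.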