Help! Server hacked, root renamed
Posted: Fri Dec 23, 2016 7:59 pm
My server was hacked, probably within the last 10 days.
The hacker logged in from an IP owned by Digital Ocean -- which I have reported to them with logs.
https://twitter.com/Superhit_in/status/ ... 4782523392
1. the hacker somehow entered my server
2. changed just the 'root' user name to something else in the /etc/passwd file, as well as changed its password.
3. added an account on the server
I think that's it..
I saw it in the 'last' command
and root's history file
===========
What I did to recover
1. I did a rescue boot from the VPS's admin panel -- with emergency root access
2. changed the 1st user name in /etc/passwd back to root
3. rebooted the VPS and it worked
4. changed all account passwords from VestaCP, with no login
Then I did a maldet scan and found a couple of threatening files, which I deleted immediately.
One of the files uploaded by the hacker I copied to pastebin at http://pastebin.com/ddeQS8wD
** There are 2 lines of base64-encoded code in the file, BUT I'm not sure of the intention of this.
Can someone experienced please look and elaborate on this?
ALSO, please suggest possible locations where the hacker may have left a backdoor?
ssh keys, etc.
I want to refresh all ssh keys / expire all keys, if there is a way.
regards
Bg
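The post asks where an intruder who edited /etc/passwd might have left persistence and how to review SSH keys before rotating them. The following POSIX shell functions are an added example, not code from the original post or from the forum's project: they flag every UID-0 account that is not named root (which covers both the renamed root and any added root-equivalent account) and enumerate authorized_keys files with their key counts so each key can be checked against a known list. The passwd contents, home directories and key lines in `make_sample` are constructed test data; on a real host you would point the same functions at /etc/passwd, /root and /home.

```shell
#!/bin/sh
# Added example: audit a passwd file for UID-0 accounts and list SSH
# authorized_keys files. Paths are parameters so the checks can be run
# against a constructed sample tree as well as the live system.

# Print every UID-0 account as "name:home:shell".
# A healthy system yields exactly one line, for root.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 ":" $6 ":" $7 }' "$1"
}

# Print UID-0 account names that are not "root": a renamed root or an
# added root-equivalent account, the two changes the post describes.
suspicious_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Exit 0 when an account literally named root with UID 0 exists, else 1.
root_present() {
    awk -F: '$1 == "root" && $3 == 0 { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# Enumerate authorized_keys files below a directory of home directories
# and print "path:keycount", counting lines that start with a key type.
list_authorized_keys() {
    find "$1" -path '*/.ssh/authorized_keys' -type f 2>/dev/null | sort |
    while read -r f; do
        n=$(grep -c -E '^(ssh-|ecdsa-|sk-)' "$f" || true)
        echo "$f:$n"
    done
}

# Build a constructed sample tree (passwd file plus two home directories)
# and print its path. Values are invented for the example: "toor" stands
# for the renamed root and "sys0" for an added UID-0 account.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/home/alice/.ssh" "$d/home/bob"
    cat > "$d/etc/passwd" <<'EOF'
toor:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sys0:x:0:0::/var/tmp/.x:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/bin/bash
EOF
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAconstructed alice@laptop\n' \
        > "$d/home/alice/.ssh/authorized_keys"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAAconstructed alice@desktop\n' \
        >> "$d/home/alice/.ssh/authorized_keys"
    echo "$d"
}

# Run the checks against the sample tree and print the findings.
demo() {
    d=$(make_sample)
    echo "UID-0 accounts:";      uid0_accounts "$d/etc/passwd"
    echo "Suspicious UID-0:";    suspicious_uid0 "$d/etc/passwd"
    root_present "$d/etc/passwd" && echo "root present" || echo "root MISSING"
    echo "authorized_keys files:"; list_authorized_keys "$d/home"
    rm -rf "$d"
}
```

Source the file and call `demo` to see it run on the sample, or call `suspicious_uid0 /etc/passwd` and `list_authorized_keys /home` directly. Any key you do not recognise in the listed files, and any UID-0 name other than root, is what to remove before rotating the remaining keys; comparing the output against a copy taken from a known-good backup makes the diff obvious.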