hacked via brute force sshd ?
Posted by simmer14, 05-05-2013, 06:18 AM |
Hello,
Someone is trying to hack my VPS via the sshd brute-force method. I noticed it when the attack started. I banned all the IPs and hosts via iptables, and I also changed the SSH default port, but last night I was not able to log in via SSH; I was getting a "password wrong" message. I was shocked.
In the logs I found out that the password was changed to chauthtok by pam_unix, and I was not able to change my root password via the VPS control panel or SSH.
Then I rebuilt the slice and changed the root password, and after a few minutes the root password got changed again by pam_unix to chauthtok.
No user logged in as root and no user was created or granted root permissions, but I'm very suspicious that the slice has been compromised.
|
Posted by Geekahost, 05-05-2013, 10:02 AM |
Is your root password good enough to begin with? You should set a good password and possibly move SSH to a different port to prevent this.
|
Posted by richardhay, 05-05-2013, 10:12 AM |
If the password was changed a second time after you rebuilt the slice, then you've been hacked and your system isn't secure. The _only_ safe thing to do at this point would be to reinstall your O/S and then rebuild your hosting content files/databases from backup. There simply isn't a way to know what all was done when the malicious user got into your system.
As an aside, this sounds a lot like a rootkit that was going around a few months ago. You can read more about the rootkit and how to test for it at the (extremely lengthy) thread here:
http://www.webhostingtalk.com/showthread.php?t=1235797
However, again, at this point, your only move would be to reinstall the O/S.
Richard
|
Posted by rocketsciense, 05-05-2013, 10:16 AM |
Hello,
Change your sshd port and this will stop the connections on the default port.
|
Posted by simmer14, 05-05-2013, 10:30 AM |
Guys, I changed the sshd port and even reinstalled the OS. Now I have requested the webhost to provide me a new slice.
|
Posted by Geekahost, 05-05-2013, 10:33 AM |
If by "slice" you mean a VPS, then reinstalling the OS is equivalent to having a "new slice".
|
Posted by Infinitnet, 05-05-2013, 10:37 AM |
To prevent this in the future, you should use something like fail2ban or CSF/LFD, or simply use another root password than "password123". If you include lower case, upper case, numbers and special chars, chances are more than low that anyone could brute-force it in a lifetime.
|
Posted by simmer14, 05-05-2013, 11:48 AM |
I reinstalled it. First I installed Debian, and then again CentOS 6; the result was the same. The host is saying that the main server is secure, so I had no other option. BTW, I just received my new VPS information; I will install fail2ban on it for sure.
Thanks for all the help, guys. I really appreciate it.
|
Posted by simmer14, 05-05-2013, 10:54 PM |
Guys, I'm in trouble again.
May 6 04:24:35 server1 passwd: pam_unix(passwd:chauthtok): password changed for root by ip 180.96.23.74
Guys, that IP is originating from China.
How did my new IP get there? Well, now I know how: I downloaded a torrent from a Chinese tracker, and my IP must have been disclosed by the torrent I was downloading.
Now I have rebuilt my VPS again, but the password keeps getting changed. He is hacking it 24/7. If I ban this IP, then the brute force will come from so many IPs. What should I do?
|
Posted by simmer14, 05-05-2013, 11:04 PM |
Looking at the log, it is an automated script, I guess.
|
Posted by WKDedi, 05-05-2013, 11:34 PM |
This raises a question: is it your server that is getting hacked by brute force, or is the PC you are using hacked?

Password length is more important than complexity. The longer it is, the longer it takes to hack it. Use a phrase for your password using numbers and letters (UPPER and lower) and include some symbols. If you suck at password creation you can use this link: http://www.pctools.com/guides/passwo.../download.html (also free). It keeps keyloggers from getting your username and password by not putting them on the clipboard, and it allows auto-fill, so you only need to remember one password instead of one for each login. The best part is that it has its own built-in customizable password generator. Just remember to back it up. Nothing to install, and it will run from a USB drive. Comes in a lot of OS flavors to choose from.

The reason they say to change your password every 45 days is so that, if the password hash file is stolen via a virus or other malware, they then hit this file until the password is revealed, by hashing words such as dictionary words and then comparing. This is becoming the more popular way. Brute force works but takes more time and energy, and in most cases is noticed. Password hash cracking is not noticed until they have cracked it and compromised your system. Hope this helps out. Getting hacked sucks!!
|
Posted by WKDedi, 05-05-2013, 11:44 PM |
Sorry, I forgot about the firewall. Make sure you have your firewall settings correct. Any port you don't need open, set it to deny/block. Deny/block will drop the traffic, while reject will reply back that the port is closed, so since they got a reply they keep hitting it.
|
Posted by simmer14, 05-06-2013, 12:44 AM |
I highly doubt that my system has been compromised, because everything is updated. Flash was never enabled, public Java applets were never run on my machine, and the only private Java applet which was run on this machine was the Webmin file manager Java applet.
I just scanned my machine in safe mode and regular mode with AVG Internet Security.
I never install anything cracked or anything like that; I will be shocked if my machine is compromised.
I think this attack is automated, running on many servers.
The current log is attached.
Bro, can you secure my VPS? I can PM you my VPS details. Please reply or PM me if you have free time.
Regards,
Sim
Attached Files: log.txt (103.3 KB)
|
Posted by simmer14, 05-06-2013, 12:49 AM |
Hello, I did not mean brute force, but I don't know what to call it. Failed attempts, maybe?
I can clearly see those IPs making failed attempts and succeeding after a few tries.
The problem is that this attack is running constantly on my VPS. Even when I rebuild and install Webmin and check the logs, I see the password change there. I have blocked those with CSF, but I'm still not sure. If anyone is willing to help, I can PM my VPS details to him.
|
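The sequence simmer14 describes (a handful of failed password attempts from one address, then a successful password login, then a pam_unix chauthtok password change) is easy to pull out of auth.log with awk. The script below is an added example, not code from the thread or from the poster's attached log.txt; the log lines in SAMPLE_AUTH_LOG are constructed in the stock sshd/pam_unix wording with RFC 5737 documentation addresses, and the ALERT/INFO labels are this script's own convention.

```shell
#!/bin/sh
# Added example: triage an auth.log / secure log for the sequence
# "failed password attempts -> accepted password -> root password changed".
# The sample is constructed (documentation addresses, stock message formats),
# not the thread's log.txt; the ALERT/INFO labels are this script's own.

SAMPLE_AUTH_LOG='May  6 04:24:01 server1 sshd[2101]: Failed password for root from 203.0.113.45 port 51022 ssh2
May  6 04:24:03 server1 sshd[2101]: Failed password for root from 203.0.113.45 port 51022 ssh2
May  6 04:24:05 server1 sshd[2101]: Failed password for root from 203.0.113.45 port 51022 ssh2
May  6 04:24:07 server1 sshd[2103]: Failed password for root from 203.0.113.45 port 51030 ssh2
May  6 04:24:09 server1 sshd[2103]: Accepted password for root from 203.0.113.45 port 51030 ssh2
May  6 04:24:35 server1 passwd[2110]: pam_unix(passwd:chauthtok): password changed for root
May  6 04:30:11 server1 sshd[2150]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
May  6 04:30:13 server1 sshd[2150]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
May  6 04:41:00 server1 sshd[2201]: Accepted publickey for deploy from 192.0.2.10 port 52000 ssh2'

# triage_auth_log: read log lines on stdin, print one finding per line.
#   ALERT password-guess-success  password login from an address that had
#                                 failed before (the guess-until-it-works pattern)
#   ALERT password-changed        any pam_unix chauthtok success, with its timestamp
#   INFO  password-login          password login with no prior failures
#   INFO  failed-attempts         per-address failure counts (summary at END)
# Key-based logins ("Accepted publickey") are deliberately left alone.
triage_auth_log() {
    awk '
    function field_after(word,    i) {       # the token following "word" on this line
        for (i = 1; i < NF; i++) if ($i == word) return $(i + 1)
        return ""
    }
    /sshd\[[0-9]+\]: Failed password for/ {
        fails[field_after("from")]++
        next
    }
    /sshd\[[0-9]+\]: Accepted password for/ {
        ip = field_after("from"); user = field_after("for")
        if ((ip in fails) && fails[ip] > 0)
            printf "ALERT password-guess-success ip=%s user=%s failures_before=%d\n", ip, user, fails[ip]
        else
            printf "INFO  password-login ip=%s user=%s\n", ip, user
        next
    }
    /pam_unix\(passwd:chauthtok\): password changed for/ {
        printf "ALERT password-changed user=%s at=%s %s %s\n", $NF, $1, $2, $3
        next
    }
    END {
        for (ip in fails) printf "INFO  failed-attempts ip=%s count=%d\n", ip, fails[ip]
    }'
}

# Run on the constructed sample. On a live box:
#   triage_auth_log < /var/log/auth.log    (Debian)
#   triage_auth_log < /var/log/secure      (CentOS)
printf '%s\n' "$SAMPLE_AUTH_LOG" | triage_auth_log
```

On the sample this flags 203.0.113.45 as a password-guess success after four failures and reports the root password change 26 seconds later; 198.51.100.7 only shows up in the failure summary. The point of the per-address correlation is that a "failures then Accepted password" pair from the same source is what distinguishes a guessed password from a legitimate login, which a plain grep for "Failed password" does not tell you.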
Posted by WKDedi, 05-06-2013, 01:08 AM |
I know a guy that is great at penetration issues and have forwarded him this link. Not sure if he is available now or not.
|
Posted by tuxandrew, 05-06-2013, 02:12 AM |
Hey,
Did you check what version of SSH was used?
Recently I faced a similar problem with older versions of OpenSSH; the password kept getting hacked every time, and it was revealed in a text file under the SSH folders. It was very difficult to get other clues regarding the attempt. Reinstalling SSH with one of the latest versions fixed the problem.
|
Posted by simmer14, 05-06-2013, 11:00 AM |
It's the latest version.
|
Posted by Geekahost, 05-06-2013, 05:52 PM |
So have you actually changed your root password to a more complex one?
|
Posted by simmer14, 05-07-2013, 12:31 AM |
Yes, I have. I sent the VPS details to WKDedi; now let's see what he says.
|
Posted by simmer14, 05-07-2013, 01:16 AM |
Guys, yesterday was my Core Java exam, so I was not able to come online.
As WKDedi told me to change the OS, I just installed Debian 6 64-bit, and I do not see anything with lastb.
|
Posted by RRWH, 05-07-2013, 01:55 AM |
Simple solution is to only allow SSH access from your IP and deny everything else - so even if someone gets the password, they cannot use it.
|
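RRWH's allow-list approach and WKDedi's earlier point about dropping rather than rejecting, as an added example that is not code from the thread: the function below emits an iptables-restore ruleset that accepts SSH only from the listed sources and DROPs every other packet to that port, so the scanner gets no reply at all. The port (2222), the documentation addresses and the log prefix are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset that
# admits SSH only from an allow-list (RRWH) and DROPs, never REJECTs, the rest
# (WKDedi). Port, addresses and log prefix below are assumed for the demo.

# ssh_firewall_rules PORT CIDR [CIDR ...]  -> ruleset on stdout, returns 1 on bad input
ssh_firewall_rules() {
    port=$1; shift
    case $port in
        ''|*[!0-9]*) echo "bad port: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2; return 1
    fi
    [ $# -ge 1 ] || { echo "need at least one allowed CIDR" >&2; return 1; }
    for cidr; do      # remaining arguments are the allowed sources
        printf '%s\n' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
            || { echo "bad CIDR: $cidr" >&2; return 1; }
    done

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
EOF
    # One ACCEPT per allowed source; anything else hitting the SSH port falls
    # through to a rate-limited LOG and then to DROP (no RST, no ICMP reply).
    for cidr; do
        printf '%s\n' "-A INPUT -p tcp -s $cidr --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m limit --limit 3/min -j LOG --log-prefix "ssh-denied: "
-A INPUT -p tcp --dport $port -j DROP
COMMIT
EOF
}

# Demo with documentation addresses. On a real host: save the output to a file,
# keep your current session open, and arm a rollback before loading it, e.g.
#   iptables-save > /root/iptables.before
#   (sleep 300; iptables-restore < /root/iptables.before) &
#   iptables-restore < rules.v4
# then open a second SSH session; kill the sleeping rollback only once it works.
ssh_firewall_rules 2222 203.0.113.0/24 198.51.100.7
```

The INPUT policy is DROP, so the explicit final DROP on the SSH port is there only to make the intent readable next to the LOG line. As Infinitnet notes further down, an allow-list like this is awkward from a dynamic address; the usual compromise is to list your ISP's range (or a jump host) rather than a single /32.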
Posted by tuxandrew, 05-07-2013, 03:03 AM |
Which Linux distribution are you using?
It would be better to upgrade OpenSSH to version 6 with the latest patch, if it is using a lesser one.
In most cases (on shared servers) the culprit is not an outsider trying to crack the root password; it would probably be an account/hacker who already gained access, probably with a script or some keys (maybe, not sure), doing this. The only way we can save the servers from this kind of hazard is by doing proactive audits once a week with the auditing software available, to ensure that the server is clean. It would be better to run server-wide malware scans every week. These kinds of auditing techniques will help us to find backdoors/malicious files/culprit scripts etc. hidden in the server.
|
Posted by Infinitnet, 05-07-2013, 03:24 AM |
This could get annoying with a dynamic IP, and the user wouldn't be able to connect from other locations or use rsync either. I think it would be easier to disable password-based logins completely and only use SSH keys.
|
Posted by brianoz, 05-07-2013, 07:39 AM |
As a couple of people are saying, this has to be someone with some form of access already to either your PC or your slice. This means they have compromised your PC, your network, or your slice. Or even the host the slice runs on, though that's unlikely.
Either your password is being sniffed when you change it, or it's being stolen via an existing compromise on the slice. Check out the sshd libkeyutils hack; you could be connecting from something that is hacked. It can't be password guessing, as it's too quick.
I'd firewall off your SSH to only allow connections from your ISP or area, which should give you time to work out the issue. If your new slice gets compromised quickly, it's gotta be whatever you use to connect.
|
Posted by simmer14, 05-07-2013, 01:55 PM |
For those guys who are saying that my PC is compromised: well, it is not. I monitor every outgoing connection of my computer; no hack/crack stuff, nothing like that which could bring trojans and stuff. Java is the latest, and Adobe Flash is always enabled.
The thing is, when I installed Debian 6 this morning and left my VPS on till now, I did not see any login attempt on my VPS. I thought I was through this attack and the guy had moved on, but this is an automated attack. I just installed CentOS and voila, after 3 minutes I saw 4 unsuccessful attempts, and on the 5th attempt my password was changed. Well, this time not even a f***ing alien race could crack my password; it was very long and all alphanumeric characters. So they are stealing the password by some technique. I'm letting my host know about this.
|
Posted by simmer14, 05-07-2013, 02:42 PM |
Guys, to be honest, there is a private exploit or technique to do this. For now I have switched to Debian; CentOS is not secure. Please spread the word. My hosting provider also confirms this. Once you are under attack you can't even reinstall your OS, because the attack runs 24/7 from multiple machines.
Well, I'm keeping a close eye on this situation. I really appreciate the replies you guys posted in this thread.
|
Posted by Geekahost, 05-07-2013, 08:11 PM |
I run 20+ VPSes on CentOS 6.x with zero issues... Maybe there's a reason why your VPS is a target?
I would do the following:
1. Update the OS:
2. Make sure protocol version 1 is disabled in /etc/ssh/sshd_config:
3. Re-create keys:
If the hack repeats after this, then I would be very curious to know more about this exploit.
|
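Geekahost's step 2 (no protocol 1) and Infinitnet's key-only login, as an added example that is not code from the thread. The script rewrites the relevant sshd_config directives, whether they are present, commented out, or missing, and then audits the file the way sshd reads it (first uncommented occurrence of a directive wins). The directive list and the PermitRootLogin value "without-password" (the pre-7.0 spelling of "prohibit-password") are this script's own choices, and the demo runs on a constructed temporary file, not on /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the thread): set the sshd_config directives that
# Geekahost's step 2 and Infinitnet's key-only advice amount to, then audit
# the result the way sshd reads the file (first uncommented occurrence wins).
# The directive list and the "without-password" value are this script's own
# choices; the demo below works on a constructed temp file.

# set_sshd_option FILE KEY VALUE
# Rewrite every existing "KEY ..." or "#KEY ..." line to "KEY VALUE"; append
# the directive if the file has no line for it at all.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        tmp=$(mktemp) || return 1
        sed -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$/$key $value/" "$file" > "$tmp" \
            && cat "$tmp" > "$file"     # cat, not mv: keeps the file's owner and mode
        rm -f "$tmp"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd_config FILE: apply the hardened values.
harden_sshd_config() {
    set_sshd_option "$1" Protocol 2                          # no SSH-1 (Geekahost step 2)
    set_sshd_option "$1" PasswordAuthentication no           # keys only (Infinitnet)
    set_sshd_option "$1" ChallengeResponseAuthentication no  # else PAM keyboard-interactive still takes passwords
    set_sshd_option "$1" PermitEmptyPasswords no
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PermitRootLogin without-password    # root by key only; "prohibit-password" on OpenSSH >= 7.0
}

# sshd_effective FILE KEY: the value sshd will use, i.e. the first uncommented
# occurrence; prints nothing when the directive is unset and the default applies.
sshd_effective() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_sshd_hardened FILE: print every directive whose effective value is not
# the hardened one; return 1 if any were found, 0 if the file is clean.
check_sshd_hardened() {
    rc=0
    for pair in Protocol=2 PasswordAuthentication=no ChallengeResponseAuthentication=no \
                PermitEmptyPasswords=no PermitRootLogin=without-password; do
        key=${pair%%=*} want=${pair#*=}
        got=$(sshd_effective "$1" "$key")
        if [ "$got" != "$want" ]; then
            printf 'WEAK %s=%s (want %s)\n' "$key" "${got:-unset}" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Demonstration on a constructed copy of a stock-looking config. On a live box:
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   harden_sshd_config /etc/ssh/sshd_config && sshd -t && service sshd restart
# but only after your public key is in /root/.ssh/authorized_keys and a key
# login has been tested from a second session, or you lock yourself out.
cfg=$(mktemp)
printf '%s\n' '#Protocol 2,1' 'PasswordAuthentication yes' '#PermitRootLogin yes' 'X11Forwarding no' > "$cfg"
echo "before:"; check_sshd_hardened "$cfg" || true
harden_sshd_config "$cfg"
echo "after:";  check_sshd_hardened "$cfg" && echo "all hardened directives in effect"
rm -f "$cfg"
```

Two things the audit function is there to catch: a "#PasswordAuthentication no" line that was edited but left commented (sshd then uses the default, which is yes), and a config where PasswordAuthentication is off but ChallengeResponseAuthentication is still on, which on a PAM system keeps accepting passwords through keyboard-interactive. Geekahost's step 3 (regenerating host keys) is a separate `rm /etc/ssh/ssh_host_* && service sshd restart` style operation on the distribution's init scripts and is not part of this script.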
Posted by simmer14, 05-07-2013, 11:26 PM |
http://www.webhostingtalk.com/showthread.php?p=8675879
|