This website is deprecated, and remains online only for historic access to old issues and docs for historic versions of Virtualmin. It has been unmaintained for several years, and should not be relied on for up-to-date information. Please visit www.virtualmin.com instead.

ubuntu 10.04.3 LTS got hacked after last night ubuntu update!

5 posts / 0 new

Topic locked

Last post

#1 Thu, 08/11/2011 - 13:36

chiareu

ubuntu 10.04.3 LTS got hacked after last night ubuntu update!

Hi, last night I updated my server from Webmin Interface with latest Ubuntu updates listed on Webmin homepage.

I restarted, verify the working, all was OK and got to sleep.... In the morning when I tried to access the webmin interface, the server did not respond to https request... So started putty to access the SSH console. Surprise !!!! my password was changed. f..k what... I tried to got to the server by physical IP [http://xxx.xxx.xxx.xxx/] and surprise again :) some chinese under construction webpage :)) f..k again.

obs: I don't know if this has something in common with latest updates I have been made, or is just a coincidence.

So I go to the data-center and restart the server in recovery mode and reset the users passwd. Reboot.... and got this message:

<-- apache2: could not start reliably determine the server's fully qualified domain name, using xxx.xxx.xxx.xxx for ServerName

Rather than invoking init scripts through /etc/init.d, use the utility, e.g. service S99cron start

Since the script you are attempting to invoke has been converted to an UpStart job, you may also use the start(8) utility, e.g. start: S99cron start: Unknown job: S99cron

Ubuntu 10.04.3 LTS xxhostnamexx tty1 -->

Anybody have encountered something like that? Any advice? Thanks.

#2 Thu, 08/11/2011 - 13:46

andreychek

Howdy,

So was your root account compromised? Or was it one of your users?

The root account being compromised is a bit more trouble... without knowing what all they may have changed, it's difficult to know if they've truly been locked out of the system.

OTOH, if it was a user account that was compromised... that's unfortunately somewhat common. There's bots searching the Internet for vulnerable web apps, and breaking into them when they're found. It's possible a vulnerable web app was found on one of your users accounts.

As far as the messages you saw on the console -- if those services are starting up, chances are that those warnings were appearing for awhile now. They may just go unnoticed until someone views the console.

-Eric

#3 Thu, 08/11/2011 - 14:39 (Reply to #2)

chiareu

Hi Eric, Yep with the console message is possible, but what is strange is that there is an " Unknown job" I'll verify the job.

Regarding the user, my admin account was corrupted. Now I check the Auth error log and find pages of auth errors, different user names all from 4 IP. I found IP reported also at DShied.org

3 of them tty=dovecot 1, tty=mysql

strange that I didn't find anything over SSHD. posible that the hacker who has succeeded, has deleted his logs :))) and leaves the noob's logs

Anyway, there is some tool to block IP after a number of error logs?

Thanks

#4 Thu, 08/11/2011 - 16:07

Locutus

Anyway, there is some tool to block IP after a number of error logs?

Yeah there is... You can try "fail2ban" or "Config Server & Security".

http://www.fail2ban.org/wiki/index.php/Main_Page

http://www.configserver.com/cp/csf.html

#5 Thu, 08/11/2011 - 16:14 (Reply to #4)

chiareu

Thanks Locutus, I'll install configserver

Topic locked