4

So yesterday I found out that my server was rooted via the h00lyshit exploit. So far I deleted all the files that might be associated with the exploit. I also deleted all the ssh keys in ~/.ssh/authorized_keys. I changed the root password to a 25-random-character password and changed the mysql passwords as well.

Also, I think the attacker was from Italy, and since I need to have access only from my country, I blocked every IP range except my own country's. Will this help?

Do you guys have any good advice on what I should do? I plan to disable root via ssh (I should have done it much sooner, I know :( ). And is there a way to check if he can access my server again?

Also, no damage was done, luckily. Oh, and I'm running Debian Lenny with the 2.6.26 kernel, if somebody is interested.

PS: yay my first question :D

Gabriel
  • 193

4 Answers

28

You should restore the server from a known good backup. There's no real way to know that no other back doors were installed, is there?

MDMarra
  • 101,323
3

I would always advocate a complete rebuild in the event of a known compromise. It's the only safe way.

Assuming you have backups, and they're recent, and they cover more than just the data on the server, you have material for forensics.

If you're not already using a tool such as Chef or Puppet to make fast rebuilds to a known state, then get started.

Once the machine has been rebuilt, you need to think about attack vectors and how to mitigate them. You mentioned your ssh config; there are many others. For a Red Hat-centric and paranoid approach, look here:

http://www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf

For a Debian and similar approach, look here:

https://www.debian.org/doc/manuals/securing-debian-howto/

Good luck.

upasaka
  • 1,383
2

Unfortunately, since he had root access, there is no way to really know what the hacker did to the system. They could have modified logs to hide their tracks and any other damage done. Formatting and reinstalling, or restoring from known good backups, is the only safe way to go. Good luck.

Next time, disable root login, change the ssh port, and get iptables going right away.

Brandon
  • 161
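The "disable root login, change the ssh port" advice above, as an added shell example that is not part of this thread: it idempotently applies those settings to an sshd_config file passed as a parameter and then verifies them. The file path is an assumption so it can be tried on a copy first; on the real host, run it as root against /etc/ssh/sshd_config and reload sshd. Turning off PasswordAuthentication (keys only) goes one step beyond the answer's list.

```sh
#!/bin/sh
# Added example: apply and check the sshd hardening suggested in the answer.
# Matches both an active line ("Port 22") and Debian's commented default
# ("#Port 22") so the result never contains duplicate directives.
set -eu

# set_sshd_option FILE KEY VALUE: rewrite an existing KEY line, else append one.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^#?${key}[[:space:]]" "$file"; then
        sed -i -E "s|^#?${key}[[:space:]].*|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd FILE [PORT]: no root login, keys only, move off port 22.
# PORT defaults to 2222 (an assumed value; pick one that suits the host).
harden_sshd() {
    file=$1; port=${2:-2222}
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" Port "$port"
}

# sshd_option FILE KEY: print the first active (uncommented) value, or nothing.
sshd_option() {
    grep -E "^${2}[[:space:]]" "$1" | head -n1 | awk '{print $2}'
}

# check_sshd FILE: succeed only if all three hardened settings are in effect.
check_sshd() {
    port=$(sshd_option "$1" Port)
    [ "$(sshd_option "$1" PermitRootLogin)" = no ] &&
    [ "$(sshd_option "$1" PasswordAuthentication)" = no ] &&
    [ -n "$port" ] && [ "$port" != 22 ]
}
```

Running `check_sshd /etc/ssh/sshd_config` after the reload gives a quick pass/fail that can go into a post-rebuild checklist.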
1

Personally, if I get rooted, I grab the data from a backup, ideally. If not, I grab it from the server, then boot and nuke it. (http://www.dban.org/)

Gray Race
  • 933