0

I have read the following posts, which didn't answer my questions:
- My linux server was hacked. How do I find out how and when it was done?
- How do I know if my Linux server has been hacked?
- and much more...

The server setup was this:
- the Ubuntu server was behind a router (Cisco EA6500) and didn't have port forwarding (UPnP is enabled).
- the stupidest idea was to have a user called user with password user.

Today I logged in to the PHP web editor, which connects by SSH, and it didn't accept the password. I found out that the server might have been hacked.

I found the following:
- all the server files' timestamps are changed to my last login date (today)
- there was one cronjob `/dev/shm/- /.ICE-UNIX/update >/dev/null 2>&1` added on Friday
- there was an error on ubuntu start-up that said "error variable ROOT isn't set"

What I did:
- recover password by recovery console
- set up a small firewall, which caught some attempts to get into SSH.

Questions:
- How do I know what has been changed?
- How did they get in if there was no ssh port exposure?

Later Edit: They have left the logs intact and I found out that they entered by SSH and changed the password. There were a lot of SSH login tries over the past weeks. I have reinstalled the system, moved the port, installed a firewall and I'm inspecting the router. It definitely has security holes. Thank you all!
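A small triage script for the two findings in the question (a cron job living in /dev/shm, and SSH logins to the weak account), added here as an example and not part of the original post. The crontab and auth.log lines are constructed samples, and the list of "suspicious" directories (/dev/shm, /tmp, /var/tmp) is an assumed heuristic, not a rule from the post.

```shell
#!/bin/sh
# Added example: offline triage of cron entries and sshd auth.log lines.
# On a real host, feed it `crontab -l` / /etc/cron.d output and /var/log/auth.log.

# Constructed crontab lines; the /dev/shm entry mirrors the one the poster found.
SAMPLE_CRON='0 3 * * * /usr/bin/apt-get update
* * * * * /dev/shm/- /.ICE-UNIX/update >/dev/null 2>&1
30 2 * * * /usr/local/bin/backup.sh'

# Constructed sshd lines in auth.log format (addresses are documentation ranges).
SAMPLE_AUTH='Mar 14 02:11:01 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar 14 02:11:04 srv sshd[2101]: Failed password for user from 203.0.113.5 port 40122 ssh2
Mar 14 02:11:09 srv sshd[2101]: Accepted password for user from 203.0.113.5 port 40123 ssh2
Mar 14 09:00:12 srv sshd[2230]: Accepted publickey for deploy from 192.0.2.10 port 50110 ssh2'

# Print non-comment cron lines whose command runs from a memory-backed or
# world-writable directory; legitimate jobs almost never live there (assumed heuristic).
suspicious_cron() {
    printf '%s\n' "$1" | grep -E '^[^#]*(^|[[:space:]])/(dev/shm|tmp|var/tmp)/' || true
}

# Count sshd "Accepted ..." lines for one user, to see when the weak
# account was actually logged into rather than merely guessed at.
accepted_logins_for() {
    printf '%s\n' "$1" | grep -c "sshd\[[0-9]*\]: Accepted .* for $2 from " || true
}

# Count failed password attempts per source address, most frequent first.
failed_by_source() {
    printf '%s\n' "$1" | grep 'Failed password' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' | sort | uniq -c | sort -rn
}

if [ "${1:-}" = "--demo" ]; then
    echo "== suspicious cron entries ==";    suspicious_cron "$SAMPLE_CRON"
    echo "== accepted logins for 'user' =="; accepted_logins_for "$SAMPLE_AUTH" user
    echo "== failed attempts by source ==";  failed_by_source "$SAMPLE_AUTH"
fi
```

Run with `--demo` to see all three reports; an accepted login from the same address that was brute-forcing is the pattern the poster later confirmed in their logs.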

1 Answer

9

I wouldn't trust that machine anymore, and would reinstall and probably scan for rootkits (some rootkits even survive formatting of a drive).

If you care about security, my personal advice would be to restart fresh.

Nomad
  • 128