linux - Root Account Compromised In Unknown Fashion


I have a server running Ubuntu 14.04-64 with OpenSSH 5.9 that started acting strangely in the last few days. SSH and HTTP connections were timing out. In addition, my SSH key was no longer working; I was having to use password login. I got a notice from our hosting provider that the server had used 400% of its allotted bandwidth for the month (5 days into the month) when we normally go to 10%. I suspected the server had been compromised.

I saw no strange CPU activity in htop. I saw no strange network activity in iftop. However, there was a strange executable set up as a service in one of the rc.xd directories: s90.777{1452022308. It called an executable in the / directory called .777{1452022308. The process was running at high priority and causing other connections to time out. The file is a binary executable.

I examined the server logs and found this:

jan  3 09:08:32 dev1 sshd[19757]: Accepted publickey for root from x.x.x.x port 41394 ssh2: RSA 31:1c:bd:a0:d0:56:1b:e0:fd:a3:05:cc:9e:96:4e:8c

We've never put public keys on any of our servers for root, and never would. The user was on the server for approximately 8 minutes and then disappeared. The authorized_keys file in /root/.ssh is in binary format and unreadable.

I have no idea how a user would have been able to place an authorized keys file in /root. Incredible!

The other activity from the same IP address (in the auth log) is:

jan  3 08:00:26 dev1 sshd[18907]: Connection closed by x.x.x.x [preauth]
jan  3 08:31:01 dev1 sshd[19287]: Connection closed by x.x.x.x [preauth]
jan  3 09:08:32 dev1 sshd[19757]: Accepted publickey for root from x.x.x.x port 41394 ssh2: RSA 31:1c:bd:a0:d0:56:1b:e0:fd:a3:05:cc:9e:96:4e:8c
jan  3 09:16:26 dev1 sshd[19757]: Received disconnect from x.x.x.x: 11: disconnected by user

I've disabled root SSH logins on all of our other servers, but I'm astonished at how this could have happened in the first place. Does anyone have an idea how such a thing could have happened?


Closed as off-topic by Keith Thompson, Undo, TessellatingHeckler, Pang, talonmies Jan 6 '16 at 3:30


Is this on Linode? – Neil McGuigan Jan 5 '16 at 21:41

Running the last command should show every logon event. It won't tell you how and why, but it may give a clue as to when. – Vampiro Jan 5 '16 at 22:03

@NeilMcGuigan - No, SoftLayer. – George Sibble Jan 5 '16 at 22:38

I figured out what happened. The important piece of evidence was the authorized_keys file in /root being in binary format.

I had installed Redis on the server. Apparently, if you don't bind Redis to localhost, it can be manipulated into putting SSH keys into the authorized_keys file of the user it runs under (in this case root). In fact, the creator of Redis describes the process in a blog post: http://antirez.com/news/96

So, to summarize:

  1. Bind Redis to localhost or an internal network connection and keep it away from the internet.
  2. Add an AUTH password to Redis.
  3. Run Redis as its own user, not root.
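An added defender-side check (not part of the answer or of Redis itself) that covers the first two points of the summary and the key piece of evidence in this thread: it audits a redis.conf text for a missing or wildcard bind and a missing requirepass, and flags an authorized_keys file that is really a Redis RDB dump (RDB files start with the magic string REDIS, and a genuine authorized_keys file is printable text). The config fragments are constructed samples; the function names are my own.

```python
# Constructed sample: the weak configuration this thread describes
# (no bind line, so Redis listens on every interface; no password).
WEAK_CONF = """# minimal config, no bind and no requirepass
port 6379
daemonize yes
"""

# Constructed sample: the same service hardened per the answer's summary.
HARDENED_CONF = """
bind 127.0.0.1
port 6379
requirepass <long-random-password>
"""

def audit_redis_conf(conf_text):
    """Return a list of findings for the bind and requirepass mitigations.
    A missing 'bind' directive means Redis accepts connections on all
    interfaces, which is the exposure the answer warns about."""
    directives = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments / blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        directives.setdefault(key.lower(), []).append(value.strip())
    findings = []
    binds = directives.get("bind", [])
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("redis reachable on all interfaces: add 'bind 127.0.0.1'")
    if not directives.get("requirepass"):
        findings.append("no AUTH password: set 'requirepass'")
    return findings

RDB_MAGIC = b"REDIS"   # every RDB dump begins with this, then a version number

def looks_like_rdb_dump(data):
    """True when the bytes of an authorized_keys file look like a Redis dump
    (RDB magic, or mostly non-printable) instead of 'ssh-rsa AAAA...' text."""
    if data.startswith(RDB_MAGIC):
        return True
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t")
    return printable / len(data) < 0.9
```

Run it over a real redis.conf and over `/root/.ssh/authorized_keys` read in binary mode; a non-empty findings list or a True from the second function is exactly the state the question describes.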

