
I host my personal website on DigitalOcean. Recently, I received many abuse complaints, which finally made them shut down my machine. I feel really sad and angry.

Someone complained that my machine was used to attack his machine via SSH. I checked my machine and found two suspects:

root@eva:~# lsof -i 
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME 
sshd 566 root 3r IPv6 7494 0t0 TCP *:ssh (LISTEN) 
sshd 566 root 4u IPv4 7518 0t0 TCP *:ssh (LISTEN) 
php5-fpm 671 root 6u IPv4 7849 0t0 TCP localhost:9000 (LISTEN) 
php5-fpm 672 www-data 0u IPv4 7849 0t0 TCP localhost:9000 (LISTEN) 
php5-fpm 673 www-data 0u IPv4 7849 0t0 TCP localhost:9000 (LISTEN) 
php5-fpm 674 www-data 0u IPv4 7849 0t0 TCP localhost:9000 (LISTEN) 
php5-fpm 675 www-data 0u IPv4 7849 0t0 TCP localhost:9000 (LISTEN) 
mysqld 759 mysql 10u IPv4 8233 0t0 TCP localhost:mysql (LISTEN) 
bash 1018 root 3u IPv4 8700 0t0 TCP *:3245 (LISTEN) 
bash 1018 root 8u IPv4 8783 0t0 TCP mysitename.com:57728->91.236.182.1:ircd (ESTABLISHED) 
bash 1018 root 9u IPv4 8714 0t0 TCP mysitename.com->ircu.atw.hu:ircd (ESTABLISHED) 
apache2 30915 root 3u IPv4 4216829 0t0 TCP *:http (LISTEN) 
apache2 30920 www-data 3u IPv4 4216829 0t0 TCP *:http (LISTEN) 
apache2 30921 www-data 3u IPv4 4216829 0t0 TCP *:http (LISTEN) 
apache2 30922 www-data 3u IPv4 4216829 0t0 TCP *:http (LISTEN) 
apache2 30923 www-data 3u IPv4 4216829 0t0 TCP *:http (LISTEN) 
apache2 30924 www-data 3u IPv4 4216829 0t0 TCP *:http (LISTEN) 
sshd 30948 root 3r IPv4 4217444 0t0 TCP mysitename.com:ssh->210006025170.ctinets.com:64144    (ESTABLISHED)

What are the IRC things? They come back again after I kill them. How can I fix this and fight back? Can anybody explain the theory of how I got attacked? And generally, how to react after being attacked?

P.S. I really did only a small number of operations on my machine, just hosting my website there. Basically, I just changed the things under /etc/apache2 and /var/www.

hakunami
  • Backup the important data, reinstall everything. – CodesInChaos Apr 10 '14 at 09:54
  • The IRC connections are the Command and Control server. The malware joins an irc channel, and sits there waiting for commands of the malware operators. Blacklisting all traffic to those ip's might work short term, but depending on the malware it may change C&C servers at a predefined interval. – Glenn Vandamme Apr 10 '14 at 10:55
  • Please don't use the term hacked to mean compromised. – ScottMcGready Apr 10 '14 at 14:54
  • @ScottMcGready Sorry, I am not a native English user, I can't tell the subtle meaning of the word. :) – hakunami Apr 10 '14 at 15:40
  • @CodesInChaos Thank you. Thanks to DigitalOcean's backup service, I've got back my data and reinstalled the server. – hakunami Apr 10 '14 at 15:41
  • @GlennVandamme Interesting. Is it possible to locate where the malware is? Can I delete this bad code? – hakunami Apr 10 '14 at 15:43
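The `lsof -i` listing above already contains the evidence the comments point at: a `bash` process owning network sockets, one of them listening on an unexpected port and two of them holding ESTABLISHED connections to remote `ircd` ports, which is the IRC command-and-control pattern Glenn describes. The following is an added example, not code from the question or from any of the answers: a small Python triage script that parses text in the `lsof -i` format and applies three defender-side heuristics (interpreter owning a socket, established connection to an IRC port, listener not in the expected set). The expected-listener table, the interpreter list, the IRC port list and the embedded sample (a subset of the question's listing) are assumptions constructed for a LAMP host like the one in the question; adjust them per machine. It also handles the line where `lsof` prints the local side without a port (`mysitename.com->ircu.atw.hu:ircd`).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumptions for a plain LAMP box: interpreters that should never own sockets,
# port names/numbers commonly used for IRC C&C, and the listeners we expect.
SUSPICIOUS_COMMANDS: Set[str] = {"bash", "sh", "dash", "perl", "python", "python3"}
IRC_PORTS: Set[str] = {"ircd", "6667", "6668", "6669", "6697"}
EXPECTED_LISTENERS: Set[Tuple[str, str]] = {
    ("sshd", "ssh"), ("apache2", "http"), ("apache2", "https"),
    ("mysqld", "mysql"), ("php5-fpm", "9000"),
}

_STATE_RE = re.compile(r"\((\w+)\)\s*$")  # trailing "(LISTEN)" / "(ESTABLISHED)"


@dataclass
class Socket:
    command: str
    pid: int
    user: str
    node: str                 # TCP / UDP
    local: str                # "*:ssh", "mysitename.com:57728" or bare "mysitename.com"
    remote: Optional[str]     # "91.236.182.1:ircd", None when not connected
    state: Optional[str]      # LISTEN / ESTABLISHED / None

    @property
    def local_port(self) -> str:
        return self.local.rsplit(":", 1)[-1]

    @property
    def remote_port(self) -> Optional[str]:
        if self.remote is None or ":" not in self.remote:
            return None
        return self.remote.rsplit(":", 1)[1]


def parse_lsof(text: str) -> List[Socket]:
    """Parse `lsof -i` output (assumes host:port names, no IPv6 brackets)."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        # COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME; NAME may contain spaces
        fields = line.split(None, 8)
        if len(fields) < 9 or fields[0] == "COMMAND":
            continue
        command, pid, user, _fd, _type, _dev, _size, node, name = fields
        m = _STATE_RE.search(name)
        state = m.group(1) if m else None
        addr = name[: m.start()].strip() if m else name.strip()
        local, remote = (addr.split("->", 1) + [None])[:2]
        sockets.append(Socket(command, int(pid), user, node, local, remote, state))
    return sockets


@dataclass
class Finding:
    pid: int
    command: str
    reason: str
    remote: Optional[str] = None


def triage(sockets: List[Socket]) -> List[Finding]:
    """Apply the three heuristics; one finding per matching rule per socket."""
    findings: List[Finding] = []
    for s in sockets:
        if s.command in SUSPICIOUS_COMMANDS:
            findings.append(Finding(s.pid, s.command,
                f"interpreter '{s.command}' owns a socket ({s.local} {s.state})", s.remote))
        if s.state == "ESTABLISHED" and s.remote_port in IRC_PORTS:
            findings.append(Finding(s.pid, s.command,
                f"established connection to IRC port {s.remote_port} (likely C&C)", s.remote))
        if s.state == "LISTEN" and (s.command, s.local_port) not in EXPECTED_LISTENERS:
            findings.append(Finding(s.pid, s.command, f"unexpected listener on {s.local}"))
    return findings


def pids_to_investigate(findings: List[Finding]) -> List[int]:
    return sorted({f.pid for f in findings})


def cnc_hosts(findings: List[Finding]) -> List[str]:
    """Remote hosts flagged as C&C, e.g. for an egress block or a firewall log filter."""
    return sorted({f.remote.rsplit(":", 1)[0] for f in findings
                   if f.remote and "C&C" in f.reason})


# Constructed sample: a subset of the question's `lsof -i` listing.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 566 root 3r IPv6 7494 0t0 TCP *:ssh (LISTEN)
mysqld 759 mysql 10u IPv4 8233 0t0 TCP localhost:mysql (LISTEN)
bash 1018 root 3u IPv4 8700 0t0 TCP *:3245 (LISTEN)
bash 1018 root 8u IPv4 8783 0t0 TCP mysitename.com:57728->91.236.182.1:ircd (ESTABLISHED)
bash 1018 root 9u IPv4 8714 0t0 TCP mysitename.com->ircu.atw.hu:ircd (ESTABLISHED)
apache2 30915 root 3u IPv4 4216829 0t0 TCP *:http (LISTEN)
sshd 30948 root 3r IPv4 4217444 0t0 TCP mysitename.com:ssh->210006025170.ctinets.com:64144 (ESTABLISHED)
"""

if __name__ == "__main__":
    found = triage(parse_lsof(SAMPLE_LSOF))
    for f in found:
        print(f"pid {f.pid} ({f.command}): {f.reason}")
    print("investigate pids:", pids_to_investigate(found))
    print("C&C hosts:", cnc_hosts(found))
```

On the sample this flags only PID 1018 (the `bash` process) and lists the two `ircd` peers as C&C hosts; the legitimate `sshd`, `mysqld` and `apache2` sockets produce nothing. Pipe real output in with `lsof -i | python3 triage.py` after swapping `SAMPLE_LSOF` for `sys.stdin.read()`. As the comments note, this is evidence for deciding what to preserve before the rebuild, not a cleanup tool: once a root-owned shell is sitting on an IRC channel, the box is reinstalled from clean media, and the flagged pids are what you dump (`/proc/<pid>/exe`, `cwd`, `cmdline`) for the post-mortem first.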

1 Answer


You can start by blocking all the outgoing SSH traffic from your server using iptables:

# iptables -A OUTPUT -p tcp --dport 22 -j DROP
TMR_OS
  • Since I have already reinstalled the server, I can't test your solution, but thank you for your nice advice. One shortcoming is that I can't use scp to move things out of my server, right? – hakunami Apr 10 '14 at 15:45
  • No, you can still use scp. But you need to set the port with the -P option: scp -P 80 ... # Use port 80 to bypass the iptables rule, instead of the default scp port – TMR_OS Apr 11 '14 at 08:35