Possible Duplicate:
My server's been hacked EMERGENCY
I have a small virtual server running Ubuntu set up for the personal use of myself and a friend. The server runs Postfix and Dovecot for Email, Apache, Tomcat and sshd for git and subversion access.
My friend gave a shell account to somebody else to enable them to access our Subversion repository. Unfortunately, it seems that this person was a bit lenient in their password choice. When I ran top on the server this week, I noticed a perl process camouflaged as /usr/sbin/httpd that was consuming 50% of CPU. lsof -i revealed that the process kept a connection open to some IP address in China. So my guess is that the user account was compromised by SSH brute-forcing and used to send spam or for similar activities.
As a first step, I disabled all ssh access for non-me users in the hope of preventing further abuse (root ssh access is disabled anyway). Now I am facing the question of what to do to restore the server to use.
My plan thus far looks like this:
- Dump the contents of the server to a tar file somewhere
- Reinstall the server from a clean image
- Take steps to prevent the server from being compromised again, such as disabling password-based ssh access entirely and using public keys instead
- Extract important data from the tar dump, make sure that it is clean and re-deploy it on the server and / or store it somewhere else
Is this a feasible approach? Have I missed any important steps? Something else to consider?
Some more specific questions:
- It is possible that only the user account was compromised and the rest of the server is ok. In this case, a re-install is not necessary. Is there a safe way to tell if this is the case?
- Do I have to notify my provider or authorities?
- What is the best strategy to tackle step 4 - how can I tell malicious data from good data with regard to a linux system?
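The camouflaged perl process described in the question is detectable from the process table alone: a process can set its argv[0] to whatever it likes (that is what top and ps display), but the /proc/&lt;pid&gt;/exe symlink still points at the binary the kernel actually loaded. The following script is an added example, not code from the question or from any of the tools named in it; it compares the two for every process and flags mismatches, interpreters running under a foreign name, and executables that were deleted from disk while still running. The SAMPLE records are constructed to mirror the question (a perl process showing as /usr/sbin/httpd); read_proc() collects the same fields from a live Linux host. The check is a triage aid, not proof that a host is clean: it must run as root to read other users' exe links, and a compromise that reached root could hide processes from /proc entirely, which is why a reinstall from a clean image remains the safe answer to "is the rest of the server ok".

```python
#!/usr/bin/env python3
"""Flag processes whose displayed name does not match the executable they run.

Added example (not from the original question). Heuristic: compare argv[0] from
/proc/<pid>/cmdline with the target of /proc/<pid>/exe.
"""
import os
import re
import shutil
from dataclasses import dataclass
from typing import Dict, List, Optional

# Families of interpreter binaries; an interpreter displaying as a daemon name is a red flag.
INTERPRETERS = {"perl", "python", "ruby", "php", "sh", "bash", "dash", "lua"}


@dataclass
class ProcInfo:
    pid: int
    argv0: str           # first word of /proc/<pid>/cmdline (what top/ps display)
    exe: Optional[str]   # target of the /proc/<pid>/exe symlink, None if unreadable


def read_proc(proc_root: str = "/proc") -> List[ProcInfo]:
    """Collect argv[0] and the real executable for every readable process (Linux)."""
    procs = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(f"{proc_root}/{name}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
            try:
                exe = os.readlink(f"{proc_root}/{name}/exe")
            except OSError:
                exe = None       # kernel thread, or another user's process when not root
        except OSError:
            continue             # process exited between listdir() and open()
        procs.append(ProcInfo(int(name), argv0, exe))
    return procs


def _claimed_name(argv0: str) -> str:
    # "-bash" (login shell) and "sshd: alice [priv]" (sshd status line) are normal display forms
    return os.path.basename(argv0.lstrip("-").split(" ")[0].rstrip(":"))


def _resolves_to(argv0: str, exe_path: str) -> bool:
    """True if argv[0], looked up the way a shell would, is a symlink to the exe (e.g. sh -> dash)."""
    candidate = argv0 if argv0.startswith("/") else shutil.which(_claimed_name(argv0))
    if not candidate:
        return False
    return os.path.basename(os.path.realpath(candidate)) == os.path.basename(exe_path)


def suspicious_reasons(p: ProcInfo) -> List[str]:
    """Return human-readable reasons this process looks masqueraded; empty list if it looks normal."""
    reasons: List[str] = []
    if p.exe is None or not p.argv0:
        return reasons           # nothing to compare against
    exe_path = p.exe
    if exe_path.endswith(" (deleted)"):
        reasons.append("executable was deleted from disk while still running")
        exe_path = exe_path[: -len(" (deleted)")]
    claimed = _claimed_name(p.argv0)
    actual = os.path.basename(exe_path)
    actual_family = re.sub(r"[\d.]+$", "", actual)   # perl5.34 -> perl, python3.10 -> python
    if claimed in (actual, actual_family) or _resolves_to(p.argv0, exe_path):
        return reasons
    if actual_family in INTERPRETERS:
        reasons.append(f"{actual_family} interpreter running under the name '{p.argv0}'")
    else:
        reasons.append(f"argv[0] '{p.argv0}' does not match executable {exe_path}")
    return reasons


def scan(procs: List[ProcInfo]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every process that fails the check."""
    findings = {}
    for p in procs:
        reasons = suspicious_reasons(p)
        if reasons:
            findings[p.pid] = reasons
    return findings


# Constructed sample modelled on the question (not real data from the compromised host).
SAMPLE = [
    ProcInfo(812, "/usr/sbin/apache2", "/usr/sbin/apache2"),        # genuine web server
    ProcInfo(913, "sshd: alice [priv]", "/usr/sbin/sshd"),           # sshd status line, normal
    ProcInfo(1201, "-bash", "/bin/bash"),                            # login shell, normal
    ProcInfo(4471, "/usr/sbin/httpd", "/usr/bin/perl"),              # perl disguised as httpd
    ProcInfo(4480, "/usr/sbin/httpd", "/tmp/.x/bot (deleted)"),      # dropper removed after start
]

if __name__ == "__main__":
    for pid, reasons in sorted(scan(read_proc()).items()):
        print(f"pid {pid}: " + "; ".join(reasons))
```

Run it as root on the suspect host (it reads /proc directly, so the output is independent of a possibly trojaned ps or top binary in PATH). Pair a hit with `lsof -p <pid>` and the owning user to see what the process has open, as the question already did with `lsof -i`.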