
I manage a private GNU/Linux server to which only I (should) have access. Over the last few months, it got invaded a few times, always by the same person (he/she runs the same application every time). This person manages to create a root account. I've changed passwords to very strong ones and deleted the created accounts, but they keep getting back in. The problem is I don't know where from.

My question is: what are the first steps that I should do to find where my vulnerability is?

Some general comments about my setup:

  • Debian 8.6

  • Main applications running in the server: apache, dovecot, exim, mysql and owncloud.

  • I have fail2ban running.

  • I have a script in my `.bashrc` (for my user and for the root account) that warns me by email when someone opens a terminal with these accounts. It never gets triggered by the invader.

  • The output of the `last` command shows they were using a `tty1` session (whereas when I'm logged in it shows `pts/0`). Also in the `last` output, in the column that should say where the access is coming from, their entry is empty.

crlam

  • Are you formatting and doing a clean install after the compromise? What commands are being run? The first step is probably to crank up the logging, and have your logs sent to an external host. – Zoredache Jan 07 '17 at 00:57
  • Is this a VM, and is remote console access enabled? Could `tty1` be your remote console? – pete Jan 07 '17 at 02:42
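As an added example (not part of the question or the comments), a small check that parses `last` output and flags console logins that have an empty origin column, which is exactly what the asker observed for the intruder's `tty1` sessions; the sample lines are constructed, and the default `last` column layout is assumed.

```python
#!/usr/bin/env python3
"""Flag logins recorded by `last` that arrived on a console (tty*) with an
empty origin column. Added example; assumes the default `last` output layout."""
import subprocess
import sys

# Default `last` layout: user, tty, host (may be blank), then the time fields.
# Because the host column is simply absent for console logins, we decide
# whether a host is present by checking for the weekday token that always
# begins the time fields.
DAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}


def parse_last_line(line):
    """Return (user, tty, host) for one `last` line, or None for non-login lines."""
    parts = line.split()
    if len(parts) < 4 or parts[0] in ("wtmp", "reboot", "shutdown"):
        return None
    user, tty = parts[0], parts[1]
    host = "" if parts[2] in DAYS else parts[2]
    return user, tty, host


def suspicious_console_logins(lines, known_ttys=()):
    """Logins on tty* with no recorded origin, excluding ttys the admin expects."""
    hits = []
    for line in lines:
        rec = parse_last_line(line)
        if rec is None:
            continue
        user, tty, host = rec
        if tty.startswith("tty") and not host and tty not in known_ttys:
            hits.append(rec)
    return hits


# Constructed sample mimicking the question's observation (not real log data).
SAMPLE = """\
crlam    pts/0        203.0.113.5      Fri Jan  6 22:10   still logged in
root     tty1                          Fri Jan  6 03:12 - 03:40  (00:28)
crlam    pts/1        203.0.113.5      Thu Jan  5 19:02 - 19:30  (00:28)
reboot   system boot  3.16.0-4-amd64   Wed Jan  4 08:00 - 22:10 (2+14:10)

wtmp begins Sun Jan  1 00:00:01 2017
""".splitlines()

if __name__ == "__main__":
    # Pass --live to read the real wtmp via `last`; otherwise use the sample.
    src = (subprocess.check_output(["last"], universal_newlines=True).splitlines()
           if "--live" in sys.argv else SAMPLE)
    for user, tty, _ in suspicious_console_logins(src):
        print("console login with no origin: user=%s tty=%s" % (user, tty))
```

On a VM with a remote console, the `tty1` entries will also appear for legitimate console use, so pass those ttys in `known_ttys` once you have confirmed them.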
