I've set up a little ARM server, running the latest version of Armbian with kernel 4.11.6
I have Apache2:
Server version: Apache/2.4.10 (Debian)
Server built: Jul 18 2017 19:31:53
At home I'm using a cheap router, a Huawei HG8247H, with port forwarding active for ports 80 and 22, directing the incoming connections to the public IP straight to the server inside the private network, 192.168.1.114.
At first I set up the root user with too easy a password, which I suspect was cracked by brute-forcing the SSH login...
After some thought on the subject I changed the password, switching to a stronger one. My doubt is: was the system compromised to the point where a mere root password change isn't enough anymore?
I ran netstat -pan:
There's an abusive IP operating on my machine: 123.183.209.140, probably serving as a spam zombie while I write this.
I also ran nmap searching for vulnerabilities, yielding NOT VULNERABLE, at least for the ones listed in the vulscan database to this day.
These high ports also seem suspicious. I feel uneasy with all the eerie movements on the server, and the idea of a member of the internal network being compromised is scary, as it is a trusted node of the internal network. I should somehow try to isolate the server in a separate network.
My doubt is: what is the next step to take from here?
Thank you for any advice.
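As an added example (not part of the original post), here is one concrete check for the "was root brute-forced?" question above: a small POSIX shell script that walks sshd lines in the Debian syslog format of /var/log/auth.log, counts failed root logins per source IP, and flags any IP that was later granted an "Accepted ... for root" session after a run of failures. The log lines embedded below are constructed for illustration; only 123.183.209.140 is taken from the post, the other addresses and the path are assumptions.

```shell
#!/bin/sh
# Detect a brute-force run against root that ended in a successful login,
# based on sshd lines in Debian's /var/log/auth.log format (assumption).

# Constructed sample log lines for offline testing (not real data).
SAMPLE_LOG='Jul 20 03:14:01 armbian sshd[1234]: Failed password for root from 123.183.209.140 port 51022 ssh2
Jul 20 03:14:03 armbian sshd[1234]: Failed password for root from 123.183.209.140 port 51030 ssh2
Jul 20 03:14:05 armbian sshd[1234]: Failed password for root from 123.183.209.140 port 51041 ssh2
Jul 20 03:14:08 armbian sshd[1240]: Accepted password for root from 123.183.209.140 port 51055 ssh2
Jul 20 09:02:11 armbian sshd[1300]: Accepted publickey for root from 192.168.1.10 port 40011 ssh2
Jul 20 10:00:00 armbian sshd[1350]: Failed password for invalid user admin from 198.51.100.7 port 1234 ssh2'

# failed_root_by_ip LOGTEXT
# Prints "count ip", most failures first, for every source IP that tried root.
failed_root_by_ip() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for root from / {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) print fails[ip], ip }' | sort -rn
}

# accepted_root_after_failures LOGTEXT [THRESHOLD]
# Prints each IP that got an accepted root login after at least THRESHOLD
# (default 3) earlier failed root logins: the brute-force-then-success pattern.
accepted_root_after_failures() {
    threshold=${2:-3}
    printf '%s\n' "$1" | awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for root from / {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for root from / {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (fails[ip] >= t && !(ip in flagged)) { flagged[ip] = 1; print ip }
        }'
}

# Usage against the constructed sample; on the real box replace SAMPLE_LOG
# with "$(cat /var/log/auth.log /var/log/auth.log.1 2>/dev/null)".
echo "Failed root logins per IP:"
failed_root_by_ip "$SAMPLE_LOG"
echo "IPs that logged in as root after a brute-force run:"
accepted_root_after_failures "$SAMPLE_LOG" 3
```

One caveat when reading the output: whoever already has root on the box can edit or truncate auth.log, so an empty result is not proof that nothing happened; an IP that does show up, like the one the netstat output already points at, is strong evidence that root itself was taken, at which point a password change alone does not remove what the attacker may have installed.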