
I am a web developer and we have no one specialising in the wellbeing of the server or the network currently at our office. Usually I can sort many of the issues that arise with my basic knowledge but currently, we have some strange things happening and I have no idea what is going on so I'm looking for some advice from someone a lot more knowledgeable than me to shed some light if possible.

We have an ecloud server hosted by UK Fast (Linux server) and it holds a VPS server and lots of client sites. Yesterday, the server randomly went down and when we realised, we called them up and they said someone had SSH'd in and run the command sudo rm TSG-server.pub which essentially removed our whole server. UK Fast managed to get us an IP of where the user who did this was accessing it from but 1. I don't know how this helps at all and 2. they could have been using a VPN anyway.

The weird thing is that they had a login attempt and it was successful... So whoever it was, knew the password or got it from somewhere. The only place we have our password is on LastPass and no one else knows it. So we restored the backup and got everything back, changed the password and called it a day.

So cut to this morning and it happened again... except this time they didn't leave any trace of who it was because they made sure they deleted the logs as well...

How could they possibly be doing this and how can we stop this? I don't even know where to begin...

Does anyone have any idea of how this might be happening, please?

Emma

2 Answers

You say that after the first attack you "restored the backup and got everything back." If you restored the backup not to a clean system but on the existing server infrastructure it is just possible that the attacker had left some kind of back door on their first attempt. Since they deleted the logs you cannot know for sure whether the second attack used a valid password or a back door technique.

From your description I conclude that the hacked account had root privileges. You might consider limiting log-ins to non-root accounts and requiring extra credentials (at least a sudo password, better something like two-factor authentication) for root access.

Renardo

I don't know the configurations of the server but if the attacker logged in again at first try it's possible you have been a target of a MITM (Man-in-the-middle) attack.

I'm assuming there is no possibility of the attacker being an insider, one of your company employees who has access to the password.

You should start by securing your server, set up key based authentication and scan the server for vulnerabilities with a tool like OpenVAS.

Also check this article to know more about MITM attacks and how to prevent one: https://www.ssh.com/attack/man-in-the-middle.
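Both answers above recommend stopping direct root logins over SSH and moving from passwords to key-based authentication. As an added example that is not from either answerer, the POSIX shell script below audits an sshd_config text for exactly those settings; the two config texts are constructed samples, and the check assumes the usual `Keyword value` line form (sshd honours the first occurrence of a keyword, which the audit reproduces).

```shell
#!/bin/sh
# Added example: audit sshd_config text for the settings the answers recommend.

# Constructed sample: the weak state (direct root login and passwords allowed).
WEAK_CONFIG='PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

# Constructed sample: the hardened state (keys only, no direct root login).
HARDENED_CONFIG='PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no'

# sshd_effective KEYWORD CONFIG_TEXT
# Prints the effective value of KEYWORD in lower case, or "unset" when the
# keyword is absent. sshd uses the first matching line, so later duplicates
# (e.g. an attacker appending "PermitRootLogin yes") do not override it.
sshd_effective() {
    key=$1
    cfg=$2
    val=$(printf '%s\n' "$cfg" \
        | grep -i "^[[:space:]]*$key[[:space:]]" \
        | head -n1 \
        | awk '{print tolower($2)}')
    printf '%s\n' "${val:-unset}"
}

# sshd_audit CONFIG_TEXT
# Prints one finding per weak setting; returns 0 when hardened, 1 otherwise.
# An absent keyword is treated as weak because the hardened value must be
# stated explicitly rather than left to the compile-time default.
sshd_audit() {
    cfg=$1
    rc=0
    if [ "$(sshd_effective PermitRootLogin "$cfg")" != "no" ]; then
        echo "WEAK: PermitRootLogin is not 'no' (direct root login possible)"
        rc=1
    fi
    if [ "$(sshd_effective PasswordAuthentication "$cfg")" != "no" ]; then
        echo "WEAK: PasswordAuthentication is not 'no' (stolen password suffices)"
        rc=1
    fi
    if [ "$(sshd_effective PubkeyAuthentication "$cfg")" != "yes" ]; then
        echo "WEAK: PubkeyAuthentication is not 'yes' (key login unavailable)"
        rc=1
    fi
    return $rc
}
```

On a real host the same functions can be pointed at `/etc/ssh/sshd_config` with `sshd_audit "$(cat /etc/ssh/sshd_config)"`, remembering to install the keys and test a second session before turning password authentication off.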