Linux command gets Killed automatically

1

One of my openSUSE servers got hacked and is acting weird. I am using the root user. When I try to issue a command like the one below, it gets Killed. The behavior is the same for many other commands.

Example:

sudo chattr +i ~/.ssh/authorized_keys
Killed

I want to understand what it means and how this is happening, and I need advice on how to secure it.

pfziom

Posted 2019-12-05T08:45:31.583

Reputation: 11

Answers

0

If I were a hacker, I'd want to make sure I had persistent access. Looks like these hackers have some kind of watchdog service preventing anyone from removing their ssh keys.

If you have a backup of the files this server contains, your best option is to tear it to the ground and rebuild it. There's no other way to be completely sure you have removed any non-authorised persistent access.

Michael Frank

Posted 2019-12-05T08:45:31.583

Reputation: 7 412

0

The hacker had added the immutable attribute to /usr/bin/chattr, so I wasn't able to use the chattr utility. I had to copy chattr from another server, rename it to something else and restore the attributes of the original chattr utility.

pfziom

Posted 2019-12-05T08:45:31.583

Reputation: 11

As chattr seems to be part of e2fsprogs in SUSE, you should try to enforce a reinstallation of that package. Well, actually this post seems to describe how to reinstall every package in the system; that might be a good idea, especially if you can take a snapshot beforehand in case things go bad. https://stackoverflow.com/questions/19548957/can-i-force-pip-to-reinstall-the-current-version

– Griffin – 2019-12-06T11:08:36.200
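The answer above found that the immutable attribute had been set on /usr/bin/chattr itself. As an added example (not part of the original posts), the script below lists files carrying the immutable or append-only attribute by parsing `lsattr` output. The `LSATTR` variable, the function names, the script file name and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list files that carry the immutable (i)
# or append-only (a) attribute, as was done to /usr/bin/chattr above.
# Assumption: LSATTR may point at a trusted copy of lsattr brought from a
# clean host; filter_locked, scan_paths and the sample data are hypothetical.
LSATTR="${LSATTR:-lsattr}"

# Read lsattr-format lines ("<flags> <path>") on stdin and print
# "<reason><TAB><path>" for every file that is immutable or append-only.
filter_locked() {
    while read -r flags path; do
        [ -n "$path" ] || continue
        # Skip anything whose first field is not a flags string (error text).
        case "$flags" in *[!A-Za-z-]*) continue ;; esac
        reason=""
        case "$flags" in *i*) reason="immutable" ;; esac
        case "$flags" in *a*) reason="${reason:+$reason,}append-only" ;; esac
        if [ -n "$reason" ]; then
            printf '%s\t%s\n' "$reason" "$path"
        fi
    done
    return 0
}

# Constructed sample of lsattr output, used to exercise the filter offline.
sample_lsattr_output() {
    cat <<'EOF'
----i---------e------- /usr/bin/chattr
--------------e------- /usr/bin/ls
----ia--------e------- /root/.ssh/authorized_keys
lsattr: Operation not supported While reading flags on /proc/1
-----a--------e------- /var/log/my file.log
EOF
}

# Check the given paths themselves (-d: do not descend into directories).
scan_paths() {
    "$LSATTR" -d "$@" 2>/dev/null | filter_locked
}

# Run as (hypothetical file name):
#   sh check_locked.sh /usr/bin/* /root/.ssh/authorized_keys
if [ "$#" -gt 0 ]; then
    scan_paths "$@"
fi
```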