Tuesday, April 2, 2013

What you do when your server gets attacked

Recently, we had a bad episode of a server attack, where the attacker used our system for spamming email. When I got to know about it, I was working on fixing it, and then the next thing I noticed was that our system's root password had been stolen. That was shocking beyond belief! I took care of the root password recovery and closed down the network port. These are the things that happened:
1. Our host name was changed.
2. Many new programs appeared in the /etc area.
3. /etc/hosts, /etc/hosts.allow, /etc/hosts.deny and many other files had their permissions changed and were made executable.

The first thing that needs to be done is to recover the root password. In order to do that, follow our earlier blog post here:

Once the root password is recovered, go through the files under the /etc directory, check the executable file paths, and look for newly installed executables. Restore the /etc/hosts file and the /etc/sysconfig/network file (this is where the changed host name lives), then run /etc/rc.d/init.d/network restart to restart the network. Change the permissions of the /etc files that were made executable back to plain read-write mode; most of them are configuration files that should never be executable.
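An added example (not from the original post) that scripts the /etc audit described above: it lists files under a directory that carry any execute bit, lists files modified after a known-good reference timestamp, and strips execute bits from named config files. The reference-stamp path and the init.d/rc.d/cron exclusions are assumptions for this example.

```shell
#!/bin/sh
# Audit a config tree for the two signs described in the post: config files
# that have become executable, and files modified after a known-good point.

# List regular files under DIR that carry any execute bit. Plain config files
# under /etc should have none; init scripts and cron jobs are the expected
# exceptions, so those subtrees are excluded (assumed layout).
list_executable_files() {
    dir="$1"
    find "$dir" -type f \( -perm -u=x -o -perm -g=x -o -perm -o=x \) \
        ! -path "$dir/init.d/*" ! -path "$dir/rc.d/*" ! -path "$dir/cron.*/*" \
        | sort
}

# List regular files under DIR modified more recently than REF_FILE, e.g. a
# stamp file whose mtime marks the last known-good state of the machine.
list_modified_since() {
    dir="$1"
    ref="$2"
    find "$dir" -type f -newer "$ref" | sort
}

# Remove execute bits from the named files (the fix applied in the post to
# /etc/hosts, /etc/hosts.allow, /etc/hosts.deny ...). Prints how many
# files were actually changed; missing or already non-executable files skip.
clear_exec_bits() {
    changed=0
    for f in "$@"; do
        if [ -f "$f" ] && [ -x "$f" ]; then
            chmod a-x "$f" && changed=$((changed + 1))
        fi
    done
    echo "$changed"
}

# Usage on the real system (run as root; the stamp path is an assumption):
#   list_executable_files /etc
#   list_modified_since /etc /var/lib/last-known-good.stamp
#   clear_exec_bits /etc/hosts /etc/hosts.allow /etc/hosts.deny
```

Treat the output as a worklist to inspect, not as proof: a rootkit that replaces find or chmod would lie to this script, so compare against package manager checksums or a clean backup as well.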

Check your MySQL server as well. If its root password was stolen, recover it by doing the following:

a. Stop the mysqld server using /etc/init.d/mysql stop
b. mysqld_safe --skip-grant-tables & # This starts mysqld in safe mode, and it will NOT ask for the root password (while it runs, anyone who can reach the server logs in without a password, so keep this window short).
c. Log into mysql in passwordless mode: mysql -u root # You will be logged in without a password
d. Then change the root password for mysql using:
mysql> use mysql;
mysql> update user set password=PASSWORD("NEW-ROOT-PASSWORD") where User='root';
mysql> flush privileges;
mysql> quit
e. Then stop the mysqld_safe instance and start mysqld normally. The new root password is now in effect.
