
My Server got Hacked? - sshd root access?

by hannso, from LinuxQuestions.org (#6FDCN)
Dear all,
I am running out of ideas and need inspiration on how to track down my current security issue.

Why do I think that my server got hacked?

From time to time, when I execute this command

Code: sudo lsof -i -P -n | grep ssh
I get a connection as user root to some IP in China/US/xxx,
and I know that I am the only admin of that server.

Code: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 15373 root 3u IPv4 3237744941 0t0 TCP xx.xxx.211.184:23->110.85.99.146:35587 (ESTABLISHED)
The connection does not live for a long time and is reestablished once a minute or so.

What have I already tried?

- Moving ssh to port 23
- ufw is up and running
- checked sshd_config which is

Quote:
Port 23
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
PrintMotd no
Subsystem sftp /usr/lib/openssh/sftp-server
- checked the pid

Quote:
ps -Flww -p 15786
F S UID PID PPID C PRI NI ADDR SZ WCHAN RSS PSR STIME TTY TIME CMD
4 S root 15786 15714 0 80 0 - 18076 - 5692 1 17:08 ? 00:00:00 sshd: [accepted]
- checked its status via cat /proc/<pid>/status
Quote:
cat /proc/16022/status
Name: sshd
Umask: 0022
State: S (sleeping)
Tgid: 16022
Ngid: 0
Pid: 16022
PPid: 15714
TracerPid: 0
Uid: 0 0 0 0
Gid: 0 0 0 0
FDSize: 64
Groups:
NStgid: 16022
NSpid: 16022
NSpgid: 16022
NSsid: 16022
VmPeak: 72336 kB
VmSize: 72304 kB
VmLck: 0 kB
VmPin: 0 kB
VmHWM: 5716 kB
VmRSS: 5716 kB
RssAnon: 732 kB
RssFile: 4984 kB
RssShmem: 0 kB
VmData: 760 kB
VmStk: 132 kB
VmExe: 756 kB
VmLib: 8964 kB
VmPTE: 180 kB
VmSwap: 0 kB
HugetlbPages: 0 kB
CoreDumping: 0
Threads: 1
SigQ: 0/15277
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000000001000
SigCgt: 0000000180002000
CapInh: 0000000000000000
CapPrm: 0000003fffffffff
CapEff: 0000003fffffffff
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
NoNewPrivs: 0
Seccomp: 0
Speculation_Store_Bypass: thread vulnerable
Cpus_allowed: 3
Cpus_allowed_list: 0-1
Mems_allowed: 00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001
Mems_allowed_list: 0
voluntary_ctxt_switches: 1
nonvoluntary_ctxt_switches: 0
- installed and ran rkhunter

What I could not check

I don't know if a Docker container was hacked and this sshd is running in there.

Thank you very much for your ideas!
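A defender-side triage script, added here as an example and not part of the original post: it parses `ps -Flww` rows and `/proc/<pid>/status` text of the kind quoted above and labels each sshd process as a pre-authentication child of the listener, an authenticated user session, or a process whose parent is not the listener. The sample rows, the user name "alice" and the choice of PID 15714 as the listener are assumptions, not data from the post; the process-title patterns are OpenSSH's own conventions.

```python
import re

# Constructed rows modelled on the ps -Flww and /proc/<pid>/status output in the post;
# treating PID 15714 as the sshd listener is an assumption (both children report it as PPid).
LISTENER_PID = 15714
PS_LINES = [
    "4 S root 15786 15714 0 80 0 - 18076 - 5692 1 17:08 ? 00:00:00 sshd: [accepted]",
    "4 S root 16101 15714 0 80 0 - 18076 - 5692 1 17:09 ? 00:00:00 sshd: alice [priv]",
    "4 S root 16230 1 0 80 0 - 18076 - 5692 1 17:09 ? 00:00:00 sshd: [accepted]",
]
STATUS_16022 = "Name:\tsshd\nState:\tS (sleeping)\nPid:\t16022\nPPid:\t15714\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n"
# OpenSSH process titles: "[accepted]" and "[net]" are pre-authentication
# children; "USER [priv]" and "USER@pts/N" belong to an authenticated session.
TITLE_RE = re.compile(r"^sshd: (?:\[(?P<phase>accepted|net)\]|(?P<user>[^\s@]+)(?: \[priv\]|@\S+))$")

def parse_ps_line(line):
    """Split one `ps -Flww` row (17 columns; CMD is last and may contain spaces)."""
    parts = line.split(None, 16)
    return {"user": parts[2], "pid": int(parts[3]), "ppid": int(parts[4]), "cmd": parts[16]}

def parse_status(text):
    """Parse /proc/<pid>/status into {key: [values]}; Uid/Gid carry four values."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.split()
    return fields

def triage(proc, listener_pid=LISTENER_PID):
    """Label an sshd process: pre-auth child, user session, or unexpected parent."""
    m = TITLE_RE.match(proc["cmd"])
    if m is None:
        return "unrecognised"
    if m.group("user"):
        return f"session:{m.group('user')}"  # a real login; confirm it is yours
    if m.group("phase") == "accepted" and proc["ppid"] != listener_pid:
        return "unexpected-parent"  # [accepted] children are forked by the listener
    return f"preauth:{m.group('phase')}"  # nobody has authenticated on this one yet

def status_matches_preauth_child(fields, listener_pid=LISTENER_PID):
    """True when /proc status shows a root sshd whose parent is the listener."""
    return (fields.get("Name") == ["sshd"] and fields.get("Uid") == ["0"] * 4
            and fields.get("PPid") == [str(listener_pid)])

def summarise(lines, listener_pid=LISTENER_PID):
    """Count verdicts over a batch of ps rows so repeated pre-auth noise stands out."""
    counts = {}
    for line in lines:
        verdict = triage(parse_ps_line(line), listener_pid)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts
```

Short-lived root `sshd: [accepted]` children whose PPid is the listener are the pre-authentication stage of an inbound connection; a title carrying a user name, or an `[accepted]` child with a different parent, is what merits a closer look.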