> Hi, I changed my password last night on the VPS, and I'm still getting hacked.

So you say you already changed your password, but after that the attackers were still able to access the system using your account? Then you have to assume that the attackers have root access (as they can see your new password), which means you have to assume they have copies of all the data on this machine. You should also assume that they have completely penetrated this installation.
> They succeeded, I guess. Do you know how to disable pts?

You don't know what /dev/pts/... is? I'm not sure you should be administering a FreeBSD system that is being attacked in that case.
> Make a key and upload it and change my passwords? Or change my password and then upload my key?

None of the above. I would do two things: (a) make copies of any data on this system that you want to keep. (b) Nuke it, and install a new system.
> Had to delete his folder by hand. Something else too, but I forgot what that was.

So you also suspect that hackers have become root on this system, and then all you do is delete a folder by hand? And then you forget what you did?
> I used to think changing ports made SSH all better until I got to Linode. Welcome to defensive computing.

Linode has a reputation for attracting a lot of bad hackers, and other criminal elements. That's because they are an inexpensive and only minimally supervised hosting provider. My advice would be: after nuking this system, set up a new one somewhere else.
> Get the attacker IP, try and hit back with a massive coordinated packet flood.

Fun, but a waste of time. Your attacks will be ignored. Simply accept as a fact of life that hackers exist, more in some places than in others. Punishing them after the fact is pointless.
> I never heard of locking an account. How to, and what "necessary files"?

If you don't know how to manage accounts on a BSD system, you should not be administering one that is under attack. I would start by reading a good book about Unix in general, and FreeBSD in particular.
> Hi, I changed my password last night on the VPS, and I'm still getting hacked. Changed my sshd port too. Plus what is pts?

> I would do two things: (a) make copies of any data on this system that you want to keep. (b) Nuke it, and install a new system.

That's probably the best piece of advice you are going to get. I would add:

PasswordAuthentication no
ChallengeResponseAuthentication no
service sshd restart

As others already stated: make ssh key auth only.
The screenshot is what I'm talking about. I haven't logged in to this Linode for a few days. It wasn't me.
> I think the image you provided has some great clues.
> It shows the VM booted up on Tuesday Mar 8th at 16:01:38.
> At 16:02:14 you had a login attempt that failed.
> #1) Did you reboot or start the VM at this time?
> #2) The failed login attempt offers an interesting clue.
> ############cpe.net.cable.rogers.net
> A very long IP with a suffix that is identifiable.
> You are from Canada and Rogers is a Canadian carrier.
> So is this you on Mar 8th at 16:02:14 with a failed login attempt?
> The time seems somewhat tight for a human with the lag.
> I worry that perhaps your home router or wifi router could be hacked.
> This could be a local vector, not some hacker picking on Linode users.
> Interesting too that it took 3 days for the hacking to really start.
> I would expect to see more on the command line for errors if hacking in that period.
> So look at /var/log/messages to see what user rebooted the VM machine on Mar 8th.
> Especially if it wasn't you with a failed login attempt.
> I would treat all your wireless connections at home as possibly tainted. (Unless the reboot and failed login was you.)

Not sure if I used it at that time. The .history log was short and not like my other Linode. The commands were building a jail, and that's what I'm doing for my NJ Linode. I could have messed up which Linode I was using. They have different passwords. So I'm going to use keys anyway.
/usr/bin/sockstat -46l
to list active listening sockets, which will also include an entry for each remotely (or locally) connected IP address.

> Mar 10 01:56:35 su paul to root
>
> But then the actual attack.
>
> Mar 11 02:25:15 sshd error: Fssh_kex_exachange_identification: banner line contains invalid characters
>
> The last line is the most concerning. It appears he got root.

And at that point, all reasoning about what Paul's password or ssh keys or flying purple elephants are, and whether he's using su, sudo, doas, etc. becomes irrelevant: if the person becoming root was an intruder, we have to assume that they changed all that. This is why debugging this installation is no longer useful, unless one wants to do forensics.
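A small triage script that follows the reasoning in this thread, added here as an example and not code posted by anyone in it: it walks syslog-style lines for failed logins, su-to-root events and sshd errors, and counts everything logged after the first escalation to root as untrusted evidence, since an intruder holding root can alter later entries. The sample lines are constructed to mimic the excerpts quoted above; the host name, PIDs and source address are placeholders.

```python
import re
# Constructed sample log in FreeBSD syslog style, modelled on the excerpts quoted in
# the thread (the "paul to root" su line and the sshd banner error). Host name, PIDs
# and the source address are invented placeholders, not data from any real machine.
SAMPLE_LOG = """\
Mar  8 16:02:14 vps sshd[1201]: Failed password for paul from 203.0.113.10 port 51234 ssh2
Mar 10 01:56:35 vps su[2345]: paul to root on /dev/pts/0
Mar 11 02:25:15 vps sshd[3456]: error: Fssh_kex_exchange_identification: banner line contains invalid characters
"""
# syslog prefix "Mon DD HH:MM:SS host prog[pid]: message" (the year is not logged)
LINE = re.compile(r'^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ (?P<prog>\w+)(?:\[\d+\])?: (?P<msg>.*)$')
FAILED = re.compile(r'^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)')
SU_ROOT = re.compile(r'^(?P<user>\S+) to root(?: on (?P<tty>\S+))?')
SSHD_ERR = re.compile(r'^error: (?P<detail>.*)$')


def parse_events(log_text):
    """Turn raw lines into events in log order; lines we do not recognise are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, prog, msg = m['ts'], m['prog'], m['msg']
        if prog == 'sshd' and (f := FAILED.match(msg)):
            events.append({'ts': ts, 'kind': 'failed_login', 'user': f['user'], 'src': f['src']})
        elif prog == 'sshd' and (e := SSHD_ERR.match(msg)):
            events.append({'ts': ts, 'kind': 'sshd_error', 'detail': e['detail']})
        elif prog == 'su' and (s := SU_ROOT.match(msg)):
            events.append({'ts': ts, 'kind': 'root_escalation', 'user': s['user'], 'tty': s['tty']})
    return events


def trust_cutoff(events):
    """Index of the first escalation to root, or None if the log shows none."""
    for i, ev in enumerate(events):
        if ev['kind'] == 'root_escalation':
            return i
    return None


def summarize(log_text):
    """Group the evidence; entries after the first root escalation are counted as untrusted."""
    events = parse_events(log_text)
    cut = trust_cutoff(events)
    return {
        'failed_logins': [(e['ts'], e['user'], e['src']) for e in events if e['kind'] == 'failed_login'],
        'root_escalations': [(e['ts'], e['user'], e['tty']) for e in events if e['kind'] == 'root_escalation'],
        'sshd_errors': [(e['ts'], e['detail']) for e in events if e['kind'] == 'sshd_error'],
        'first_root_at': None if cut is None else events[cut]['ts'],
        'untrusted_events': 0 if cut is None else len(events) - cut - 1,
    }
```

Point it at a copy of /var/log/auth.log taken from the machine before it is nuked; the `untrusted_events` count is the part of the log that cannot be relied on for further debugging.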