
Has my server been hacked?  How do I get it back?

Last Modified: 2010-04-21
Hi everyone!  In the midst of a ginormous crisis here, hoping someone can help.

A couple of months ago I was put in charge of a LAMP-driven website hosted on a dedicated server at OVH.  Right from the start, I noticed numerous attempts (in the http error logs) to log in to the system using various different passwords so I installed fail2ban but didn't really know what else I could do aside from that.

Well, a couple of days ago the situation took a drastic turn for the worse, with thousands of attempts to access various files on the system and log in with bizarre user names resembling URLs, and so forth.  The site crashed a bunch of times, I updated fail2ban, but every time I added a rule, some new syntax popped up in the HTTP error logs.

Finally, I tried to access the site a couple of hours ago and a window popped up asking me for a username and password!  When I tried to close the window I got a 401 error message.  How could this happen?  I was still able to log on to the machine with PuTTY and noticed all kinds of weird processes and also a bunch of files which had seemingly just been deposited on the machine all at once (but apparently 0 bytes in size - don't know if this is relevant).  I tried to kill the processes but more sprang up in their place (some referring to "agetty" - don't know what this is) and was unable to delete any of the files.  In a state of panic, I attempted to change the root password, and it seemed to work, only I seem to be able to log in using the old password as well!

What is going on?!  And what, if anything, can I do to get the site back?
This problem has been solved!