View All Products
Compute
Storage
Networking
Databases
Services
Developer Tools
Industries
Pricing
Community
Engage With Us
Community Questions Looks like my linode was hacked in February
Log in to Ask a Question

Looks like my linode was hacked in February

general

In the course of upgrading my site for Google Premium, I found I had been hacked in February of this year. I block all incoming ports except 22 for ssh, 25 for mail, 80 and 443 using an iptables script. Since Google will handle my email now, I could close incoming port 25 in the script and I set out to do so.

I immediately noticed that my iptables shell script had a modify date of Feb 21, 2007. This seemed odd, I didn't remember editing that for a few years. Hmmm. Looking into my script, now there were additionally ports 110, 143 and 995 unblocked, and the following line at the bottom of the script:

iptables -I INPUT -s 194.72.238.62 -j DROP

which traceroute points to the UK.

How they got in I don't know. I've corrected the script and changed all passwords. You might want to check your iptables start scripts.

James

5 Replies

If you feel that you've been hacked, you shouldn't trust anything on your system anymore. Better to format and restore files from backups than it is to just patch a firewall hole.

As far as how they got in, 194.72.238.62 is known for trying to break in through Apache vulnerabilities. http://www.howtoforge.com/forums/showthread.php?t=13774

@jax:

Better to format and restore files from backups than it is to just patch a firewall hole.

In progress.

James

I find this a little strange… if someone hacks a computer they invariably put it to work - serving warez, sending spam etc. From your post it looks like they just opened some ports? Or were there more signs of intrusion/abuse?

A quick lookup on the host that was blocked indicates its one of netcraft's servers- they gather statistics on active web servers, and probably also check for vulnerabilities for their own mostly benign purposes…

If that IP did hack you, it wouldn't be very logical to then block themselves out of your machine, would it? This sounds more like a case of late night drunken configuration changes, or just doing things in the wrong terminal window…

But of course, if you're in any doubt as to the security of your system, a rebuild is always the best way to go…

I think TehDan may be right. Are you sure you weren't experimenting with running a POP/IMAP mailserver at one point? I think all those ports are mail ports.

And it makes no sense that a cracker would add a drop rule to iptables.

I watch the box a good bit and saw no excessive cpu or

network usage, so I don't know that it was put to use.

My guess on the block was so that the script kiddie next

door couldn't use it post-brag.

James

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Log in to Reply
Community Code of Conduct