Recovering from a man-in-the-middle attack?

I just noticed that my svnserver was down, so I tried to log in to my linode and start it back up. While doing so I got the fancy DNS spoofing warning from ssh. I somehow thought this was just because I had reinstalled linux on my local desktop machine (but in hindsight that couldn't be why because I had connected successfully since the installation). However, my password was not accepted. In desperation I foolishly tried to log in as root, but to no avail. At that point I decided something was wrong, so I shutdown my linode via the dashboard and changed the root password. However, after rebooting the linode, I still cannot log on via ssh, though I can still ping my linode.

How can I tell if I have actually been attacked? And if that is the case, how do I recover from it?

6 Replies

If you've already connected to your Linode so it's in your known_hosts file, I'm pretty sure SSH won't connect if the key changes until after you remove the entry from the known_hosts file. As for the password changing weirdness, are you sure you haven't disabled password logins? Try connecting to Lish (look under the console tab in the Linode Manager) and see if you can get in that way. If you can, check /etc/ssh/sshd_config for PasswordAuthentication. If it's set to no then that's why you can't get in.

James
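The check James describes (what sshd will actually use for PasswordAuthentication) is easy to get wrong by eye, because sshd takes the first occurrence of a directive, ignores later duplicates, and treats anything under a Match block as conditional. This is an added example, not code from the thread; the config it reads is constructed inline, and the defaults passed in (PasswordAuthentication yes, PubkeyAuthentication yes, PermitRootLogin prohibit-password on current OpenSSH, older releases defaulted to yes) are stated assumptions, so adjust them for your release.

```shell
#!/bin/sh
# Print the value sshd will use for a directive: first match wins,
# keywords are case-insensitive, "Keyword=value" is accepted, and the
# scan stops at the first Match block (those lines are conditional).
effective_sshd_option() {
    # $1 = path to sshd_config, $2 = keyword, $3 = default when unset
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }            # comment / blank
        { if (index($1, "=")) { split($1, kv, "="); $1 = kv[1]; $2 = kv[2] }
          else if ($2 == "=") { $2 = $3 } }              # Keyword = value
        tolower($1) == "match" { exit }                  # conditional section
        tolower($1) == key { print $2; found = 1; exit } # first occurrence wins
        END { if (!found) print def }                    # built-in default
    ' "$1"
}

# Report the three directives that decide whether a stolen password alone
# is enough to log in. Defaults here are assumptions; check your release.
audit_sshd_config() {
    for spec in PasswordAuthentication:yes PermitRootLogin:prohibit-password PubkeyAuthentication:yes; do
        kw=${spec%%:*}; def=${spec#*:}
        printf '%s=%s\n' "$kw" "$(effective_sshd_option "$1" "$kw" "$def")"
    done
}

# Constructed sample: the first PasswordAuthentication line is the one that
# applies; the later "yes" and the one under Match do not change the global value.
SAMPLE_SSHD_CONFIG=$(cat <<'EOF'
# sample sshd_config (constructed for this example)
Port 22
PasswordAuthentication no
PubkeyAuthentication=yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
)
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config`; a result of `PasswordAuthentication=no` explains a rejected password without any compromise being involved.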

I'll check, but I just logged in successfully last night. I haven't changed config files on the linode in months.

@inkleined:

How can I tell if I have actually been attacked? And if that is the case, how do I recover from it?

Your root password has been changed, what more do you want? Simple, re-install, use backups of data to re-instate your losses.

This time, use some basic security when setting stuff up. Limit ranges to your ISP network subnet, use pubkey auth ONLY!, limit login to your user and give it no privileges so that you have to use sudo, use sudo su - to get a root prompt, and use TMOUT in your .bashrc to ensure that your user is auto-logged out if the linode account gets compromised. Hell, look into setting root's shell as /bin/false; if you have to set up a recovery, edit your /etc/passwd file after booting into finnix. Compromising a system isn't hard, the point is to delay the person as much as possible.

A temporary idea would be to temporarily purchase a doubled linode for the larger hard drive and then mount it in the new linode and pull data only! Don't trust your binaries into the new one. Buy another linode that matches your current one, re-set up and put the old data back in your linode, and then drop the other two linodes.

sudo su -? What's wrong with sudo -i?

@danellis:

sudo su -? What's wrong with sudo -i?

Either one works, just less typing involved.

Have you checked your logs?

Maybe your node fell afoul of this http://www.linode.com/forums/viewtopic.php?t=3679.
