Hi, I have a MUD running on a very old RedHat server (RH 5.2), for which I do *not* have root. Several months ago, I noticed we had been hacked. There were multiple suspicious connections and I found files buried in several hidden directories. I notified the ISP and deleted what I could, changed passwords, etc. Since then I've been watching closely. It's about all I can do since the ISP would rather just decommission the server than deal with a hacker. I kept deleting the files they uploaded, and eventually they gave up. However, now I see something suspicious and I'm not entirely sure if it is the hacker. Here is the suspicious process:

root 14640 1.6 0.6 1356 788 ? S 23:40 0:00 ftpd: 124.161.97.124: connected: USER Administrator

I traced the IP address to China. The server is in Denver, USA so I think it's unlikely that an address in China should be connected. I've searched all the directories for which I have read permission for any new files and found nothing. What exactly is being accomplished with this process? Should I be concerned? Thanks
It's obviously not what you want to hear but it'd definitely be worth coming up with a plan to upgrade or replace that server. Redhat 5.2 has been end-of-life for a good while now and I assume you're never going to really be able to secure it. I'm guessing one day you'll wake up to find that the ISP has pulled the plug on it. It could be that the IP in China doesn't have access and is running some kind of brute force password guessing. If that's the case it's probably only a matter of time. Matt
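The process line in the question shows a remote peer in the USER stage of an FTP login; a single snapshot cannot tell you whether the PASS that follows succeeded, but repeated snapshots can show the pattern Matt describes (one source address cycling through usernames). The script below is an added example, not code from either poster: it parses `ps aux` rows in the exact title format quoted in the thread (`ftpd: <ip>: connected: USER <name>`), counts distinct PIDs per source address so a long-lived session is not double-counted, and flags addresses that open many sessions, try several usernames, or present account names that do not exist on a Linux MUD host. The snapshots and the probe-username list are constructed for illustration; the first row is the one from the question, the rest are invented. It needs no root, which matches the original poster's situation.

```python
import re
from collections import defaultdict

# A `ps aux` row whose command field is the ftpd login title quoted in the thread.
# Only owner, PID, peer IP and the presented username are captured; the CPU/MEM/TTY
# columns in between are skipped with a lazy wildcard.
FTPD_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<pid>\d+)\s+.*?"
    r"ftpd:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\s+connected:\s+USER\s+(?P<user>\S+)\s*$"
)

# Assumed list of names that have no business arriving over FTP on a Linux MUD box.
# "Administrator" is a Windows default account; a peer trying it is guessing, not logging in.
PROBE_USERS = {"administrator", "admin", "root", "test", "guest", "oracle", "ftp"}

# Constructed sample: three `ps aux` snapshots taken a minute apart. The first ftpd row
# is the one from the question; everything else is invented to show the pattern.
SNAP_1 = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 14640 1.6 0.6 1356 788 ? S 23:40 0:00 ftpd: 124.161.97.124: connected: USER Administrator
nobody 14200 0.0 0.2 1100 400 ? S 22:10 0:00 httpd
"""
SNAP_2 = """\
root 14640 0.2 0.6 1356 788 ? S 23:40 0:00 ftpd: 124.161.97.124: connected: USER Administrator
root 14655 1.2 0.6 1356 788 ? S 23:41 0:00 ftpd: 124.161.97.124: connected: USER admin
"""
SNAP_3 = """\
root 14670 1.0 0.6 1356 788 ? S 23:42 0:00 ftpd: 124.161.97.124: connected: USER root
root 14671 0.9 0.6 1356 788 ? S 23:42 0:00 ftpd: 10.0.0.5: connected: USER mudadmin
"""
SAMPLE_SNAPSHOTS = [SNAP_1, SNAP_2, SNAP_3]


def parse_ps_line(line):
    """Return {'owner','pid','ip','user'} for an ftpd login row, or None for any other row."""
    m = FTPD_RE.match(line)
    if m is None:
        return None
    return {
        "owner": m.group("owner"),
        "pid": int(m.group("pid")),
        "ip": m.group("ip"),
        "user": m.group("user"),
    }


def summarize(snapshots, session_threshold=3):
    """Aggregate ftpd login rows across snapshots.

    Returns {ip: {'pids': set, 'users': set, 'flags': [...]}}. Sessions are counted by
    distinct PID, so the same open connection seen in two snapshots counts once.
    """
    per_ip = defaultdict(lambda: {"pids": set(), "users": set(), "flags": []})
    for snap in snapshots:
        for line in snap.splitlines():
            hit = parse_ps_line(line)
            if hit is None:
                continue
            rec = per_ip[hit["ip"]]
            rec["pids"].add(hit["pid"])
            rec["users"].add(hit["user"])
    for rec in per_ip.values():
        if len(rec["pids"]) >= session_threshold:
            rec["flags"].append("repeated-sessions")
        if len(rec["users"]) > 1:
            rec["flags"].append("multiple-usernames")
        if {u.lower() for u in rec["users"]} & PROBE_USERS:
            rec["flags"].append("probe-username")
    return dict(per_ip)


def report(summary):
    """One human-readable line per source address, flagged ones first."""
    lines = []
    for ip, rec in sorted(summary.items(), key=lambda kv: (not kv[1]["flags"], kv[0])):
        status = "SUSPICIOUS" if rec["flags"] else "ok"
        lines.append(
            f"{ip}: {len(rec['pids'])} session(s), users={sorted(rec['users'])}, "
            f"{status} {','.join(rec['flags'])}".rstrip()
        )
    return lines


if __name__ == "__main__":
    for row in report(summarize(SAMPLE_SNAPSHOTS)):
        print(row)
```

Run against live data by piping `ps aux` into a file every minute from cron (no root needed for that) and feeding the collected files to `summarize`. The threshold of three distinct sessions is arbitrary; what matters is that the same address keeps coming back with a different name each time.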
Wait a minute. Are you saying that Red Hat Enterprise Linux, Version 5 is old? What! Oh man, I hope not. That's not what the people I purchased my server from said.
Did you reinstall the server? If not: FAIL. Hacked server = gather forensics evidence (keep all data), and reinstall the server. There is no other way to go. A hacked server has to be reinstalled as you have no way to be sure it's been cleaned.
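"Gather forensics evidence" means recording what is on the disk before anything is deleted or the box is reinstalled; the original poster's habit of deleting uploaded files as they appeared destroyed exactly that record. The script below is an added example, not code from any poster: it walks a directory tree read-only and writes a manifest with, for every regular file, the relative path, size, mode, owner uid, mtime, ctime and a SHA-256 digest, then flags what the poster described (files under hidden directories) plus setuid and world-writable files. ctime is recorded alongside mtime because `touch` can forge mtime but not ctime, which the kernel updates on any inode change. Files that cannot be read (the poster has no root) are recorded with a null digest rather than aborting. `demo()` builds a throwaway tree of constructed files to show the output; nothing in it comes from the thread.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Record every regular file under root without modifying anything.

    lstat is used so symlinks are recorded as themselves and never followed; sockets,
    devices and directories are skipped. Unreadable files get sha256=None.
    """
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            try:
                digest = hash_file(full)
            except OSError:
                digest = None  # no read permission; note the fact, keep going
            entries.append({
                "path": os.path.relpath(full, root),
                "size": st.st_size,
                "mode": st.st_mode,      # raw mode bits; oct(mode) for display
                "uid": st.st_uid,
                "mtime": st.st_mtime,
                "ctime": st.st_ctime,    # not settable by touch, unlike mtime
                "sha256": digest,
            })
    entries.sort(key=lambda e: e["path"])
    return entries


def flag_entries(entries):
    """Return {path: [reasons]} for files an investigator should look at first."""
    flagged = {}
    for e in entries:
        reasons = []
        if any(part.startswith(".") for part in e["path"].split(os.sep)):
            reasons.append("hidden-path")
        if e["mode"] & stat.S_ISUID:
            reasons.append("setuid")
        if e["mode"] & stat.S_IWOTH:
            reasons.append("world-writable")
        if e["sha256"] is None:
            reasons.append("unreadable")
        if reasons:
            flagged[e["path"]] = reasons
    return flagged


def write_manifest(entries, out_path):
    """Write the manifest as JSON and return the digest of the manifest file itself,
    so the evidence record can be shown not to have changed afterwards."""
    with open(out_path, "w") as f:
        json.dump(entries, f, indent=1, sort_keys=True)
    return hash_file(out_path)


def demo():
    """Constructed sample tree (not from the thread): one normal file and one
    world-writable file buried in a hidden directory. Returns (entries, flagged)."""
    root = tempfile.mkdtemp(prefix="evidence-demo-")
    try:
        os.makedirs(os.path.join(root, "public"))
        os.makedirs(os.path.join(root, ".cache", ".x"))
        with open(os.path.join(root, "public", "readme.txt"), "wb") as f:
            f.write(b"legitimate MUD notes\n")
        payload = os.path.join(root, ".cache", ".x", "scan")
        with open(payload, "wb") as f:
            f.write(b"#!/bin/sh\necho constructed sample payload\n")
        os.chmod(payload, 0o777)  # world-writable, as dropped tools often are
        entries = build_manifest(root)
        write_manifest(entries, os.path.join(tempfile.gettempdir(), "evidence-demo.json"))
        return entries, flag_entries(entries)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, reasons in demo()[1].items():
        print(path, reasons)
```

Write the manifest to a location the attacker cannot reach (another machine, or at minimum a copy e-mailed off the box) and keep the hashed copies of the suspicious files themselves; deleting them leaves nothing for the ISP or anyone else to examine.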