
Warning about hacking Debian-systems

It was probably not only me who got hacked. Anyone who administers a Debian-like system, please take note.

It all started with emails saying that I had run out of space on the server. All 1.5TB of it. While I was trying to understand what had happened and what exactly had filled my mail.log and other files with so many records, messages from my MTA began arriving on my phone saying that it had become impossible to accept incoming mail. Then I received an email saying that my server was taking part in a spam mailing. Since I was in a shop at the time and only had a phone in my hands, all I managed to do was:

Install good old John:
aptitude install john

Run a simple brute force against the password hashes:
john /etc/shadow

Oh God! It reported that I have a user "spam" with the password sp4m.

It is clear what I did next:
passwd -l spam
grep SASL /var/log/mail.log
Jun 12 16:26:15 gw postfix/smtpd[26608]: warning: unknown[41.138.185.5]: SASL LOGIN authentication failed: authentication failure

I pulled out the address 41.138.185.5 and blocked it with iptables.
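One way to do the mail.log triage described above more systematically (an added example, not the author's commands): parse Postfix smtpd lines, count SASL failures per client address, pair them with the sasl_username of any later successful login from the same address, and print the iptables rules for an admin to review. Apart from the line quoted in the post, the log lines are constructed; the regexes assume the standard Postfix smtpd log format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (Postfix smtpd format). The first line is the one
# quoted in the post; the remaining lines are made up for this example.
SAMPLE_LOG = """\
Jun 12 16:26:15 gw postfix/smtpd[26608]: warning: unknown[41.138.185.5]: SASL LOGIN authentication failed: authentication failure
Jun 12 16:26:17 gw postfix/smtpd[26608]: warning: unknown[41.138.185.5]: SASL LOGIN authentication failed: authentication failure
Jun 12 16:26:20 gw postfix/smtpd[26608]: warning: unknown[41.138.185.5]: SASL LOGIN authentication failed: authentication failure
Jun 12 16:27:01 gw postfix/smtpd[26610]: 3F2A1C0B2: client=unknown[41.138.185.5], sasl_method=LOGIN, sasl_username=spam
Jun 12 16:30:44 gw postfix/smtpd[26612]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Jun 12 16:31:02 gw postfix/smtpd[26613]: 3F2A1C0B3: client=mail.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
"""

# Failed SASL attempt: "warning: <host>[<ip>]: SASL <method> authentication failed"
FAIL_RE = re.compile(r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed")
# Successful SASL login: "client=<host>[<ip>], sasl_method=<m>, sasl_username=<user>"
OK_RE = re.compile(r"client=\S+\[(?P<ip>[\d.]+)\], sasl_method=\w+, sasl_username=(?P<user>\S+)")


def analyze_sasl(log_text):
    """Return (failure count per IP, {ip: set of usernames} for successful logins)."""
    failures = Counter()
    successes = defaultdict(set)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
            continue
        m = OK_RE.search(line)
        if m:
            successes[m.group("ip")].add(m.group("user"))
    return failures, successes


def suspicious_ips(log_text, min_failures=3):
    """IPs that failed repeatedly and then authenticated (brute force followed by
    success), mapped to the accounts they got in with."""
    failures, successes = analyze_sasl(log_text)
    return {ip: sorted(successes[ip]) for ip, n in failures.items()
            if n >= min_failures and ip in successes}


def block_rules(ips):
    """iptables commands for the admin to review; nothing is executed here."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in sorted(ips)]


if __name__ == "__main__":
    hits = suspicious_ips(SAMPLE_LOG)
    for ip, users in hits.items():
        print(ip, "brute-forced SASL, then logged in as", ", ".join(users))
    print("\n".join(block_rules(hits)))
```

Beyond blocking the address, the sasl_username it succeeded with tells you which account to lock (here the "spam" user) and which password hashes to audit.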

Then I updated (aptitude update; aptitude full-upgrade) to squeeze.

And now I am sitting and wondering who planted this infection on me. Adding a user required full root access. And, judging by the date of /etc/passwd, it was June 8, 2010, that is, almost a week before the spam was sent. I did not receive any notifications about a remote root vulnerability; a mystery, and nothing more.

Source: https://habr.com/ru/post/96408/
