
#1 2016-04-17 14:41:43

Arch-Hoochie
Member
Registered: 2014-09-23
Posts: 75

[Solved] Server hacked? I think lost access to root

Following on from https://bbs.archlinux.org/viewtopic.php?id=211464, where I lost control of phpMyAdmin. I now seem to be unable to log in as root, and a user that I never created has appeared with full privileges in my MySQL user list.

I executed "sudo passwd root" and reset the password, which did not error, but I still cannot access root.

I am wondering if I should just back everything up, reformat the server and start over. Any advice?

Last edited by Arch-Hoochie (2016-04-18 07:37:17)


#2 2016-04-17 14:53:50

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,529

Re: [Solved] Server hacked? I think lost access to root

Arch-Hoochie wrote:

I executed "sudo passwd root" and reset the password which did not error but I still can not access root.

This doesn't make sense.  What do you mean you cannot access root?  What have you tried?  What error messages do you get?

Do you just try logging in on a tty as root?  Do you get a bad password error?  Or something else?

Have you tried `su`?  What are the results?

If you really do have sudo access still, you should be able to use `sudo -i` if nothing else.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman


#3 2016-04-17 15:00:49

Arch-Hoochie
Member
Registered: 2014-09-23
Posts: 75

Re: [Solved] Server hacked? I think lost access to root

I cannot log in as root via ssh.

I ran "sudo passwd root" as my super user and entered a "new password". I logged out, tried to log in as root, and got "Access Denied".

Okay, entering "sudo -i" swaps me to root. Thanks, I didn't know that command :)

But why can't I log in with the password?

Offline

#4 2016-04-17 15:09:02

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,559

Re: [Solved] Server hacked? I think lost access to root

You had ssh set to allow root logins with a password? That's bad security practice. Check to see if it's still set that way.


#5 2016-04-17 17:40:59

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597

Re: [Solved] Server hacked? I think lost access to root

If you can connect via ssh, and if you setup your user in the sudo (wheel or whatever) group, just do the following to reset your root password:

% sudo su
# passwd

If you suspect that your system has been compromised, nuking it from orbit (i.e. from live media) and restoring is highly recommended.  You probably want to keep a copy of the affected system for forensic analysis, to see how it was hacked and avoid it on the rebuild.


CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs


#6 2016-04-17 18:28:08

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,362

Re: [Solved] Server hacked? I think lost access to root

Are you sure phrak isn't getting hacked?


I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.


#7 2016-04-17 19:08:14

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,529

Re: [Solved] Server hacked? I think lost access to root

"Access Denied" is not "Incorrect Password".  So it sounds like you had good ssh settings to start with (not allowing root login).  Unless we are missing something, I see no evidence that anything was "hacked" - there might be evidence of this, but it is not seen here.  It sounds like something just went wrong in your phpMyAdmin set up.  If this was the php5 upgrade there were a number of changes - or if it were any other upgrade there still may have been important pacnew files that need to be merged.

One should always be on the lookout for security issues, but it seems in the vast majority of posts where users think they were "hacked" they really just borked their own configuration by not properly following the documentation.



#8 2016-04-17 20:28:30

Arch-Hoochie
Member
Registered: 2014-09-23
Posts: 75

Re: [Solved] Server hacked? I think lost access to root

Thank you all for the replies.

I may indeed have disabled ssh root login; reviewing things, I believe I did :( Oops, false alarm on that bit, my bad.

phrak? Can you elaborate?

"Access Denied" is not "Incorrect Password".

They are the same on my setup. I just tested it to make sure before I said anything: if I put the wrong password in I get "Access Denied", not "Incorrect Password".

Moving forward with what I have learned, I have checked the terminal history for all users. Nothing appears to have been done via the terminal, or they have removed the terminal history (might be slightly paranoid thinking).

So here is what I know.

phpMyAdmin stopped working. On investigation, rewriting the password allowed me to run a repair and re-enter phpMyAdmin. Why do I think someone tried to hack me? Because a user called "monty" has been added to phpMyAdmin and several databases have been messed with. It appears that "monty" has been trying to rewrite the super user for some of the databases, and attempted to remove data and then re-add it, but since it's set to not allow that he has just trashed the user logins.

I would put this down to a server hiccup, but since "monty" appeared in the phpMyAdmin users I don't think it is. This all seemed to take place last Wednesday, so he either got bored and moved on, or ran out of time and might come back later. This still leaves me with the question of how he did it. If it wasn't through a user account, then rebuilding the server doesn't really do any good, because for all I know he could do it again any minute he chooses. Does anyone know a way to harden phpMyAdmin? Or should I disable browser access to it when I am not using it?

Thanks for the feedback.


#9 2016-04-17 20:43:21

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: [Solved] Server hacked? I think lost access to root

Arch-Hoochie wrote:

phrak ? Can you elaborate

https://bbs.archlinux.org/viewtopic.php?id=12192


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)


#10 2016-04-17 21:03:29

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,529

Re: [Solved] Server hacked? I think lost access to root

Arch-Hoochie wrote:

"Access Denied" is not "Incorrect Password".

They are the same on my setup.

No, they are still different.  It doesn't even try to validate the password as you are not allowed to attempt to log in as root.  Disabling root login but still providing an attacker feedback on whether they got the password right would be ridiculous.

Access is denied for the root account, so what you enter in the password field is irrelevant.  So getting an access denial does not indicate (as you suspected) that your password was wrong, as these are two different error messages.

As for the rest, I'm not familiar with phpMyAdmin.  The whole concept seems like a bad idea to me.  But it sounds like they likely got access via that web interface and created a database user.

Is there actually a new system user named 'monty' or just a database user?



#11 2016-04-17 21:09:12

Arch-Hoochie
Member
Registered: 2014-09-23
Posts: 75

Re: [Solved] Server hacked? I think lost access to root

Just a database user with full access which has enabled this person to damage some databases. But that now means I need to inspect everything in the databases.


#12 2016-04-17 22:42:52

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,529

Re: [Solved] Server hacked? I think lost access to root

Yes, but just the databases.  They couldn't have gained access to the rest of the system.

This is one reason I would never use those web-based database tools.  I'm pretty sure there are smart and secure ways to use them, but it seems far too easy to open them up as you have.  A web-accessible front end should most definitely not allow someone unrestricted database access.

On a db I run I've made my own web-based front end, but it requires a login cookie to view the page, plus it has a very short whitelist of IP addresses from which it will accept connections (everything else is redirected elsewhere), and even then the web user only gets read-only access to one database.

MySQL and MariaDB - and almost certainly any other database out there - allow specific access permissions for various users.  So even if you needed some write access, you could limit it to the specific conditions and databases (or even tables, perhaps) that would need write access for web users.  Granting all permissions on all databases to a web front-end is a recipe for disaster.


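Trilby's advice above, written out as MySQL/MariaDB statements. This is an added example and not part of the original thread or of any project's code: first an audit of which accounts hold global privileges and which are reachable from any host (the kind of query that would surface an unexpected account like "monty" with full privileges), then a web front-end account restricted to read-only access on one database from the local host. The database name `app`, the table `orders`, the account names `webro` and `monty`@`%`, and the password placeholder are assumptions for illustration.

```sql
-- Added example, not from the thread. Names (app, app.orders, webro,
-- monty@'%') and the password placeholder are assumptions. Run as a DBA
-- account (e.g. root via the local socket), never from a web front-end.

-- 1. Audit: which accounts hold *global* privileges (granted ON *.*)?
--    information_schema.USER_PRIVILEGES lists exactly those; a web
--    front-end account should never appear here with anything but USAGE.
SELECT GRANTEE,
       GROUP_CONCAT(PRIVILEGE_TYPE ORDER BY PRIVILEGE_TYPE) AS global_privs,
       MAX(IS_GRANTABLE)                                    AS can_grant
FROM   information_schema.USER_PRIVILEGES
WHERE  PRIVILEGE_TYPE <> 'USAGE'
GROUP  BY GRANTEE
ORDER  BY GRANTEE;

-- 2. Audit: accounts that may connect from any host ('%'). Tools that
--    create users through a browser tend to default to this.
SELECT User, Host
FROM   mysql.user
WHERE  Host = '%'
ORDER  BY User;

-- 3. Inspect, then remove, an account you did not create.
SHOW GRANTS FOR 'monty'@'%';
DROP USER 'monty'@'%';

-- 4. Least privilege for the web front-end: local connections only,
--    SELECT on one database, nothing global.
CREATE USER 'webro'@'127.0.0.1' IDENTIFIED BY 'replace-with-a-long-random-secret';
GRANT SELECT ON app.* TO 'webro'@'127.0.0.1';

-- 5. If one table genuinely needs writes, grant them on that table alone
--    rather than widening the whole account.
GRANT INSERT, UPDATE ON app.orders TO 'webro'@'127.0.0.1';

-- 6. Verify: the account should show only the grants from steps 4 and 5.
SHOW GRANTS FOR 'webro'@'127.0.0.1';
```

Two caveats when running this on a live server. DROP USER does not terminate sessions the account already has open, so check SHOW PROCESSLIST and KILL any connection belonging to the dropped account. And the global privileges listed by the first query include FILE, which lets an account read and write files on the database host with the permissions of the database server process; an all-privileges account created through a web tool is therefore not purely a database-level problem, which is one more reason to keep web-facing accounts off that list entirely.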

#13 2016-04-18 07:34:39

Arch-Hoochie
Member
Registered: 2014-09-23
Posts: 75

Re: [Solved] Server hacked? I think lost access to root

Yeah, it seems to be my weak point. Thanks Trilby for helping me work through this, and everyone else who commented. Moving forward I think I will just not use phpMyAdmin. I'm a lot more comfortable with the command line now, so let's see how I manage without it.

