Ubuntu 10.04.3 LTS got hacked after last night's Ubuntu update!

Hi, last night I updated my server from Webmin Interface with latest Ubuntu updates listed on Webmin homepage.

I restarted, verified it was working, all was OK and went to sleep…
In the morning when I tried to access the Webmin interface, the server did not respond to https requests…
So I started PuTTY to access the SSH console.
Surprise!!! My password was changed. f…k what…
I tried to get to the server by its physical IP [http://xxx.xxx.xxx.xxx/] and surprise again :) some Chinese under-construction webpage :)) f…k again.

Note: I don't know if this has something to do with the latest updates I made, or is just a coincidence.

So I went to the data center, restarted the server in recovery mode and reset the user's passwd.
Reboot… and got this message:

<--
apache2: could not start reliably determine the server’s fully qualified domain name, using xxx.xxx.xxx.xxx for ServerName

Rather than invoking init scripts through /etc/init.d, use the utility, e.g. service S99cron start

Since the script you are attempting to invoke has been converted to an UpStart job, you may also use the start(8) utility, e.g. start: S99cron
start: Unknown job: S99cron

Ubuntu 10.04.3 LTS xxhostnamexx tty1
-->

Has anybody encountered something like that? Any advice?
Thanks.

Howdy,

So was your root account compromised? Or was it one of your users?

The root account being compromised is a bit more trouble… without knowing what all they may have changed, it’s difficult to know if they’ve truly been locked out of the system.

OTOH, if it was a user account that was compromised… that's unfortunately somewhat common. There are bots searching the Internet for vulnerable web apps, and breaking into them when they're found. It's possible a vulnerable web app was found on one of your users' accounts.

As far as the messages you saw on the console – if those services are starting up, chances are that those warnings have been appearing for a while now. They may just go unnoticed until someone views the console.

-Eric

Hi Eric,
Yep, with the console message that is possible, but what is strange is that there is an "Unknown job".
I’ll verify the job.

Regarding the user, my admin account was corrupted.
Now I checked the auth error log and found pages of auth errors, different user names, all from 4 IPs.
I found the IPs also reported at DShield.org

3 of them tty=dovecot
1 tty=mysql

Strange that I didn't find anything for SSHD. Possible that the hacker who succeeded has deleted his logs :))) and left the noobs' logs.

Anyway, is there some tool to block an IP after a number of error logs?

Thanks

Anyway, is there some tool to block an IP after a number of error logs?

Yeah there is… You can try "fail2ban" or "ConfigServer Security & Firewall".

http://www.fail2ban.org/wiki/index.php/Main_Page

http://www.configserver.com/cp/csf.html
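The per-source counting that fail2ban and CSF automate, as an added example that is not part of this thread or of either tool: the script below parses a few constructed auth.log-style lines (PAM "authentication failure" records with tty=dovecot / tty=mysql, plus sshd "Failed password" lines, using documentation-range IPs), summarizes failures per source IP and per service the way the previous post read the log, and then applies a maxretry-within-findtime rule to decide which sources would be banned. The line formats, the year (syslog timestamps carry none) and the thresholds are assumptions, and the input is expected in log order.

```python
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Constructed sample lines in Ubuntu 10.04-era /var/log/auth.log style
# (assumed format, not copied from the thread). Source addresses are from
# the RFC 5737 documentation ranges, not real hosts.
SAMPLE_AUTH_LOG = """\
Nov  3 02:14:01 srv auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=203.0.113.5
Nov  3 02:14:03 srv auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=203.0.113.5
Nov  3 02:14:05 srv auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=root rhost=203.0.113.5
Nov  3 02:14:09 srv auth: pam_unix(mysql:auth): authentication failure; logname= uid=0 euid=0 tty=mysql ruser=root rhost=198.51.100.7
Nov  3 02:14:12 srv sshd[2201]: Failed password for invalid user oracle from 192.0.2.9 port 51022 ssh2
Nov  3 02:14:14 srv auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=info rhost=203.0.113.5
Nov  3 02:14:15 srv sshd[2203]: Accepted password for admin from 192.0.2.9 port 51030 ssh2
Nov  3 03:30:00 srv auth: pam_unix(mysql:auth): authentication failure; logname= uid=0 euid=0 tty=mysql ruser=root rhost=198.51.100.7
Nov  3 03:30:01 srv auth: pam_unix(mysql:auth): authentication failure; logname= uid=0 euid=0 tty=mysql ruser=admin rhost=198.51.100.7
Nov  3 03:30:02 srv auth: pam_unix(mysql:auth): authentication failure; logname= uid=0 euid=0 tty=mysql ruser=web rhost=198.51.100.7
"""

Failure = namedtuple("Failure", "ts service ip user")

# syslog prefix: "Mon dd HH:MM:SS" (day may be space-padded)
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")
# pam_unix names the service in tty= and the client address in rhost=
PAM_RE = re.compile(
    r"authentication failure;.*\btty=(?P<service>\S+).*\bruser=(?P<user>\S*).*\brhost=(?P<ip>\S+)"
)
# sshd reports failed logins in its own format rather than via pam_unix
SSHD_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_failure(line, year=2011):
    """Return a Failure for a failed-login line, or None for any other line.

    syslog timestamps have no year, so the caller supplies one (assumed).
    """
    m_ts = TS_RE.match(line)
    if not m_ts:
        return None
    ts = datetime.strptime(f"{year} {m_ts.group('ts')}", "%Y %b %d %H:%M:%S")
    m = PAM_RE.search(line)
    if m:
        return Failure(ts, m.group("service"), m.group("ip"), m.group("user"))
    m = SSHD_RE.search(line)
    if m:
        return Failure(ts, "sshd", m.group("ip"), m.group("user"))
    return None


def summarize_failures(lines, year=2011):
    """Failures per source IP, broken down by service: the view you get from
    reading the auth log by hand ("3 of them tty=dovecot, 1 tty=mysql")."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        f = parse_failure(line, year)
        if f:
            counts[f.ip][f.service] += 1
    return {ip: dict(per_service) for ip, per_service in counts.items()}


def find_offenders(lines, maxretry=4, findtime=timedelta(minutes=10), year=2011):
    """fail2ban-style rule: a source is banned once it has produced `maxretry`
    failures inside any `findtime` window. Returns {ip: time of ban}.
    Failures older than the window are dropped, so a slow trickle stays unbanned."""
    windows = defaultdict(deque)
    banned = {}
    for line in lines:
        f = parse_failure(line, year)
        if not f:
            continue
        window = windows[f.ip]
        window.append(f.ts)
        while window and window[0] < f.ts - findtime:
            window.popleft()
        if f.ip not in banned and len(window) >= maxretry:
            banned[f.ip] = f.ts
    return banned


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    for ip, per_service in summarize_failures(lines).items():
        print(ip, per_service)
    for ip, when in find_offenders(lines).items():
        print(f"ban {ip} at {when:%b %d %H:%M:%S}")
```

With the defaults, 203.0.113.5 is banned at its fourth dovecot failure, while 198.51.100.7 also has four mysql failures but only three fall inside any ten-minute window, so it is not; lowering maxretry to 3 bans both. The one line worth reading separately is the "Accepted password" from 192.0.2.9 right after a failure from the same source: a success following failures from one address is exactly the event a rate-limiting tool does not flag, and the sshd log had no failures in the original post, so it is the successful logins that deserve the closer look.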

Thanks Locutus, I'll install ConfigServer.