Full Version: Hacked or not?
The Planet Forums > Control Panels > cPanel/WHM
eaudet
When I logged in as root today, I used my keyboard "up arrow" key in order to use previous commands ...

But I was surprised to see these last 6 commands ... and I wasn't the one to enter them.

service iptables stop
service apf stop
service network start;service sshd start;service xinetd start
less /etc/ssh/sshd_config
less /etc/hosts.deny
init 3

So right away, I changed my admin password and my root password ... but I would really be surprised that someone got my passwords because they are a mix of letters and numbers based on nothing ...

First of all ... what is my danger right now ... I am not that experienced in administration tasks ... and not much experience in security ...

Could it be ev1servers that did this? My server crashed yesterday, and it automatically opened a ticket for reboot ... I didn't know they had my password, but it is possible that at some point, I had to give it to them ... And why would they stop some of the services? In my hosts.deny, I deny all SSH ... maybe they were trying to get a way to connect remotely to my server in order to check it before rebooting it.

I checked my logs, and nothing seems to be out of place.

Any suggestions/comments? I am kinda paranoid right now :)

Eric
xerophyte
Ev1servers tries the default password on file, but the ticket does ask you for root passwords.

Those commands seem like someone trying to gain remote access, and it sounds like ev1 did. You might need to open a ticket and find out if they flushed the firewall and made any changes. But they rarely do that.

If that's not the case and none of your admins worked on the server, it's possible your server has been hacked.

I would check your full server with all the rpm files and other file checksums and see if any file has been changed; check the kernel too.

If the server is hacked you might want to restore the server with a clean OS and secure the OS before you restore data to it.

hope that helps
okita1
use
#last
See who is logging on to the server; check the IPs and see if they are ev1 IPs.
Check your /tmp and /var/tmp directories.
chkrootkit and rkhunter
ps -aux to see what's running
netstat -nalp to see what's listening
Lock down your tmp directories and curl and wget:
http://forums.ev1servers.net/showthread.php?t=27771
chmod curl and wget to 710 to prevent apache from executing them. There are a lot of things you can do to secure your server; go through this and apply everything you can:
http://forums.ev1servers.net/forumdisplay.php?f=20
good luck
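A triage script along the lines of xerophyte's and okita1's replies, added here as an example (it is not code from the thread, from ev1servers or from The Planet). It assumes `last -a` output with the source host in the last column, GNU find, and placeholder addresses standing in for the admin's own IP and the provider's support host; the `last` sample and the scratch directory are constructed so the default run works offline, while `--live` runs the real checks the replies name (last, /tmp and /var/tmp, ps, netstat, rpm -Va, chkrootkit/rkhunter) plus a look at whether the firewall that the logged commands stopped is running again.

```bash
#!/bin/bash
# Post-incident triage helpers. Added example, not code from the thread or
# from the hosting provider. Assumptions: `last -a` format (host in the LAST
# column), GNU find, and placeholder IPs in KNOWN_IPS.
set -u

# Constructed sample of `last -a` output: two remote root logins, one console
# (tty) login, a reboot record and the wtmp footer.
SAMPLE_LAST='root     pts/0        Tue Mar  7 10:12   still logged in    203.0.113.10
root     tty1         Mon Mar  6 23:41 - 23:59  (00:18)
root     pts/1        Mon Mar  6 22:05 - 22:30  (00:25)     198.51.100.7
reboot   system boot  Mon Mar  6 21:58          (1+12:14)   kernel-version-here
wtmp begins Sat Mar  4 00:00:00 2006'

# Placeholder allowlist: the admin's own address and the provider's support host.
KNOWN_IPS="203.0.113.10 198.51.100.7"

# flag_logins: read `last -a` output on stdin; print "unknown-ip USER IP" for
# every login whose source is not in the allowlist ($1), and "console-login
# USER TTY" for logins with no remote address. A console login is what a
# data-center tech at the KVM leaves behind; an unknown remote IP is what
# deserves a closer look.
flag_logins() {
    awk -v known="$1" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^wtmp begins/ || /^$/ || $1 == "reboot" { next }
        $2 ~ /^tty/ { print "console-login " $1 " " $2; next }
        $NF ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !($NF in ok) { print "unknown-ip " $1 " " $NF }
    '
}

# scan_tmp: list regular files under $1 that are hidden (dotfiles) or have the
# owner-execute bit set, the two traits a toolkit dropped in /tmp usually has.
scan_tmp() {
    find "$1" -mindepth 1 -type f \( -name '.*' -o -perm -100 \) 2>/dev/null | sort
}

# check_helper_mode: the reply suggests mode 710 on curl and wget so the web
# server's unprivileged user cannot execute them. Prints "loose PATH" for each
# argument whose mode is not exactly 0710; returns 1 if any was loose.
check_helper_mode() {
    local rc=0 f
    for f in "$@"; do
        [ -e "$f" ] || continue
        if [ -z "$(find "$f" -maxdepth 0 -perm 710)" ]; then
            echo "loose $f"
            rc=1
        fi
    done
    return $rc
}

# live_triage: the checks recommended in the thread, run against the real host.
live_triage() {
    echo "== logins not from KNOWN_IPS (edit the list first)"
    last -a -i | flag_logins "$KNOWN_IPS"
    echo "== hidden or executable files in tmp"
    scan_tmp /tmp; scan_tmp /var/tmp
    echo "== curl/wget modes"
    check_helper_mode /usr/bin/curl /usr/bin/wget || true
    echo "== firewall: the logged commands stopped iptables/apf, confirm rules are loaded"
    iptables -L -n 2>/dev/null | head -n 20
    echo "== listening sockets and process list (review by hand)"
    netstat -nalp 2>/dev/null | grep LISTEN
    ps aux
    echo "== RPM files whose MD5 (column 3) or mode (column 2) differ from the database"
    rpm -Va 2>/dev/null | grep -E '^(..5|.M)' || echo "(none reported)"
    command -v chkrootkit >/dev/null && { echo "== chkrootkit"; chkrootkit -q; }
    command -v rkhunter  >/dev/null && { echo "== rkhunter"; rkhunter --check --sk; }
}

# offline_demo: exercise the parsers on the constructed sample and a scratch dir.
offline_demo() {
    local dir
    dir=$(mktemp -d)
    : > "$dir/sess_abc123"                                 # ordinary session file
    printf '#!/bin/sh\n' > "$dir/.x"; chmod 700 "$dir/.x"   # hidden and executable
    echo "== sample logins (allowlist: admin IP only)"
    printf '%s\n' "$SAMPLE_LAST" | flag_logins "203.0.113.10"
    echo "== sample tmp scan"
    scan_tmp "$dir"
    rm -rf "$dir"
}

if [ "${1:-}" = "--live" ]; then live_triage; else offline_demo; fi
```

Run it with no arguments to see the parsers work on the sample, and as root with `--live` on the affected box. The `rpm -Va` filter keeps only checksum and mode mismatches, since size and mtime changes on config files are routine noise; anything it lists under /bin, /sbin or /usr/bin is worth comparing against a clean install.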
theuruguayan
Just remember if you did submit a ticket to ev1 sometime between the last time you logged in and when you saw that message.
okita1
Just wondering also, have you put in a reboot ticket recently? They check to see if they can SSH in after a reboot; looks like maybe they couldn't, then consoled in and ran those commands.
eaudet
Yes, that's what I think (ev1 did) ... My server power supply failed a few days ago. They have replaced it. Since then, my server has hung twice ... (via the monitoring, it sends an automatic trouble ticket.)

I am the only user of the server, I have 4 total for my own little business.

Thanks to all so far ... I checked "last" and all logins are either by me or ev1servers ... so that clears a few things. I also checked my tmp directory and nothing seems wrong. I got hacked last summer, and tmp directory was being used, so I learned on that one.

Thanks again!

Eric
James Jhurani
If your server generated any tickets... chances are they probably logged in to make sure everything was functioning properly. If they couldn't log in, they probably forwarded the ticket to the data center to have sshd started. The commands could have been entered from the root console. All that was being done looks like they were trying to figure out why they couldn't access it via sshd.

If your server was having problems, they would probably reboot it to single user mode so there is less overhead, or perhaps even to just reset your root password so they could access it.


My logic would be:

Stopping firewalls to allow access:
service iptables stop
service apf stop

restarting the network, and sshd, and xinetd:
service network start;service sshd start;service xinetd start


Still can't connect, hmmm, let's see if we are blocked by the hosts files:
less /etc/ssh/sshd_config
less /etc/hosts.deny

Nope, let's return to run level 3 (normal run level):
init 3


That's all that seems to be... if you were hacked you would see more commands than that. They would also be backdooring you, therefore would not need to check the hosts files, or restart the network services.

Honestly, I think you have nothing to worry about. If you are still worried I suggest grabbing a copy of rkhunter from rootkit.nl and giving it a shot. It will check the integrity of your binaries and search for some common rootkits.

Hope this puts your worries aside. If you still would like to have your server checked for rootkits by ev1, open a ticket... they will gladly search for you.

-James