Arijit
Guest
A few days back someone hacked our server. I changed all the passwords for all users. But still someone is accessing our server. How can I prevent it? How can I solve this problem?
Do you have a firewall (software or hardware)? What if you closed all unneeded ports?
Thanks a lot
I think no firewall software is installed. The default firewall may be present.
Can you tell me how to check whether firewall software is present or not?
And some information about ports.
Can you put it out on pastebin or something similar so that we can all look at it? The more eyes we have looking at this the better.
If they are sending mails then you might try blocking the access to port 25 so that they can't send out more emails. What I am having you do here will not survive a reboot, but it should get you some temporary relief.
As root run:
Code:
iptables -A OUTPUT -p tcp --dport 25 -m comment --comment "Rule to block outbound smtp" -j DROP
This will not be effective if the attacker has root level access to the box. They can remove the rule if they have that level of access. In the event that the attacker has root level access you will want to start from scratch on the machine. There is no telling what else has been done.
You are going to want to seriously rethink your security posture. You are going to need to harden your passwords, use SSH keys, patch regularly, and several other steps to keep this from happening again.
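Added example, not part of the original posts: because the rule above is appended with -A, it lands at the end of the OUTPUT chain, and an earlier ACCEPT rule that matches port 25 is evaluated first. The sketch below reads the chain in `iptables -S OUTPUT` format and reports whether the block is actually reached; the function names and the sample chain are made up for illustration.

```shell
#!/bin/sh
# Added example: classify an OUTPUT chain given in `iptables -S OUTPUT` format.
# Reads rules on stdin and prints one of:
#   effective - a DROP/REJECT for tcp port 25 is reached before any ACCEPT for it
#   shadowed  - the block exists, but an earlier ACCEPT rule matches first
#   missing   - no block rule for tcp port 25 in the chain
# Simplified heuristic (assumption): only an explicit port-25 ACCEPT or a bare
# "-A OUTPUT -j ACCEPT" is treated as shadowing the block.
smtp_block_status() {
    shadow=0
    while IFS= read -r rule; do
        case "$rule" in
            "-A OUTPUT "*"--dport 25 "*"-j DROP"*|"-A OUTPUT "*"--dport 25 "*"-j REJECT"*)
                if [ "$shadow" -eq 1 ]; then echo shadowed; else echo effective; fi
                return 0 ;;
            "-A OUTPUT "*"--dport 25 "*"-j ACCEPT"*|"-A OUTPUT -j ACCEPT")
                shadow=1 ;;
        esac
    done
    echo missing
}

# Constructed sample (not from a real host): the thread's rule appended
# after a blanket ACCEPT, so it is never reached.
constructed_shadowed_chain() {
    cat <<'EOF'
-P OUTPUT ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -m comment --comment "Rule to block outbound smtp" -j DROP
EOF
}

# Live use, as root: run this file with --live to check the real chain.
if [ "${1:-}" = "--live" ]; then
    iptables -S OUTPUT | smtp_block_status
fi
```

If the result is "shadowed", inserting the rule at the top with -I OUTPUT 1 instead of -A puts it ahead of the ACCEPT.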