

Uhh dude… you got hacked - amitmittal1993
https://medium.com/@meuspartum/uhh-dude-you-got-hacked-249d2c08d7ed

======
drewdahlman
Author here -

The purpose of going through and removing the malicious scripts was to learn
more about server security. I figured if I had been compromised I might as
well learn what was causing it and how to fix it.

I have since toasted the server and set it back up with all of the things I
mention in the article. I wrote the piece because I felt that there might be
others out there who can learn from my mistakes and to also have a record for
myself.

We are always learning and sometimes we need to learn the hard way, I got
lucky in that this was on a side project and not any real client work.

------
Yadi
Ow man that is bad!

Thanks for sharing. Lessons shared from this post:

1- Lock down ALL ports you are not using with either iptables or ufw.

2- Be sure to always run system updates; even with doing this the exploit still made it in, but the updates can help.

3- Use tools available to you such as iptraf, nethogs, and iftop.

4- Watch your cronjobs and strange startup files.

I think locking down the ports that are not required is a very important thing
to do.

I have faced such stuff, but with lower traffic; luckily I ended up creating a
whole instance and server and ripping apart old configs and setup.

------
WillHuxtable
When someone compromises your system, you can't know _everything_ that has
been done. The only truly safe thing to do is reinstall everything from
scratch, backing up configs of course.

------
dizou
How did they get in, in the first place?

~~~
drewdahlman
Author here.

It was a brute force attack on my root. I added an edit for clarification on
the article. Basically I use another user for deployments and server work that
has a pub key and didn't remove root login permissions.
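
The root brute force described above, and the "lock it down" items in Yadi's list, come down to two sshd_config lines. As an added example (not from the article or anyone in this thread), a POSIX sh audit that reads an sshd_config, reports whether root login and password authentication are still in effect, and runs against two constructed sample configs; the file paths and the `deploy` user are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: audit an sshd_config for the two settings
# behind the thread's incident, root login over SSH and password authentication.
# sshd takes the FIRST value given for a keyword and we stop at the first Match
# block, so what we report is the effective global setting.

# sshd_value FILE KEYWORD -> first effective value, lower-cased; empty if unset
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }                  # strip indentation
        /^#/ || /^$/ { next }                   # comment or blank line
        { split($0, f, /[ \t=]+/) }             # "Key value" or "Key=value"
        tolower(f[1]) == "match" { exit }       # per-user/host overrides start here
        tolower(f[1]) == key { print tolower(f[2]); exit }
    ' "$1"
}

# audit_sshd FILE -> one "FINDING ..." line per weak or unset setting
audit_sshd() {
    root=$(sshd_value "$1" PermitRootLogin)
    # Unset counts as a finding: older OpenSSH defaulted to "yes", and an explicit
    # line survives OS upgrades (assumption: you want it stated, not inherited).
    case "${root:-unset}" in
        no|prohibit-password|without-password) ;;
        *) echo "FINDING PermitRootLogin=${root:-unset}: set 'PermitRootLogin no'" ;;
    esac
    pw=$(sshd_value "$1" PasswordAuthentication)   # sshd default is "yes"
    case "${pw:-unset}" in
        no) ;;
        *) echo "FINDING PasswordAuthentication=${pw:-unset}: set it to 'no' (keys only)" ;;
    esac
}
# finding_count FILE -> number of findings, for scripting/assertions
finding_count() { audit_sshd "$1" | wc -l | tr -d ' '; }

# Constructed sample configs so the script runs stand-alone (temp files).
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
#PermitRootLogin no           <- commented out, so NOT in effect
PasswordAuthentication yes
EOF
cat > "$HARD_CONF" <<'EOF'
PermitRootLogin no
PasswordAuthentication=no
Match User deploy
    PasswordAuthentication yes   # inside a Match block: not the global setting
EOF
echo "weak config:";     audit_sshd "$WEAK_CONF"
echo "hardened config:"; audit_sshd "$HARD_CONF"
```

Run it against `/etc/ssh/sshd_config` on a box you administer; anything it prints is a setting a password brute force can still reach.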

