Ask HN: I Got DDoS'ed and Possibly Hacked on My Ubuntu Server
3 points by mrbonner on Feb 17, 2012 | hide | past | favorite
Hi, I recently noticed that my wireless router was acting weird every day. If I bounced it, it was fine for a couple of minutes and then things got worse: nobody seemed to be able to connect to it, and if they could, the internet was slow.

It happened for 2 days, then out of desperation I disconnected the Ubuntu server (Apache 2.2) that was connected via Gigabit cable. Strangely, things started to look normal. I then looked at the router log and there were tons of accesses from various IPs around the world to my web server. Apparently the router cannot handle such traffic.

Also, I remember that on the day this DDoS occurred, when I ssh'ed to the server, it said the host had changed and warned of a possible man-in-the-middle attack. When I looked at /var/log/auth.log there were tons of failed attempts to su from the www-data user. At this point I thought I was f*cked. So I decided to take down the server until I know what the hell is going on.

Is there anybody interested in helping me answer these questions?
- What happened to my server? How could its SSH key or settings have changed?
- What could be done to get rid of the DDoS?

I have everything on my server for forensics!

This is just my personal server anyway, nothing important. Thanks in advance.
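Two checks a responder would run on the evidence described in the post, as an added example (not the poster's code or anything from an HN reply): a parser that triages su activity in auth.log and flags anything originating from www-data (the account Apache runs as on Ubuntu, which has no legitimate reason to call su), and a comparison of the server's current SSH host key fingerprint against the key pinned in the client's known_hosts. The log lines, hostname, PIDs, timestamps and key blobs are all constructed for the example; the line formats are the ones Ubuntu's su (shadow-utils) and PAM write to syslog.

```python
"""Triage helpers for the two symptoms in the post: repeated su attempts by the
Apache account in auth.log, and an SSH host-key-changed warning.

Added example, not the poster's code.  Log lines below are CONSTRUCTED in the
syslog format Ubuntu's su and sshd write; host, pids and times are made up.
The key blobs are also constructed (not real keys): a fingerprint is just a
hash of the base64-decoded blob, so any bytes serve to show the comparison.
"""
import base64
import hashlib
import re
from collections import Counter

SAMPLE_AUTH_LOG = """\
Feb 17 03:12:01 srv su[2214]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/1 ruser=www-data rhost=  user=root
Feb 17 03:12:03 srv su[2214]: FAILED su for root by www-data
Feb 17 03:12:05 srv su[2219]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/1 ruser=www-data rhost=  user=root
Feb 17 03:12:07 srv su[2219]: FAILED su for root by www-data
Feb 17 03:15:40 srv sshd[2301]: Accepted publickey for bob from 192.0.2.10 port 51234 ssh2
Feb 17 03:16:02 srv su[2310]: Successful su for root by bob
Feb 17 03:20:00 srv su[2402]: + /dev/pts/1 www-data:root
Feb 17 03:20:00 srv su[2402]: pam_unix(su:session): session opened for user root by (uid=33)
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
FAILED_SU = re.compile(TS + r" \S+ su\[\d+\]: FAILED su for (?P<target>\S+) by (?P<by>\S+)$")
# su reports a success either as "Successful su for T by B" or as "+ tty B:T"
OK_SU_A = re.compile(TS + r" \S+ su\[\d+\]: Successful su for (?P<target>\S+) by (?P<by>\S+)$")
OK_SU_B = re.compile(TS + r" \S+ su\[\d+\]: \+ \S+ (?P<by>[^:\s]+):(?P<target>\S+)$")


def triage_su(log_text, service_accounts=("www-data",)):
    """Count su failures per (by, target), list successes, and flag any su
    activity originating from a service account such as Apache's www-data:
    a web worker never legitimately runs su, so those lines mean the web
    application itself was driven to execute commands."""
    failures = Counter()
    first_seen = {}
    successes = []
    for line in log_text.splitlines():
        m = FAILED_SU.match(line)
        if m:
            key = (m["by"], m["target"])
            failures[key] += 1
            first_seen.setdefault(key, m["ts"])
            continue
        m = OK_SU_A.match(line) or OK_SU_B.match(line)
        if m:
            successes.append((m["ts"], m["by"], m["target"]))
    findings = []
    for (by, target), n in sorted(failures.items()):
        if by in service_accounts:
            findings.append(f"{n} failed su to {target} by {by} starting {first_seen[(by, target)]}: "
                            f"web app compromised, attacker guessing the {target} password")
    for ts, by, target in successes:
        if by in service_accounts:
            findings.append(f"SUCCESSFUL su to {target} by {by} at {ts}: treat host as root-compromised")
    return {"failures": dict(failures), "successes": successes, "findings": findings}


def key_blob(line):
    """Return the raw key bytes from a known_hosts line ('host type blob')
    or an ssh_host_*_key.pub line ('type blob [comment]')."""
    f = line.split()
    return base64.b64decode(f[1] if f[0].startswith(("ssh-", "ecdsa-")) else f[2])


def md5_fingerprint(line):
    """OpenSSH's classic MD5 fingerprint: md5 of the decoded blob as colon-hex."""
    h = hashlib.md5(key_blob(line)).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def host_key_changed(known_hosts_line, server_pub_line):
    """True when the key currently in /etc/ssh differs from what the client
    had pinned.  If nobody reinstalled or regenerated host keys, a change
    means the key file was replaced on the box or the connection is being
    intercepted; either way the old key must be treated as compromised."""
    return md5_fingerprint(known_hosts_line) != md5_fingerprint(server_pub_line)


# Constructed blobs standing in for real key material.
_OLD = base64.b64encode(b"constructed-host-key-blob-before").decode()
_NEW = base64.b64encode(b"constructed-host-key-blob-after").decode()
KNOWN_HOSTS_LINE = f"192.168.1.10 ssh-rsa {_OLD}"
SERVER_KEY_UNCHANGED = f"ssh-rsa {_OLD} root@srv"
SERVER_KEY_REPLACED = f"ssh-rsa {_NEW} root@srv"

if __name__ == "__main__":
    for finding in triage_su(SAMPLE_AUTH_LOG)["findings"]:
        print(finding)
    print("host key changed:", host_key_changed(KNOWN_HOSTS_LINE, SERVER_KEY_REPLACED))
```

Against the real evidence, feed `triage_su` the contents of /var/log/auth.log (and the rotated auth.log.1, auth.log.*.gz) and `host_key_changed` the server's /etc/ssh/ssh_host_rsa_key.pub together with the matching line from the client's ~/.ssh/known_hosts. Do this on a copy of the disk mounted read-only on another machine: a box whose web account has been trying to reach root cannot be trusted to report on itself, and a successful su from www-data followed by the host key changing is consistent with whoever got root having regenerated or replaced the key.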
