It's my VPS that seems to have been compromised. That's ruined my day - time to
rebuild onto a new VPS!
June 23, 2019 10:47 AM, "Adam Spiers" <bitfolk(a)adamspiers.org> wrote:
Phew... I think?! The depressing thing is that there's no way to know for sure whether
I patched in time, even with things like rkhunter already in place. Thanks again to Andy,
without whose warning I would definitely not have known to patch my exim quickly enough!
I patched 15 days ago (7th June), and I see 15 remote exploit attempts in the rejectlogs
from the last 7 days alone - unfortunately my logrotate already ditched logs from the
previous week.
I actually patched at about 10:40 on the 6th (according to the email I got from
apt-listchanges), so it must have been a very early compromise.
Whatever rootkit was installed generated no alerts on my tripwire configuration, but an
LKM rootkit is intermittently showing up via chkrootkit. I'll be putting in a cron job
on the new box to run that daily in the future, and will also look into rkhunter.
It seems that you really can't be too careful - and I wasn't careful enough!
Another lesson I may take away from this is to keep my logs for longer - like others, mine
only go back to the 14th. I might set up logrotate to email them to me in addition to
rotate+compress, so I have longer offline storage. At the moment, I just have nothing to
help me determine when the VPS was compromised. :-(
Anyway, I have a busy afternoon ahead of me!
Check your boxes, folks. And thanks to Andy for doing this check and letting me know!
Phil
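A daily scan-and-report script plus a logrotate fragment for the rebuilt box, as an added example for the two follow-ups mentioned above (a daily chkrootkit/rkhunter cron job, and mailing logs off-box for longer retention). It is not part of the original thread and is not Phil's or Adam's code. It assumes Debian-style paths (/var/log/exim4, /etc/logrotate.d), that chkrootkit, rkhunter and a local mail(1) are installed, and that logrotate rather than the exim package's own cron job rotates the exim logs; STATE_DIR, REPORT_TO and the sample scanner output are made up for the example.

```shell
#!/bin/sh
# Daily rootkit-scan job and log-retention settings for a rebuilt VPS.
# Added example for this thread, not code from any of its participants.
# Assumptions (not stated in the thread): Debian-style paths; chkrootkit,
# rkhunter and a local MTA providing mail(1) are installed; logrotate
# (rather than the exim package's own cron job) rotates the exim logs.
# STATE_DIR and REPORT_TO are hypothetical names chosen for this script.
set -u

STATE_DIR="${STATE_DIR:-/var/lib/rootkit-scan}"   # keeps every day's findings
REPORT_TO="${REPORT_TO:-root}"                      # recipient of reports and logs

# Keep only the lines that matter: chkrootkit marks hits with "INFECTED",
# chkproc and rkhunter with "Warning:". The rest ("not infected", "not found")
# is noise that would swamp a day-to-day diff. stdin: raw output; stdout: sorted.
extract_findings() {
    grep -E 'INFECTED|Warning:' | sort -u
}

# Lines present in today's findings ($2) but not in the previous run ($1).
# Both files must be sorted (extract_findings does that). A first run with no
# previous file reports everything.
new_findings() {
    if [ ! -s "$1" ]; then
        cat "$2"
    else
        comm -13 "$1" "$2"
    fi
}

# Run both scanners, store today's findings under a dated name (so the scan
# history outlives the box's log rotation) and mail only what is new since
# the last run. An intermittent LKM detection, as in the thread, is therefore
# reported each time it reappears instead of being buried in an unchanged report.
daily_check() {
    mkdir -p "$STATE_DIR"
    today="$STATE_DIR/findings.$(date +%F)"
    { chkrootkit -q 2>&1
      rkhunter --check --skip-keypress --report-warnings-only 2>&1
    } | extract_findings > "$today"
    new="$(new_findings "$STATE_DIR/findings.last" "$today")"
    if [ -n "$new" ]; then
        printf '%s\n' "$new" |
            mail -s "rootkit-scan: new findings on $(hostname)" "$REPORT_TO"
    fi
    cp "$today" "$STATE_DIR/findings.last"
}

# logrotate fragment: keep a year of compressed exim logs on the box and mail
# each day's log off-box right after rotation (mailfirst), so a copy exists
# even if the VPS is later compromised or rebuilt.
logrotate_snippet() {
    cat <<EOF
/var/log/exim4/mainlog /var/log/exim4/rejectlog {
    daily
    rotate 365
    dateext
    compress
    delaycompress
    missingok
    notifempty
    mail $REPORT_TO
    mailfirst
}
EOF
}

# Constructed sample of scanner output (not a capture from the thread's VPS),
# used by --selftest to exercise the parser without the tools installed.
sample_scan_output() {
    cat <<'EOF'
Checking `ifconfig'... not infected
Checking `lkm'... chkproc: Warning: Possible LKM Trojan installed
Checking `ls'... not infected
[ Rootkit Hunter version 1.4.6 ]
Warning: The file properties have changed:
         File: /usr/sbin/sshd
EOF
}

case "${1:-}" in
    --cron)      daily_check ;;
    --logrotate) logrotate_snippet ;;
    --selftest)  sample_scan_output | extract_findings ;;
esac
```

Install it with a crontab line such as `0 4 * * * /usr/local/sbin/rootkit-scan --cron` and write the fragment with `rootkit-scan --logrotate > /etc/logrotate.d/exim4-offsite`. The `mailfirst` directive is the important one: with logrotate's default `maillast`, a file is only mailed when it falls off the end of `rotate 365`, a year too late to help reconstruct a compromise. Keeping each day's findings under a dated name in STATE_DIR gives the same benefit for the scanner output, which otherwise vanishes along with the rotated logs.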