On Sat, Oct 25, 2014 at 03:36:05PM +0100, Nick Sheppard wrote:
> This is typical of what I found.
>
>     1 root 20 0 10604 832 700 S ... 0:00.10 init
>     2 root 20 0     0   0   0 S ... 0:00.00 kthreadd/3277
>     3 root 20 0     0   0   0 S ... 0:00.00 khelper/3277
>  1370 root 20 0 36976 660 492 S ... 0:00.38 hxyqbutesc
I should note here that yes indeed, you do appear to have been compromised.
We get some relay operators here who misinterpret an email from their ISP, which tells them they've been compromised but really the only evidence is that they sent out some traffic that the other side thought could only have been sent if they're compromised. E.g., https://lists.torproject.org/pipermail/tor-relays/2014-October/005551.html
But this one does not look good. I sense a reinstall in your future. :)
> Eventually I'll have to reinstall everything from scratch, straightforward enough, but what can I do to make sure it doesn't happen again? Would hardening my iptables work? Has anyone else seen this?
The other advice I heard here was very good too -- mainly "be sure to do all your updates", "don't allow ssh login by password", and "wonder if perhaps your hosting provider has a problem that makes it impossible for you to keep your host safe".
--Roger
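Added example, not code from this thread or from the Tor project: two small defender-side checks that follow from the discussion above. The first parses `top`-style output and flags processes that are absent from a known-good baseline or carry a random-looking name (as the quoted "hxyqbutesc" entry does); the second audits an sshd_config for the "don't allow ssh login by password" advice. The sample `top` lines, the baseline set, the sshd_config fragment and the entropy threshold are all constructed for this example and are not data from the original poster's host.

```python
"""Added example (not from the tor-relays thread or the Tor project).

flag_suspicious_processes(): parse `top`-style lines, flag processes that are
    not in a known-good baseline and/or have a random-looking name.
audit_sshd_config(): check sshd_config for password and root login settings.

All sample data below is constructed for this example.
"""
import math
from collections import Counter

# Constructed sample modelled on the quoted `top` output (not real system data).
SAMPLE_TOP = """\
  PID USER       PR  NI   VIRT   RES  SHR S %CPU %MEM    TIME+  COMMAND
    1 root       20   0  10604   832  700 S  0.0  0.1  0:00.10 init
    2 root       20   0      0     0    0 S  0.0  0.0  0:00.00 kthreadd
    3 root       20   0      0     0    0 S  0.0  0.0  0:00.00 ksoftirqd/0
 1370 root       20   0  36976   660  492 S  0.0  0.1  0:00.38 hxyqbutesc
 1401 debian-tor 20   0 198000 41000 9000 S  1.0  4.0  5:12.00 tor
"""

# Constructed baseline: record this from a freshly installed host, never from a
# snapshot taken after the compromise.
BASELINE = {"init", "kthreadd", "ksoftirqd", "tor"}

ENTROPY_THRESHOLD = 3.2  # bits/char; assumed cut-off, tune against your own baseline
MIN_LEN = 8              # short names give meaningless entropy values


def shannon_entropy(s):
    """Bits per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def flag_suspicious_processes(top_text, baseline):
    """Return [{pid, user, name, reasons}] for processes worth a closer look.

    The baseline comparison is the real check; the entropy score is only a
    weak secondary signal, since many legitimate names are high-entropy too.
    """
    findings = []
    for line in top_text.splitlines():
        parts = line.split()
        if len(parts) < 12 or not parts[0].isdigit():
            continue  # header or blank line
        pid, user, name = parts[0], parts[1], parts[-1]
        base = name.split("/")[0]  # kernel threads: "ksoftirqd/0" -> "ksoftirqd"
        reasons = []
        if base not in baseline:
            reasons.append("not in baseline")
        if len(base) >= MIN_LEN and shannon_entropy(base) >= ENTROPY_THRESHOLD:
            reasons.append("high-entropy name")
        if reasons:
            findings.append({"pid": pid, "user": user, "name": name, "reasons": reasons})
    return findings


# Constructed sshd_config fragment showing the settings the thread argues against.
WEAK_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""


def audit_sshd_config(text):
    """Return a list of findings for the global section of an sshd_config.

    Directives after the first 'Match' line are conditional and are skipped.
    sshd honours the first occurrence of each keyword, so later duplicates are ignored.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)

    findings = []
    # OpenSSH defaults PasswordAuthentication to yes, so an absent line is a finding too.
    if settings.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no': set 'PasswordAuthentication no'")
    # Treat an absent PermitRootLogin conservatively (older releases defaulted to yes).
    if settings.get("permitrootlogin", "yes") not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin permits root password login: set 'PermitRootLogin no'")
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_processes(SAMPLE_TOP, BASELINE):
        print(f"PID {f['pid']} ({f['user']}): {f['name']} -> {', '.join(f['reasons'])}")
    for finding in audit_sshd_config(WEAK_SSHD_CONFIG):
        print("sshd_config:", finding)
```

On a real host, feed `top -bn1` output and a baseline captured at install time into `flag_suspicious_processes`, and `/etc/ssh/sshd_config` into `audit_sshd_config`; a name like the one quoted above is flagged on both counts, while kernel threads such as `ksoftirqd/0` are mapped to their base name and pass against the baseline.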