28 Studios (Verified User; joined Jun 22, 2008; 9 messages)
My machine was recently hacked and was used to send out spam and brute force ssh attacks.
dt_ssh5 was the brute force ssh attack.
It may be related to custombuild. I'm really not positive, but wanted to see if anyone here had suggestions on the potential cause.
- The outgoing emails were being sent from the user webapp
- The ssh attacks were executed by the user webapp
- I removed the webapp user
- Running ./build update (or maybe ./build all) recreated the webapp user.
I don't know what the webapp user is used for, so I'm not sure where to look next.
I also found the following in /tmp
Code:
barbut.1
barbut.2
barbut.3
blue
blue.1
brb.1
brb.2
brb.3
brb.4
cb
doom.tgz
dt_ssh5
dt_ssh5.1
mysql.sock
ping.txt
resend.debug
I definitely am not blaming DirectAdmin (yet), but this looks reasonable for the first place to look.
The machine has since been secured, but of course I will be rebuilding the server soon to be safe.
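A small triage helper for the situation described in the post, added here as an example and not code from the poster or from DirectAdmin: it lists what a service account such as webapp is running and has scheduled, and flags executables and dropped archives in /tmp of the kind listed above. The user name "webapp" and the /tmp path come from the post; the function names and the POSIX sh, find(1), ps(1), id(1) and crontab(1) tooling are assumptions.

```shell
#!/bin/sh
# Post-compromise triage helper (added example, not from the forum post).
# Assumes POSIX sh plus find, ps, id and crontab; only "webapp" and "/tmp"
# come from the post, everything else here is an assumption.

# Print regular files directly under DIR that are executable by their owner
# (-perm -100) or look like dropped archives: the dt_ssh5 / doom.tgz pattern.
flag_tmp_artifacts() {
    dir="$1"
    find "$dir" -maxdepth 1 -type f \
        \( -perm -100 -o -name '*.tgz' -o -name '*.tar.gz' \) | sort
}

# Show what a service account is actually running and scheduling.
# An account that only exists to own files should normally have neither.
inspect_user() {
    user="$1"
    if ! id "$user" >/dev/null 2>&1; then
        echo "no such user: $user"
        return 0
    fi
    echo "== processes owned by $user =="
    ps -u "$user" -o pid=,lstart=,args= 2>/dev/null || true
    echo "== crontab for $user (readable only as root) =="
    crontab -u "$user" -l 2>/dev/null || echo "(none or not readable)"
}

# Full check for one account and one scratch directory.
triage() {
    inspect_user "$1"
    echo "== suspicious files in $2 =="
    flag_tmp_artifacts "$2"
}

# Invocation matching the post:
#   triage webapp /tmp
```

Run it as root so the crontab and the process list are complete, and keep the output before rebuilding the server so the timeline survives.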