I have been having some serious hacking problems on one of my domains. Long story short, the main DA account for that domain was hacked. I was able to go through the logs and find what was altered and make repairs as well as change passwords and the like. The only way they could have gotten the password is via a brute force attack because I never use the main domain account (one of mine) as I either log in to the domain while logged in as admin or create a temporary FTP account for file transfers.
However, while scanning the logs I found one successful login as root by the same IP that was infecting the targeted domain. The connections last about one second before they disconnect (according to the logs) and after I changed the passwords I noted a few fresh attempts to access the compromised accounts from the previously successful IP that failed.
According to the brute force monitor I have thousands of these "Attacks" coming in every day.
Now comes the part that is very troubling to me. DA rotates the logs so that I only have 30 days of logs to go through. I hope that I caught the root login early enough that it was just a lucky shot or some automated hack just checking to confirm the password was still good but with only 30 days of logs I don't know.
A hacker getting root access could certainly explain the weird problem I had earlier with bind running as root. Equally troubling is that the compromised domain account was running something called "kernelupdates" a few days ago with a very high server load. I could not find anything on my server with that name nor did Google help me.
Some of the domains on my server are large with hundreds of thousands if not millions of files. Any backups I have are likely compromised since I have no idea when the first attack succeeded.
What can I do?
EDIT: Using last I find hundreds of zero time root logins from a Russian IP address starting three weeks ago. Logins show zero time and are 30 minutes apart. My guess is they were automated and designed to login, run their script and logout. No unknown logins since I changed passwords.
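Added example, not part of the original post: a small script that does what the EDIT describes by hand. It parses plain last output (a constructed sample below, using RFC 5737 documentation addresses) and flags root sessions of zero length from one remote host that recur at a fixed interval, the signature of a scripted login-run-logout cycle. The year, the session threshold and the jitter tolerance are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of `last` output (documentation IPs, not real hosts):
# four zero-length root sessions from one host 30 minutes apart, one normal
# admin session, one local console login, and the usual trailer lines.
SAMPLE_LAST = """\
root     pts/0        203.0.113.45     Mon Mar  4 03:30 - 03:30  (00:00)
root     pts/0        203.0.113.45     Mon Mar  4 03:00 - 03:00  (00:00)
admin    pts/1        192.0.2.10       Mon Mar  4 09:12 - 11:40  (02:28)
root     tty1                          Mon Mar  4 08:00 - 08:45  (00:45)
root     pts/0        203.0.113.45     Mon Mar  4 02:30 - 02:30  (00:00)
root     pts/0        203.0.113.45     Mon Mar  4 02:00 - 02:00  (00:00)
reboot   system boot  3.10.0-123       Mon Mar  4 01:00 - 12:00  (11:00)

wtmp begins Mon Mar  4 01:00:00 2024
"""

# One completed-session line: user, tty, optional host, start stamp, end, "(duration)".
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S*)\s+"
    r"(?P<start>\w{3} \w{3}\s+\d+ \d\d:\d\d) - \S+\s+\((?P<dur>[^)]+)\)"
)
ASSUMED_YEAR = 2024  # plain `last` omits the year; `last -F` prints full stamps


def parse_last(text):
    """Yield (user, host, start, minutes) for each completed session in `last` output."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] == "reboot":
            continue
        days, _, hhmm = m["dur"].rpartition("+")   # durations over a day look like "1+02:28"
        hours, mins = hhmm.split(":")
        minutes = int(days or 0) * 1440 + int(hours) * 60 + int(mins)
        start = datetime.strptime(f"{ASSUMED_YEAR} {m['start']}", "%Y %a %b %d %H:%M")
        yield m["user"], m["host"], start, minutes


def find_scripted_logins(text, user="root", min_sessions=3, jitter_min=2):
    """Flag remote hosts with repeated zero-length sessions for `user` at a near-fixed interval."""
    starts = defaultdict(list)
    for u, host, start, minutes in parse_last(text):
        if u == user and host and minutes == 0:      # remote (host set) and zero duration
            starts[host].append(start)
    findings = []
    for host, times in starts.items():
        times.sort()                                  # `last` prints newest first
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        if len(times) >= min_sessions and max(gaps) - min(gaps) <= jitter_min:
            findings.append({"host": host, "sessions": len(times),
                             "interval_min": round(sum(gaps) / len(gaps))})
    return findings
```

Run it against real output with find_scripted_logins(subprocess.check_output(["last"], text=True)); a hit from an address you do not recognise is the point at which to treat the box as compromised rather than merely brute-forced.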