[tor-relays] My VPS relay has just been hacked
christian at ph3x.at
Mon Oct 27 07:21:16 UTC 2014
Most has already been said, and a reinstall would be your best option anyway, because you can't trust the VPS anymore.
But one thing has not been mentioned yet, I think:
On 26.10.2014 at 19:53, Nick Sheppard wrote:
> As for how it got in, most people seem to suspect an attack through
> ssh. But when I ssh'd in yesterday to start investigating, I was
> careful to note the "Last Login" message, and it gave my own
> genuine last login, three weeks ago from my home IP. Can I take
> this at face value to mean that ssh has not been used between my
> own two logins? Can "Last Login" be falsified?
It can be falsified. Last login IIRC is taken from wtmp. If the attacker
gained root it would be easy to manipulate that too.
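The point made above (the "Last login" banner rests on files a root-level intruder can edit) suggests the defender's response: treat wtmp as one witness and corroborate it against an independent source such as sshd's entries in the auth log. The following is an added example, not code from the list or from either poster. It decodes the binary utmp record format that `last` reads (the banner printed by login(1) and sshd comes from the separate lastlog file, which has the same trust problem), extracts accepted ssh sessions from syslog-style sshd lines, and reports sessions the auth log accepted but wtmp never recorded. Assumptions: the glibc x86_64 record layout (384 bytes, little-endian), UTC syslog stamps with the year supplied by the caller, and the sample wtmp bytes and log lines, which are constructed here.

```python
"""Cross-check a wtmp file against sshd's auth log (forensic consistency check).

Added example: parses the binary utmp records that `last` draws on and looks for
ssh sessions the auth log accepted but wtmp never recorded. All inputs below are
constructed sample data.
"""
import re
import struct
from datetime import datetime, timezone

# Assumption: glibc utmp layout on little-endian x86_64 Linux, 384-byte records.
# ut_session and the timeval fields are 32-bit there (glibc keeps them compatible
# with 32-bit builds), so every field is declared explicitly and unaligned ("<").
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
USER_PROCESS = 7                         # ut_type of an interactive login session
DEAD_PROCESS = 8                         # ut_type written when that session ends


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width char array."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def pack_utmp(ut_type: int, pid: int, line: str, user: str, host: str, tv_sec: int) -> bytes:
    """Build one wtmp record; used here only to construct the sample file."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")


def parse_wtmp(data: bytes) -> list:
    """Decode every complete record in a wtmp byte string (a trailing partial record is ignored)."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                        "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]})
    return records


def last_login(records: list, user: str):
    """Most recent login session for `user`, i.e. what `last -1 user` would report."""
    sessions = [r for r in records if r["type"] == USER_PROCESS and r["user"] == user]
    return max(sessions, key=lambda r: r["time"], default=None)


# Accepted-login lines as sshd writes them to syslog (month/day/time, no year).
AUTH_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<host>\S+) port \d+")


def parse_auth_log(lines: list, year: int) -> list:
    """Extract accepted ssh logins; the year is supplied because syslog stamps lack it (UTC assumed)."""
    found = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(f"{year} {m['mon']} {int(m['day'])} {m['hms']}", "%Y %b %d %H:%M:%S")
        found.append({"user": m["user"], "host": m["host"], "method": m["method"],
                      "time": int(stamp.replace(tzinfo=timezone.utc).timestamp())})
    return found


def unmatched_ssh_logins(records: list, accepted: list, user: str, slack: int = 5) -> list:
    """Accepted ssh sessions for `user` that no wtmp login record corroborates.

    A non-empty result means wtmp, and with it anything derived from it, is
    incomplete: either the records were never written or they were removed.
    """
    sessions = [r for r in records if r["type"] == USER_PROCESS and r["user"] == user]
    missing = []
    for a in accepted:
        if a["user"] != user:
            continue
        if not any(r["host"] == a["host"] and abs(r["time"] - a["time"]) <= slack for r in sessions):
            missing.append(a)
    return missing


# Constructed sample data: one genuine login from the operator's home address in
# wtmp, while the auth log also holds a later accepted session wtmp says nothing about.
YEAR = 2014
T_HOME = int(datetime(YEAR, 10, 6, 14, 2, 11, tzinfo=timezone.utc).timestamp())
SAMPLE_WTMP = (pack_utmp(USER_PROCESS, 2210, "pts/0", "nick", "198.51.100.7", T_HOME)
               + pack_utmp(DEAD_PROCESS, 2210, "pts/0", "", "", T_HOME + 900))
SAMPLE_AUTH_LOG = [
    "Oct  6 14:02:11 relay sshd[2210]: Accepted publickey for nick from 198.51.100.7 port 50022 ssh2",
    "Oct 20 03:17:40 relay sshd[4481]: Failed password for nick from 203.0.113.66 port 41022 ssh2",
    "Oct 20 03:17:45 relay sshd[4481]: Accepted password for nick from 203.0.113.66 port 41022 ssh2",
]

if __name__ == "__main__":
    recs = parse_wtmp(SAMPLE_WTMP)
    ll = last_login(recs, "nick")
    print("wtmp says last login:", ll["host"], datetime.fromtimestamp(ll["time"], timezone.utc))
    for gap in unmatched_ssh_logins(recs, parse_auth_log(SAMPLE_AUTH_LOG, YEAR), "nick"):
        print("accepted ssh session absent from wtmp:", gap["host"],
              datetime.fromtimestamp(gap["time"], timezone.utc))
```

On a real host the same functions would be fed `/var/log/wtmp` (read as bytes) and the sshd lines from `/var/log/auth.log` or the journal. The check only helps when the auth log is independent of the box being examined, which is why shipping sshd logs to a remote collector matters: a local auth log on a rooted VPS can be edited as easily as wtmp, and agreement between two files the intruder controls proves nothing.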