[tor-relays] My VPS relay has just been hacked

Krbusek Christian christian at ph3x.at
Mon Oct 27 07:21:16 UTC 2014



Hi Nick,

Most has already been said, and a reinstall would be your best option
anyway because you can't trust the VPS anymore.

But one thing has not been mentioned yet I think:

On 26.10.2014 at 19:53, Nick Sheppard wrote:
[...]

> As for how it got in, most people seem to suspect an attack through
> ssh. But when I ssh'd in yesterday to start investigating, I was
> careful to note the "Last Login" message, and it gave my own
> genuine last login, three weeks ago from my home IP.  Can I take
> this at face value to mean that ssh has not been used between my
> own two logins?  Can "Last Login" be falsified?

It can be falsified. Last login IIRC is taken from wtmp. If the attacker
gained root it would be easy to manipulate that too.

Cheers,
Chris
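A defender-side cross-check of the point made above, added here as an example and not part of the thread: it compares the login records in wtmp (the source of the "Last login" line) against sshd's own "Accepted" lines in the auth log, and reports ssh logins that wtmp does not know about. Root can rewrite both files, so agreement proves nothing, but a login present in one and absent from the other is evidence that the host's records have been edited. The function names, the constructed sample data, the x86-64 glibc utmp layout and the assumption that syslog timestamps are UTC are all mine.

```python
import re
import struct
from datetime import datetime, timezone

# glibc utmp record layout on x86-64 (384 bytes, assumed); ut_type 7 = USER_PROCESS (a login)
UTMP_FMT = "<h2xi32s4s32s256s2hi2i4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
USER_PROCESS = 7
AUTH_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Accepted \w+ for (\S+) from (\S+) port \d+")

def parse_wtmp(data):
    """Yield (user, host, unix_ts) for every USER_PROCESS record in a raw wtmp blob."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        if f[0] == USER_PROCESS:  # f[4]=ut_user, f[5]=ut_host, f[9]=ut_tv.tv_sec
            yield (f[4].rstrip(b"\0").decode(errors="replace"),
                   f[5].rstrip(b"\0").decode(errors="replace"), f[9])

def parse_auth_log(text, year):
    """Yield (unix_ts, user, ip) for sshd 'Accepted' lines. Syslog omits the year,
    so the caller supplies it; timestamps are assumed to be UTC."""
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield int(when.replace(tzinfo=timezone.utc).timestamp()), m.group(2), m.group(3)

def unexplained_logins(auth_text, wtmp_data, year, tolerance=120):
    """Return (user, ip, ts) for auth-log ssh logins with no wtmp login record within
    `tolerance` seconds: a sign that wtmp, and so "Last login", was edited or never written."""
    wtmp = list(parse_wtmp(wtmp_data))
    return [(user, ip, ts) for ts, user, ip in parse_auth_log(auth_text, year)
            if not any(u == user and h == ip and abs(t - ts) <= tolerance
                       for u, h, t in wtmp)]

# --- constructed sample data (not from any real host) ---
def _record(user, host, ts):  # one wtmp login record in the layout above
    return struct.pack(UTMP_FMT, USER_PROCESS, 4242, b"pts/0", b"ts/0", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)
def _ts(*a): return int(datetime(*a, tzinfo=timezone.utc).timestamp())

AUTH_LOG = (
    "Oct 10 08:15:02 relay sshd[1201]: Accepted publickey for admin from 203.0.113.7 port 51022 ssh2\n"
    "Oct 20 03:41:55 relay sshd[2980]: Accepted password for admin from 198.51.100.23 port 40110 ssh2\n"
)
# wtmp holds only the genuine Oct 10 login; nothing records the Oct 20 one
WTMP = _record("admin", "203.0.113.7", _ts(2014, 10, 10, 8, 15, 2))
```

Calling `unexplained_logins(AUTH_LOG, WTMP, 2014)` on the sample returns the single Oct 20 login from 198.51.100.23; on a real host, feed it the contents of /var/log/wtmp and /var/log/auth.log copied off the box before any cleanup.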
