Hi,
Yesterday I received an email informing me that someone had connected via SSH to my server using a public key.
I don't use a key to connect to the server, just login/password.
All the files I could find to trace this intrusion:
[root@vps252983 script]# sh /script/sysinfo
A. Kloxo-MR: 6.5.0.f-2016111301
B. OS: CentOS release 6.8 (Final) x86_64
C. Apps:
1. MySQL: mysql55-5.5.53-1.ius.el6.x86_64
2. PHP: php53u-5.3.29-1.ius.el6.x86_64
3. Httpd: httpd-2.2.31-1.mr.el6.x86_64
4. Lighttpd: --uninstalled--
5. Nginx: --uninstalled--
6. Qmail: qmail-toaster-1.03-1.3.55.mr.el6.x86_64
- with: courier-imap-toaster-4.1.2-1.3.20.mr.el6.x86_64
7. Dns: bind-9.9.7-1.mr.el6.x86_64
D. Php-type (for Httpd/proxy): mod_php_ruid2
E. Memory:
total used free shared buffers cached
Mem: 1829 1710 118 0 26 1313
-/+ buffers/cache: 370 1458
Swap: 0 0 0
/var/log/secure
Jan 1 13:54:16 vps252983 sshd[30883]: Accepted publickey for root from 46.43.125.61 port 35257 ssh2
Jan 1 13:54:16 vps252983 sshd[30883]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 1 13:54:18 vps252983 sshd[30883]: error: connect_to imap4.btconnect.com port 143: failed.
Jan 1 13:54:50 vps252983 sshd[30883]: error: connect_to 207.115.11.17 port 110: failed.
Jan 1 13:55:22 vps252983 sshd[30883]: error: connect_to smtp.comcast.net port 587: failed.
Jan 1 13:55:38 vps252983 sshd[30883]: pam_unix(sshd:session): session closed for user root
/var/log/cron
Jan 1 13:56:01 vps252983 CROND[31566]: (root) CMD (sleep 30 && exec 2>&1 && grep -v 46.43.125.61 /usr/local/lxlabs/kloxo/log/hiawatha-access.log > /tmp/sess_CqwvLbmYSsmhvnIB; echo y | cp -f /tmp/sess_CqwvLbmYSsmhvnIB /usr/local/lxlabs/kloxo/log/hiawatha-access.log && rm -f /tmp/sess_CqwvLbmYSsmhvnIB > /dev/null &sleep 30 && exec 2>&1 && grep -v 46.43.125.61 /usr/local/lxlabs/kloxo/log/hiawatha-error.log > /tmp/sess_sqwkGxQjbFiLeFRL; echo y | cp -f /tmp/sess_sqwkGxQjbFiLeFRL /usr/local/lxlabs/kloxo/log/hiawatha-error.log && rm -f /tmp/sess_sqwkGxQjbFiLeFRL > /dev/null &sleep 30 && exec 2>&1 && grep -v 46.43.125.61 /usr/local/lxlabs/kloxo/log/login_success > /tmp/sess_SJDqQsKICkDBNGlS; echo y | cp -f /tmp/sess_SJDqQsKICkDBNGlS /usr/local/lxlabs/kloxo/log/login_success && rm -f /tmp/sess_SJDqQsKICkDBNGlS > /dev/null &)
Jan 1 13:56:01 vps252983 CROND[31567]: (root) CMD (rm -rf /etc/cron.d/cleanup_cron.cron)
/root/.ssh/authorized_keys
# The following ssh key was injected by Nova
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDG6AGb7mde
I am not sure, but looking at /var/log/cron, the hacker used Kloxo to connect to SSH.
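Added triage script for the three indicators quoted in the post above (this is example code written for this page, not the poster's script and not part of Kloxo or OpenSSH). It runs over constructed copies of the posted log lines: an "Accepted publickey" login on a box whose admin only uses passwords, the "connect_to ... failed" errors that sshd logs when a client asks it to open a TCP forward and the connection fails (here to IMAP, POP3 and submission ports, i.e. the host being used as a mail proxy), the cron command that filters one IP out of the Kloxo logs and copies the result back, the cron file that deletes itself, and the entries in root's authorized_keys with the comment line above each. The extra "Accepted password" line from 192.0.2.10 and the sa1 cron line are constructed as benign noise; the allowed_methods default is an assumption taken from the poster's statement that only login/password is used.

```python
import re
from collections import defaultdict

# --- Constructed sample input, mirroring the lines quoted in the post ----------
SECURE_LOG = """\
Jan 1 09:10:02 vps252983 sshd[12001]: Accepted password for root from 192.0.2.10 port 50112 ssh2
Jan 1 13:54:16 vps252983 sshd[30883]: Accepted publickey for root from 46.43.125.61 port 35257 ssh2
Jan 1 13:54:16 vps252983 sshd[30883]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 1 13:54:18 vps252983 sshd[30883]: error: connect_to imap4.btconnect.com port 143: failed.
Jan 1 13:54:50 vps252983 sshd[30883]: error: connect_to 207.115.11.17 port 110: failed.
Jan 1 13:55:22 vps252983 sshd[30883]: error: connect_to smtp.comcast.net port 587: failed.
Jan 1 13:55:38 vps252983 sshd[30883]: pam_unix(sshd:session): session closed for user root
"""

CRON_LOG = """\
Jan 1 13:50:01 vps252983 CROND[31001]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jan 1 13:56:01 vps252983 CROND[31566]: (root) CMD (sleep 30 && exec 2>&1 && grep -v 46.43.125.61 /usr/local/lxlabs/kloxo/log/hiawatha-access.log > /tmp/sess_CqwvLbmYSsmhvnIB; echo y | cp -f /tmp/sess_CqwvLbmYSsmhvnIB /usr/local/lxlabs/kloxo/log/hiawatha-access.log && rm -f /tmp/sess_CqwvLbmYSsmhvnIB > /dev/null &sleep 30 && exec 2>&1 && grep -v 46.43.125.61 /usr/local/lxlabs/kloxo/log/login_success > /tmp/sess_SJDqQsKICkDBNGlS; echo y | cp -f /tmp/sess_SJDqQsKICkDBNGlS /usr/local/lxlabs/kloxo/log/login_success && rm -f /tmp/sess_SJDqQsKICkDBNGlS > /dev/null &)
Jan 1 13:56:01 vps252983 CROND[31567]: (root) CMD (rm -rf /etc/cron.d/cleanup_cron.cron)
"""

# Key material is truncated exactly as in the post; only the comment and type matter here.
AUTHORIZED_KEYS = """\
# The following ssh key was injected by Nova
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDG6AGb7mde
"""

ACCEPTED_RE = re.compile(r'sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port')
FORWARD_RE = re.compile(r'sshd\[(?P<pid>\d+)\]: error: connect_to (?P<host>\S+) port (?P<port>\d+): failed')
CRON_CMD_RE = re.compile(r'CROND\[\d+\]: \((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$')
SCRUB_RE = re.compile(r'grep -v (?P<needle>\S+) (?P<logfile>\S+) > (?P<tmp>[^\s;]+)')
SELF_DELETE_RE = re.compile(r'rm -r?f (?P<path>/etc/cron\S+)')
MAIL_PORTS = {25, 110, 143, 465, 587, 993, 995}


def unexpected_logins(secure_log, allowed_methods=("password",)):
    """Accepted sshd logins whose auth method is not one the admin actually uses."""
    hits = []
    for line in secure_log.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and m["method"] not in allowed_methods:
            hits.append(m.groupdict())
    return hits


def forwarding_by_session(secure_log):
    """connect_to failures grouped by sshd pid, i.e. per login session."""
    sessions = defaultdict(list)
    for line in secure_log.splitlines():
        m = FORWARD_RE.search(line)
        if m:
            sessions[m["pid"]].append((m["host"], int(m["port"])))
    return dict(sessions)


def cron_commands(cron_log):
    """(user, command) pairs from CROND 'CMD (...)' lines."""
    return [(c["user"], c["cmd"]) for c in map(CRON_CMD_RE.search, cron_log.splitlines()) if c]


def log_scrubbing(cron_log):
    """Cron commands that grep an IP out of a log file and copy the filtered copy back over it."""
    hits = []
    for user, cmd in cron_commands(cron_log):
        for m in SCRUB_RE.finditer(cmd):
            if f'cp -f {m["tmp"]} {m["logfile"]}' in cmd:
                hits.append({"user": user, "ip": m["needle"], "logfile": m["logfile"]})
    return hits


def cron_self_delete(cron_log):
    """Cron entries whose command removes a file under /etc/cron* (a job cleaning up after itself)."""
    return [m["path"] for _, cmd in cron_commands(cron_log) for m in [SELF_DELETE_RE.search(cmd)] if m]


def authorized_keys_entries(text):
    """Each key in an authorized_keys file together with the comment line preceding it, if any."""
    entries, last_comment = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            last_comment = line
            continue
        parts = line.split(None, 2)
        if len(parts) >= 2:
            entries.append({"type": parts[0], "key": parts[1], "comment": last_comment})
        last_comment = None
    return entries


def triage(secure_log, cron_log, authorized_keys, allowed_methods=("password",)):
    """Correlate the indicators: tie forwards to the suspicious session and collect the attacker IPs."""
    logins = unexpected_logins(secure_log, allowed_methods)
    forwards = forwarding_by_session(secure_log)
    report = {
        "unexpected_logins": logins,
        "log_scrubbing": log_scrubbing(cron_log),
        "cron_self_delete": cron_self_delete(cron_log),
        "keys": authorized_keys_entries(authorized_keys),
        "attacker_ips": set(),
    }
    for login in logins:
        login["forwards"] = forwards.get(login["pid"], [])
        login["mail_relay_attempt"] = any(port in MAIL_PORTS for _, port in login["forwards"])
        report["attacker_ips"].add(login["ip"])
    for scrub in report["log_scrubbing"]:
        report["attacker_ips"].add(scrub["ip"])
    return report


if __name__ == "__main__":
    for key, value in triage(SECURE_LOG, CRON_LOG, AUTHORIZED_KEYS).items():
        print(key, value)
```

To run it against a real box, feed the contents of /var/log/secure, /var/log/cron and /root/.ssh/authorized_keys to triage(). Two checks worth doing alongside it: compare the mtime of authorized_keys (stat) with the 13:54 login, and ask the hosting provider about the key, since the comment text "# The following ssh key was injected by Nova" is what OpenStack Nova writes when it injects a keypair at instance creation, so the key may have been present since the VPS was provisioned rather than added by the attacker. Also note that the cron job only scrubbed the Kloxo logs, so /var/log/secure and /var/log/cron still carry the IP.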