Real experience of being hacked on Linux?

Solution 1:

About 2 years ago one of my co-located web servers was hacked. I tracked down the vulnerability to a PHP script I was running, an old version of PHPBB. The hacker basically used a hole to place a script on my server and execute it, which gave him full access to the server.

Luckily, he didn't do any damage, he simply installed a new website to be served off my box.

I was going through the logs one day, as I had seen my bandwidth usage skyrocket, and I found that he had installed a spoofed copy of another website on my server. Essentially it was an easy misspelling of an online store for watches, and I believe he was selling watches, collecting money, and obviously never sending anyone anything.

After I discovered this, I made a copy of everything he did - logs, scripts, the entire website, and archived it as well as sent it to my hosting provider.

I cleaned up his tracks, and began to secure my server.

As a result, I learned a lot about Linux security, and did several things:

  • Tightened up my SSH security including running it on a non-standard port.
  • chrooted apache
  • Installed and configured apache mod_security (which is amazing)
  • Started running some log monitoring/intrusion detection scripts
  • Killed any processes running on ports which I was not actively using

As a result, I have not been hacked since, and whenever anyone tries, I am alerted.

Some of the easiest ways your server can be hacked, if it is a standard web/email server, are through common script vulnerabilities. You also should take extra steps if you are running an email server to ensure you are not an open relay of any kind; the spammers will find you and suddenly all email coming from your server will get blacklisted.
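The "killed any processes running on ports which I was not actively using" step above is easiest to keep honest with a script that diffs what is actually listening against what you expect to be listening. The following is an added example (not code from the answer's author): it parses `ss -tlnpH` output, skips loopback-only binds, and reports any listener whose port/process pair is not in an allowlist. The allowlist and the sample `ss` output are constructed; the SSH port 2222 is a placeholder for the non-standard port the answer mentions.

```python
"""Audit listening TCP sockets against an allowlist of expected services."""
import re
import subprocess

# Hypothetical allowlist of (port, process) pairs this host is meant to expose.
EXPECTED = {
    (2222, "sshd"),      # SSH moved to a non-standard port
    (80, "apache2"),
    (443, "apache2"),
}

# Constructed sample output in the layout of `ss -tlnpH` (header suppressed).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:2222 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 *:80 *:* users:(("apache2",pid=1201,fd=4))
LISTEN 0 511 *:443 *:* users:(("apache2",pid=1201,fd=6))
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mariadbd",pid=990,fd=20))
LISTEN 0 128 0.0.0.0:6667 0.0.0.0:* users:(("perl",pid=4412,fd=3))
"""

# State, recv-q, send-q, local addr:port, peer, then the owning process.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)'
)

LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_listeners(ss_output):
    """Turn ss text into a list of dicts with addr, port, proc and pid."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            addr, port, proc, pid = m.groups()
            listeners.append(
                {"addr": addr, "port": int(port), "proc": proc, "pid": int(pid)}
            )
    return listeners


def unexpected_listeners(listeners, expected=EXPECTED, loopback_ok=True):
    """Return listeners that are neither allowlisted nor loopback-only."""
    flagged = []
    for entry in listeners:
        if (entry["port"], entry["proc"]) in expected:
            continue
        if loopback_ok and entry["addr"] in LOOPBACK:
            continue  # reachable only from the box itself
        flagged.append(entry)
    return flagged


def main():
    try:
        ss_text = subprocess.run(
            ["ss", "-tlnpH"], capture_output=True, text=True, check=True
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        ss_text = SAMPLE_SS  # fall back to the constructed sample offline
    for entry in unexpected_listeners(parse_listeners(ss_text)):
        print(f"UNEXPECTED: {entry['proc']} (pid {entry['pid']}) "
              f"listening on {entry['addr']}:{entry['port']}")


if __name__ == "__main__":
    main()
```

Run it from cron and mail yourself the output; a quiet run means nothing new has started listening. On the sample data only the `perl` process on 6667 is reported, since the database is bound to loopback and the rest is allowlisted.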

Solution 2:

A couple of years ago I created a user with a name consisting of two characters. I hadn't thought, though, that the well-experienced hacker this account was for could use his login as a password. Of course that machine was hacked within a week, and when I asked the guy what he was thinking, he told me that he wasn't aware that someone could check every possible short user name on the server; he knew for sure no one could get the list of users, so he thought he was safe enough.

Hackers installed some kind of back door and probably used this machine to send spam. Luckily it wasn't such an important server, so we just reinstalled the OS on it.
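The attack described here, walking every short user name and trying the name as the password, leaves a very recognisable trail in sshd's log, which is also the kind of thing the "log monitoring/intrusion detection scripts" in Solution 1 are for. The following is an added example (not code from either answer's author): it reads sshd lines in the standard auth.log format, groups failed password attempts by source address, and flags any address that runs through many user names and then gets an `Accepted password`. The log lines and the threshold are constructed.

```python
"""Flag user-name walking followed by a successful password login in sshd logs."""
import re
from collections import defaultdict

# Constructed sample lines in the format OpenSSH writes to auth.log.
SAMPLE_LOG = """\
Mar  3 02:14:01 web1 sshd[2201]: Failed password for invalid user ab from 203.0.113.7 port 50211 ssh2
Mar  3 02:14:02 web1 sshd[2203]: Failed password for invalid user ac from 203.0.113.7 port 50212 ssh2
Mar  3 02:14:03 web1 sshd[2205]: Failed password for invalid user ad from 203.0.113.7 port 50213 ssh2
Mar  3 02:14:04 web1 sshd[2207]: Failed password for invalid user ae from 203.0.113.7 port 50214 ssh2
Mar  3 02:14:05 web1 sshd[2209]: Failed password for jk from 203.0.113.7 port 50215 ssh2
Mar  3 02:14:06 web1 sshd[2211]: Accepted password for jk from 203.0.113.7 port 50216 ssh2
Mar  3 08:30:10 web1 sshd[3100]: Accepted publickey for admin from 198.51.100.4 port 40022 ssh2
Mar  3 09:02:11 web1 sshd[3150]: Failed password for admin from 198.51.100.4 port 40031 ssh2
"""

# "invalid user" is present when the account does not exist at all.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port"
)


def analyse(log_text, threshold=4):
    """Return (suspicious, compromised).

    suspicious:   {source_ip: sorted user names tried} for sources with at
                  least `threshold` failed password attempts.
    compromised:  [(source_ip, user, auth_method)] for logins accepted from a
                  source that had already crossed the threshold.
    """
    failures = defaultdict(list)   # source ip -> user names that failed
    compromised = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip].append(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            if len(failures[ip]) >= threshold:
                compromised.append((ip, user, method))
    suspicious = {
        ip: sorted(set(users))
        for ip, users in failures.items()
        if len(users) >= threshold
    }
    return suspicious, compromised


def main():
    suspicious, compromised = analyse(SAMPLE_LOG)
    for ip, users in suspicious.items():
        short = [u for u in users if len(u) <= 2]
        print(f"{ip}: {len(users)} user names tried, {len(short)} of them 1-2 chars")
    for ip, user, method in compromised:
        print(f"ALERT: {ip} logged in as {user} via {method} after a guessing burst")


if __name__ == "__main__":
    main()
```

The "accepted after a burst" case is the one worth paging on: a burst of failures on its own is background noise on any internet-facing SSH port, but a success from the same source is exactly what a guessed login-equals-password account looks like. Keying on the source address rather than the user name is what catches a scan that spreads its guesses over many accounts.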

Solution 3:

The hosting solution (an unsupported dedicated server) was cheap and sounded cool; I didn't really know what I was doing, didn't keep the system up to date, and I had probably done something bad with the iptables/ipchains configuration. One day, while backpacking around Western Europe, I fired up the site and nothing was there.

My solution was to abandon everything and trust someone else until such a time that I'd gained more server admin experience; that was about 7 years ago and I still trust the other guy!