On Wed, Apr 03, 2019 at 06:56:39PM +0000, Cord wrote:
> I strongly suspect that my OpenBSD box has been hacked for the second
> time in a few weeks. The first time was some weeks ago: I had some
> suspicions, and after a few checks I found that someone had connected to
> my VPS via ssh on a non-standard port using my ssh key. The connection came
> from a Tor exit node. There had been 2 connections, up for 5 days. Now
> I have some other new suspicions because some private email seems to be known
> to others. Also, I have found other open sessions on the web GUI of my email
> provider, but I am absolutely sure I have always logged out.
If you see ssh sessions that shouldn't be there, kill those sessions. Then, before they log in again, do whatever changes are required, such as generating new keys, changing your password or similar, and of course clean up your sshd config.

From your (not very precise) description it could even be that a separate set of binaries has been installed in addition to the system sshd. Look for those too. Basically, do not trust your system as it is. Wipe, reinstall and rebuild should be an option.

For the webmail access, do change your password and, if they support it, look into any multi-factor authentication options.

Moving forward, learn how to read and interpret logs and, for that matter, packet captures. The information you have offered up does not give any indication of how the suspected attackers got hold of enough information to get access (if indeed that is what happened). That information could possibly be found in your logs, but in my experience it is far more likely that somebody with access to the system made some stupid mistake such as clicking a link in a mailed webpage, speaking their password out loud within hearing distance of somebody with enough context information to be able to use it, or something else equally cringeworthy. Then your logs would only show a successful login, perhaps from somewhere unexpected, as the start of the compromise.

I hope some of this stream of semi-random items is of some use.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
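The reply's last point, that the logs may show nothing more than a successful login from somewhere unexpected, is exactly what the original poster describes: a valid key used from a Tor exit node. The script below is an added example, not code from the thread or from either poster. It runs over a handful of constructed /var/log/authlog lines in the real OpenSSH "Accepted ... for ... from ..." format and flags any accepted login whose source is outside the networks the admin normally uses, whose key fingerprint is not one of the admin's own, or which did not use a key at all. The fingerprints, hostname, addresses and trusted networks are hypothetical values chosen for the example.

```python
"""Triage OpenSSH "Accepted ..." lines from an OpenBSD authlog.

Added example, not from the mailing-list post. Flags logins that come from
outside the expected networks, use an unexpected key fingerprint, or use a
non-key method. All sample data below is constructed for the example.
"""
import ipaddress
import re

# Constructed sample of /var/log/authlog sshd lines (OpenSSH log format).
SAMPLE_AUTHLOG = """\
Apr  3 18:56:39 vps sshd[29949]: Accepted publickey for cord from 192.0.2.10 port 52344 ssh2: ED25519 SHA256:qZ8Xc2h0YJ9u0kL3dQ0vXx8n5r2Wm7Y1A4Z6pB0cK3E
Apr  3 19:02:11 vps sshd[30112]: Accepted publickey for cord from 198.51.100.77 port 41000 ssh2: ED25519 SHA256:qZ8Xc2h0YJ9u0kL3dQ0vXx8n5r2Wm7Y1A4Z6pB0cK3E
Apr  3 19:05:40 vps sshd[30140]: Failed password for root from 203.0.113.5 port 40122 ssh2
Apr  4 07:15:02 vps sshd[30377]: Accepted publickey for cord from 192.0.2.10 port 52390 ssh2: ED25519 SHA256:Wq1NnE0Dr3w9s8kJ5xU7yH2vL4tM6bP8zC0aF3gK9eI
Apr  4 07:20:13 vps sshd[30391]: Accepted password for cord from 192.0.2.10 port 52401 ssh2
"""

# Assumed allow-lists (hypothetical values): the admin's own key fingerprint(s)
# and the networks the admin normally logs in from.
KNOWN_FINGERPRINTS = {"SHA256:qZ8Xc2h0YJ9u0kL3dQ0vXx8n5r2Wm7Y1A4Z6pB0cK3E"}
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Matches the OpenSSH success line; the trailing key type/fingerprint part is
# only present for publickey authentication.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?$"
)


def parse_accepted(lines):
    """Yield one dict per successful login; other lines are ignored."""
    for line in lines:
        m = ACCEPTED_RE.match(line.rstrip("\n"))
        if m:
            yield m.groupdict()


def audit_login(ev):
    """Return the list of reasons this login looks suspicious (empty if none)."""
    reasons = []
    ip = ipaddress.ip_address(ev["ip"])
    if not any(ip in net for net in TRUSTED_NETWORKS):
        # The original poster's case: the right key, the wrong place.
        reasons.append(f"source {ev['ip']} outside trusted networks")
    if ev["method"] == "publickey":
        if ev["fp"] not in KNOWN_FINGERPRINTS:
            reasons.append(f"unknown key {ev['fp']}")
    else:
        # Assumes a key-only policy, so any password login is worth a look.
        reasons.append(f"non-key auth method {ev['method']}")
    return reasons


def suspicious_logins(text):
    """Map sshd pid -> (event, reasons) for every flagged login in the log text."""
    flagged = {}
    for ev in parse_accepted(text.splitlines()):
        reasons = audit_login(ev)
        if reasons:
            flagged[ev["pid"]] = (ev, reasons)
    return flagged


if __name__ == "__main__":
    for pid, (ev, reasons) in suspicious_logins(SAMPLE_AUTHLOG).items():
        print(f"{ev['ts']} sshd[{pid}] {ev['user']} from {ev['ip']}: " + "; ".join(reasons))
```

Run against a real authlog with `python3 triage.py < /var/log/authlog` after replacing the sample text with `sys.stdin.read()`, and keep the allow-lists honest: a key fingerprint check alone would have passed the Tor-exit login in the original post, since the attacker used the poster's own key, which is why the source-network check is there.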