My server was attacked
Unanswered
Cape lion posted this in #help-forum
Cape lionOP
So due to the recent RSC vulnerability, someone managed to achieve RCE on my server and ran a bunch of commands. The logs mostly show errors but some places I can see they've managed to create a couple of services. The application was just a casual hobby project used by me and my friends, so it's not very serious. But I still turned off the VM after collecting some logs. I can maybe share the logs but I'm afraid they might contain some sensitive info. It's about 2000 lines.
I want to know what I should do next, aside from upgrading to a patched version.
4 Replies
Of course patch your stuff first, so no more attackers can join.
Then take down the server from the internet and build a secure tunnel to your server, so you can still access it. ufw is your best friend in this case.
Then check the logs: what actually got installed, what's currently running (esp. when it comes to crypto miners), and then clean up step by step.
After that your server should be clean again and it should be fine to connect it to the internet again. Monitor changes. Monitor your server, the logs, ... maybe you missed something during cleanup, so it's important to review this.
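A defender-side triage script for the steps in that reply (cut the box off behind a firewall, find what got installed, see what is running, check for scheduled re-infection), added here as an example; it is not code from anyone in the thread. It assumes a systemd-based Linux host with procps `ps` and ufw installed; the unit directories, the 50% CPU threshold, the 7-day window and the admin IP are assumptions, and the sample data in the parsing functions is constructed.

```shell
#!/bin/sh
# Post-compromise triage helpers for a systemd Linux host (added example;
# paths, thresholds and the admin IP are assumptions, not from the thread).

# Unit files under $1 changed in the last $2 days. Services an intruder
# created for persistence are new files here, so they surface first.
recent_units() {
    find "$1" -maxdepth 1 -type f \( -name '*.service' -o -name '*.timer' \) \
        -mtime "-$2" 2>/dev/null | sort
}

# Read `ps -eo pid,pcpu,comm` output on stdin and print processes above $1 %CPU.
# A miner pegging a core is the usual hit; the header line (NR == 1) is skipped.
high_cpu() {
    awk -v t="$1" 'NR > 1 && $2 + 0 > t + 0 { print $1, $2, $3 }'
}

# Count crontab lines on stdin that download something and pipe it straight
# into a shell, a common way re-infection gets scheduled. `|| true` keeps a
# zero count (grep exits 1) from being treated as an error under `set -e`.
remote_exec_cron() {
    grep -Ec '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)' || true
}

# Cut the host off from the internet except SSH from one admin address,
# which is the "secure tunnel" the reply describes. Runs ufw for real, so
# it is only called from --live with an explicit address.
lockdown_firewall() {
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow from "$1" to any port 22 proto tcp
    ufw --force enable
}

# Live run on the host. Re-run it after cleanup and again a few days later:
# anything reappearing in these lists is something the cleanup missed.
triage_live() {
    echo "== unit files changed in the last 7 days =="
    recent_units /etc/systemd/system 7
    recent_units /etc/systemd/user 7
    echo "== processes above 50% CPU =="
    ps -eo pid,pcpu,comm --sort=-pcpu | high_cpu 50
    echo "== crontab lines piping downloads into a shell (count) =="
    {
        cat /etc/crontab /etc/cron.d/* 2>/dev/null
        for u in $(cut -d: -f1 /etc/passwd); do
            crontab -l -u "$u" 2>/dev/null
        done
    } | remote_exec_cron
}

# Usage on the host: sh triage.sh --live [ADMIN_IP]
# Without --live nothing touches the system; the functions can be sourced.
if [ "${1:-}" = "--live" ]; then
    if [ -n "${2:-}" ]; then
        lockdown_firewall "$2"
    fi
    triage_live
fi
```

The parsing functions take their input on stdin, so they can be pointed at saved `ps`/crontab output from a powered-off VM's disk image as easily as at the live host, which matters when the box has already been shut down the way the OP did.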
Cape lionOP
I don't have a lot of data on the server so I'm thinking of terminating it and making a new one.
Also after looking through the logs again and asking chatgpt, found out they did install and run crypto miners. Don't know what else they've done though, cuz I hadn't set up the web application properly to store logs 😬.
uff yea... if there isn't a lot of stuff that you need, then reinstalling would be the fastest and cleanest way
Terminating is the fastest option imo.
Back up whatever's important -> Update Env -> Rehost it