EvilZone
Hacking and Security => Beginner's Corner => : Archlnx April 22, 2015, 04:07:48 PM
-
Hi, I was curious if there was any way of being able to tell who has rooted my server? This person was able to get ssh access and I would like to find the user's IP or set up almost a honey pot type of thing on the server to possibly catch whoever it is (even though the chances are very high they had a VPN on?) If that isn't possible I would still like to manage to get root access back and any back doors that may have been installed taken off. Any advice or help I'd appreciate!
-
Would've been great with some more information...
Here's where to check for ssh logins.
Ubuntu:
/var/log/auth
RedHat:
/var/log/secure
Also, to re-gain access, simply open the console at your host provider. If you don't feel like going through your current server's security (which you should), you can simply install a fresh image of whatever distro you'd like.
-
Sorry, I'll try to be a little more specific. My server OS is CentOS, it's a VPS server, and I'm almost a hundred percent sure there's a back door. My server name changed to 'jailroot' after it happened. I checked the history log and they had to have entered at least 200+ commands on there. But thank you for the response, I will reinstall a new image. :)
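-
Added example, not part of the original thread: one way to pull source IPs out of the sshd entries in the log files named in the reply above (`/var/log/secure` on CentOS). The sample lines, hostnames and addresses are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Matches sshd authentication result lines as written to /var/log/secure.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\S+)\sfor\s"
    r"(?:invalid user\s)?(?P<user>\S+)\sfrom\s(?P<ip>\S+)\sport\s\d+"
)

# Constructed sample input (documentation address ranges, made-up host "vps").
SAMPLE = [
    "Apr 21 03:12:40 vps sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 51101 ssh2",
    "Apr 21 03:12:44 vps sshd[2209]: Failed password for root from 203.0.113.7 port 51110 ssh2",
    "Apr 21 03:12:47 vps sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "Apr 21 03:12:51 vps sshd[2213]: Accepted password for root from 203.0.113.7 port 51130 ssh2",
    "Apr 21 09:40:02 vps sshd[3100]: Accepted publickey for admin from 198.51.100.20 port 40022 ssh2",
    "Apr 21 09:41:10 vps sshd[3100]: pam_unix(sshd:session): session closed for user admin",
]

def summarize_logins(lines):
    """Group sshd results by source IP.

    Returns {ip: {"failed": n, "accepted": [(ts, user, method, prior_failed)]}}
    where prior_failed is the number of failures from that IP seen before
    the successful login.
    """
    by_ip = defaultdict(lambda: {"failed": 0, "accepted": []})
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue  # not an authentication result line
        entry = by_ip[m["ip"]]
        if m["result"] == "Failed":
            entry["failed"] += 1
        else:
            entry["accepted"].append(
                (m["ts"], m["user"], m["method"], entry["failed"]))
    return dict(by_ip)

def suspicious_sources(summary, min_failed=3):
    """IPs with a successful login preceded by at least min_failed failures."""
    return sorted(ip for ip, e in summary.items()
                  if any(a[3] >= min_failed for a in e["accepted"]))

if __name__ == "__main__":
    for ip, info in summarize_logins(SAMPLE).items():
        print(ip, info)
    print("review first:", suspicious_sources(summarize_logins(SAMPLE)))
```

To run it on a real host, pass the lines of the log file instead of `SAMPLE`. Because the intruder had root, the local log may have been edited, so a copy held off the server is more trustworthy where one exists.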