Debian 12.4 server hacked via ssh pw login – what was it?
A few days ago my server was hacked and crashed via out of memory. In the auth.log I discovered my password as username. So my pw was stolen. I got a lot of successful logins from many IPs in my auth.log!
Source of my pw, I guess:
I had saved the password of the Debian server on a Windows 10 computer in WinSCP (which of course you should not do). The Windows computer was full of malware, I later realized.
The malware on my Debian 12.4 system left whitecat in /usr/bin; the bash was reset, as were all ssh keys.
In addition, a strange entry in /etc/passwd:
htop:x:0:0:root:/root:/bin/bash
My leaked password is: fjgurdk7824! (I changed it now)
Maybe someone can find it in a database of leaked pw.
None of the files were encrypted by the malware. I removed as much as possible from the Debian machine which seemed strange to me. I also checked the server with chkrootkit. Nothing found.
I think it was a cryptominer because the system was completely overloaded and crashed.
I have deactivated password login, only login via pub key.
I will gladly post further system information.
Do you have any idea what kind of malware it was?
Here are the newest entries of /usr/bin:
95037404 2380 -rwxr-xr-x 1 root root 2434784 6. Feb 18:38 qemu-nbd
95037402 2180 -rwxr-xr-x 1 root root 2231840 6. Feb 18:38 qemu-io
95037401 2236 -rwxr-xr-x 1 root root 2288608 6. Feb 18:38 qemu-img
95037757 0 lrwxrwxrwx 1 root root 18 6. Feb 18:38 kvm -> qemu-system-x86_64
95048428 72 -rwxr-xr-x 1 root root 72248 12. Feb 17:28 nsupdate
95030029 116 -rwxr-xr-x 1 root root 117496 12. Feb 17:28 nslookup
95030003 48 -rwxr-xr-x 1 root root 47440 12. Feb 17:28 mdig
95048317 116 -rwxr-xr-x 1 root root 117456 12. Feb 17:28 host
95029964 20 -rwxr-xr-x 1 root root 18768 12. Feb 17:28 dnstap-read
95027888 140 -rwxr-xr-x 1 root root 142104 12. Feb 17:28 dig
95027651 44 -rwxr-xr-x 1 root root 41784 12. Feb 17:28 delv
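As an added example (not from the poster, and not part of any tool named in the post), here is a small Python triage script for the two indicators described above: an extra UID-0 account in /etc/passwd (the `htop:x:0:0:...` line) and a burst of accepted password logins from many source IPs. The /etc/passwd excerpt and auth.log lines are constructed sample data, and the log format assumed is Debian's rsyslog-style `sshd[PID]: Accepted password for USER from IP port N ssh2`; if the server logs to journald only, feed it `journalctl -u ssh` output instead.

```python
"""Triage helpers for a compromised SSH host (added example, constructed data).

Checks two indicators from the post above:
  1. accounts other than root that carry UID 0 in /etc/passwd
  2. accepted password logins for a user, grouped by source IP, plus
     "invalid user" names (a leaked password showing up as a username
     is a typical sign of automated credential abuse)
"""
import re
from collections import Counter, defaultdict

# Constructed /etc/passwd excerpt; the 'htop' line mirrors the rogue entry in the post.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/bash
htop:x:0:0:root:/root:/bin/bash
"""

# Constructed auth.log lines (assumed rsyslog format). IPs are documentation ranges;
# "S3cretPass!" is a placeholder standing in for a leaked password used as a username.
SAMPLE_AUTH_LOG = """\
Feb 12 17:20:01 srv sshd[1001]: Accepted password for root from 203.0.113.5 port 51234 ssh2
Feb 12 17:20:09 srv sshd[1002]: Accepted password for root from 198.51.100.23 port 40211 ssh2
Feb 12 17:21:40 srv sshd[1003]: Failed password for invalid user S3cretPass! from 198.51.100.23 port 40212 ssh2
Feb 12 17:22:03 srv sshd[1004]: Accepted password for root from 192.0.2.77 port 33001 ssh2
Feb 12 17:25:55 srv sshd[1005]: Accepted publickey for admin from 203.0.113.5 port 51300 ssh2
Feb 12 17:30:12 srv sshd[1006]: Accepted password for root from 203.0.113.5 port 51400 ssh2
"""

ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")
INVALID_USER_RE = re.compile(r"Failed password for invalid user (\S+) from (\S+) port")


def rogue_uid0_accounts(passwd_text, allowed=("root",)):
    """Return names of UID-0 accounts that are not in `allowed`.

    Any extra UID-0 entry is a full root equivalent, regardless of its name,
    so it should be treated as a backdoor until proven otherwise.
    """
    rogue = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:          # malformed line, skip rather than guess
            continue
        name, uid = fields[0], fields[2]
        if uid == "0" and name not in allowed:
            rogue.append(name)
    return rogue


def accepted_logins(log_text):
    """Map (user, auth method) -> Counter of source IPs for every accepted login."""
    result = defaultdict(Counter)
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            result[(user, method)][ip] += 1
    return result


def distinct_source_ips(log_text, user="root", method="password"):
    """Sorted list of distinct IPs that logged in as `user` with `method`."""
    return sorted(accepted_logins(log_text)[(user, method)])


def invalid_user_names(log_text):
    """Usernames rejected as 'invalid user'; check whether a real password appears here."""
    names = []
    for line in log_text.splitlines():
        m = INVALID_USER_RE.search(line)
        if m:
            names.append(m.group(1))
    return names


if __name__ == "__main__":
    # On a real host: open("/etc/passwd") and open("/var/log/auth.log") instead.
    print("UID-0 accounts besides root:", rogue_uid0_accounts(SAMPLE_PASSWD))
    for (user, method), ips in accepted_logins(SAMPLE_AUTH_LOG).items():
        print(f"{user} via {method}: {len(ips)} distinct IPs, {sum(ips.values())} logins")
    print("Names tried as invalid users:", invalid_user_names(SAMPLE_AUTH_LOG))
```

Many distinct source IPs all succeeding with the same password, as in the post, points to the credential having been shared among several operators or bots rather than to a single brute-force source, and the extra UID-0 account means the host must be rebuilt rather than cleaned, since chkrootkit cannot vouch for a system whose passwd file has already been tampered with.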