Lost root password

FlorinMarian

Hi there!
Yesterday at about 20:00 I reinstalled my Proxmox version 4.4.13 and later I upgraded many packages, including Proxmox.
At about 03:00 this morning I finished my work on my PC and left the computer.
An hour ago, when I arrived home, I saw that I cannot use my root login details to log in to the web interface/WinSCP/PuTTY. Also, the game server running on one VPS had all of its processes stopped, as if the master server had rebooted.
I want to know:
- How can I detect if my server got hacked?
- Is it possible for the root password to change automatically on reboot? (I think there was a reboot, because only today, after the root password reset, I saw that the Proxmox version is 5.1.)
- What should I check?

The password was very complex because it had lowercase and uppercase letters plus 4 special characters.
Thank you!

Syslog file content: http://gaming-area.ro/syslog.txt
Output of the last command, to see whether there was any other login between 03:00 and 14:30:
Code:
root@s1:~# last
root     pts/1        92.87.75.HIDDEN      Sun Feb 18 15:11   still logged in
root     pts/1        92.87.75.HIDDEN      Sun Feb 18 14:55 - 14:57  (00:01)
root     pts/1        92.87.75.HIDDEN      Sun Feb 18 14:53 - 14:55  (00:02)
root     tty1                          Sun Feb 18 14:52   still logged in
reboot   system boot  4.13.13-5-pve    Sun Feb 18 14:52   still running
reboot   system boot  4.13.13-5-pve    Sun Feb 18 14:41   still running
reboot   system boot  4.13.13-5-pve    Sun Feb 18 14:36   still running
root     tty1                          Sun Feb 18 05:36 - 05:37  (00:00)
reboot   system boot  4.13.13-5-pve    Sun Feb 18 05:36   still running
reboot   system boot  4.13.13-5-pve    Sun Feb 18 00:11 - 05:33  (05:21)
root     tty1                          Sun Feb 18 00:05 - crash  (00:06)
reboot   system boot  4.13.13-5-pve    Sun Feb 18 00:05 - 05:33  (05:28)
root     pts/0        92.87.75.HIDDEN      Sat Feb 17 23:00 - 23:11  (00:11)
root     pts/0        92.87.75.HIDDEN      Sat Feb 17 22:48 - 22:52  (00:04)
reboot   system boot  4.4.35-1-pve     Sat Feb 17 22:47 - 23:14  (00:27)
root     tty1                          Sat Feb 17 22:44 - down   (00:00)
reboot   system boot  4.4.35-1-pve     Sat Feb 17 22:44 - 22:44  (00:00)
root     pts/0        92.87.75.HIDDEN      Sat Feb 17 21:12 - 21:12  (00:00)
root     pts/0        92.87.75.HIDDEN      Sat Feb 17 21:08 - 21:09  (00:00)
root     pts/1        92.87.75.HIDDEN      Sat Feb 17 20:47 - 20:54  (00:07)
root     pts/0        92.87.75.HIDDEN      Sat Feb 17 20:45 - 21:08  (00:22)
reboot   system boot  4.4.35-1-pve     Sat Feb 17 20:44 - 22:29  (01:45)

wtmp begins Sat Feb 17 20:44:43 2018
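The question above asks how to tell from the last output whether anyone was on the box between 03:00 and 14:30. Here is an added example (not the poster's code) that parses that output into timestamped records, lists the sessions and boots overlapping a time window, and lists the kernel versions booted in order; the sample input is a handful of lines copied from the output above, and the year 2018 is taken from the wtmp footer since last does not print it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a few lines copied from the `last` output quoted in the post above.
SAMPLE = """\
root     tty1                          Sun Feb 18 05:36 - 05:37  (00:00)
reboot   system boot  4.13.13-5-pve    Sun Feb 18 05:36   still running
reboot   system boot  4.13.13-5-pve    Sun Feb 18 00:11 - 05:33  (05:21)
root     tty1                          Sun Feb 18 00:05 - crash  (00:06)
root     pts/0        92.87.75.HIDDEN      Sat Feb 17 23:00 - 23:11  (00:11)
reboot   system boot  4.4.35-1-pve     Sat Feb 17 22:47 - 23:14  (00:27)
"""

DATE_RE = re.compile(r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) (\w{3}) +(\d{1,2}) (\d{2}):(\d{2})")
END_RE = re.compile(r"- (\d{2}):(\d{2})")               # "- 05:33": explicit logout time
DUR_RE = re.compile(r"\((?:(\d+)\+)?(\d{2}):(\d{2})\)")  # "(1+02:30)": duration, days optional

def parse_last(text, year):
    """Parse `last` output into dicts (user, tty, host, start, end, note); `last` prints no year."""
    records = []
    for line in text.splitlines():
        m = DATE_RE.search(line)
        if not m or line.startswith("wtmp"):
            continue  # blank lines and the 'wtmp begins ...' footer carry no record
        prefix = line[:m.start()].split()  # user, tty (may be 'system boot'), optional host
        user, tty = prefix[0], (" ".join(prefix[1:-1]) if len(prefix) > 2 else prefix[1])
        host = prefix[-1] if len(prefix) > 2 else None  # kernel version on reboot records
        start = datetime.strptime(f"{year} {m.group(1)} {m.group(2)} {m.group(3)}:{m.group(4)}", "%Y %b %d %H:%M")
        tail = line[m.end():].strip()
        em, dm, end = END_RE.match(tail), DUR_RE.search(tail), None
        extra_days = int(dm.group(1) or 0) if dm else 0
        if em:  # explicit end time: roll over midnight if needed, then add whole days from the duration
            end = start.replace(hour=int(em.group(1)), minute=int(em.group(2)))
            end += timedelta(days=extra_days + (1 if end < start else 0))
        elif dm:  # "- crash" / "- down": only the duration tells when the session ended
            end = start + timedelta(days=extra_days, hours=int(dm.group(2)), minutes=int(dm.group(3)))
        note = "crash" if "crash" in tail else "down" if "down" in tail else "open" if end is None else "closed"
        records.append({"user": user, "tty": tty, "host": host, "start": start, "end": end, "note": note})
    return records

def overlapping(records, win_start, win_end):
    """Records active at some point in [win_start, win_end); sessions still open count as active."""
    return [r for r in records if r["start"] < win_end and (r["end"] is None or r["end"] > win_start)]

def boot_kernels(records):
    """Kernel versions in boot order, oldest first; one you did not install yourself needs explaining."""
    boots = sorted((r for r in records if r["user"] == "reboot"), key=lambda r: r["start"])
    return list(dict.fromkeys(r["host"] for r in boots))
```

For the window the poster was away, call overlapping(parse_last(SAMPLE, 2018), datetime(2018, 2, 18, 3), datetime(2018, 2, 18, 14, 30)); on the sample it returns the 05:36 console login and the two boots that were running during that time, and boot_kernels shows the jump from 4.4.35-1-pve to 4.13.13-5-pve.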
 
My VPS server's consumption is 3-4 usage and the server has 66-68%.
I didn't enter any command after the root password change and restart, and I see a gcc process there.
What happened? Everything is crazy!
https://prnt.sc/igeauy
 
Lol... my server got hacked.
I don't know how, but someone is using it for mining.
http://prntscr.com/igewik

Edit: Did they hack the repositories? Look... before, I had version 4.4 and after the upgrade I have 4.13.13, which has been in use since 05:36, when loader.sh appeared on the system.

Code:
reboot   system boot  4.4.35-1-pve     Sat Feb 17 20:44 - 22:29  (01:45)
root     pts/0        92.87.75.HIDDEN      Sat Feb 17 20:45 - 21:08  (00:22)
root     pts/1        92.87.75.HIDDEN      Sat Feb 17 20:47 - 20:54  (00:07)
root     pts/0        92.87.75.HIDDEN      Sat Feb 17 21:08 - 21:09  (00:00)
root     pts/0        92.87.75.HIDDEN      Sat Feb 17 21:12 - 21:12  (00:00)
reboot   system boot  4.4.35-1-pve     Sat Feb 17 22:44 - 22:44  (00:00)
root     tty1                          Sat Feb 17 22:44 - down   (00:00)
reboot   system boot  4.4.35-1-pve     Sat Feb 17 22:47 - 23:14  (00:27)
root     pts/0        92.87.75.HIDDEN      Sat Feb 17 22:48 - 22:52  (00:04)
root     pts/0        92.87.75.HIDDEN      Sat Feb 17 23:00 - 23:11  (00:11)
reboot   system boot  4.13.13-5-pve    Sun Feb 18 00:05 - 05:33  (05:28)
root     tty1                          Sun Feb 18 00:05 - crash  (00:06)
reboot   system boot  4.13.13-5-pve    Sun Feb 18 00:11 - 05:33  (05:21)
reboot   system boot  4.13.13-5-pve    Sun Feb 18 05:36   still running
root     tty1                          Sun Feb 18 05:36 - 05:37  (00:00)
reboot   system boot  4.13.13-5-pve    Sun Feb 18 14:36   still running
reboot   system boot  4.13.13-5-pve    Sun Feb 18 14:41   still running
reboot   system boot  4.13.13-5-pve    Sun Feb 18 14:52   still running
root     tty1                          Sun Feb 18 14:52   still logged in
root     pts/1        92.87.75.HIDDEN      Sun Feb 18 14:53 - 14:55  (00:02)
root     pts/1        92.87.75.HIDDEN      Sun Feb 18 14:55 - 14:57  (00:01)
root     pts/1        92.87.75.HIDDEN      Sun Feb 18 15:11 - 15:28  (00:17)
root     pts/1        92.87.75.HIDDEN      Sun Feb 18 15:43 - 15:48  (00:04)
root     pts/1        92.87.75.HIDDEN      Sun Feb 18 16:38 - 16:43  (00:05)
root     pts/1        92.87.75.HIDDEN      Sun Feb 18 16:54   still logged in
 
If your server was hacked, I would nuke it and begin fresh; you will never know if there is still something in the system.
 
If your server was hacked, I would nuke it and begin fresh; you will never know if there is still something in the system.
Thank you!
I already deleted the whole content and installed version 5.1 directly.
But it's a bit weird, because I don't know how they hacked my system after a fresh install.
The password was very strong, like: [space]32432!@#[space].