Some annoying brat is shutting down my server via SSH.

Status
Not open for further replies.

ErnestGaskin

Active Member
Hello there

So I have a VPS. It's a Kimsufi at OVH, running Windows Server 2008 R2. I am totally incompetent and fairly stupid.

About two weeks ago, my server started to restart unexpectedly every few hours, and after a few days it shut down completely.

When I got it out of WinRescue, I found out a user is logging in, SvcopSSH or something like that. Googling it for a while, I found out it's a Windows user for SSH (duh).

I changed the password for svcopssh in Windows user management, to 16 characters. It seemed fine, though I had no idea whether I actually changed the SSH password as well (PuTTY telling me the connection was refused).

Now the bastard was back and I got rebooted _yet again_. I'm desperate, I have no idea what to do anymore - I'm battling a foe on a field I know nothing about.

Could anyone suggest anything, in the simplest possible way?
 
17 comments
Check your local system for malicious software and keyloggers.

Change your OVH details, change your email password.

If you don't use it, I guess you can disable COPSSH.
Thanks for the reply.

The account is deleted and I'm running AV (ClamWin on the server, Avast on all the local machines - hope that's enough) for the other things.

I'm gonna check with the provider when all this is done.

Thanks again.
Alright all done.

I blocked 22 specifically, because I need to first find out whether this solves the issue; if it survives for, say, 24h without a reboot, I'll block all the ports and proceed to allow the ones I'm using.

Thanks again, I'll report the results.
 
Better than blocking just the IP

On my Linux servers I run fail2ban, and from time to time I see some knucklehead from China trying to brute force into my server (fail2ban doesn't let this go on long). I then check the WHOIS record of the IP address, and if it's not a big fat wide range I just block out the whole range.

For the type of operations that my sites do we really aren't looking to make any sales in China, so I probably should just block all of China out (which some file hosting sites do, from what I'm told).
 
You can use another port too, but an SSH server under Windows is useless, right? Telnet is not enough?
 
If you still see issues it may be better to reinstall the operating system, as the attacker might already have installed a rootkit.
 
I tried almost everything and capitulated in the end,
rescuing all my files and renting another server.

I know, I know, by doing that I have let the annoying brat win,
but there is a time and place for everything
and the time and place for me to be battling pubescent Chinese hackers
is gonna be
when I'm old, I can't get girls anymore and/or I dictate a small country with
its own nuclear arsenal.
 
Basic steps:

1. Find out how he/she got your login details. Find out the problem before proceeding.
2. Patch the problem; this may be as simple as changing the password on another site or as complicated as patching an exploit in a piece of software.
3. Ensure there are no rootkits or similar nasties.
4. Change your account password.
5. Restrict SSH to your own IP range, or, if you use mobile devices / connect from work, limit it at least to your own country. I often also allow the United States, as most geo databases default to the States if they can't match an IP.

No warranty implied; if you cause the next world war with your actions, don't blame me.
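Step 5 above, restricting SSH to your own address range, can be done on a Windows Server 2008 R2 host with the built-in firewall. The script below is an added example and is not from this thread or from any poster; it assumes the SSH service listens on TCP 22, that you run it from an elevated PowerShell prompt, and it uses 203.0.113.0/24 as a placeholder for the range you actually connect from.

```powershell
# Added example (not from the thread): scope inbound SSH on Windows Server 2008 R2
# to one trusted address range using the built-in firewall through netsh.
# Run from an elevated PowerShell prompt.
$TrustedRange = "203.0.113.0/24"   # placeholder: replace with the range you connect from
$SshPort      = 22                 # assumption: sshd listens on the default port
$RuleName     = "SSH (TCP $SshPort) - trusted range only"

# 1. Block unsolicited inbound traffic by default on every profile, so anything
#    without an explicit allow rule (including the SSH port) is dropped.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 2. Delete every existing inbound rule for the SSH port, however it got there.
#    Allow rules are cumulative: a scoped rule does nothing while a broad
#    "any remote address" allow rule for the same port still exists.
netsh advfirewall firewall delete rule name=all dir=in protocol=TCP localport=$SshPort

# 3. Add a single allow rule for the SSH port, limited to the trusted remote range.
netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow `
    protocol=TCP localport=$SshPort remoteip=$TrustedRange profile=any

# 4. Verify the result: the rule's RemoteIP field must show only the trusted range.
netsh advfirewall firewall show rule name="$RuleName" verbose
```

Run this from the provider's out-of-band console (or make sure the address of your current session is inside `$TrustedRange`), because step 2 drops your own SSH session if you are connecting from outside that range. If you later need to admit a second range, edit the rule's `remoteip` list rather than adding an unscoped allow rule.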
 
Well, firstly I would recommend disallowing the root user from logging in over SSH and creating a separate SSH-enabled user with this privilege. By disabling the root user you've already significantly lessened the chances of someone brute forcing in over SSH, as they now can't log in via root.
 
If you want, you can secure SSH for you and scan the server for malware; send me a PM and I'll do it this evening.
 
A hacker wouldn't just shut down your server.

- A hacker will destroy your server and erase all data. = This is not the case, as everything is intact.
- A hacker will steal stuff on your server. = This is not the case, because he will do anything to stay unnoticed.

It could be a software issue.
 
I know in Linux you can set « AllowUsers » so that only the accepted users can connect to the server; maybe you can with Windows?
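Both the "disallow root over SSH" advice above and the AllowUsers question are settings of the OpenSSH daemon, and Copssh bundles an OpenSSH sshd that reads a standard sshd_config, so the same directives apply on the Windows host. The fragment below is an added example, not from this thread or from the Copssh project; it assumes the config file sits under the Copssh install directory's etc folder (check your install), uses `admin` as a placeholder account name and 203.0.113.* as a placeholder trusted range.

```sshd_config
# Added example (not from the thread): sshd_config directives that limit who may
# log in. Copssh ships OpenSSH, so these apply on Windows too; the file path is
# an assumption (Copssh install directory, etc folder).
Port 22

# Only the listed accounts may authenticate at all; any other username is
# rejected before its password is even examined. 'admin' is a placeholder.
AllowUsers admin

# Alternative form: the same account, but only from a trusted range (placeholder).
# Use one AllowUsers line or the other, not both.
# AllowUsers admin@203.0.113.*

# Never accept a superuser login over SSH. On a Windows host the equivalent is
# keeping the Administrator account out of the AllowUsers list above.
PermitRootLogin no

# Keys instead of passwords make a password brute force pointless.
PubkeyAuthentication yes
PasswordAuthentication no

# Drop unauthenticated connections quickly and cap attempts per connection.
LoginGraceTime 30
MaxAuthTries 3
```

Keep an existing session open while you restart the service after editing, and test a fresh login from a second window before closing it; a typo in AllowUsers locks everyone out, including you.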
 