Debian – the server was rooted via h00lyshit exploit, any good advice

debian exploit

So yesterday I found out that my server was rooted via the h00lyshit exploit. So far I deleted all the files that might be associated with the exploit. I also deleted all the ssh keys in ~/.ssh/authorized_keys. I changed the root password to a 25 random character password and changed mysql passwords as well.

Also I think the attacker was from Italy, and since I need to have access only from my country I blocked every IP range except my own country, will this help?

Do you guys have any good advice what I should do? I plan to disable root via ssh (I should have done it much sooner, I know 🙁 ). And is there a way to check if he can access my server again?

Also no damage was done luckily, oh and I'm running Debian Lenny with 2.6.26 kernel if somebody is interested.

PS: yay my first question 😀

Best Answer

You should restore the server from a known good backup. There's no real way to know that no other back doors were installed is there?
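Two of the checks the questioner asks about (whether root can still log in over SSH, and whether any authorized_keys entry survived the cleanup), as an added shell example that is not part of the original thread. It assumes POSIX sh with awk and find, and builds its own constructed fixture files; point `audit` at /etc/ssh/sshd_config and /root or /home for a real host.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes POSIX sh, awk and find.

# Effective PermitRootLogin value of an sshd_config file. sshd honours the first
# uncommented occurrence of a keyword, so a "no" appended below an earlier "yes"
# changes nothing. If the keyword is absent, OpenSSH of that era defaults to yes.
check_permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "yes" }' "$1"
}

# Number of key lines in every authorized_keys file below DIR (blank lines and
# comments ignored), so a key left behind in any home directory still shows up.
count_authorized_keys() {
    find "$1" -type f -name authorized_keys -exec cat '{}' + 2>/dev/null \
        | awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }'
}

# Constructed fixture for a stand-alone run: a config with the first-match trap
# and one home directory that still holds a fake, constructed key.
make_fixture() {
    dir=$(mktemp -d)
    printf 'PermitRootLogin yes\n# PermitRootLogin no\nPermitRootLogin no\n' > "$dir/sshd_config"
    mkdir -p "$dir/home/alice/.ssh" "$dir/home/bob/.ssh"
    printf '# keys\n\nssh-rsa AAAAB3NzaC1yc2E...FAKEKEY== alice@example\n' > "$dir/home/alice/.ssh/authorized_keys"
    : > "$dir/home/bob/.ssh/authorized_keys"
    printf '%s\n' "$dir"
}

# Print both answers for a fixture directory (or real paths, see the lead-in).
audit() {
    echo "PermitRootLogin effective: $(check_permit_root_login "$1/sshd_config")"
    echo "authorized_keys entries:   $(count_authorized_keys "$1/home")"
}

d=$(make_fixture); audit "$d"; rm -rf "$d"
```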
