sshd cracked system compromised


Post by mbelleville » 2020/04/21 22:41:46

Running CentOS 7 as a KVM server, sshd is exposed to the internet on a nonconventional port (not 22). System was not updated for quite a while. Attack occurred while running kernel:

uname -a
Linux hpkvm.localdomain 3.10.0-229.1.2.el7.x86_64 #1 SMP Fri Mar 27 03:04:26 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

Root account was compromised and password changed. I was unable to log in to the system. System completely locked up PFSense firewall trying to ssh into other systems on the internet. I regained control by booting into emergency mode, following below instructions, and reset root and user passwords to new values.

I then rebooted and was able to log in normally. kswapd0 was running at 100% after reboot. I did a yum update which updated both sshd and kernel, which I hoped would clear whatever the infection was. New kernel is:

uname -a
Linux hpkvm.localdomain 3.10.0-1062.18.1.el7.x86_64 #1 SMP Tue Mar 17 23:49:17 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

kswapd0 continued to run at 100% even after update and reboot. I was unable to change this by troubleshooting and trying various recommendations found online. After running for 16 hours system again locked up PFSense firewall with a flood of ssh outbound attempts.

I would like to regain control of system and clear infection without doing a complete reinstall if possible. System runs 20 KVM virtual machines all running off an LVM partition of the primary hard drive. Hoping I don't have to back them all up to external hard drive, do a full reinstall, and then load them all up again.

Any advice would be appreciated...


Re: sshd cracked system compromised

Post by TrevorH » 2020/04/22 00:04:34

Sorry, but you can never trust that system again until it is reinstalled. You have no idea how many ways they have installed of regaining access. The only way to be sure is to reinstall it and start over. I know that's not the news you were hoping to get, but any other course of action will always have a question mark hanging over it.