Quote:
Originally Posted by Xenerox
I looked, he made sure not to leave ANY evidence behind
Did he/she get root access to your server? That's the only way I can see that they'd be able to remove all traces of their actions.
Forgive me if you have already done this, but I assume that since your server was compromised in the first place, you didn't know this before. Also, I'm assuming you're running a Linux server if yours is a dedicated server. There are a few things you can do to lock it down:
- Disable SSHd. If this isn't possible, you can limit the usernames that are allowed to log into the server in your sshd_config.
- Disable remote access to MySQL in your my.cnf file. Make it listen on 127.0.0.1 and set up a tunnel through ssh so you're required to be logged in with an ssh client before you can access mysql.
- Disable your web administration interface (the eq one). Do whatever changes you need through ssh or a remote desktop interface.
- Make sure telnet is disabled in your eqemu_config.xml file.
- Make sure your disablecommandline is set to 0 in your variables table. (not sure if this still exists)
- Ensure your eqemu processes are being run by a non-root user, possibly one that doesn't have access to sudo, or a very limited set.
- Disable the root account (possible with Ubuntu at least, possibly with other flavours of Linux too I think).
- Ensure your server's operating system is updated.
- Install DenyHosts to reduce the likelihood of a brute force attack.
- Ensure your webserver's up to date and secure if it's running on the same machine. I won't go into the details here for that.
- Finally, beef up the security on your passwords. If there are multiple accounts that can log into the server, you can force them to change their passwords periodically.
I'll also add that I'm not a professional server admin; it's just a hobby, so I know there are at least a few more things you can do to secure it, I just don't know how to do it (i.e. chroot).
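A small audit script for three of the settings in the list above (sshd restricted to named users with root login off, MySQL bound to 127.0.0.1, telnet disabled in eqemu_config.xml). This is an added example, not code from the post or the EQEmu project; the config paths in the comments and the `enabled` attribute on the telnet element are assumptions, and the sample config files are constructed so it runs offline.

```shell
#!/bin/sh
# Added audit example (not from the post or EQEmu): check three settings from the list.
# Each check returns 0 when the setting looks hardened and 1 when it is weak or missing.
# Real paths are typically /etc/ssh/sshd_config, /etc/mysql/my.cnf and the server's
# eqemu_config.xml (assumed; adjust for your distro and install).

# sshd_config: logins restricted to named users and root login switched off.
check_sshd() {
    grep -Eq '^[[:space:]]*AllowUsers[[:space:]]+[^[:space:]]' "$1" || return 1
    grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)' "$1"
}

# my.cnf: bind-address = 127.0.0.1 must appear inside the [mysqld] section.
check_mysql() {
    awk '
        /^[[:space:]]*\[/ { in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\]/) }
        in_mysqld && /^[[:space:]]*bind-address[[:space:]]*=[[:space:]]*127\.0\.0\.1[[:space:]]*$/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# eqemu_config.xml: no <telnet ... enabled="true"> element. The attribute name is an
# assumption based on the post's description, not taken from a real config.
check_telnet() {
    ! grep -Eiq '<telnet[^>]*enabled="true"' "$1"
}

# Constructed sample files: one weak and one hardened version of each config.
WEAK_SSHD=$(mktemp); HARD_SSHD=$(mktemp); WEAK_CNF=$(mktemp); HARD_CNF=$(mktemp)
WEAK_XML=$(mktemp);  HARD_XML=$(mktemp)
trap 'rm -f "$WEAK_SSHD" "$HARD_SSHD" "$WEAK_CNF" "$HARD_CNF" "$WEAK_XML" "$HARD_XML"' EXIT
printf 'PermitRootLogin yes\nPasswordAuthentication yes\n' > "$WEAK_SSHD"
printf 'PermitRootLogin no\nAllowUsers eqadmin\n' > "$HARD_SSHD"
printf '[mysqld]\nbind-address = 0.0.0.0\n' > "$WEAK_CNF"
printf '[client]\nport = 3306\n[mysqld]\nbind-address = 127.0.0.1\n' > "$HARD_CNF"
printf '<server><world><telnet enabled="true"><port>9000</port></telnet></world></server>\n' > "$WEAK_XML"
printf '<server><world><telnet enabled="false"><port>9000</port></telnet></world></server>\n' > "$HARD_XML"

# Print a one-line verdict per check; the functions themselves are the reusable part.
report() { if "$1" "$2"; then echo "OK   $1 $2"; else echo "WEAK $1 $2"; fi; }
for pair in "check_sshd $WEAK_SSHD" "check_sshd $HARD_SSHD" \
            "check_mysql $WEAK_CNF" "check_mysql $HARD_CNF" \
            "check_telnet $WEAK_XML" "check_telnet $HARD_XML"; do
    report $pair   # unquoted on purpose: splits "function path" into two words
done
```

Point the three functions at your real files instead of the constructed ones to get the same OK/WEAK verdicts for your own server.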