Code Leak Update
So, we found a log that they did not know about that detailed very clearly what the person did! We even have some information about the origin of the hacker as well (whether they were router bouncing or not is undetermined yet). Long story short, they found out that our 'git' user has a blank password (big no-no... I know, but we had passwords disabled and SSH auth only, or so we thought).
We found out that our system was set up to use SSH, but that if the SSH failed enough it would revert back to letting them use a password. At that time they gained access and installed the rootkits and scripts. We found they got more or less nothing of importance and that it most likely was a test to see if it worked. Good news is this little setback taught us a lot about security and how to control our important assets. I'm not saying we are hacker-proof (trust me, we are not), but we are certainly more aware and conscious of the effects of leaving things up to chance.
If you are not using a hosted server, remember the following:
1) Change all default passwords
2) Disable or delete accounts not in use
3) Change all passwords regularly, ensure they are 14 characters or longer
4) Perform routine checks on all systems to ensure that everything is on the up and up.
5) Lastly, study up. Knowing the most common ways hackers hack will help you defend against them.
6) Ensure any software running on your server is kept up to date. It's unfortunately very common for hacks -- especially the automated or semi-automated variety -- to take advantage of vulnerabilities in outdated software that have actually been fixed in more recent versions. Unless it's marked as "critical" I don't normally like to install updates immediately after release in case they are found to cause additional problems, but allowing your software to get out of date is really just inviting easily avoidable trouble.
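The two things that bit us here, an sshd that still accepts password logins and an account with an empty password, are both easy to check for. The script below is an added example written for this post (not something we ran at the time); it assumes OpenSSH sshd_config syntax and OpenSSH's defaults (PasswordAuthentication yes, PermitEmptyPasswords no, ChallengeResponseAuthentication yes when the keyword is absent), and the config and shadow excerpts it reads are constructed samples embedded so it runs offline. The weak config is what a "keys enabled but password fallback still on" setup looks like; the hardened one beside it is the fix.

```shell
#!/bin/sh
# Added audit example, not code from the original post. It checks the two things
# the post describes: sshd settings that let password logins happen at all, and
# accounts whose password field is empty. Inputs are constructed sample files so
# the script runs offline; OpenSSH sshd_config syntax and defaults are assumed.

# Constructed sshd_config resembling the weak setup: keys enabled, but password
# logins (and even empty passwords) still accepted. ChallengeResponseAuthentication
# is left unset, so OpenSSH's default of "yes" applies.
WEAK_SSHD_CONFIG='Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords yes
'

# Constructed hardened sshd_config: key auth only, no password fallback of any kind.
HARDENED_SSHD_CONFIG='Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
'

# Constructed /etc/shadow excerpt: an empty second field means no password is required.
SAMPLE_SHADOW='root:$6$abc$hashedvalue:19000:0:99999:7:::
git::19000:0:99999:7:::
deploy:!:19000:0:99999:7:::
'

# Effective value of a top-level sshd_config keyword. OpenSSH uses the first
# occurrence of a keyword, so the first case-insensitive match wins.
# $1 = config text, $2 = keyword, $3 = OpenSSH default used when the keyword is absent.
sshd_option() {
    v=$(printf '%s\n' "$1" | awk -v key="$2" '
        tolower($1) == tolower(key) { print tolower($2); exit }')
    if [ -n "$v" ]; then printf '%s' "$v"; else printf '%s' "$3"; fi
}

# Print one finding per line for every setting that would let a password
# (or no password) log in; print nothing when the config is clean.
audit_sshd() {
    cfg=$1
    [ "$(sshd_option "$cfg" PasswordAuthentication yes)" = yes ] &&
        echo "PasswordAuthentication is yes (password fallback allowed)"
    [ "$(sshd_option "$cfg" PermitEmptyPasswords no)" = yes ] &&
        echo "PermitEmptyPasswords is yes (blank passwords accepted)"
    [ "$(sshd_option "$cfg" ChallengeResponseAuthentication yes)" = yes ] &&
        echo "ChallengeResponseAuthentication is yes (PAM may still prompt for a password)"
    return 0
}

# List accounts whose password field is empty in shadow-format text ($1).
empty_password_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

echo "== weak config =="
audit_sshd "$WEAK_SSHD_CONFIG"
echo "== hardened config =="
audit_sshd "$HARDENED_SSHD_CONFIG"
echo "== accounts with empty passwords =="
empty_password_accounts "$SAMPLE_SHADOW"
```

On a live box, feed the real files instead of the samples: `audit_sshd "$(cat /etc/sshd_config)"` (or, better, `sshd -T`, which prints the effective configuration after defaults and Match blocks are applied) and `empty_password_accounts "$(cat /etc/shadow)"` as root. Empty output from both is what you want to see on the routine checks in item 4.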
And for those wondering, the offending IP? (At least one of them we found.)
188.8.131.52 - Damn Russians!