4

I have a dedicated hosting server that has a few websites running. I recently accessed my server through the terminal command line and noticed that the last few commands that were executed look suspicious and I'm not sure what to do. Below is the list of commands that were run:

iptables -L -nv
apt update
yum install nmap
nmap -Ss -O 89.169.183.2
nmap -sS -O 89.169.183.2
nmap -O 89.169.183.2

Anyone have any idea what these commands mean and what type of action I should take on the server? Should I uninstall 'nmap'? If so, how? Note: The IP address traces to somewhere in Russia.

Rui F Ribeiro
Riz
    You may possibly discover some additional interesting entries in /var/log/secure that could satisfy some curiosity regarding potentially suspicious activity and/or lead to a (more) secure server. – Timothy Martin Feb 19 '18 at 23:18
  • 5
    How could anyone think this question is unclear? – jesse_b Feb 19 '18 at 23:58

3 Answers

8

The person has used iptables to investigate your firewall rules, and yum to install nmap. This has been done as root.

nmap is a tool for remotely investigating the state of another machine's network capabilities, broadly speaking.

It allows a person to find open ports and to scan for characteristics of a remote host, and to possibly determine what operating system someone else is using on their machine (this is what the -O flag does, and it requires root permissions).

The nmap utility is in itself not a dangerous tool, but you should be aware that someone (that you don't know) has had access to the root account on your machine.

If you, or another legitimate admin, did not type in those commands, then your machine has been compromised.

In that case, it does not belong to you anymore and you cannot trust anything on it.

See "How do I deal with a compromised server?" over at ServerFault. Also, depending on who you are and where you are, you may have a legal obligation to report this to authorities. This is the case in Sweden if you work in a state agency (such as a university for example).

Kusalananda
    Spot-on. Someone accessed the server, checked iptables, installed nmap and scanned 1 host on the Internet. If this was not you, your host has been compromised. – Pedro Feb 20 '18 at 09:06
4

If you wish to remove nmap, you can do so with

yum remove nmap

This would have limited utility, as if others are able to get a shell with administrative privileges on your machine, they can always reinstall any tool they wish.

Per the manual page for nmap(1), the -O option enables operating system detection of the targeted address[es]. The -sS option provides TCP SYN connect testing only, and the -Ss was probably just a typo by the user. The intent seems to be to use your machine to scan the target IP in preparation for further attacks.

There is nothing in the commands listed that is particularly troubling except that someone was able to run them on your machine without your knowledge, which would lead me to wipe the server and perform a fresh install. You should at least check the system logs to determine where someone logged in from during the time that command history was generated.

user4556274
0
iptables -L -nv

This outputs your firewall configuration.

apt update
yum install nmap

This installs the tool nmap, which is a powerful port scanner, very useful.

nmap -Ss -O 89.169.183.2
nmap -O 89.169.183.2

These commands scan the computer at IP address 89.169.183.2. The -Ss is looking for open TCP ports and the -O tries to identify that computer's operating system and version.

Anyone have any idea what these commands mean and what type of action I should take on the server?

You need to immediately contact your hosting service provider and see if their sysadmin staff are responsible for these commands being run on your server. If they are positive that it was their doing, you can ask them nicely to inform you in the future when they use root on your system, but everything's OK.

If the hosting service provider tells you that none of their staff have executed commands as root on your system, you need to inform them that the system was hacked, and then either get them to help you restore it to a known good backup made before the system was compromised, or (preferably) burn it to the ground and rebuild it from scratch.

Never use whatever you were using for root password on this system for anything, ever again.