Ubuntu Server Hacked — What I can do to figure out how and to prevent it?




















My server is hacked. It happens every day. I restart it and it works for a while before it goes down again. I am wondering if anyone in the community has had a similar issue and how did they resolve it?



There are a few things from what I can see. First, there are users added to the database. Second, it happens daily around 6:40 AM. Third, the CPU load goes to 100% while there are almost no processes running.



It is a Linode server with Ubuntu, running Apache, MySQL and PHP 7.1. There is a Laravel web application as the main application, along with WordPress and some other software.



htop shows this:



htop screenshot



top, ps aux, etc. have similar output. CPU load is 100%, while all processes add up to 5 - 6%.



The Apache and all the other logs are showing some activity. I can see a link to some porn site here:



link to porn screenshot



The MySQL log shows that it has shut down:



MySQL log screenshot



And these are the graphs:



graphs screenshot



Another weird thing in the Apache access log is this entry:



Apache access log screenshot



Here are the two entries in text format:



103.23.35.167 - - [31/Jan/2019:06:28:01 +0000] "GET / HTTP/1.1" 302 1309 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) Apple WebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
109.252.14.217 - - [31/Jan/2019:06:37:24 +0000] "xc1rx07x10;xb51Yxe0xf0x16+xe0x13Ix1axe1xffcx9c3Mxaex19^xe9x9ex16x1dx8dx19x9bxabx98xa8?xf8xc19N[,xb8xb2x95-x15x1fx8fx86xfaxf7xdePxb8xbfx88Yqx92lCxb5x8b$px03xa0xb7xe0x9emx10xc1x07x91rxx98xd3C$@xb4xeaxffxbbx89xd8l8Ix0elxd8x94xa5xa3yGJcxabx1excbxe0#xdfNx01 x120x1e3vx97[xbd.xb0xf3Qz-x81_xeex1bpnxe3yxa6x7fxacxd7THxb4xb5.Wx82axa3x97Ixb01xbax0exe1xdcxf6x17#x05x91xfcZxa4xe9x18t`xd6xa1x18xb0xbd'x02xb7=x98xee;x1f{xd3xc1xefxbbxf1x96=x85xcexfex12wxffbxdcxb8x05xeb3~xeeEx18Cfx8dFxf2Lm;x86rx1a7xfc~xfbxcex99xc2xffxf9x94xe6x9bxb6x/1vx85x88x8bxd1xc7~)Kr0x04x99}xafx17x7fp2x80<x8bb9TO2xf7x9d/xaaxe9x88xecxb4x14Fx1dxc5Hx18qxbaxa3Wg/x9en" 400 0 "-" "-"
31.24.207.139 - - [31/Jan/2019:06:46:12 +0000] "GET / HTTP/1.1" 500 15532 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7"


and



51.75.66.250 - - [02/Feb/2019:08:55:36 +0000] "GET /mysite/ HTTP/1.0" 301 545 "http://porn.auntie.hotblognetwork.com" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36"
51.75.66.250 - - [02/Feb/2019:08:55:39 +0000] "GET /mysite/ HTTP/1.0" 500 3828 "https://appsforce.org/mysite/" "Mozilla/


Any ideas or suggestions are welcome.






























  • 1





    The only thing you can do is basically clean up your code and possibly nuke the server and redeploy the code on the new server. I would recommend installing the Sucuri Security plug-in and then reviewing the tips on this Sucuri site page.

    – JakeGould
    Feb 3 at 1:16






  • 1





    Actually, looking at this, you are right - those Python scripts are running as root. It's game over for that VM.

    – davidgo
    Feb 3 at 1:22











  • Apps Force, it is a heck of a lot easier to read text than to read a screenshot. For future use, screenshots 1, 2, and 4 could be replaced with text; can't do anything about #3 since it is a graph.

    – K7AAY
    Feb 4 at 19:37


















ubuntu security














edited Feb 3 at 1:13









JakeGould











asked Feb 2 at 11:00









Apps Force


















1 Answer














The first thing I notice is that one of those requests seems to be shellcode from 109.252.14.217. That IP doesn't show up on any proxy/VPN lists, but it also doesn't mean that it's your "cracker's" real IP. Above, someone said that your server is done for because of that Python script running as root, which is not necessarily true. It is very bad, but not a death sentence.

The first thing I would do (if you can) is reboot. If the attacker hasn't gotten persistence yet, then that could kill his shell if he has one. Check your bash history file for any suspicious-looking commands that you haven't entered, recent modification, or lack of anything in it. If the cracker is clumsy, he'll leave traces there. Run "netstat -np" to see if there are any suspicious connections. If there is a reverse TCP or HTTP connection and it's tied to the PID of that running Python program, then either block it with your firewall or kill the process.

These are some of the first things I would do. But I'm no hacker so...
















answered Feb 4 at 19:25

n0de
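The history-file and `netstat -np` checks from the answer above, as an added example that is not part of the original answer. The service-port list, the interpreter names, the helper function names and every address in the sample output are assumptions made for illustration.

```shell
#!/bin/sh
# Added triage example (not from the original post). Service ports, interpreter
# names and all sample addresses below are assumptions / constructed values.

SERVICE_PORTS="22 80 443 3306"   # ports this host is expected to serve (assumed)
INTERPRETERS='^(python[0-9.]*|perl|php[0-9.]*|ruby|sh|bash|dash)$'   # assumed list

# Read `netstat -np` (or -tnp) output on stdin and print "pid program local foreign"
# for established TCP connections that an interpreter opened outbound.
# Run netstat as root, otherwise the PID column is "-" for other users' sockets.
suspect_conns() {
  awk -v ports="$SERVICE_PORTS" -v interp="$INTERPRETERS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) svc[p[i]] = 1 }
    $1 !~ /^tcp6?$/ || $6 != "ESTABLISHED" { next }   # skips headers, UDP, UNIX sockets
    {
      lport = $4; sub(/^.*:/, "", lport)       # port follows the last colon (IPv4/IPv6)
      fhost = $5; sub(/:[0-9]+$/, "", fhost)
      if (lport in svc) next                   # a client talking to one of our services
      if (fhost ~ /(^|:)127\./ || fhost == "::1") next   # loopback traffic
      split($7, owner, "/")                    # "2871/python" -> pid, program name
      if (owner[2] ~ interp) print owner[1], owner[2], $4, $5
    }'
}

# Record what a flagged PID really is before blocking or killing it (Linux, as root).
describe_pid() {
  pid=$1
  printf 'exe=%s\ncwd=%s\ncmd=%s\n' \
    "$(readlink "/proc/$pid/exe")" \
    "$(readlink "/proc/$pid/cwd")" \
    "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
}

# Classify a shell history file: a link to /dev/null or an empty file is a finding.
history_state() {
  f=$1
  if [ -L "$f" ]; then echo "symlink -> $(readlink "$f")"
  elif [ ! -e "$f" ]; then echo "missing"
  elif [ ! -s "$f" ]; then echo "empty"
  else echo "present, $(wc -l < "$f" | tr -d ' ') lines"
  fi
}

# Constructed sample in net-tools format (documentation address ranges).
sample_netstat() {
  cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:22           198.51.100.7:51514      ESTABLISHED 1203/sshd: admin
tcp        0      0 192.0.2.10:48722        203.0.113.45:4444       ESTABLISHED 2871/python
tcp        0      0 127.0.0.1:40112         127.0.0.1:3306          ESTABLISHED 1544/php
tcp6       0      0 192.0.2.10:80           198.51.100.23:60233     TIME_WAIT   -
Active UNIX domain sockets (w/o servers)
unix  3      [ ]         STREAM     CONNECTED     18211    911/mysqld           /var/run/mysqld/mysqld.sock
EOF
}

# Demo on the constructed sample; on a live host use: netstat -np | suspect_conns
sample_netstat | suspect_conns
```

On a live host, pass each PID it prints to `describe_pid` and check `history_state /root/.bash_history` before deciding whether to block the connection or kill the process.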
