So I'm pretty sure that my home Apache2 server got hacked. This is in a VM running on my server. I was using this server as a https proxy/reverse-proxy for my other applications I have running at home.
What happened was that I created a disk that was too small and it got full. Once it was full, my unattended upgrades weren't running anymore. I was stuck at Apache 2.4.38. That's completely my fault.
What I noticed was that on one of my subdomains I got a page displaying a default InteractSH server message. I never installed this InteractSH server. So I got to work and just found out that the subdomain in question is somehow magically being routed to a malicious IP. (It's also marked as malicious over at maltiverse.com.)
I want to know a few things:
- Where on earth does this routing take place?
- What has likely been compromised?
- How do I find out for how long I've been compromised?
On the first question, I use a direct IP address to connect the Apache2 server to my backend server. "ip route list" shows nothing. My hosts file shows nothing either. This is what my config looks like:
<VirtualHost *:443>
    ServerName subdomain.domain.com
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/subdomain.error.log
    CustomLog ${APACHE_LOG_DIR}/subdomain.access.log combined
    Header always set Strict-Transport-Security "max-age=1552000; includeSubDomains"
    <Location />
        ProxyPass http://192.168.my.local.ip/
        ProxyPassReverse http://192.168.my.local.ip/
    </Location>
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/path...
    SSLCertificateKeyFile /etc/path...
</VirtualHost>
On the second question, I don't know what they could have done over the last while. In theory they could have snooped all my traffic, couldn't they? Or could have stolen my SSL certificates.
Can anyone give me some leads or support on what to do?
Regards,
TTheCreator
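One way to work through the first question ("where does this routing take place?") is to enumerate every Apache directive that can forward a request somewhere else, across the whole config tree including every Include, and flag any target that is not inside the networks the proxy is supposed to talk to. The script below is an added example, not code from the original post; the directive list, the expected-network list and the /etc/apache2 path are assumptions, and the sample config is constructed. A public DNS record for the subdomain pointing at someone else's IP would not show up here at all and has to be checked with the DNS provider.

```python
"""Audit an Apache config tree for directives that forward requests elsewhere."""
import ipaddress
import os
import re
from urllib.parse import urlparse

# Directives that can send a request to another host (assumed list; longest
# names first so the alternation matches ProxyPassReverse before ProxyPass).
FORWARDING = re.compile(
    r'^\s*(ProxyPassReverse|ProxyPassMatch|ProxyPass|RedirectMatch|Redirect|RewriteRule)\s+(.*)$',
    re.IGNORECASE)
URL = re.compile(r'https?://[^\s"\']+', re.IGNORECASE)

# Networks the reverse proxy is expected to forward to (assumed RFC1918 set).
EXPECTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_expected_target(url):
    """True only for a literal IP inside EXPECTED_NETS; hostnames need a separate DNS check."""
    host = urlparse(url).hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in EXPECTED_NETS)

def audit_config(text, filename="<config>"):
    """Return one finding per forwarding URL found in the config text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FORWARDING.match(line)
        if not m:
            continue
        for url in URL.findall(m.group(2)):
            findings.append({"file": filename, "line": lineno, "directive": m.group(1),
                             "target": url, "expected": is_expected_target(url)})
    return findings

def audit_tree(root="/etc/apache2"):
    """Walk every file under the config root, so Includes and conf-enabled drop-ins are covered."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as f:
                findings += audit_config(f.read(), path)
    return findings

# Constructed sample: the legitimate internal ProxyPass plus an injected
# RewriteRule with the [P] (proxy) flag pointing at an address outside the LAN.
SAMPLE = """<VirtualHost *:443>
    ServerName subdomain.domain.com
    <Location />
        ProxyPass http://192.168.1.20/
        ProxyPassReverse http://192.168.1.20/
    </Location>
    RewriteEngine On
    RewriteRule ^/(.*)$ http://203.0.113.5/$1 [P,L]
</VirtualHost>
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE):
        flag = "" if f["expected"] else "  <-- outside expected networks, investigate"
        print(f"{f['file']}:{f['line']} {f['directive']} -> {f['target']}{flag}")
```

Run audit_tree() on the real server to cover sites-enabled, conf-enabled and any .conf that a compromised account might have dropped in; a target that is a hostname rather than an IP is reported as unexpected so that it gets resolved and checked by hand.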