[Gllug] hacked !

mallum breakfast at 10.am
Fri Nov 30 00:26:19 UTC 2001


Apparently they got in via an old version of ssh and then got root via
a kernel exploit - kernel was old too :( . Feel a bit gutted I didn't
spend more time looking after the box, *sigh* - at least I'll learn from my
mistakes.  

My contract with rackspace ends at the end of the year and I'm gonna
move to a colo over here ( probably blackcat ) and not share the box
anymore. I'm also gonna switch to debian as I know it a lot better than
redhat ( rackspace use redhat ) and I can stick with stable and run
with the security 'apt-able' updates. I'll also beef up the box a
little with snort and tripwire.

BTW they also cracked 10.am but their page never showed up due to my
mod_rewrite voodoo. A copy of it's here[1], it appears to be from another
group and is quite political.

Rackspace were pretty helpful, upgrading the non secure bits on the
box and running some checksum on it which meant apparently it's not
rootkitted. It's not entirely practical to do a rebuild with the box
being in Texas, us probably getting charged for it and other
reasons I don't really want to go into here. Also with only a month to go
I'm not too bothered, I backed my data up and I'm not gonna need to log
into it again.

  -- mallum 

[1] http://10.am/img/indexhacked.html


on Thu, Nov 29, 2001 at 01:26:20PM +0000, ab wrote:
> Wonder if you will have the time for an "attack profile".
> would be interesting to know how they got in.
> Of course this takes time.....
> 
> /Anthony/
> 
> mallum wrote:
> 
> > Arg, my colo box at rackspace that I share with a friend was hacked
> > last night - see http://mallum.com , though they seem to have left my
> > main site there ( http://10.am ) alone.
> >
> > The box was never a fortress, it only used to have httpd and ssh open
> > on it - though it seems my friend has opened a load of other up :(
> >
> > I'm gonna copy all my stuff down and recommend to my friend we rebuild
> > the box from scratch ... any other advice ?
> >
> >   -- mallum
> >
> > --
> > Gllug mailing list  -  Gllug at linux.co.uk
> > http://list.ftech.net/mailman/listinfo/gllug