
Re: [ProgSoc] I have just been hacked :(



 Peter,

 I'm assuming that you meant this to go back to the list, rather
 than just me.  Apologies if that wasn't the case.

On Wednesday 31 May 2006 2:37 pm, you wrote:
 ] I'm currently running Debian Sarge 3.1 with kernel 2.4.27-2-386, running
 ] apache2. It is also running proftpd, postfix, bind 9 and IPtables.

 Hmmm.  Dump your ftp server, for starters.

 Does your firewall prevent visibility of port 25 from the outside
 world?  Actually, more to the point, what *do* you allow from outside
 other than 80?

 ] Yes. I've gone through the ftp server (proftpd) logs, apache logs, auth
 ] logs, and they have shown that I was attacked between 3AM and 4AM.

 As an aside, good forensics is facilitated by ensuring your time is
 as accurate as possible, particularly if you have call to correlate
 your logs with someone else's -- ntp is your friend here.

 ] Examining my login records, root doesn't appear to have been compromised.
 ] The perpetrator made an ftp account (starhack) for himself through my
 ] control panel (VHCS - www.vhcs.net) (after repeated attempts) and used
 ] that against me. Below is a section of the login records with the
 ] attacker's time of access. Looking at the records, how is it possible to
 ] login to the terminal with ftp?

 So you're on someone else's machine, or you run vhcs on your home
 box?  

 If they made an account (is there one in the passwd file?) then
 they aren't limited to FTP - they can telnet, ssh, etc.  It's curious
 that a normal account can write to the /var/www directory though,
 as in a default install (from memory) you need to be a member of
 the www-data group.

 ] starhack ftpd18913    sentry.local     Wed May 31 03:04 - 03:04  (00:00)
 ] starhack ftpd18911    sentry.local     Wed May 31 03:03 - 03:03  (00:00)
 ] starhack ftpd18905    sentry.local     Wed May 31 03:03 - 03:03  (00:00)
 ] starhack ftpd18903    sentry.local     Wed May 31 03:03 - 03:03  (00:00)
 <snipped>
 ] I have also found the IP address of the intruder, and a whois shows it is
 ] from the netherlands. Probably the only way I'm going to fix this for now
 ] is ban the whole country.

 A lot of people seem to be feeling that way about the Netherlands
 lately, but it's probably not a good idea.  How does VHCS facilitate
 gaining unauthorised access into your system -- that's the more
 pressing question here.

 Jedd.
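A small triage helper, added here as an example and not code from anyone in this thread, that does the checks Jedd raises: count a user's sessions in a time window from `last`-style records like the ones quoted, list the accounts in a passwd-style file that have a real login shell (so they can do more than FTP), and find paths under a directory such as /var/www that anyone can write to. The login records and account names below are constructed samples.

```shell
#!/bin/sh
# Added triage helper for the thread above; samples are constructed, not real.

# Constructed sample in the format quoted in the mail (output of `last`).
LAST_SAMPLE='starhack ftpd18913    sentry.local     Wed May 31 03:04 - 03:04  (00:00)
starhack ftpd18911    sentry.local     Wed May 31 03:03 - 03:03  (00:00)
peter    pts/0        192.0.2.10       Wed May 31 09:12 - 09:40  (00:28)
starhack ftpd18905    sentry.local     Wed May 31 03:03 - 03:03  (00:00)'

# Constructed sample passwd file. A panel-created FTP-only account would
# normally get /bin/false; "starhack" has a real shell here.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
vu2001:x:2001:2001::/var/www/virtual/example:/bin/false
starhack:x:2002:2002::/home/starhack:/bin/bash'

# logins_in_window USER FROM TO
# Prints how many sessions USER started between FROM and TO (HH:MM, inclusive).
# Field 7 of a `last` line is the session start time; zero-padded HH:MM
# strings compare correctly as text.
logins_in_window() {
    printf '%s\n' "$LAST_SAMPLE" | awk -v u="$1" -v from="$2" -v to="$3" '
        $1 == u && $7 >= from && $7 <= to { n++ }
        END { print n + 0 }'
}

# shell_accounts
# Prints accounts whose login shell is not nologin or false, i.e. accounts
# that could telnet/ssh in rather than being limited to FTP.
shell_accounts() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# other_writable DIR
# Prints paths under DIR that are writable by "other" (symlinks skipped,
# as they are always 777). On a default Debian install nothing under
# /var/www should show up here; only the www-data group should write there.
other_writable() {
    find "$1" -perm -002 ! -type l
}

# Usage on a real box would replace the samples with `last` and /etc/passwd:
#   logins_in_window starhack 03:00 04:00
#   shell_accounts
#   other_writable /var/www
```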

