Re: [ProgSoc] I have just been hacked :(
Peter,
I'm assuming that you meant this to go back to the list, rather
than just me. Apologies if that wasn't the case.
On Wednesday 31 May 2006 2:37 pm, you wrote:
] I'm currently running Debian Sarge 3.1 with kernel 2.4.27-2-386, running
] apache2. It is also running proftpd, postfix, bind 9 and IPtables.
Hmmm. Dump your ftp server, for starters.
Does your firewall prevent visibility of port 25 from the outside
world? Actually, more to the point, what *do* you allow from outside
other than 80?
] Yes. I've gone through the ftp server (proftpd) logs, apache logs, auth
] logs, and they have shown that I was attacked between 3AM and 4AM.
As an aside, good forensics is facilitated by ensuring your time is
as accurate as possible, particularly if you have call to correlate
your logs with someone else's -- ntp is your friend here.
] Examining my login records, root doesn't appear to have been compromised.
] The perpetrator made an ftp account (starhack) for himself through my
] control panel (VHCS - www.vhcs.net) (after repeated attempts) and used
] that against me. Below is a section of the login records with the
] attacker's time of access. Looking at the records, how is it possible to
] login to the terminal with ftp?
So you're on someone else's machine, or you run vhcs on your home
box?
If they made an account (is there one in the passwd file?) then
they aren't limited to FTP - they can telnet, ssh, etc. It's curious
that a normal account can write to the /var/www directory though,
as in a default install (from memory) you need to be a member of
the www-data group.
] starhack ftpd18913 sentry.local Wed May 31 03:04 - 03:04 (00:00)
] starhack ftpd18911 sentry.local Wed May 31 03:03 - 03:03 (00:00)
] starhack ftpd18905 sentry.local Wed May 31 03:03 - 03:03 (00:00)
] starhack ftpd18903 sentry.local Wed May 31 03:03 - 03:03 (00:00)
<snipped>
] I have also found the IP address of the intruder, and a whois shows it is
] from the Netherlands. Probably the only way I'm going to fix this for now
] is ban the whole country.
A lot of people seem to be feeling that way about the Netherlands
lately, but it's probably not a good idea. How does VHCS facilitate
gaining unauthorised access into your system -- that's the more
pressing question here.
Jedd.
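As an added example (not code from the thread), a small Python triage helper that parses `last`-style records like the ones quoted above and cross-checks any account you did not create against a passwd file, answering the two questions raised in the reply: is the account actually in the passwd file, and does it have a login shell that lets it do more than FTP? The login records and passwd excerpt below are constructed sample data, and the year 2006 is assumed from the message date.

```python
import re
from datetime import datetime

# Constructed sample in the format of the `last` records quoted in the thread
LAST_OUTPUT = """\
starhack ftpd18913 sentry.local Wed May 31 03:04 - 03:04 (00:00)
starhack ftpd18911 sentry.local Wed May 31 03:03 - 03:03 (00:00)
starhack ftpd18905 sentry.local Wed May 31 03:03 - 03:03 (00:00)
starhack ftpd18903 sentry.local Wed May 31 03:03 - 03:03 (00:00)
peter    pts/0     192.0.2.10   Wed May 31 09:12 - 09:40 (00:28)
"""
# Constructed /etc/passwd excerpt: the unexpected account has a real login shell
PASSWD = """\
peter:x:1000:1000:Peter:/home/peter:/bin/bash
starhack:x:1001:1001::/var/www/starhack:/bin/bash
"""
NOLOGIN = {"", "/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+\w{3} (?P<mon>\w{3}) "
    r"(?P<dom>\d{1,2}) (?P<start>\d{2}:\d{2}) - (?P<end>\d{2}:\d{2})"
)

def parse_last(text, year=2006):
    """Parse `last`-style lines into (user, tty, host, start datetime)."""
    out = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        when = datetime.strptime(f"{m['mon']} {m['dom']} {year} {m['start']}", "%b %d %Y %H:%M")
        out.append((m["user"], m["tty"], m["host"], when))
    return out

def login_shells(passwd_text):
    """Map user -> login shell from passwd-format text."""
    rows = (line.split(":") for line in passwd_text.splitlines())
    return {f[0]: f[6] for f in rows if len(f) == 7}

def triage(last_text, passwd_text, expected_users, year=2006):
    """For each account in the login records that you did not create, report
    how often it logged in, via which service, the time window of activity,
    and whether its passwd entry gives it an interactive shell (not just FTP)."""
    shells = login_shells(passwd_text)
    report = {}
    for user, tty, host, when in parse_last(last_text, year):
        if user in expected_users:
            continue
        r = report.setdefault(user, {"count": 0, "services": set(), "first": when,
                                     "last": when, "in_passwd": user in shells,
                                     "interactive_shell": shells.get(user, "") not in NOLOGIN})
        r["count"] += 1
        r["services"].add("ftp" if tty.startswith("ftpd") else tty)
        r["first"], r["last"] = min(r["first"], when), max(r["last"], when)
    return report
```

Run `triage(LAST_OUTPUT, PASSWD, {"peter"})` against real `last` output and your own /etc/passwd to get the same summary for a live box; an unexpected account flagged with `interactive_shell` True should be treated as a shell-level compromise, not an FTP-only one.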