Brian Enos's Forums... Maku mozo!

Web site hacking



Today has been a nightmare... Logged on this morning to find Burkett's server down. BigJoni got that fixed, my site was back up and running, then we checked Burkett's site to find that it had been hacked, and his index page was replaced by some a-hole with anti Bush/War message. Now I'm guessing it was targeted because of the gun thing, and I'm also guessing I could be next...

So I spent the morning changing passwords and such but I'm guessing that's to little effect.

I've been working around the clock lately, building a new store for all my products, which must be finished before I can move my site off Burkett's server. I was planning to have it done within a month or two, but now I'm thinking I need to step it up another notch.

I'd appreciate any info that might help me keep my site secure.

Thanks!

be


Make more backups. But keep the old ones around too in case whoever hacked it got into the new ones in some un-obvious manner. Depending on how they got in, you're either OK (if they guessed a password or something), or in trouble (if it's a server security hole) until Matt fixes it.


BE - As of this post, MB's home page is still defaced. I believe it is just the home page and not the rest of the site. Doing a quick search on one of the 'net search engines, the hackers seem to have defaced a wide range of web sites over the past several months.

Qualys offers an auditing/monitoring tool to see if a site is vulnerable to defacement.

Gilian Technologies offers a product called the G-Server that they guarantee will prevent defaced/hacked web pages from ever being displayed.

The CERT Coordination Center is the pre-eminent computer security/resource group in the country. Has lots of info on various vulnerabilities and fixes.

The NIST Computer Security Resource Center has good info too.


First of all, what server OS is running? Is the machine Linux, one of the BSDs, or (and I doubt) Windoze?

I highly recommend SNORT as an intrusion detection system.

If the machine is a Linux derivative, there should be a notification system from the distribution maintainers for bug fixes, and a way to quickly download them and install them.

It could be something as mundane as a cgi app with permissions problems, or a directory with write access granted when it shouldn't have been.

There are so many ways to root a system, and once you have lots of other services running like mySql, php, smtp, ftp, web server, etc. there are lots of points of entry.

I've been using Linux for about 7 years, and am also a quasi-professional computer geek. Let me know if you need specific assistance.

Brian
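An added example (not code from the thread) of the kind of check Brian describes: walk a web document root and flag the mundane permission mistakes he names, directories anyone can write into and setuid/setgid executables such as a sloppy cgi app. The sample tree is constructed inside the script; the real document root is whatever the server actually serves.

```python
import os
import stat
import tempfile
from pathlib import Path

def audit_webroot(root):
    """Walk a document root and list paths whose mode bits let any local
    account (e.g. a compromised FTP login) change content or gain privilege:
    world-writable files/directories and setuid/setgid executables.
    Returns a sorted list of (relative_path, finding) tuples."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            try:
                mode = p.lstat().st_mode
            except OSError:
                continue
            if stat.S_ISLNK(mode):
                continue  # a symlink's own permission bits are not meaningful
            rel = p.relative_to(root).as_posix()
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if mode & (stat.S_ISUID | stat.S_ISGID) and mode & stat.S_IXUSR:
                findings.append((rel, "setuid/setgid executable"))
    return sorted(findings)

def build_constructed_sample(base):
    """Constructed sample tree: one sloppy cgi-bin directory, one setuid
    script, one correctly restricted page."""
    base = Path(base)
    (base / "cgi-bin").mkdir()
    os.chmod(base / "cgi-bin", 0o777)            # anyone can drop a script here
    script = base / "cgi-bin" / "form.cgi"
    script.write_text("#!/bin/sh\necho hi\n")
    os.chmod(script, 0o4755)                      # setuid: runs as the file owner
    page = base / "index.html"
    page.write_text("<html></html>\n")
    os.chmod(page, 0o644)                         # world-readable, owner-writable only

def demo():
    """Build the sample in a fresh temp dir and audit it."""
    base = tempfile.mkdtemp()
    build_constructed_sample(base)
    return audit_webroot(base)

if __name__ == "__main__":
    for path, finding in demo():
        print(f"{finding:25s} {path}")
```

Point it at the real document root (`audit_webroot("/home/sites/example/web")`, a placeholder path) and every line it prints is something to chmod back before someone else uses it.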


If that is an anti war statement then they cannot express their views very well. Spelling is terrible and they quote sayings from the Survivor series. One warped puppy if you ask me.

Oh by the way, if you catch them and need help shoving their computer up their you know where, just drop me a line. I will be glad to help.

David

PS no lubrication will be used!


The more services and ports you have available on a system, the greater the vulnerability to hacking. This is why the USPSA on-line credit card systems use specialty vendors which deal in secure commerce (that way, I don't have to worry about contacting card members if uspsa.org is hacked).

Another interesting package is "tripwire", which is used on Linux to determine if any packages have been changed - since the first thing done after rooting a system is to replace several of the commands which would show the presence of an additional logged in user.
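An added example (not code from the thread, and not tripwire itself) of the idea behind tripwire: record a hash, size and mode for every file, keep that baseline somewhere the server cannot rewrite, and later re-hash to catch a swapped-out command. The fake bin/ tree, the baseline and the "replacement" are all constructed inside the script.

```python
import hashlib, json, os, tempfile
from pathlib import Path

def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Record hash, size and permission bits of every regular file under root.
    Store the result off-box or on read-only media: an attacker who can edit
    the baseline defeats the check."""
    root = Path(root)
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p), "size": st.st_size, "mode": st.st_mode & 0o7777}
    return baseline

def verify(root, baseline):
    """Re-hash the tree and report modified, added and removed paths. Content
    hashes are compared, not timestamps: mtime is trivially reset."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed sample: a fake bin/ with ls, ps, who; baseline it, then
    simulate 'who' being swapped for a replacement with its mtime restored."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    for tool in ("ls", "ps", "who"):
        (root / "bin" / tool).write_bytes(b"#!/bin/sh\necho original " + tool.encode() + b"\n")
    saved = json.dumps(build_baseline(root))        # this is what you ship off-box
    target = root / "bin" / "who"
    old = target.stat()
    target.write_bytes(b"#!/bin/sh\necho replaced who\n")
    os.utime(target, (old.st_atime, old.st_mtime))   # timestamp put back; hash still differs
    (root / "bin" / ".hidden").write_bytes(b"x")     # an extra file that was never baselined
    return verify(root, json.loads(saved))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```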


A little snooping let me figure out that Mattburkett.com and brianenos.com are running on a Cobalt RaQ3 server. These are pretty "old" (in Internet time) and therefore have a big list of exploits listed against it depending on the revision level of the installed software. It is basically a Linux box, but with a user friendly web front end to allow less technical users to administer their stuff.

The security of your site is based on the security of the server. Since Matt's site was hacked your site is vulnerable too and there is not much you can do. Fixing these holes is a job of the system administrator.

I would recommend looking into the patch level of the system. Sun bought Cobalt a while back so patches are listed on Sun's website. However I think this product was "end of life'd" (EOL) so the official patches may not be up to date.

http://sunsolve.sun.com/pub-cgi/show.pl?ta...g&nav=patchpage

I think the RaQ3 can be upgraded to the RaQ550 software with some work and this product is still supported so better patches will be available.

Another option is to use one of the Cobalt support sites that have sprung up to support these servers since they got EOL'd. For example,

http://www.cobaltsupport.com/

In the meantime back up your site content regularly and as suggested keep each backup separate to give yourself more copies to choose from in the event of a problem. Hopefully this jerk was not too destructive to the box. If he only messed with Matt's site and didn't figure out that there were a number of other websites hosted it may not be too bad.

I'm not a "security expert", but have 10 years experience in internet services. Drop me an email or PM if I can help. I called Matt at this 866gunddvds number and left my cell phone number on his voicemail too.

-Vincent


Thanks for all the great info guys. Unfortunately Matt's out of town in a super remote location... I've left messages and sent emails but as of now no reply. I'll send him this thread...

I should have my new store completed which will allow me to move my site off Burkett's server within a month. Been working around the clock on it lately, and now with this I'm bumping it up even more.

Again thanks.

be


Well back in town to find this crap going on. It appears that they only had access to my ftp account which is separate from the admin (root and su) accounts. Nothing else has been touched or moved according to the logs and some other forensics. There has been no shell access etc..

Just an FYI - no secure data such as credit cards ever goes through my machines, only the bank's. I didn't want to be liable for any loss of information that way. Brian's site is set up the same way and it (like mine) offloads the credit cards to a secure server with Authorize.net.

Due to a recent move, we will be closing the internet services part of the business. Estimated shutdown date is Sept. 30th. We are recommending that anyone with us, go to 1and1.com for hosting. If you go to http://www.burkettvideo.com and click the link at the bottom of the left side, it will get you there. They have one hell of an impressive setup.

Thanks for the concerns guys and yes, this is a pain in the ass.


Nearly 2 months after I signed up AND cancelled with 1&1, they're still trying to charge my cc. I've had to report their fraudulent activity to my cc company. I've sent them another email indicating such ... of course, no response. :angry:

Obviously your experience with them is much different than mine. The whole reason I had to cancel their service was they couldn't even send an email to my ISP account.

I presume, with your recommendation, that you, at least, know somebody over there. Maybe you could ask them, on my behalf, to stop charging anyone who's already cancelled their account. :huh:

Thanks.


USPSA rents a dedicated server from www.ev1servers.net - if someone with a heavy traffic shooting related site wants to rent some of the server on a cost-sharing basis, and is interested in a Linux system with Apache/Perl/Cgi/PGP/MySQL/Cpanel/Telnet/ssh/shell, let me know. I'm not setting USPSA up as an ISP or running this as a business - just cost sharing since we have some excess capacity. And, this will not involve billing your credit card so there is no chance of "problems cancelling."


It looks like it was an FTP account that got hacked. BTW we will be putting a new server in a hardened colo so we don't have to close that end of the business.

Thanks for all the concern - everything seems to be fixed up and happy.

Take care,

Matt


I have noticed the hack attempts on my webserver getting more and more numerous over the last 3 weeks. I am not sure as to the reason why all of a sudden we have an assload of folks trying the hacking attempts... my guess is someone has found a new exploit somewhere and every script kiddy on the net is playing around to try it. I have only ever used Redhat for a server, never allow telnet from outside the network, and give very few accounts ssh access, although I allow all my users FTP, for which I use PureFTP as the server daemon. It is based off of the old TROLL daemon, has always been very secure and has never given me any problems... knock on wood.


If you need a dedicated server, it's hard to beat the combination of price and features at www.ev1servers.net - you can get dedicated servers starting at $99; fairly nice systems for $149; or a virtual server good for all but the largest of sites for $39/month. And yes, you get root/shell/telnet/ssh access. They even offered "unmetered traffic" systems (for those sites with the typical "high volume" of traffic, if you know what I mean). The systems have backup power and multi-vendor internet connectivity.

The only "catch" is that the systems are self managed (EV1 tech support provides decent assistance, but they expect you already know what you are doing), and you have to do your own backups. Bandwidth allowances are huge - USPSA.ORG, 4 of the USPSA area sites, and a number of sites we sublet out to help pay the $149/month bill barely scratches the surface of our 1400 GB traffic allowance.

The EV1 monitoring system sends a text message to my cellphone if the http port stops responding. We've had pretty good luck lately - 121 days, 16 minutes since the last reboot.

Unless you're prepared to drive to the server farm on a moment's notice, "dedicated but rented" beats colo, as your provider will repair or replace broken hardware.


Unless you need to compile a new kernel for a security fix, I wouldn't worry about it too much. That's why I haven't updated the kernel on my redhat machine, as the last one from redhat was only for USB enhancements (don't need those for a webserver), so why waste my time building and compiling a new kernel.

200 days is good when your machine is a colo or dedicated machine at an isp or hosting company, but my 200 days is on a server I run right here from my home sitting 2 feet from me. So if I make it a whole year without a reboot that's pretty damn awesome.
