[BlueOnyx:01821] Re: Second Server Hacked

Steve Davis steve at zio.com
Sun Jul 26 12:37:39 -05 2009


Chris,

That's a good point about guessing the password, 12 characters strong.  
There were no user accounts.  I have had others inspect the box, with  
root access, and they could not find the exploit. Greg Kuhnert did  
find some web based exploits that I cannot explain, but he mentioned  
may or may not be the reason it was hacked.

No idea on the exploit, or how the box has been compromised. This new  
box had no domains on it nor any web sites.

There is no log of a logon, but the allow-hosts file had dozens of  
illegal IPs.

I am going to rebuild, from start, with a new root password and we  
shall see.

Steve



On Jul 26, 2009, at 11:00 AM, blueonyx-request at blueonyx.it wrote:

> Message: 4
> Date: Sun, 26 Jul 2009 07:45:23 -0500
> From: Chris Gebhardt - VIRTBIZ Internet <cobaltfacts at virtbiz.com>
> Subject: [BlueOnyx:01820] Re: Second Server Hacked
> To: BlueOnyx General Mailing List <blueonyx at blueonyx.it>
> Message-ID: <4A6C4FE3.8040209 at virtbiz.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Steve Davis wrote:
>> It was a new BX install, I had some mitigation installed, like dfix
>> and denyhosts.
>>
>> No sites, I believe the need for default security that Michael and
>> Greg talked about in other posts is critical to BX success.
>
> Steve,
> Can you give us some more information on how you were hacked?   ie:
> what, specifically, was compromised?  How was entry gained to your
> server?
>
> The best way to prevent a problem like this is to understand the
> vulnerability that was exploited.
>
> Interestingly, we have set up dozens of BX systems and hundreds of BQ
> boxes and never (finding wood to knock on now) had a single issue like
> this.   We've had boxes attacked and hacked due to other reasons (bad
> passwords, lax user putting in 777 permissions willy-nilly, exploited
> Joomla / OSCommerce / Wordpress / script-du-jour, etc).   Never just a
> "new install".   Which leads me to believe there's something else that
> we don't know about in your case(s).
>
> -- 
> Chris Gebhardt
> VIRTBIZ Internet Services
> Access, Web Hosting, Colocation, Dedicated
> www.virtbiz.com | toll-free (866) 4 VIRTBIZ
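
A defender-side check for the symptom Steve describes above (dozens of unfamiliar addresses in the TCP wrappers allow file). This is an added example, not code from the thread or from BlueOnyx: it parses the hosts.allow client-list syntax, compares every entry against the networks an administrator actually expects, and reports anything outside them, plus tokens (hostnames, wildcards) that need manual review. The sample file and the expected networks are constructed assumptions.

```python
import ipaddress

# Constructed sample of an /etc/hosts.allow; not the contents of the hacked box.
SAMPLE_HOSTS_ALLOW = """\
# hosts.allow - constructed example
sshd: 192.168.1.0/255.255.255.0
ALL: 10.0.0.5
sshd: 203.0.113.44, 198.51.100.7 : allow
sshd: 192.0.2.
ALL: admin.example.net
"""

# Networks the administrator expects to grant access from (assumption for the example).
EXPECTED_NETWORKS = [ipaddress.ip_network("192.168.1.0/24"),
                     ipaddress.ip_network("10.0.0.0/8")]

WRAPPER_WILDCARDS = {"ALL", "LOCAL", "KNOWN", "UNKNOWN", "PARANOID"}

def parse_client(token):
    """Turn one hosts.allow client token into an ip_network, or None if it is
    not an address form (hostname, wildcard keyword) and needs manual review."""
    token = token.strip()
    if not token or token.upper() in WRAPPER_WILDCARDS:
        return None
    try:
        if token.endswith("."):            # prefix form such as "192.0.2."
            octets = token.rstrip(".").split(".")
            padded = ".".join(octets + ["0"] * (4 - len(octets)))
            return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")
        # Handles single IPs, CIDR, and the n.n.n.n/m.m.m.m netmask form.
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None

def audit_hosts_allow(text, expected):
    """Return (unexpected, unparsed): (daemon, network) pairs outside the
    expected networks, and (daemon, token) pairs that could not be parsed."""
    unexpected, unparsed = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        fields = line.split(":")
        if len(fields) < 2:
            continue
        daemons, clients = fields[0].strip(), fields[1]   # options after 2nd ':' ignored
        for token in clients.replace(",", " ").split():
            net = parse_client(token)
            if net is None:
                unparsed.append((daemons, token))
            elif not any(net.version == e.version and net.subnet_of(e) for e in expected):
                unexpected.append((daemons, str(net)))
    return unexpected, unparsed
```

Run it against the live file and a short allowlist of your own management networks; with no user accounts and no web sites on the box, every entry it reports is something to explain before trusting the install.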
