Thread: DoS Downtime

  1. #1
    Registered User Zorro
    Join Date
    Sep 2000
    Location
    Coeur d'Alene, ID
    Posts
    1,184

    DoS Downtime

    Well...we got hacked. I was a little lax in the security following the firewall crash and, well, some butthead from Haifa, Israel got a shell on the Linux box. I've plugged the holes and eliminated the threat, and reported said butthead to his ISP (not a very intelligent script kiddie...didn't know how to cover his tracks real well), but I really need to get some firewall protection in here...

    In any case, the butthead initiated a DoS attack from my box which basically kept all traffic from coming in or out of the network here. So, you might have noticed some downtime between 2245 and 2330 PST.

    I'll keep my eye on this more closely to be sure it doesn't happen again. Sorry for the inconvenience.

    [AK]Zorro

    Chief Operations Officer
    AugustKnights.com (http://www.augustknights.com) WizOp

  2. #2
    Registered User
    Join Date
    Dec 2000
    Location
    Minneapolis, MN
    Posts
    130

    Been a lot of Israeli cracker attacks lately. ZDNet reported that this is all due to Israel's big spotlight in the news. Though I wouldn't have the slightest clue why some Israeli would crack a server in the US unrelated at all to Israel.

    My 2 cents
    Wolff

  3. #3
    Woot Woot! Drewski
    Join Date
    Sep 2000
    Location
    Ontario, Canada
    Posts
    288
    My question is, why this server, what could he possibly gain from here?

  4. #4
    SlAuGhTeR
    Guest
    Free software.. UBB goes for about 300 or less... then the Exchange passwords..
    You have to think like a hacker to know why.. And I did my share of hacking in I'76. I'm pretty sure everyone fiddled with it a bit.

    ------------------
    SlAuGhTeR
    slaughter@wolfteam.com
    SlAuGhTeR [aYg]
    'The slaughter fest has begun, punk.'

  5. #5
    Registered User
    Join Date
    Dec 2000
    Location
    Minneapolis, MN
    Posts
    130
    I could name quite a few CGI-powered boards that offer the same stuff that UBB has, and then some, for free. But I wouldn't want to upset anybody.

    Wolff

  6. #6
    Registered User Zorro
    Join Date
    Sep 2000
    Location
    Coeur d'Alene, ID
    Posts
    1,184

    Well, oddly enough, the guy didn't do much more than launch an "eggdrop" DoS attack from the server. From the keystroke log that I have, he didn't even download the /etc/passwd file or anything. So far as the Exchange stuff goes, that's on a different server entirely. I suppose if he would've had access longer he might have done something, but so far as I can tell, he's just some script kiddie with too much time on his hands. He didn't do a very good job of covering his tracks. The ISP has assured me that they are going to deal with the punk appropriately.

    In my view this is a closed case. Nothing malicious was actually done, and I spent like 4 hours Wednesday night/Thursday morning shoring up the server with access control lists, updates of all the packages that have reported security problems, and stripping down of the inetd.conf of all unnecessary services. I feel quite confident of the server's ability to ward off an attack like this one in the future. And I promise that I will be more proactive in the future about getting updates and such so that no attack will happen again.

    [AK]Zorro

    Chief Operations Officer
    AugustKnights.com (http://www.augustknights.com) WizOp

  7. #7
    Registered User
    Join Date
    Dec 2000
    Location
    Minneapolis, MN
    Posts
    130
    Waitaminute... Exchange? I'm at a loss at that. Would someone please fill me in?

  8. #8
    SlAuGhTeR
    Guest
    Exchange is the email server. Or, rather, the program that runs email.

    ------------------
    SlAuGhTeR
    slaughter@wolfteam.com
    SlAuGhTeR [aYg]
    'The slaughter fest has begun, punk.'
