Eric at Lucii.org on 10 Aug 2012 13:18:41 -0700
Re: [PLUG] emerg web server repair
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/09/2012 06:32 PM, bergman@merctech.com wrote:
> In the message dated: Thu, 09 Aug 2012 18:05:55 EDT,
> The pithy ruminations from Rich Freeman on
> <Re: [PLUG] emerg web server repair> were:
> => On Thu, Aug 9, 2012 at 5:55 PM, Paul Jungwirth <once@9stmaryrd.com> wrote:
> => > I'm a developer, not a sysadmin, so forgive my ignorance: is turning
> => > aside a DDOS really that easy? I've heard other smart people in IT say
> => > that there's actually very little you can do, and there are huge sites
> => > that have suffered extended downtime because of a DDOS attack.
> =>
> => It is. In fact there is an even easier solution - just unplug the
> => network cable.
> =>
> => The problem with both solutions is that you essentially DOS yourself
> => to keep out the DDOS. Maybe if you get them to attack the US
>
> There's another problem with those "solutions"...the upstream provider
> continues to receive all the traffic. This can seriously affect your
> "peers" (i.e., other customers of that provider who rely on the same
> network, same routers, etc.).
>
> Work with your provider, get them to help out with their firewall or routing.
>
> http://www.bgpexpert.com/antidos.php
> https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0CFEQxQEwAg&url=https%3A%2F%2Fdocs.google.com%2Fviewer%3Fa%3Dv%26q%3Dcache%3ANfyPwQ6Pc6YJ%3Awww.nanog.org%2Fmeetings%2Fnanog30%2Fpresentations%2Fmorrow.pdf%2B%26hl%3Den%26gl%3Dus%26pid%3Dbl%26srcid%3DADGEESgZD_-_L8B9QxmaomklVMMA2Jbb2QTRvVzi1v2qj32ZSAg8WNobPKwAizEpZgoC7wymdCerl2-tKCkLymW_sfRauf1O7x3xU73E8IJGaIay4HfG8HD9qEW2Y78AfKGHkBqVYJaP%26sig%3DAHIEtbTtjShXN7hxPAD4uo4sYtJMQCtTqw&ei=2TkkUKyaCcHq0gHD84DYDg&usg=AFQjCNGvXSTJheBZRX6ymMl_c7YUWooRAw&sig2=DMcWm_r_W94yhWyuVvKkpA&cad=rja
>
> Mark
>
>
> => Government somebody else will take care of your problem out-of-band.
> =>
> => Actually continuing to serve traffic under a DDOS is very difficult indeed.
> =>
> => Rich

Thanks for all the suggestions and support.
We managed to extricate the last remnants of the evil code and patched the
system about 2:30 this morning. It's now wrapped up quite tightly and, so
far, we're okay. We still dread the possibility of a retaliatory DDOS attack.

A couple of notes:

1. We've started using git as a pseudo intrusion detection method. The git
   repository is owned by root. Since the hackers only ever gained access as
   www-data we feel /reasonably/ safe. A simple git status tells us if there
   are new or modified files. It's not automatic, but rigorous adherence to
   source code control protocols will allow us to pin-point the damaged files
   MUCH more easily should this happen again (God forbid!)

2. Hackers (crackers, whatever) think they are so clever. The password for
   their WSO 2.5 installation was "cocacola". How do I know? I went to a site
   that has public access to rainbow tables and entered the MD5 value I found
   in their code. The answer was nearly instantaneous and I then owned their
   tool. It has now been modified... it looks the same as before but
   recognizes NO password whatsoever. I think I'm so clever.

Eric
- -- 
# Eric Lucas
#
# "Oh, I have slipped the surly bond of earth
#  And danced the skies on laughter-silvered wings...
#                                  -- John Gillespie Magee Jr
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlAlbLgACgkQ2sGpvXQrZ/5dSgCeJkAZ9xM9amVOhQa0nZWwU2M5
UYgAnjzjPnnSFwYgViF0yGM5ut7JnNE6
=fsMI
-----END PGP SIGNATURE-----
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
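Eric's "git as a pseudo intrusion detection method" (note 1 above), written out as an added example; this is not code from the original post. It assumes `git` on PATH and a checkout that root has committed, like the web root he describes, and it parses `git status --porcelain=v1 -z` rather than eyeballing the output. The caveats a practitioner will want are built in: `git status` trusts the index and objects under `.git`, so the whole scheme rests on `.git` being unwritable by www-data (checked first); files matched by `.gitignore` are silent unless `--ignored` is passed (an uploads or cache directory is exactly where a dropped shell lands); and git records only the executable bit, so a setuid flip or a `chmod 777` on an existing file is not reported. Nothing outside the checkout (cron entries, /tmp, /etc/ld.so.preload) is covered either.

```python
"""Root-owned git checkout as a poor man's file-integrity monitor (added example)."""
import os
import subprocess
from typing import Dict, List


def gitdir_is_root_owned(repo: str) -> bool:
    """The trick depends on this: if www-data can write .git it can simply
    `git add`/`git commit` its backdoor and status will report a clean tree."""
    return os.stat(os.path.join(repo, ".git")).st_uid == 0


def git_changes(repo: str, include_ignored: bool = False) -> Dict[str, List[str]]:
    """Classify `git status --porcelain=v1 -z` output for `repo`.

    Returns sorted path lists under the keys untracked, modified, deleted,
    renamed and (only when include_ignored is set) ignored.
    """
    cmd = ["git", "-C", repo, "status", "--porcelain=v1", "-z",
           "--untracked-files=all"]          # list files inside new dirs individually
    if include_ignored:
        cmd.append("--ignored")              # otherwise .gitignore'd paths never show
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

    changes: Dict[str, List[str]] = {"untracked": [], "modified": [],
                                     "deleted": [], "renamed": []}
    if include_ignored:
        changes["ignored"] = []

    # -z format: "XY PATH\0", with renames/copies as "XY NEW\0OLD\0".
    fields = out.split("\0")
    i = 0
    while i < len(fields):
        entry = fields[i]
        i += 1
        if not entry:
            continue
        xy, path = entry[:2], entry[3:]
        if "R" in xy or "C" in xy:
            i += 1                           # skip the extra ORIGINAL-path field
            changes["renamed"].append(path)
        elif xy == "??":
            changes["untracked"].append(path)
        elif xy == "!!":
            changes["ignored"].append(path)
        elif "D" in xy:
            changes["deleted"].append(path)
        else:                                # M, A, T, U, ... in index or worktree
            changes["modified"].append(path)
    for paths in changes.values():
        paths.sort()
    return changes


def report(repo: str) -> int:
    """Print findings. Exit status: 0 clean, 1 something changed, 2 .git not root-owned."""
    if not gitdir_is_root_owned(repo):
        print(f"WARNING: {repo}/.git is not owned by root; status output cannot be trusted")
        return 2
    dirty = 0
    for kind, paths in git_changes(repo, include_ignored=True).items():
        for p in paths:
            print(f"{kind:9} {p}")
            dirty = 1
    return dirty


if __name__ == "__main__":
    import sys
    # Web root path is an assumption; pass the real checkout as argv[1].
    sys.exit(report(sys.argv[1] if len(sys.argv) > 1 else "/var/www"))
```

Run it from root's crontab and mail anything with a non-zero exit; that turns the "not automatic" part of the note into a nightly tripwire without adding any software beyond git.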
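Why note 2 above worked, as an added example (not code from the post or from the WSO shell). A WSO-style shell compares `md5($_POST['pass'])` with a hard-coded hex digest, so recovering the password is a lookup, not a crack: the rainbow-table site Eric used is just the loop below run once in advance and indexed by digest. The PHP line is constructed here, and its digest is computed from the password the post names because the actual constant from the recovered shell is not on the page; the wordlist is a tiny stand-in for the public lookup service. The salted PBKDF2 functions at the end are the editor's contrast, not something the post describes: the same wordlist still finds "cocacola" when you attack that one record, but no precomputed table applies and every guess costs a full KDF run.

```python
"""Unsalted MD5 constant in a web shell: extract, look up, and the hardened contrast."""
import hashlib
import hmac
import os
import re
from typing import Iterable, Iterator, Optional

# Constructed stand-in for the auth line of a PHP web shell. The digest is
# derived from the password the post names; the real constant isn't on the page.
TARGET_DIGEST = hashlib.md5(b"cocacola").hexdigest()
SHELL_SOURCE = (
    "<?php\n"
    f'$auth_pass = "{TARGET_DIGEST}";\n'
    "if (md5($_POST['pass']) !== $auth_pass) { exit; }\n"
)

# Constructed wordlist standing in for a public lookup service.
WORDLIST = ["password", "123456", "admin", "letmein", "cocacola", "qwerty"]

HEX32 = re.compile(r"\b[0-9a-fA-F]{32}\b")


def find_md5_constants(source: str) -> list:
    """Pull every 32-hex-char literal out of a source blob (candidate MD5 digests)."""
    return [m.lower() for m in HEX32.findall(source)]


def candidates(words: Iterable[str]) -> Iterator[str]:
    """Cheap mangling rules; lookup services precompute far more of these."""
    for w in words:
        yield w
        yield w.capitalize()
        yield w + "1"
        yield w + "123"


def lookup_md5(digest: str, words: Iterable[str]) -> Optional[str]:
    """Dictionary attack on an unsalted MD5: hash each candidate and compare.
    No salt and a fast hash mean one table serves every shell ever deployed
    with the same password, which is why the answer came back instantly."""
    digest = digest.lower()
    for w in candidates(words):
        if hashlib.md5(w.encode()).hexdigest() == digest:
            return w
    return None


# Contrast: per-record random salt plus an iterated KDF (editor's addition).
def hash_password(password: str, iterations: int = 200_000) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(record: str, password: str) -> bool:
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))   # constant-time compare


if __name__ == "__main__":
    for d in find_md5_constants(SHELL_SOURCE):
        print(d, "->", lookup_md5(d, WORDLIST))
```

The same extraction step is useful defensively: grep a recovered shell for 32-hex literals, look them up, and you learn whether the attacker reused a password you can pivot on in logs elsewhere. Eric's own fix, editing the shell so it accepts no password at all, is the right move for a tool you intend to keep as bait; deleting it is the right move otherwise.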