Eric at on 10 Aug 2012 13:18:41 -0700


Re: [PLUG] emerg web server repair


On 08/09/2012 06:32 PM, wrote:
> In the message dated: Thu, 09 Aug 2012 18:05:55 EDT, The pithy ruminations from Rich Freeman on <Re: [PLUG] emerg web server repair> were:
> => On Thu, Aug 9, 2012 at 5:55 PM, Paul Jungwirth <> wrote:
> => > I'm a developer, not a sysadmin, so forgive my ignorance: is turning
> => > aside a DDOS really that easy? I've hear other smart people in IT say
> => > that there's actually very little you can do, and there are huge sites
> => > that have suffered extended downtime because of a DDOS attack.
> =>
> => It is.  In fact there is an even easier solution - just unplug the
> => network cable.
> =>
> => The problem with both solutions is that you essentially DOS yourself
> => to keep out the DDOS.  Maybe if you get them to attack the US
>
> There's another problem with those "solutions"...the upstream provider continues to receive all the traffic. This can seriously affect your "peers" (ie., other customers of that provider who rely on the same network, same routers, etc.).
>
> Work with your provider, get them to help out with their firewall or routing.
>
> Mark
>
> => Government somebody else will take care of your problem out-of-band.
> =>
> => Actually continuing to serve traffic under a DDOS is very difficult indeed.
> =>
> => Rich

Thanks for all the suggestions and support.
We managed to extricate the last remnants of the evil code and patched the
system about 2:30 this morning.  It's now wrapped up quite tightly and, so
far, we're okay.  We still dread the possibility of a retaliatory DDOS.

A couple of notes:

1. We've started using git as a pseudo intrusion detection method.  The
git repository is owned by root.  Since the hackers only ever gained
access as www-data we feel /reasonably/ safe.  A simple git status tells
us if there are new or modified files.  It's not automatic but rigorous
adherence to source code control protocols will allow us to pin-point
the damaged files MUCH more easily should this happen again (God forbid!).

2. Hackers (crackers, whatever) think they are so clever.  The password
for their WSO 2.5 installation was "cocacola".  How do I know?  I went
to a site that has public access to rainbow tables and entered the MD5
value I found in their code.  The answer was nearly instantaneous and
I then owned their tool.  It has now been modified... it looks the same
as before but recognizes NO password whatsoever.  I think I'm so clever.

-- 
#  Eric Lucas
#                "Oh, I have slipped the surly bond of earth
#                 And danced the skies on laughter-silvered wings...
#                                        -- John Gillespie Magee Jr

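As an added example (not Eric's own setup and not part of the original mail), a POSIX shell script implementing the git-as-tamper-detector idea from point 1: take a baseline of the web root, then report any new, modified or deleted files with `git status --porcelain`. The web root here is a constructed temp directory standing in for a real document root, and the root/www-data ownership split is an assumption noted in the comments.

```shell
#!/bin/sh
# Added example: git as a simple file-integrity check over a web root.
# Assumption: in real use the repository (the .git directory) and this
# check are owned and run by root, while the web server runs as www-data,
# so a compromised www-data account cannot rewrite the baseline.
set -eu

# Snapshot the current tree as the trusted baseline; prints the commit id.
webroot_baseline() {
    root=$1
    git -C "$root" init -q                       # idempotent on an existing repo
    git -C "$root" add -A
    git -C "$root" -c user.name=ids -c user.email=ids@localhost \
        commit -q --allow-empty -m "baseline $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    git -C "$root" rev-parse HEAD
}

# Report deviations from the baseline: one line per new (??), modified ( M)
# or deleted ( D) path. Returns 0 when clean, 1 when anything changed.
webroot_check() {
    root=$1
    changes=$(git -C "$root" status --porcelain --untracked-files=all)
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Constructed demo: a tiny web root, baselined, then tampered with.
WEBROOT=$(mktemp -d)
mkdir -p "$WEBROOT/images"
printf '<?php echo "hello"; ?>\n' > "$WEBROOT/index.php"
printf 'GIF89a\n' > "$WEBROOT/images/logo.gif"
webroot_baseline "$WEBROOT" > /dev/null

printf '<?php /* dropped file */ ?>\n' > "$WEBROOT/images/x.php"  # new file
printf '<?php echo "changed"; ?>\n' > "$WEBROOT/index.php"        # modified

if webroot_check "$WEBROOT"; then
    echo "clean: web root matches baseline"
else
    echo "CHANGES DETECTED: review the paths listed above"
fi
```

Run it from cron under root against the real document root and alert on a non-zero exit; re-run `webroot_baseline` only after a deliberate, reviewed deploy.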
Philadelphia Linux Users Group