View Full Version : It Lives!



HickBoy
02-19-2007, 09:17 AM
I shall make this short...

Last week a power supply died in the router so I went out to swap it out with a new one.

While onsite, I noticed that tripwire had shown someone from an odd IP address had accessed the system via a user account that is no longer used.

They used their access to exploit an older version of OpenSSL that was running on the web server.

They broke into the box and started installing root kits.
I was working with the police to track them down and had the boxes offline in a sandbox to help trace the attacker with the police.

Suffice to say, I couldn't bring the sites back up until the investigating was done.

Everything has been moved to new boxes and I took the opportunity to upgrade everything to new software/hardware.

UPDATE:
If you have an email account on any of my domains, your mailbox was migrated to the new server and your username/password have been reset.

Send me a private message with the email address you had registered and I will reply with your username/password.

You can also send a request for the password via email at:

sysadmin@fuzzylinux.net

Please list what your old email address was. The same goes for FTP/Hosted Sites, etc.

Chemgod[Ace]
02-19-2007, 09:23 AM
Thanks for all the hard work hick... Without you, this community would not exist. I hope you get those hackers!

hippi_fox
02-19-2007, 09:34 AM
hick you rule!!!

Paradox
02-19-2007, 09:43 AM
you are awesome hick :)

HickBoy
02-19-2007, 09:49 AM
If you have an email account on any of my domains, your mailbox was migrated to the new server and your username/password have been reset.

Send me a private message with the email address you had registered and I will reply with your username/password.

You can also send a request for the password via email at:

sysadmin@fuzzylinux.net

Please list what your old email address was. The same goes for FTP/Hosted Sites, etc.

Lead'
02-19-2007, 10:29 AM
Steve is awesome.

Qui Gon-Jinn
02-19-2007, 10:33 AM
Hick For The Win..

Thanks for all the hard work man.

Ron Jeremy
02-19-2007, 11:20 AM
You rock! So did you and the police find out who was fuxing around? Can we send a hit squad (myself, Quif, Phun & Guido) to take the loser out? :beer:

HickBoy
02-19-2007, 11:55 AM
Yeah, they didn't realize that the system was tracking them the entire time.
They tried the old trick of erasing the logs while they were inside, but they didn't know the system was keeping separate (secret) logs.

Here's a glimpse of some of the maliciousness they were up to:

cd .kde
ls -al
rm -rf xpl
ps -aux
kill -9 8636 8644
w
ps -aux
pwd
unset bash_history
cd /usr/local/games
cd " "
./sense tcp.log
exit

unset bash_history
cd /usr/local/games
cd " "
./sense tcp.log
exit

You can see them creating hidden directories, loading r00tk1t's, etc...
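One way a defender could triage a captured session history like the one above, as an added example that is not from this thread or from the site's own tooling: the inline copy of the history is taken from the post, and the rule set and reason labels are constructed for illustration and only cover behaviours visible in that history.

```python
import re

# Constructed sample: the command history quoted in the post above, one
# command per line, as the separate audit log would have recorded it.
SESSION_LOG = """\
cd .kde
ls -al
rm -rf xpl
ps -aux
kill -9 8636 8644
w
ps -aux
pwd
unset bash_history
cd /usr/local/games
cd " "
./sense tcp.log
exit
"""

# Each rule is (reason, regex). The rules only cover behaviours visible in
# the post: history tampering, hidden or blank-named directories, recursive
# deletes, forced kills, and activity under an unusual system path.
RULES = [
    ("shell history disabled", re.compile(r"^\s*unset\s+\S*hist\S*", re.I)),
    ("entered hidden directory", re.compile(r"^\s*cd\s+\.[^./\s]")),
    ("directory name is only whitespace", re.compile(r'^\s*cd\s+"\s+"\s*$')),
    ("recursive forced delete", re.compile(r"^\s*rm\s+-[a-z]*(rf|fr)")),
    ("SIGKILL sent to processes", re.compile(r"^\s*kill\s+-9\b")),
    ("activity under /usr/local/games", re.compile(r"^\s*(cd\s+)?/usr/local/games\b")),
    ("executed binary from working directory", re.compile(r"^\s*\./\S+")),
]


def flag_commands(log_text):
    """Return (line_number, command, reason) for each command that matches a rule."""
    hits = []
    for lineno, cmd in enumerate(log_text.splitlines(), start=1):
        for reason, pattern in RULES:
            if pattern.search(cmd):
                hits.append((lineno, cmd, reason))
                break  # one reason per command is enough for triage
    return hits


def session_score(log_text):
    """Number of distinct indicators seen; several different ones in one
    session is the combination that deserves an analyst's attention."""
    return len({reason for _, _, reason in flag_commands(log_text)})
```

Routine commands such as `ls -al`, `w` and `pwd` match nothing; it is the cluster of history tampering, hidden directories and forced kills in one session that stands out.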

Kenderstew
02-19-2007, 03:10 PM
hrm, doesn't mean much to me:P What were they actually trying to do to the system? Get it to run a bunch of other processes? And thanks for getting the site back up and running it

HickBoy
02-19-2007, 05:14 PM
Hacking into it to try and steal data....

Kenderstew
02-19-2007, 05:22 PM
ah, then I'm assuming you had other stuff on there too, since I'm pretty sure our conversations aren't all that valuable:P

hippi_fox
02-19-2007, 09:47 PM
speak for yourself

HickBoy
02-19-2007, 10:17 PM
Naw, it's normal hacking stuff...

Root box, steal passwords, try to break into other boxes from cracked box, steal passwords, etc...

Lead'
02-19-2007, 10:31 PM
Someone should send Hick a large container of bbq sauce.

KillerDark
02-20-2007, 05:39 AM
Steve = win. :)

Chemgod[Ace]
02-20-2007, 12:42 PM
The forum clock seems to be off... I checked my user CP settings and I have the right time zone set up. It is 7:40 AM pacific right now... And it thinks it's december 2006

steveman_AKA_Bean
02-20-2007, 02:06 PM
yes its off

Xero
02-21-2007, 03:58 AM
Thanks for getting ze fr3nsyc back up and running, Steve =)