Security Failure at EV1
traceaxil 08-16-2004, 02:24 PM I've had a security breach at EV1 with a substantial loss of data. The pile of backups that were being performed nightly through Ensim are all corrupted and useless.
The culprit is likely a former employee that the FBI is soon to introduce themselves to.
My question: Is this a problem that a sysadmin can solve by plugging the holes in the server? Should I move everything to another server and start over with all new accounts? Or should I start over with a new provider or at least a new server mgmt module.
Thanks.
Perfecthost 08-16-2004, 02:42 PM Are you sure it was someone from the datacenter? Or, was it someone that hacked into your server via an unpatched security hole? If the second option, you are responsible for that, not EV1.
-Lamar
Fair Dinkum 08-16-2004, 02:44 PM Please clarify this point:
"The culprit is likely a former employee...". I assume that to mean one of your former employees?
Also, if the machine was compromised it is generally a good practice to have the OS and control panel reloaded. Ask them to put your data drive as the 2nd or 3rd HDD so you can try to recover data if possible. EV1 is pretty good about that.
When you get the OS reloaded/restored etc... by all means, use completely different passwords. :) Consider hiring one of the security guys around here to "harden" your server as well before you add accounts back to it.
Glenn
Perfecthost 08-16-2004, 02:47 PM Originally posted by SB-Host
Please clarify this point:
"The culprit is likely a former employee...". I assume that to mean one of your former employees?
Glenn
In re-reading this, I think you may be right.
-Lamar
e12pilot 08-16-2004, 03:28 PM traceaxil,
You need to be extremely careful disclosing this type of information without sufficient clarity, as your post above reads as if it was an EV1 employee. Making accusations of this magnitude is not something to take lightly, and if I were you I would never post something like this on a public forum.
Let the authorities and your legal team take care of it.
Peter
Jay Cornwall 08-16-2004, 03:47 PM Originally posted by traceaxil
...that the FBI is soon to introduce themselves to...
You seem to have a slight misconception as to how the US legal investigative system works, so let me clarify.
If you can convince the FBI your case is even worth talking about, you must be able to prove (not speculate, prove) that you've sustained thousands of dollars of lost business. That will get a trainee intern to file a report and put it away in the dark depths of the FBI's records. If you want them to think about acting on the report, you must be able to prove you've sustained tens of thousands of dollars in lost business.
If you want them to make a report, think about acting on it and actually act on it, those provable losses have to run into hundreds of thousands of dollars. At that point they will begin to take you seriously; but it's unlikely still that they'd take cybercrime investigations seriously at that amount of loss. Such an investigation would only be justified when losses reach the millions region.
It isn't fair, it isn't justice, but that's how it is. Now when you've calmed down and stopped screaming the usual empty legal threats at scripts, how about doing something useful like figuring out how your system was rooted? And why your contingency plan for such an event was limited to a single set of backups accessible (an NFS mount?) by the very same server that it was protecting.
UH-Matt 08-16-2004, 04:00 PM The subject seems to indicate EV1 are at fault. You may wish to clarify yourself.
I assume you have a server with EV1 and that is as far as the relationship goes... EV1 didn't actually have anything to do with your security problem?
headsurfer 08-16-2004, 04:01 PM Traceaxil-
Can we get a clarification on your post? Are you suggesting that it was one of your employees or ours?
In any instance, if you will contact notify.management@ev1servers.net, we will assist you in any way that we can on an asap basis.
RyanD 08-16-2004, 04:05 PM It certainly is nice to see that HS is keeping up on things around here, another reason why we still haven't moved some of our older equipment out of ev1 ;)
rsferreira 08-16-2004, 05:15 PM Originally posted by traceaxil
I've had a security breach at EV1 with a substantial loss of data. The pile of backups that were being performed nightly through Ensim are all corrupted and useless.
That's why it's a good idea to have both local and external backups.
Originally posted by traceaxil
The culprit is likely a former employee that the FBI is soon to introduce themselves to.
EV1 ex-employee or your ex-employee? BTW, why do you believe this person was responsible for the attack?
Originally posted by traceaxil
My question: Is this a problem that a sysadmin can solve by plugging the holes in the server?
Considering your ex-employee (or EV1 ex-employee) wouldn't have physical access to the server, yes, a good admin would be able to guarantee a good security level to avoid (not 100%, but in a good measure) things like this.
Originally posted by traceaxil
Should I move everything to another server and start over with all new accounts?
An OS restore should be enough.
Originally posted by traceaxil
Or should I start over with a new provider or at least a new server mgmt module.
Thanks.
If you can't handle security management by yourself, you should already have some management company to take care of that for you.
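Jay Cornwall's point about backups reachable from the very server they protect, and rsferreira's advice to keep external copies, both come down to the same control: the backup host holds its own record of what a good backup set looks like, and checks each set against it before anyone needs a restore. The script below is an added example, not code from this thread or from EV1/Ensim; it assumes backups are pulled onto a separate host that the protected server cannot write to, and the paths and sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: keep a SHA-256 manifest of each backup set
# on the backup host itself (assumption: backups are pulled there and the
# protected server has no write access), then verify the set before trusting it.
# A corrupted or missing file is reported now rather than on restore day.
set -eu
tab=$(printf '\t')

# SHA-256 of one file; uses coreutils sha256sum or BSD/macOS shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# make_manifest DIR: print "hash<TAB>relative-path" for every regular file in DIR.
make_manifest() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(hash_file "$f")" "${f#./}"
    done )
}

# verify_manifest DIR MANIFEST: return 0 only if every listed file is present and
# hashes as recorded; otherwise print each MISSING/CORRUPT path and return 1.
verify_manifest() {
    bad=0
    while IFS="$tab" read -r want path; do
        if [ ! -f "$1/$path" ]; then echo "MISSING $path"; bad=1
        elif [ "$(hash_file "$1/$path")" != "$want" ]; then echo "CORRUPT $path"; bad=1
        fi
    done < "$2"
    return $bad
}

# run_demo: constructed backup set; returns 0 when the check catches corruption.
run_demo() {
    work=$(mktemp -d); data="$work/backup-set"; store="$work/backup-host"
    mkdir -p "$data/etc" "$store"
    echo "site config"   > "$data/etc/httpd.conf"
    echo "customer rows" > "$data/db.sql"
    make_manifest "$data" > "$store/manifest.sha256"     # manifest lives off the server
    verify_manifest "$data" "$store/manifest.sha256" >/dev/null || return 1   # clean set passes
    echo "garbage" > "$data/db.sql"                       # simulate the corrupted nightly backup
    if verify_manifest "$data" "$store/manifest.sha256" >/dev/null; then return 1; fi
    rm -rf "$work"
}
```

Run `make_manifest` on the backup host right after each pull and keep the manifest with the set; a failing `verify_manifest` is the alert that a set is already bad, before the incident that would make you reach for it.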
RossH 08-16-2004, 06:11 PM Let's get to the bottom line here. Unless you can claim and prove at least $50,000 worth of damage it will go into the FBI filing cabinet never to be seen again (unless you have some major clout).
headsurfer 08-16-2004, 06:28 PM Just as a clarification, as we have spoken with and are working with this customer, he suspects a former employee of HIS firm, not EV1.
Robert
sirius 08-16-2004, 06:34 PM Originally posted by headsurfer
Just as a clarification, as we have spoken with and are working with this customer, he suspects a former employee of HIS firm, not EV1.
Robert
This thread should probably be cleaned to indicate that... <hint hint, nudge nudge>
Sirius
Fair Dinkum 08-16-2004, 06:44 PM Originally posted by headsurfer
Just as a clarification, as we have spoken with and are working with this customer, he suspects a former employee of HIS firm, not EV1.
Robert
Thanks Robert, that is what I suspected.
Glenn
traceaxil 08-16-2004, 08:53 PM SORRY FOR THE CONFUSION. This is MY former employee who (I suspect) did this -- not at all EV1.
The only reason I mention the vendor (EV1) in this case is to open the chance for people here to comment on the possibility that OS/Server Mgmt/etc could possibly come into play.
Sorry for the implication to EV1 ---- my apparent challenges with the English language.