
View Full Version : user's passwords stolen
jakis 01-27-2002, 01:59 PM Hi people
Due to my unawareness, I keep the username/password of all my hosting users in a mysql table. Some user (I think) browsed the server and found the username/password for connecting to this table, so now he keeps all users' passwords. He FTPs as many users through many domains and uploads IRC bots. I know his IP address, should I call the police to stop him?
Thank you
jakis
Police or FBI.. the guy cracked into your system... which could cost them big time... :)
mkaufman 01-27-2002, 02:39 PM Definitely.. and I wouldn't store private data where it can be stolen easily again
jakis 01-27-2002, 02:41 PM If I don't stop the guy who has all of the users' passwords, he'll keep logging in using people's accounts, and when my users are aware that they are cracked they'd blame me.
2Grumpy 01-27-2002, 02:47 PM Originally posted by jakis
If I don't stop the guy who has all of the users' passwords, he'll keep logging in using people's accounts, and when my users are aware that they are cracked they'd blame me.
You haven't already manually changed every users password?:eek:
I'd blame you too, sorry. The SECOND I so much as suspect a crack like this I'm gonna change every user's password that instant. He could login and start deleting files from the user's uppermost level ftp (which might be / and could end up getting files anywhere that are marked 777!).
What sort of backups do you have of your system and user's data?
jakis 01-27-2002, 02:58 PM I have hundreds of users, so I don't dare to change all passwords or people will yell at me. Yep, I'd get blamed while I'm developing a new secure system.
I checked all log files; the guy did not change any passwords since he already has a lot of passwords in hand, he just comes to run the BOT and keeps MP3s in other people's places.
No problem with backup, I zip it and FTP it to another server every week.
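One thing the log check above turns on is spotting a single source address that logs into many different accounts, which is the signature of someone replaying a stolen credential list. This is an added example, not code from anyone in the thread; the log layout is constructed for the example and is not real Pure-FTPd output, so the regular expression is an assumption you would adapt to your own server's format.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a generic "date time LOGIN user= ip= status=" layout.
# Not real Pure-FTPd output; the field order is an assumption for this example.
SAMPLE_LOG = """\
2002-01-27 10:02:11 LOGIN user=alice ip=203.0.113.9 status=OK
2002-01-27 10:05:40 LOGIN user=bob ip=203.0.113.9 status=OK
2002-01-27 10:06:02 LOGIN user=carol ip=203.0.113.9 status=OK
2002-01-27 10:09:15 LOGIN user=dave ip=203.0.113.9 status=OK
2002-01-27 11:00:00 LOGIN user=alice ip=198.51.100.7 status=OK
2002-01-27 11:30:00 LOGIN user=erin ip=198.51.100.23 status=FAIL
2002-01-27 11:31:00 LOGIN user=erin ip=198.51.100.23 status=OK
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) LOGIN user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) status=(?P<status>\S+)$"
)


def parse_logins(text):
    """Yield (ip, user) for every successful login line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("status") == "OK":
            yield m.group("ip"), m.group("user")


def accounts_per_ip(text):
    """Map each source IP to the set of distinct accounts it logged into."""
    seen = defaultdict(set)
    for ip, user in parse_logins(text):
        seen[ip].add(user)
    return seen


def flag_credential_reuse(text, threshold=3):
    """Return {ip: sorted users} for IPs that used >= threshold distinct accounts.

    Legitimate customers rarely log into more than one or two accounts from the
    same address, so a high count is a strong sign of a stolen password list.
    """
    return {
        ip: sorted(users)
        for ip, users in accounts_per_ip(text).items()
        if len(users) >= threshold
    }


def accounts_touched_by(text, ip):
    """All accounts a known-bad IP successfully used; reset these passwords first."""
    return sorted(accounts_per_ip(text).get(ip, set()))


if __name__ == "__main__":
    for ip, users in flag_credential_reuse(SAMPLE_LOG).items():
        print(f"{ip} logged into {len(users)} accounts: {', '.join(users)}")
```

The threshold is deliberately low because the question is not "is this IP busy" but "did one address use credentials it should not own"; `accounts_touched_by` gives the list to reset immediately, and `flag_credential_reuse` catches the second dial-up address the same person might switch to.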
The Prohacker 01-27-2002, 03:05 PM Originally posted by jakis
I have hundreds of users, so I don't dare to change all passwords or people will yell at me. Yep, I'd get blamed while I'm developing a new secure system.
What would they yell at you more for, changing their password with no downtime, or someone deleting their files, and them finding out that the person had access, and causing them downtime.......
2Grumpy 01-27-2002, 03:12 PM Originally posted by jakis
I have hundreds of users, so I don't dare to change all passwords or people will yell at me. Yep, I'd get blamed while I'm developing a new secure system.
I checked all log files; the guy did not change any passwords since he already has a lot of passwords in hand, he just comes to run the BOT and keeps MP3s in other people's places.
No problem with backup, I zip it and FTP it to another server every week.
Dude, I hate to break this to you, you're gonna get yelled at, no matter how well you handle it. Your main saving grace is it looks like the "hacker" either:
A) is a nice guy
or
B) is not hip to what he can do
No ifs ands or buts about it, #1 on my list of "things to do if all my users passwords were stolen" is change the passwords. I could write a simple shell script to do it for me and probably assign the same password to each account, then manually change the password to whatever the user wanted as the requests came in.
Craig 01-28-2002, 08:10 AM Do a couple of things such as if you know his IP, block it. Simply do that using ipchains.
Also, if he's transferring mp3s via DCC bots then why not block IRC connects from the server?
Simply block the ports that are commonly used, 6665 - 7000.
I would do a mass password change, it's the only way to be sure, as blocking his IP would simply mean he got someone else to do his dirty work.
How about just disabling Shell access on all accounts? Until this is all sorted.
Just a couple of suggestions,
Craig.
clocker1996 01-28-2002, 09:13 AM shutdown ssh/telnet for everyone but you.
then start changing pw's
cheesysticks 01-28-2002, 09:56 AM Is it possible to amend an "email user" step to the password shell script??? The smaller the time between you changing the password and users finding out by your email rather than by accident may save you some yelling??? Even "NO FTP ACCESS FOR 24HRS" OUR FTP IS DOWN!
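2Grumpy's "change every password from a script" and cheesysticks' "and email the user in the same run" fit naturally in one tool. The following is an added example, not a script from anyone in the thread; it generates a distinct random password per account (rather than the single shared password 2Grumpy mentions, so one reset cannot unlock a neighbour's account), emits the `user:password` lines that `chpasswd(8)` reads on stdin, and builds the notice text to send. Account names and the support address are constructed for the example.

```python
import secrets
import string

# Letters and digits only, so the password survives mail clients and copy/paste;
# 16 symbols from 62 gives roughly 95 bits of entropy.
ALPHABET = string.ascii_letters + string.digits


def new_password(length=16):
    """Random password drawn from the OS CSPRNG (secrets), never from random.random."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_all(usernames, length=16):
    """Return {username: fresh_password} with a different random password per account."""
    return {u: new_password(length) for u in usernames}


def chpasswd_batch(rotated):
    """Lines in the 'user:password' form chpasswd(8) consumes; feed them on stdin,
    never via the command line, so the passwords do not show up in ps or shell history."""
    return "".join(f"{u}:{p}\n" for u, p in rotated.items())


def notice(username, password, support_addr):
    """Plain-text message to the account owner explaining the reset."""
    return (
        f"To: {username}\n"
        "Subject: Your FTP password has been reset\n"
        "\n"
        "As a precaution after a security incident, all customer passwords\n"
        f"were changed. The new password for account '{username}' is: {password}\n"
        "Please log in and pick a password of your own as soon as possible.\n"
        f"Questions: {support_addr}\n"
    )


def rotation_plan(usernames, support_addr):
    """Everything one run needs: the chpasswd input and one notice per account."""
    rotated = rotate_all(usernames)
    return {
        "chpasswd_input": chpasswd_batch(rotated),
        "notices": {u: notice(u, p, support_addr) for u, p in rotated.items()},
    }


if __name__ == "__main__":
    # Constructed account list; a real run would read it from /etc/passwd or the user DB.
    plan = rotation_plan(["alice", "bob", "carol"], "support@example.invalid")
    print(plan["chpasswd_input"], end="")
```

On the server the pipeline is `python3 rotate.py | chpasswd` with the notices handed to `sendmail`; send the mail only after `chpasswd` succeeded, and treat the generated list as secret material to be deleted once the run is confirmed.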
jakis 01-28-2002, 01:13 PM Thank you. You guys are most helpful in every bad situation. I have no problem writing scripts that change passwords in a few seconds since the passwords were kept in separate files. I use Pureftpd, which keeps FTP passwords in a virtualuser db (really secure and I love it more than proftpd), but the vulnerability resides in the control panel password that was kept in clear text. I would recommend everybody keep sensitive data away from mysql and don't keep passwords in clear text, or the snooper can easily find and view it; no matter where it's kept, he will find it. Although the password was encrypted, it's not too hard for the snooper to run password crackers or guess the password that is the same as the username.
The bad guy today is not stupid, he knows what he's doing, so he uses 2 dialups hence 2 dynamic IPs, one for investigation, and another for the crime. Many users on my machine are the most dangerous species. He writes perl/php scripts that do the same job as telnet without logging in. He views all users from /etc/passwd or lists directories, guesses/bruteforces the weak passwords, then logs in as other users and starts annoying things like uploading mp3s, binding daemons to non-standard ports etc. :crap: but I can't erase him because he didn't use his account when doing nasty stuff.
markblair 01-29-2002, 01:58 PM I believe you have to go one step further. You are obligated to inform your users exactly what happened. You may get yelled at and lose some customers but it is in their best interest to know. What if this guy gained access to their files and found some sensitive financial information? Then he goes on a little shopping spree and cleans them out. If that happened and the customer had no idea you had these problems, where would they start investigating? If they knew, they would at least have a leg up on the problem.
A while back Egghead.com had a security violation on their servers and customers' information was stolen. They were required by law to inform everyone that had their credit card information on their servers.
These are just my thoughts and I hope I'm wrong. Good luck...
allera 01-29-2002, 02:26 PM You don't have to keep sensitive data away from MySQL. Just be smart about it. Don't use clear-text passwords, don't put the username/password to the mysql DB ANYWHERE on your filesystem in clear-text (or keep it locked down with proper permissions), use SSL when using the username/password (such as in phpmyadmin), and use SSL with MySQL if you need to connect to a server over an insecure network (like the internet). There are a ton of other things you can do to secure things even more, but that's just a start.
Oh, and don't use stupid passwords like: username bob, password: bob. ;)
Tim Greer 01-30-2002, 05:34 AM Short and sweet: No offense, but you have no business doing what you're doing. You are not skilled enough to be dealing with this by your posts content alone and you're missing a lot of things. You're way off the mark here, and you need to seek help from a qualified person/professional. I don't mean to offend you, but this is painfully obvious that it's over your head and you don't have time to learn all the aspects you need to know to deal with this, and the fact that you're allowing your clients to be at risk due to your own fears of ramifications due to your lack of knowledge in this field, is not right. Seek help and do this right, or sell your hosting business to someone that can. This may sound brutal or mean, but you're taking a ridiculous, careless, ignorant and dangerous approach to this -- and there's more people involved in this than just you. You have no right to be playing around or shrugging it off or thinking you can handle something you aren't prepared or able to do. If you don't heed this advice, things have a high potential of getting much worse, and you'll have a lot more things to worry about which can be very serious.
jakis 01-30-2002, 05:55 AM No problems, I just encrypted everything overnight since I wrote the whole control panel myself so I can easily modify it. This control panel was written over a year ago based on the assumption that
- there's only a few hundred users on the system where they have good behavior.
- one domain per person.
Today, the situation has changed. So I must redesign the whole system, but the malicious people did not wait. They can start annoying at any time, especially when I am sleeping or on christmas vacation. :bawling: