Thread: Mother...er well, "fiddlestick!"
-
01-20-2002, 05:30 AM #1Web Hosting Master
- Join Date
- Oct 2001
- Location
- California, USA
- Posts
- 1,316
Mother...er well, "fiddlestick!"
Man, I'm so sick of it.
First this guy, a client, uses an SSH exploit to gain root access on the computer where his account is hosted, just for the sake of hiding his IRC bouncer.
We suspend his account but leave SSH v1 (the security 'hole') access open because some other clients have old SSH clients. We send him an email explaining the account suspension and our reasons. Of course he denies. Would you believe he keeps a low profile? Nah, he hacks into the computer right back. Of course, we kick him out right away and disable SSH1 for good.
He writes back, denying and so on. When we explain to him we have logfiles and that processes show their original owner's signature (he doesn't know jack, mind you; nowadays all you have to do is download a rootkit when you're a lame wannabe); well, when we explain that to him, he caves in and uses the lousy "I've lent my account to a friend" excuse. Yeah, right.
Well long story short, today, bang, chargeback!
I'm quite mad. We have plenty of good clients, but sometimes a rotten apple makes you feel like you could really kick some ass really hard.
Ah, anyway, that was today's rant, thanks for reading
http://www.voilaweb.com - the Social Internet Toolbox.
-
01-20-2002, 06:21 AM #2Junior Guru Wannabe
- Join Date
- Feb 2001
- Posts
- 45
I don't see why you didn't disable the user's account right
away, along with ssh1, and look further into patching the security
hole in the first place.
Other than that, sorry to hear about the chargeback, that's really
unfortunate since I'm trying to get into the business soon and
have been reading and posting frequently trying to 'catch on'
as much as possible to hear that these things happen so frequently.
-Mafukie
-
01-20-2002, 06:36 AM #3Web Hosting Master
- Join Date
- Oct 2001
- Location
- California, USA
- Posts
- 1,316
Well,
Mafukie, his account was disabled right away but our mistake was not to check some remaining files.
Plus bad things never happen one after the other, rather you generally get a nice bucket of sh*t and you realize "well, it may not be my day".
-
01-20-2002, 07:15 AM #4Web Hosting Master
- Join Date
- Apr 2001
- Location
- Depok, Indonesia
- Posts
- 988
How did you find out that this is an SSH1 exploit? As far as I can tell, with secure servers (e.g. OpenSSH), it is still very difficult for a casual IRC l33t w4nn4b3 to exploit. If he can do that, then he has better things to do. Also, exploiting the vulnerability requires sniffing an already created ssh connection.
What version of SSH are you using? If it is not a recent version, I suggest upgrading. See http://www.openssh.com/security.html for information on SSH vulnerabilities.
-
01-20-2002, 07:25 AM #5Web Hosting Master
- Join Date
- Oct 2001
- Location
- California, USA
- Posts
- 1,316
Yes,
on this server, we hadn't replaced the default SSH with OpenSSH yet. Well, it's now done
-
01-20-2002, 07:49 AM #6Web Hosting Master
- Join Date
- Oct 2001
- Location
- California, USA
- Posts
- 1,316
Well,
Mafukie, his account was disabled right away but our mistake was not to check some remaining files.
Plus bad things never happen one after the other, rather you generally get a nice bucket of sh*t and you realize "well, it may not be my day".
-
01-20-2002, 08:21 AM #7Web Hosting Master
- Join Date
- May 2001
- Posts
- 1,349
You'd better double check your system to make sure this hacker didn't install other backdoors/trojans into your system after he got root via the ssh exploit.
-
01-20-2002, 09:13 AM #8Web Hosting Master
- Join Date
- Oct 2001
- Location
- California, USA
- Posts
- 1,316
Originally posted by Skeptical
You'd better double check your system to make sure this hacker didn't install other backdoors/trojans into your system after he got root via the ssh exploit.
I was ranting on how easy it is for any wannabe to hack a unix system; download a rootkit and you're rolling. The silver lining, here, is that their attempts are all but stealth, since they do not have an intimate knowledge of the OS. Well, just hoping that we never get hacked by a *real* hacker
-
01-20-2002, 02:13 PM #9Web Hosting Evangelist
- Join Date
- Aug 2001
- Location
- St. Louis, MO
- Posts
- 467
Which log files track that access?
-
01-20-2002, 05:38 PM #10Web Hosting Master
- Join Date
- Oct 2001
- Location
- California, USA
- Posts
- 1,316
Originally posted by pgrote
Which log files track that access?
Anyway, sorry about that totally useless thread. But that's the reason why I started it in the Lounge: I had to express my anger; feeling better now...