  1. #1
    Join Date: Oct 2001 | Location: California, USA | Posts: 1,316

    Mother...er well, "fiddlestick!"

    Man, I'm so sick of it.
    First this guy, a client, uses an SSH exploit to gain root access on the computer where his account is hosted, just for the sake of hiding his IRC bouncer.
    We suspend his account but leave SSH v1 (the security 'hole') access open because some other clients have old SSH clients. We send him an email explaining the account suspension and our reasons. Of course he denies. Would you believe he keeps a low profile? Nah, he hacks into the computer right back. Of course, we kick him out right away and disable SSH1 for good.

    He writes back, denying and so on. When we explain to him we have logfiles and that processes show their original owner's signature (he doesn't know jack, mind you; nowadays all you have to do is download a rootkit when you're a lame wannabe); well, when we explain that to him, he caves in and uses the lousy "I've lent my account to a friend" excuse. Yeah, right.

    Well long story short, today, bang, chargeback!

    I'm quite mad. We have plenty of good clients, but sometimes a rotten apple makes you feel like you could really kick some ass really hard.

    Ah, anyway, that was today's rant, thanks for reading.
    http://www.voilaweb.com - the Social Internet Toolbox.

  2. #2
    Join Date: Feb 2001 | Posts: 45
    I don't see why you didn't disable the user's account right
    away, along with ssh1, and look further into patching the security
    hole in the first place.

    Other than that, sorry to hear about the chargeback. That's really
    unfortunate, since I'm trying to get into the business soon and
    have been reading and posting frequently trying to 'catch on'
    as much as possible, and I hear that these things happen so frequently.
    -Mafukie

  3. #3
    Join Date: Oct 2001 | Location: California, USA | Posts: 1,316
    Well,
    Mafukie, his account was disabled right away, but our mistake was not to check some remaining files.
    Plus, bad things never happen one after the other; rather, you generally get a nice bucket of sh*t and you realize "well, it may not be my day".
    http://www.voilaweb.com - the Social Internet Toolbox.

  4. #4
    Join Date: Apr 2001 | Location: Depok, Indonesia | Posts: 988
    How did you find out that this is an SSH1 exploit? As far as I can tell, with secure servers (e.g. OpenSSH), it is still very difficult for a casual IRC l33t w4nn4b3 to exploit. If he can do that, then he has better things to do. Also, exploiting the vulnerability requires sniffing an already created ssh connection.

    What version of SSH are you using? If it is not a recent version, I suggest upgrading. See http://www.openssh.com/security.html for information on SSH vulnerabilities.

  5. #5
    Join Date: Oct 2001 | Location: California, USA | Posts: 1,316
    Yes,
    on this server, we hadn't replaced the default SSH with OpenSSH yet. Well, it's now done.
    http://www.voilaweb.com - the Social Internet Toolbox.
  7. #7
    Join Date: May 2001 | Posts: 1,349
    You'd better double check your system to make sure this hacker didn't install other backdoors/trojans into your system after he got root via the ssh exploit.

  8. #8
    Join Date: Oct 2001 | Location: California, USA | Posts: 1,316
    Originally posted by Skeptical
    You'd better double check your system to make sure this hacker didn't install other backdoors/trojans into your system after he got root via the ssh exploit.
    Sure thing! Actually, as it turns out, we have a pretty sophisticated watchdog that alerts us when something seems fishy (checking file ownership, new devices, etc.), so that doesn't leave much time for them to clobber any evidence. This is how we ended up having all these nice logs.

    I was ranting on how easy it is for any wannabe to hack a unix system; download a rootkit and you're rolling. The silver lining, here, is that their attempts are all but stealthy, since they do not have an intimate knowledge of the OS. Well, just hoping that we never get hacked by a *real* hacker.
    http://www.voilaweb.com - the Social Internet Toolbox.
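The watchdog described in the post above (checking file ownership, new device nodes and the like) can be approximated with a baseline-and-diff scan. This is an added example, not the poster's own tool; it assumes a snapshot taken while the host is known-good and flags new device nodes, ownership changes and files that newly gained setuid/setgid bits, which is what a rootkit install typically touches.

```python
import os
import stat

SPECIAL = stat.S_ISUID | stat.S_ISGID  # bits a rootkit installer commonly adds


def snapshot(root):
    """Record (uid, gid, permission bits, is-device-node) for every entry under root."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow a symlink someone planted
            except OSError:
                continue  # vanished between walk and stat; nothing to record
            mode = st.st_mode
            snap[path] = (st.st_uid, st.st_gid, stat.S_IMODE(mode),
                          stat.S_ISCHR(mode) or stat.S_ISBLK(mode))
    return snap


def compare(baseline, current):
    """Diff two snapshots; return alert strings for new device nodes,
    ownership changes, and files that newly gained setuid/setgid bits."""
    alerts = []
    for path, (uid, gid, mode, is_dev) in current.items():
        prev = baseline.get(path)
        if prev is None:
            if is_dev:
                alerts.append(f"NEW DEVICE NODE: {path}")
            elif mode & SPECIAL:
                alerts.append(f"NEW SETUID/SETGID FILE: {path} mode={mode:04o}")
            continue
        puid, pgid, pmode, _ = prev
        if (uid, gid) != (puid, pgid):
            alerts.append(f"OWNER CHANGED: {path} {puid}:{pgid} -> {uid}:{gid}")
        if (mode & SPECIAL) and not (pmode & SPECIAL):
            alerts.append(f"SETUID/SETGID ADDED: {path} {pmode:04o} -> {mode:04o}")
    return alerts


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    base = snapshot(root)  # take the baseline while the box is known-good
    input("Baseline taken; press Enter to rescan...")
    for line in compare(base, snapshot(root)):
        print(line)
```

Persist the baseline somewhere the host cannot modify (a read-only medium or another machine), otherwise an attacker with root can simply rewrite it.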

  9. #9
    Join Date: Aug 2001 | Location: St. Louis, MO | Posts: 467
    Which log files track that access?

  10. #10
    Join Date: Oct 2001 | Location: California, USA | Posts: 1,316
    Originally posted by pgrote
    Which log files track that access?
    Well, *our* logfiles. We're kinda paranoid.

    Anyway, sorry about that totally useless thread. But that's the reason why I started it in the Lounge: I had to express my anger; feeling better now...
    http://www.voilaweb.com - the Social Internet Toolbox.