
01-20-2002, 05:30 AM
Web Hosting Master
Join Date: Oct 2001
Location: California, USA
Posts: 1,315
Mother...er well, "fiddlestick!"
Man, I'm so sick of it.
First this guy, a client, uses an SSH exploit to gain root access on the computer where his account is hosted, just for the sake of hiding his IRC bouncer.
We suspend his account but leave SSH v1 (the security 'hole') access open because some other clients have old SSH clients. We send him an email explaining the account suspension and our reasons. Of course he denies. Would you believe he keeps a low profile? Nah, he hacks into the computer right back. Of course, we kick him out right away and disable SSH1 for good.
He writes back, denying and so on. When we explain to him we have logfiles and that processes show their original owner's signature (he doesn't know jack, mind you; nowadays all you have to do is download a rootkit when you're a lame wannabe); well, when we explain that to him, he caves in and uses the lousy "I've lent my account to a friend" excuse. Yeah, right.
Well long story short, today, bang, chargeback!
I'm quite mad. We have plenty of good clients, but sometimes a rotten apple makes you feel like you could really kick some ass really hard.
Ah, anyway, that was today's rant, thanks for reading 

01-20-2002, 06:21 AM
Junior Guru Wannabe
Join Date: Feb 2001
Posts: 45
I don't see why you didn't disable the user's account right away, along with ssh1, and look further into patching the security hole in the first place.
Other than that, sorry to hear about the chargeback, that's really unfortunate since I'm trying to get into the business soon and have been reading and posting frequently trying to 'catch on' as much as possible, and to hear that these things happen so frequently.
__________________
-Mafukie

01-20-2002, 06:36 AM
Web Hosting Master
Join Date: Oct 2001
Location: California, USA
Posts: 1,315
Well,
Mafukie, his account was disabled right away but our mistake was not to check some remaining files.
Plus bad things never happen one after the other, rather you generally get a nice bucket of sh*t and you realize "well, it may not be my day".

01-20-2002, 07:15 AM
Registered User
Join Date: Apr 2001
Location: Depok, Indonesia
Posts: 986
How did you find out that this is an SSH1 exploit? As far as I can tell, with secure servers (e.g. OpenSSH), it is still very difficult for a casual IRC l33t w4nn4b3 to exploit. If he can do that, then he has better things to do. Also, exploiting the vulnerability requires sniffing an already created ssh connection.
What version of SSH are you using? If it is not a recent version, I suggest upgrading. See http://www.openssh.com/security.html for information on SSH vulnerabilities.

01-20-2002, 07:25 AM
Web Hosting Master
Join Date: Oct 2001
Location: California, USA
Posts: 1,315
Yes,
on this server, we hadn't replaced the default SSH with OpenSSH yet. Well, it's now done 

01-20-2002, 08:21 AM
Web Hosting Master
Join Date: May 2001
Posts: 1,349
You'd better double check your system to make sure this hacker didn't install other backdoors/trojans into your system after he got root via the ssh exploit.
__________________
Expert Cpanel and WHMCS Development
We have done many modules such as alipay, chinabank, net.cn domain registration, and Cpanel modules such as auto-installers similar to Scriptaculous. Demo available upon request.
Email: sales[-at-]systemengineer.com

01-20-2002, 09:13 AM
Web Hosting Master
Join Date: Oct 2001
Location: California, USA
Posts: 1,315
Quote:
Originally posted by Skeptical
You'd better double check your system to make sure this hacker didn't install other backdoors/trojans into your system after he got root via the ssh exploit.
Sure thing! Actually, as it turns out, we have a pretty sophisticated watchdog that alerts us when something seems fishy (checking file ownership, new devices, etc), so that doesn't leave much time for them to clobber any evidence. This is how we ended up having all these nice logs.
I was ranting on how easy it is for any wannabe to hack a unix system; download a rootkit and you're rolling. The silver lining, here, is that their attempts are all but stealthy, since they do not have an intimate knowledge of the OS. Well, just hoping that we never get hacked by a *real* hacker
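As an added illustration of the kind of ownership/device watchdog described in this post (example code written here, not the poster's own tool): a small Python script that records uid, gid, mode and inode for every entry under a directory, then diffs a later run against that baseline and flags new files or device nodes, ownership or mode changes, newly set setuid bits and replaced (not edited) binaries. The baseline file name and the watched path are assumptions.

```python
import os
import stat

# Each path maps to (uid, gid, mode, inode); mode keeps the file-type bits so
# device nodes and setuid binaries can be told apart from ordinary files.
def snapshot(root):
    """Walk root (without following symlinks) and record ownership metadata."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:  # raced with a deletion; skip rather than abort
                continue
            snap[path] = (st.st_uid, st.st_gid, st.st_mode, st.st_ino)
    return snap

def compare(baseline, current):
    """Return (path, reason) findings: things a host watchdog should alert on."""
    findings = []
    for path, cur in current.items():
        base = baseline.get(path)
        if base is None:
            is_dev = stat.S_ISCHR(cur[2]) or stat.S_ISBLK(cur[2])
            findings.append((path, "new device node" if is_dev else "new file"))
            continue
        if cur[:2] != base[:2]:
            findings.append((path, f"owner changed {base[:2]} -> {cur[:2]}"))
        if stat.S_IMODE(cur[2]) != stat.S_IMODE(base[2]):
            findings.append((path, f"mode changed {oct(stat.S_IMODE(base[2]))} -> {oct(stat.S_IMODE(cur[2]))}"))
        if cur[2] & stat.S_ISUID and not base[2] & stat.S_ISUID:
            findings.append((path, "setuid bit newly set"))
        if cur[3] != base[3]:
            findings.append((path, "inode changed (file replaced, not edited)"))
    for path in baseline.keys() - current.keys():
        findings.append((path, "removed"))
    return findings

if __name__ == "__main__":  # assumed usage: watchdog.py baseline.json /etc
    import json, sys
    baseline_file, current = sys.argv[1], snapshot(sys.argv[2])
    if not os.path.exists(baseline_file):  # first run: record the baseline
        with open(baseline_file, "w") as fh:
            json.dump(current, fh)
    else:
        with open(baseline_file) as fh:
            baseline = {p: tuple(v) for p, v in json.load(fh).items()}
        for path, reason in compare(baseline, current):
            print(f"ALERT {path}: {reason}")
```

Keep the baseline somewhere the watched host cannot rewrite it (or sign it), since an attacker with root can otherwise just re-baseline after modifying files.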

01-20-2002, 02:13 PM
Web Hosting Evangelist
Join Date: Aug 2001
Location: St. Louis, MO
Posts: 467
Which log files track that access?

01-20-2002, 05:38 PM
Web Hosting Master
Join Date: Oct 2001
Location: California, USA
Posts: 1,315
Quote:
Originally posted by pgrote
Which log files track that access?
Well, *our* logfiles. We're kinda paranoid
Anyway, sorry about that totally useless thread. But that's the reason why I started it in the Lounge: I had to express my anger; feeling better now...