Mother...er well, "fiddlestick!"

  #1  
01-20-2002, 05:30 AM
cyansmoker
Web Hosting Master
 
Join Date: Oct 2001
Location: California, USA
Posts: 1,315

Mother...er well, "fiddlestick!"


Man, I'm so sick of it.
First this guy, a client, uses an SSH exploit to gain root access on the computer where his account is hosted, just for the sake of hiding his IRC bouncer.
We suspend his account but leave SSH v1 (the security 'hole') access open because some other clients have old SSH clients. We send him an email explaining the account suspension and our reasons. Of course he denies. Would you believe he keeps a low profile? Nah, he hacks into the computer right back. Of course, we kick him out right away and disable SSH1 for good.

He writes back, denying and so on. When we explain to him we have logfiles and that processes show their original owner's signature (he doesn't know jack, mind you; nowadays all you have to do is download a rootkit when you're a lame wannabe); well, when we explain that to him, he caves in and uses the lousy "I've lent my account to a friend" excuse. Yeah, right.

Well long story short, today, bang, chargeback!

I'm quite mad. We have plenty of good clients, but sometimes a rotten apple makes you feel like you could really kick some ass really hard.

Ah, anyway, that was today's rant. Thanks for reading.

__________________
http://www.voilaweb.com - the Social Internet Toolbox.



  #2  
01-20-2002, 06:21 AM
Mafukie
Junior Guru Wannabe
 
Join Date: Feb 2001
Posts: 45
I don't see why you didn't disable the user's account right away, along with ssh1, and look further into patching the security hole in the first place.

Other than that, sorry to hear about the chargeback. That's really unfortunate, since I'm trying to get into the business soon and have been reading and posting frequently trying to 'catch on' as much as possible, to hear that these things happen so frequently.

__________________
-Mafukie

  #3  
01-20-2002, 06:36 AM
cyansmoker
Web Hosting Master
 
Join Date: Oct 2001
Location: California, USA
Posts: 1,315
Well,
Mafukie, his account was disabled right away but our mistake was not to check some remaining files.
Plus bad things never happen one after the other, rather you generally get a nice bucket of sh*t and you realize "well, it may not be my day".

__________________
http://www.voilaweb.com - the Social Internet Toolbox.

  #4  
01-20-2002, 07:15 AM
priyadi
Registered User
 
Join Date: Apr 2001
Location: Depok, Indonesia
Posts: 986
How did you find out that this is SSH1 exploit? As far as I can tell, with secure servers (e.g. OpenSSH), it is still very difficult for a casual IRC l33t w4nn4b3 to exploit. If he can do that, then he has better things to do. Also, exploiting the vulnerability requires sniffing an already created ssh connection.

What version of SSH are you using? If it is not a recent version, I suggest upgrading. See http://www.openssh.com/security.html for information on SSH vulnerabilities.

  #5  
01-20-2002, 07:25 AM
cyansmoker
Web Hosting Master
 
Join Date: Oct 2001
Location: California, USA
Posts: 1,315
Yes,
on this server, we hadn't replaced the default SSH with OpenSSH yet. Well, it's now done.

__________________
http://www.voilaweb.com - the Social Internet Toolbox.

  #6  
01-20-2002, 07:49 AM
cyansmoker
Web Hosting Master
 
Join Date: Oct 2001
Location: California, USA
Posts: 1,315
Well,
Mafukie, his account was disabled right away but our mistake was not to check some remaining files.
Plus bad things never happen one after the other, rather you generally get a nice bucket of sh*t and you realize "well, it may not be my day".

__________________
http://www.voilaweb.com - the Social Internet Toolbox.

  #7  
01-20-2002, 08:21 AM
Skeptical
Web Hosting Master
 
Join Date: May 2001
Posts: 1,349
You'd better double check your system to make sure this hacker didn't install other backdoors/trojans into your system after he got root via the ssh exploit.

__________________
Expert Cpanel and WHMCS Development
We have done many modules such as alipay, chinabank, net.cn domain registration, and Cpanel modules such as auto-installers similar to Scriptaculous. Demo available upon request.
Email: sales[-at-]systemengineer.com

  #8  
01-20-2002, 09:13 AM
cyansmoker
Web Hosting Master
 
Join Date: Oct 2001
Location: California, USA
Posts: 1,315
Quote:
Originally posted by Skeptical
You'd better double check your system to make sure this hacker didn't install other backdoors/trojans into your system after he got root via the ssh exploit.
Sure thing! Actually, as it turns out, we have a pretty sophisticated watchdog that alerts us when something seems fishy (checking file ownership, new devices, etc.), so that doesn't leave much time for them to clobber any evidence. This is how we ended up having all these nice logs.

I was ranting on how easy it is for any wannabe to hack a unix system; download a rootkit and you're rolling. The silver lining, here, is that their attempts are all but stealthy, since they do not have an intimate knowledge of the OS. Well, just hoping that we never get hacked by a *real* hacker.

__________________
http://www.voilaweb.com - the Social Internet Toolbox.
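Skeptical's advice to double-check the box for backdoors after a root compromise, and cyansmoker's description of a watchdog that flags file-ownership changes and new device nodes, both come down to the same technique: take a baseline of filesystem metadata while the host is known-good, then diff the live system against it. The script below is an added example written for this thread, not the poster's tool and not part of the original page. It records uid, gid and st_mode for every path under a root, then reports ownership changes, permission changes, newly set-uid/set-gid files, new device nodes, and files that appeared or vanished. The sample baseline and "after" snapshot at the bottom are constructed, as are the paths in them.

```python
"""Baseline-and-diff watchdog for file ownership, permissions and device nodes.

Hypothetical helper written for this thread; snapshot() reads the real filesystem,
compare() works on any two snapshots, and demo() runs compare() on constructed data.
"""
import os
import stat
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Entry:
    uid: int
    gid: int
    mode: int  # full st_mode: file-type bits plus permission bits


Snapshot = Dict[str, Entry]
Finding = Tuple[str, str, str]  # (kind, path, detail)


def snapshot(root: str) -> Snapshot:
    """Record owner, group and mode of everything under root.

    lstat() is used so a symlink is recorded as itself rather than followed.
    """
    seen: Snapshot = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # raced with a delete, or unreadable: skip rather than abort
            seen[path] = Entry(st.st_uid, st.st_gid, st.st_mode)
    return seen


def is_device(mode: int) -> bool:
    return stat.S_ISCHR(mode) or stat.S_ISBLK(mode)


def is_setid(mode: int) -> bool:
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def compare(baseline: Snapshot, current: Snapshot) -> List[Finding]:
    """Diff two snapshots; each finding names what changed and where."""
    findings: List[Finding] = []
    for path, cur in sorted(current.items()):
        old = baseline.get(path)
        if old is None:
            findings.append(("NEW", path, f"{cur.uid}:{cur.gid} {oct(stat.S_IMODE(cur.mode))}"))
            if is_device(cur.mode):
                findings.append(("NEW_DEVICE", path, "device node not in baseline"))
            if is_setid(cur.mode):
                findings.append(("SETID_ADDED", path, "new set-uid/set-gid file"))
            continue
        if (old.uid, old.gid) != (cur.uid, cur.gid):
            findings.append(("OWNER_CHANGED", path, f"{old.uid}:{old.gid} -> {cur.uid}:{cur.gid}"))
        if stat.S_IMODE(old.mode) != stat.S_IMODE(cur.mode):
            findings.append(("MODE_CHANGED", path,
                             f"{oct(stat.S_IMODE(old.mode))} -> {oct(stat.S_IMODE(cur.mode))}"))
        if not is_setid(old.mode) and is_setid(cur.mode):
            findings.append(("SETID_ADDED", path, "set-uid/set-gid bit gained since baseline"))
        if not is_device(old.mode) and is_device(cur.mode):
            findings.append(("NEW_DEVICE", path, "regular path replaced by a device node"))
    for path in sorted(baseline):
        if path not in current:
            findings.append(("REMOVED", path, "present in baseline, missing now"))
    return findings


# Constructed sample data (not taken from any real host): a healthy baseline and a
# later snapshot showing the kinds of changes the watchdog in the thread is meant to catch.
SAMPLE_BASELINE: Snapshot = {
    "/usr/bin/ps": Entry(0, 0, 0o100755),
    "/etc/passwd": Entry(0, 0, 0o100644),
    "/home/client/.bashrc": Entry(1001, 1001, 0o100644),
}
SAMPLE_CURRENT: Snapshot = {
    "/usr/bin/ps": Entry(0, 0, 0o104755),          # gained the set-uid bit
    "/etc/passwd": Entry(0, 0, 0o100644),          # unchanged
    "/home/client/.bashrc": Entry(0, 0, 0o100644), # now owned by root
    "/dev/.hidden/null": Entry(0, 0, 0o020666),    # new character device
    "/tmp/.x/bnc": Entry(1001, 1001, 0o100755),    # new file under the client's uid
}


def demo() -> List[Finding]:
    return compare(SAMPLE_BASELINE, SAMPLE_CURRENT)


if __name__ == "__main__":
    for kind, path, detail in demo():
        print(f"{kind:14} {path}  {detail}")
```

Running it prints six findings on the constructed data: the new device node, the root-owned dotfile, the new file in /tmp, and the mode change plus set-id gain on /usr/bin/ps, while /etc/passwd is silent. In practice the baseline should be written while the host is trusted and stored somewhere the host itself cannot rewrite (a remote machine or read-only media), because a rootkit that can replace ps can just as easily replace a baseline kept on the same disk; comparing against a snapshot taken after the compromise tells you nothing.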

  #9  
01-20-2002, 02:13 PM
pgrote
Web Hosting Evangelist
 
Join Date: Aug 2001
Location: St. Louis, MO
Posts: 467
Which log files track that access?

  #10  
01-20-2002, 05:38 PM
cyansmoker
Web Hosting Master
 
Join Date: Oct 2001
Location: California, USA
Posts: 1,315
Quote:
Originally posted by pgrote
Which log files track that access?
Well, *our* logfiles. We're kinda paranoid.

Anyway, sorry about that totally useless thread. But that's the reason why I started it in the Lounge: I had to express my anger; feeling better now...

__________________
http://www.voilaweb.com - the Social Internet Toolbox.
