Page 1 of 2
Results 1 to 40 of 45
  1. #1
    Join Date
    Mar 2005
    Posts
    48

    My server is HACKED, AGAIN???

    Original thread is here http://www.webhostingtalk.com/showth...hreadid=387903

    This is the second time my server has been hacked in 3 months. In the first incident, I received a status report and the service provider had to rebuild my server. Unfortunately they were not able to restore some accounts.

    In the second incident (yesterday), I received NO report and the server just died. First I thought it was an outage, and I contacted them several hours later only to be told my server was hacked again and they were working on it. They are not sure if they can restore my content, which is NOT acceptable to me.

    I understand servers get hacked from time to time, but the fact that it happened twice on my server makes me wonder about this service provider. This was supposed to be FULLY MANAGED, with all the bells and whistles in their SLA. They are highly recommended on WHT. I guess it's time to look for a different provider.

    If you all think I should post their name here, please say so in this thread, and if I get enough responses I will post it.

  2. #2
    Join Date
    May 2004
    Location
    Toronto, Canada
    Posts
    5,084
    I hate to be the one to say it, but the last time you were compromised, everyone advised you to get it secured. You had the server rebuilt and I don't think you did anything to secure it, so it is not at all a surprise that it was hacked again.

    Your IP is in a list of servers now; I am sure that they will just keep compromising it unless you take the time and get it professionally locked down. What is the provider? I am not sure that fully managed always means proactive security management. If they don't say that they do that, then they don't, but since you are not telling us who it is we really can't help you to see if this is your fault or theirs.
    André Allen | E: aallen(a)linovus.ca
    Linovus Holdings Inc
    Shared Hosting, Reseller Hosting, VPS, Dedicated Servers & Public Cloud | USA, Canada & UK - 24x7x365 Support

  3. #3
    Join Date
    Oct 2003
    Location
    California
    Posts
    1,271
    Guess it depends on what Fully Managed means? I think you are still responsible for locking down, or hiring a system admin to secure your box. I would like to know what company it is so we can verify whether they offer this as a service or not. If they do, then it's their fault, but I'm sure they covered themselves in the TOS.

    Sorry to hear about all this, I'm sure it's hurting business.

  4. #4
    I don't care what a company claims they will do. When it comes to security you should always take it upon yourself to make sure that things are secure. With that said, I would like to know what they did to get in.

  5. #5
    Join Date
    May 2004
    Location
    Toronto, Canada
    Posts
    5,084
    Well, while that's true smoked1, for many people the company can do it better than they can themselves, so if the company offers that service, it's a good idea to take it.

    Then you don't get into the finger pointing if something goes wrong.
    André Allen | E: aallen(a)linovus.ca
    Linovus Holdings Inc
    Shared Hosting, Reseller Hosting, VPS, Dedicated Servers & Public Cloud | USA, Canada & UK - 24x7x365 Support

  6. #6
    Join Date
    Mar 2005
    Posts
    48
    I have been told that the server is secure after my first episode; this is a big company and highly recommended here. The company is LIQUIDWEB. I purposely picked this company based on my reading here. Oh well..... just my luck...

    I guess I am looking for a new provider and a fully qualified sysadmin company to manage the new servers.

  7. #7
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Security is not a one-time thing; you have to be proactive at updating.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  8. #8
    Join Date
    Mar 2005
    Posts
    48
    Is that for me or for LiquidWeb?

    Originally posted by thelinuxguy
    Security is not a one-time thing; you have to be proactive at updating.

  9. #9
    Join Date
    Nov 2002
    Location
    WebHostingTalk
    Posts
    8,878
    Originally posted by thelinuxguy
    Security is not a one-time thing; you have to be proactive at updating.
    To echo Steve's comment, this is something that is done on a daily, weekly and monthly basis. Security is never a one-time job. I would also not rely solely on my server's DC support team (even if this is a fully managed server) to ensure that my box is secured.

    Sirius
    I support the Human Rights Campaign!
    Moving to the Tampa, Florida area? Check out life in the suburbs in Trinity, Florida.

  10. #10
    Join Date
    Jul 2002
    Posts
    3,352
    I think what voltus_99 needs is a completely managed server. I thought LiquidWeb does all that stuff, no?

  11. #11
    How did they gain access? If this server is used for hosting other people's content, I would suggest that you have a guy check and maintain your security outside of your hosting company. Making sure a box is secure after it is set up can take quite a bit of time. If I were you I would get a new IP address and use the old one on a honeypot.

  12. #12
    Join Date
    Aug 2004
    Location
    New York, NY
    Posts
    119
    try to install Trustix 2.2 Linux on your server

  13. #13
    Join Date
    Aug 2004
    Posts
    371
    Use AMD Opteron with NX bit.
    Servers get hacked mostly due to flaws in server software which allow hackers to get in without the root password. AMD64 technology can stop such flaws from becoming a problem in the CPU.

  14. #14
    Join Date
    Nov 2003
    Posts
    1,093
    You're driving me insane wm2100
    ManageMyServices was sold by me in September 2009. I no longer have any affiliation with this company.

  15. #15
    Join Date
    May 2004
    Location
    Baltimore, MD
    Posts
    1,203
    Originally posted by wm2100
    Use AMD Opteron with NX bit.
    Servers get hacked mostly due to flaws in server software which allow hackers to get in without the root password. AMD64 technology can stop such flaws from becoming a problem in the CPU.
    Are you referring to the Intel HyperThreading "exploit"? I heard about that but never knew it was confirmed.
    Automated Tendencies - Brand Management Agency from Baltimore, Maryland.
    Reputation Management • Search Engine Optimization • Pay Per Click • Email Marketing

  16. #16
    Join Date
    Aug 2004
    Posts
    371
    Originally posted by Laws
    You're driving me insane wm2100
    Come on, dude, there has to be someone who posts some interesting stuff, right? Everyone has their expertise; let's just assume my specialty here is to introduce the great grand revolutionary 64-bit technology to our fellas....

  17. #17
    Join Date
    Aug 2004
    Posts
    371
    But, to be serious, NX bit definitely stops all buffer overflow attacks, which are the most common remote exploits.

    If you don't believe it, we can set up two machines, one Intel Xeon and one AMD Opteron, and let hackers begin. I am willing to bet $500 on it.

  18. #18
    Join Date
    Mar 2002
    Location
    Philadelphia, PA
    Posts
    2,508
    ^ That is correct.
    Linux junkie | steward.io

  19. #19
    Join Date
    Mar 2005
    Posts
    48
    That's what I thought too.... f***ing lame.... server is up and they are working on restoring data.

    I asked for a new IP, so we will see what they say this time...

    Originally posted by jt2377
    I think what voltus_99 needs is a completely managed server. I thought LiquidWeb does all that stuff, no?

  20. #20
    Well,

    the first thing you want to do is to figure out how you were hacked, so you can stop it from happening through the same hole again!

    Look into your /tmp and see if you find any strange file there...

    Good luck.

  21. #21
    Join Date
    Mar 2005
    Posts
    48
    Again, is this comment for me or LiquidWeb?

    This is what I don't understand from you all: is it my responsibility to do all this? What's the POINT of getting managed servers?

    If I can do all this myself, why did I go with a managed server in the first place?....... bah...

    Originally posted by bigmaster
    Well,

    the first thing you want to do is to figure out how you were hacked, so you can stop it from happening through the same hole again!

    Look into your /tmp and see if you find any strange file there...

    Good luck.

  22. #22
    Ok,

    look at it this way! You have a bundle of money, you give it to the bank and you walk away! Well, if you bother counting it before you hand it to the bank, you will prevent any further problem too, right?

    I totally see your point: if you have a managed server they should be responsible and stuff, but remember, we are using Unix-based systems instead of Windows for a similar concept. In Windows we cannot change the source, we have limited access... we should hope that Microsoft comes and fixes the bugs, right? How often do they miss a bug?
    It is the same. Think about how many managed servers these people support, and how many shared hosting accounts are on each server... you do the math on who would be able to catch errors and problems faster, you or them.

    Good thing is you had backups.
    Good luck.

  23. #23
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Originally posted by wm2100
    But, to be serious, NX bit definitely stops all buffer overflow attacks, which are the most common remote exploits.

    If you don't believe it, we can set up two machines, one Intel Xeon and one AMD Opteron, and let hackers begin. I am willing to bet $500 on it.
    It's only a matter of time before an NX-bit exploit happens. The HyperThreading exploit is already patched by Red Hat. Putting your faith into a piece of hardware... who would have thunk.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  24. #24
    There is this script posted at http://www.myserver.us/articles/chec...ory-check.html

    What it does is check your /tmp directory for hack attempts.
    I put this link up yesterday too, but it looks like someone deleted the post. Anyway, you can use similar scripts to spot common hack attempts as soon as they happen or the hacker starts them. Let's say you use a monitoring script with a cron job every 1 minute: your response time is around 1.5 minutes (waiting for the email to arrive too).

    Now think about it: if you have nothing to monitor your server, at 2am the server gets hacked, and you are lucky if some customer calls you early in the morning or you happen to see it yourself at 8am. You open a trouble ticket, if you are lucky they get back to you within an hour, and and and....
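    As an added example (not the script linked above and not code from anyone in this thread), here is a small POSIX shell sweep of the kind bigmaster describes in posts #20 and #24: it walks a scratch directory and reports files that should not normally be sitting there, so a one-minute cron job can mail the list out. The four finding categories, the tab-separated output format and the `tmp_is_clean` wrapper are my own choices, not anything the post specifies.

```shell
#!/bin/sh
# Added example: a scratch-directory sweep in the spirit of the /tmp check discussed above.
# It is not the script linked in the post; the categories below are my own choice.
# Findings that a throwaway-file directory normally should not contain:
#   ELF     first four bytes are the ELF magic, i.e. a compiled binary, executable bit or not
#   SCRIPT  file starts with "#!", i.e. a dropped interpreter script
#   EXEC    regular file with an execute bit set
#   HIDDEN  file stored under a dot-prefixed name or directory (a common way to hide droppings)
# Output: one finding per line, "KIND<TAB>path". Needs only sh, find, od and tr.

scan_tmp() {
    dir="${1:-/tmp}"
    # -xdev keeps the walk on one filesystem; -type f skips directories, sockets and fifos
    find "$dir" -xdev -type f 2>/dev/null | while IFS= read -r f; do
        # first four bytes as hex: 7f454c46 for ELF, 2321.... for "#!"
        magic=$(od -An -tx1 -N4 "$f" 2>/dev/null | tr -d ' \n')
        case "$magic" in
            7f454c46) printf 'ELF\t%s\n' "$f" ;;
            2321*)    printf 'SCRIPT\t%s\n' "$f" ;;
        esac
        [ -x "$f" ] && printf 'EXEC\t%s\n' "$f"
        # look for a dot-component below the scanned directory, not in the directory's own path
        case "${f#"$dir"}" in
            */.*) printf 'HIDDEN\t%s\n' "$f" ;;
        esac
    done
}

# Exit status 0 when the sweep found nothing, 1 otherwise, so a cron wrapper can decide whether to mail.
tmp_is_clean() {
    n=$(scan_tmp "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Stand-alone use: TMPCHECK_RUN=1 ./tmpcheck.sh [directory]  (defaults to /tmp)
if [ "${TMPCHECK_RUN:-0}" = "1" ]; then
    scan_tmp "${1:-/tmp}"
fi
```

    Dropped into a crontab as `* * * * * TMPCHECK_RUN=1 /usr/local/bin/tmpcheck.sh | mail -s "tmp sweep" you@example.com` (hypothetical path and address) it gives roughly the 1.5-minute response time the post talks about; a quieter variant only mails when `tmp_is_clean` fails. The ELF-magic check matters because an attacker's binary does not need the execute bit until the moment it is run, so looking at permissions alone misses droppings that are still being staged.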

  25. #25
    Join Date
    Aug 2004
    Posts
    371
    Originally posted by thelinuxguy
    It's only a matter of time before an NX-bit exploit happens. The HyperThreading exploit is already patched by Red Hat. Putting your faith into a piece of hardware... who would have thunk.
    I am talking about remote exploits.

    You are worrying about stuff that does not exist yet; no NX bit exploits have been discovered. We are worrying about existing software flaws, and NX bit stops them.

  26. #26
    As thelinuxguy said, the Red Hat patch is out for Xeon.

  27. #27
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Originally posted by wm2100
    I am talking about remote exploits.

    You are worrying about stuff that does not exist yet; no NX bit exploits have been discovered. We are worrying about existing software flaws, and NX bit stops them.
    Security is all about worrying; you, my friend, are a fool for thinking NX bit is going to save your life. BTW, for your information, 90% of hacks these days are done through vulnerable PHP scripts, then a local exploit is uploaded. Not much daemon exploiting going on.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  28. #28
    Join Date
    Mar 2005
    Location
    Sydney, Australia
    Posts
    76
    Originally posted by wm2100
    But, to be serious, NX bit definitely stops all buffer overflow attacks, which is the most common remote exploits.

    If you don't believe it, we can set up two machines, one INTEL xeon and one AMD opteron, and let hackers begin. I am willing to bet $500 on it.
    What disturbs me is people's belief in technologies they do not comprehend.

    The NX bit is designed to make what is known as the 'stack' non-executable. To quickly go into the basics, the stack, which exists on every system, is a LIFO (Last in First out) data structure. Programmers who have encountered assembly would know this from dealing with that ever so wonderful ESP register (or SP for the old 16-bit dogs).

    Basic stack-based buffer overflows which were the most common until more recent attacks (such as format-string attacks, heap overflows, integer overflows and off-by-one for example) worked on the basic principle that you could send more information than a buffer in the program was designed to hold - data that overflowed, overwrote memory following after that buffer.

    Sometimes some of these overflows enable attackers to gain control of the EIP/IP (Instruction Pointer) and point it at their code, known as shellcode, which typically spawn a shell, etc.

    So what's this got to do with the NX bit?


    Take stack-based overflows for example. After overflowing the buffer and gaining control of EIP, they have to point it at somewhere to do something useful. So, either prepared beforehand or stuffed in the buffer, depending on the vulnerability at hand, usually they will attempt to execute code they've stored on the stack.

    The NX-bit, PaX and several other patches for various operating systems employ what is known as a NON-EXECUTABLE stack. In other words, can read and write but can't run code on that page of memory.


    Guess I'm getting a bit overboard... wm2100 and anyone else reading this post. Non-executable stack patches, whether at kernel-level, or the hardware-level, are not new.

    Second myth to dispel. They do not stop attacks. They do not prevent the buffer from being overrun. All they do is check to see if EIP is sitting in a data page or not.

    Furthermore - there are security whitepapers for working around these security patches, or in some cases as thelinuxguy has said - they do develop ways of defeating said protection.

    What's even more scary is that you're claiming he should go to an AMD64 system and it will solve all his problems. How do you know that the problem wasn't:

    a) Weak password
    b) Misconfigured permissions
    c) Hole in web-based application

    There are many security areas to cover - and buffer overflows are only one way of gaining control, or part thereof.

    If you are still dubious about this, I suggest you read papers regarding return-into-libc methods for defeating non-executable stacks, and also have a further look around security sites. You just might be surprised to find that the NX-bit, or PaX, or exec shield are just one cog in a big wheel, instead of saying one solution will solve all this person's woes.
    http://magi.net.au - Development / rant blog for coders, *nix admins, unofficial cpanel and whatnot.
    Server administration / Emergency work / Security handling available on request - private message/email for quote or more information
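    The post above makes the point that a non-executable stack is a property of individual memory pages, not a blanket guarantee. As an added example (my own code, not from cpanelgh0st or anyone else in the thread), the POSIX shell functions below show two checks an admin can run before crediting the NX bit with anything: whether the CPU actually advertises the `nx` flag in `/proc/cpuinfo`, and what each binary's `GNU_STACK` program header requests, as printed by GNU binutils `readelf -lW`. A header flagged `RWE` asks the kernel for an executable stack and gets it, NX hardware or not, which is exactly the "one cog in a big wheel" situation. The sample `cpuinfo` and `readelf` texts are constructed, trimmed to the relevant lines, and assume the column layout of GNU readelf in wide mode.

```shell
#!/bin/sh
# Added example, not from the thread: two checks before trusting that "the NX bit" protects a box.
# 1) nx_supported_cpu  - does the flags line of /proc/cpuinfo (read from stdin) list "nx"?
# 2) stack_flags       - what does a binary's GNU_STACK program header request? Parsed from the
#    text `readelf -lW <binary>` prints (read from stdin). "RW" means a non-executable stack;
#    "RWE" means the binary asks for an executable stack, which the kernel grants even on NX
#    hardware, so the protection the post describes is switched off for that process.
# 3) nx_verdict        - combines both into one word for a cron or audit report.

nx_supported_cpu() {
    # /proc/cpuinfo separates flags with spaces; split them one per line and match "nx" exactly
    grep -E '^flags[[:space:]]*:' | head -n 1 | tr ' ' '\n' | grep -qx 'nx'
}

stack_flags() {
    # readelf -lW prints one program header per line:
    #   Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align   -> the flags are field 7
    awk '$1 == "GNU_STACK" { print $7; found = 1 } END { if (!found) print "NONE" }'
}

nx_verdict() {
    cpu="$1"
    hdrs="$2"
    if ! printf '%s\n' "$cpu" | nx_supported_cpu; then
        echo "no-nx-cpu"
        return 0
    fi
    case "$(printf '%s\n' "$hdrs" | stack_flags)" in
        RW)  echo "stack-nx" ;;
        RWE) echo "stack-exec-requested" ;;
        *)   echo "no-gnu-stack-header" ;;   # header absent: loader default applies, treat as unverified
    esac
}

# Constructed sample inputs (not captured from a real host), trimmed to the lines that matter.
CPU_WITH_NX='processor : 0
flags : fpu vme de pse tsc msr pae nx lm
'
CPU_WITHOUT_NX='processor : 0
flags : fpu vme de pse tsc msr pae lm
'
HDRS_RW='Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x000620 0x000620 R E 0x1000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
'
HDRS_RWE='Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10
'
HDRS_NONE='Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x000620 0x000620 R E 0x1000
'

# Stand-alone use on a live host: NXCHECK_BIN=/path/to/binary ./nxcheck.sh
if [ -n "${NXCHECK_BIN:-}" ] && [ -r /proc/cpuinfo ]; then
    nx_verdict "$(cat /proc/cpuinfo)" "$(readelf -lW "$NXCHECK_BIN")"
fi
```

    Run against every daemon and setuid binary on the box, `stack-exec-requested` and `no-gnu-stack-header` are the results worth chasing: the first is usually a binary built with an executable-stack object linked in, the second an old toolchain. Either way the CPU flag alone proves nothing, which is the post's argument in checkable form.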

  29. #29
    Join Date
    Dec 2004
    Location
    New York, NY
    Posts
    10,574
    I would have to go with Steve here. Most exploits are through poorly coded PHP scripts.

    --GSV
    MediaLayer, LLC - www.medialayer.com Learn how we can make your website load faster, translating to better conversion rates for your business!
    The pioneers of optimized web hosting, featuring LiteSpeed Web Server & SSD Storage - Celebrating 10 Years in Business

  30. #30
    Join Date
    Mar 2005
    Location
    Sydney, Australia
    Posts
    76
    Same. Most of the attacks at the moment have just been via web applications, phpBB being the most relevant one to bring up.
    http://magi.net.au - Development / rant blog for coders, *nix admins, unofficial cpanel and whatnot.
    Server administration / Emergency work / Security handling available on request - private message/email for quote or more information

  31. #31
    Join Date
    May 2004
    Location
    madison, wi
    Posts
    839
    In the end you, voltus, are responsible. If you aren't responsible for the work, you are responsible to make sure it is complete. Had to lay down some tough love.

  32. #32
    phpBB and Advanced Guestbook. Two things to look for on any server by the admin!

    As you said, these days most hacks are through PHP and through clients that don't know much themselves. That's why every time I see a host offering EVERYTHING, I wonder what kind of an admin is behind that system!

  33. #33
    Join Date
    Oct 2003
    Location
    Chicago, IL
    Posts
    654
    We are still investigating; however, I would like to preliminarily note that the server's kernel/daemons/supporting software were all up-to-date. We have had one tech look into the issue and our head security admin will be investigating tomorrow for possible attack vectors. It is still undetermined whether it was a technical or social-engineering-based intrusion.
    Zac Cogswell
    WiredTree Fully Managed VPS and Dedicated Hosting | Average Helpdesk Response <15 Minutes, 24x7 Instant Phone Support
    Follow us on Twitter: @WiredTree | Like us on Facebook: facebook.com/WiredTree
    zac @ wiredtree.com | toll-free: 1.866.523.8733 local: +1.312.447.0510

  34. #34
    Join Date
    Dec 2004
    Location
    New York, NY
    Posts
    10,574
    If it is social engineering based, no matter how many security layers you have, the person still has access; you can't really fix that.

    --GSV
    MediaLayer, LLC - www.medialayer.com Learn how we can make your website load faster, translating to better conversion rates for your business!
    The pioneers of optimized web hosting, featuring LiteSpeed Web Server & SSD Storage - Celebrating 10 Years in Business

  35. #35
    Originally posted by serverunion
    In the end you, voltus, are responsible. If you aren't responsible for the work, you are responsible to make sure it is complete. Had to lay down some tough love.
    A busy one.

  36. #36
    Join Date
    Feb 2004
    Location
    Your Screen
    Posts
    3,998
    Originally posted by voltus_99
    Again, is this comment for me or LiquidWeb?
    You. It's your server.

    Bailey
    Let's Connect on Twitter! @thatsmsgeek2u || Fighting mediocrity one thread at a time.

  37. #37
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,549
    Originally posted by LiquidwebZac
    We are still investigating; however, I would like to preliminarily note that the server's kernel/daemons/supporting software were all up-to-date. We have had one tech look into the issue and our head security admin will be investigating tomorrow for possible attack vectors. It is still undetermined whether it was a technical or social-engineering-based intrusion.
    Just to comment on this one. Although I disagree with the thread starter that you should do everything for him, it begs the question: what sort of "basic" security do you enforce on managed servers? Surely if it happened before you would have reported to the customer what was hacked before? Sorry if this sounds negative, it is just very strange that it has happened again.

    To the thread starter: you have to understand that managed servers do NOT mean they will do every single thing for your server; they provide a basic managed server. Of course some companies are different; it just depends how important that part of their setup is to them personally.

    I understand you may be unable to manage your own servers, which is why outsourced management companies exist.

    -Scott
    Server Management - AdminGeekZ.com
    Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
    WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implementation, DDoS Protection, Custom Nginx Modules
    Check our wordpress varnish plugin. Contact us for quote: [email protected]

  38. #38
    Join Date
    May 2004
    Location
    Toronto, Canada
    Posts
    5,084
    Originally posted by cpanelgh0st
    What disturbs me is people's belief in technologies they do not comprehend.

    The NX bit is designed to make what is known as the 'stack' non-executable. To quickly go into the basics, the stack, which exists on every system, is a LIFO (Last in First out) data structure. Programmers who have encountered assembly would know this from dealing with that ever so wonderful ESP register (or SP for the old 16-bit dogs).

    Basic stack-based buffer overflows which were the most common until more recent attacks (such as format-string attacks, heap overflows, integer overflows and off-by-one for example) worked on the basic principle that you could send more information than a buffer in the program was designed to hold - data that overflowed, overwrote memory following after that buffer.

    Sometimes some of these overflows enable attackers to gain control of the EIP/IP (Instruction Pointer) and point it at their code, known as shellcode, which typically spawn a shell, etc.

    So what's this got to do with the NX bit?


    Take stack-based overflows for example. After overflowing the buffer and gaining control of EIP, they have to point it at somewhere to do something useful. So, either prepared beforehand or stuffed in the buffer, depending on the vulnerability at hand, usually they will attempt to execute code they've stored on the stack.

    The NX-bit, PaX and several other patches for various operating systems employ what is known as a NON-EXECUTABLE stack. In other words, can read and write but can't run code on that page of memory.


    Guess I'm getting a bit overboard... wm2100 and anyone else reading this post. Non-executable stack patches, whether at kernel-level, or the hardware-level, are not new.

    Second myth to dispel. They do not stop attacks. They do not prevent the buffer from being overrun. All they do is check to see if EIP is sitting in a data page or not.

    Furthermore - there are security whitepapers for working around these security patches, or in some cases as thelinuxguy has said - they do develop ways of defeating said protection.

    What's even more scary is that you're claiming he should go to an AMD64 system and it will solve all his problems. How do you know that the problem wasn't:

    a) Weak password
    b) Misconfigured permissions
    c) Hole in web-based application

    There are many security areas to cover - and buffer overflows are only one way of gaining control, or part thereof.

    If you are still dubious about this, I suggest you read papers regarding return-into-libc methods for defeating non-executable stacks, and also have a further look around security sites. You just might be surprised to find that the NX-bit, or PaX, or exec shield are just one cog in a big wheel, instead of saying one solution will solve all this person's woes.

    /me bows. Good post.
    André Allen | E: aallen(a)linovus.ca
    Linovus Holdings Inc
    Shared Hosting, Reseller Hosting, VPS, Dedicated Servers & Public Cloud | USA, Canada & UK - 24x7x365 Support

  39. #39
    Join Date
    Mar 2005
    Location
    Sydney, Australia
    Posts
    76
    Originally posted by LiquidwebZac
    We are still investigating; however, I would like to preliminarily note that the server's kernel/daemons/supporting software were all up-to-date. We have had one tech look into the issue and our head security admin will be investigating tomorrow for possible attack vectors. It is still undetermined whether it was a technical or social-engineering-based intrusion.
    Define up-to-date. :/ Hope the intrusion wasn't too bad though (complete server takeover)... the last few intrusions I've had to deal with this month were basic attacks, thanks to web apps and basic passwords.

    Interestingly enough, at the time of writing there are a few outstanding flaws in the Linux kernel alone, not to mention a couple of new PHP flaws.

    (Do note that while some are listed as DoS vulnerabilities, the kernel ones have had a habit of turning into privilege escalation in some cases... i.e. the bluetooth bug.)

    OpenSSH SCP Client File Corruption Vulnerability - http://www.securityfocus.com/bid/9986

    Linux Kernel 64 Bit PTrace Segment Base Address Local Denial Of Service Vulnerability - http://www.securityfocus.com/bid/13891

    Linux Kernel MMap Invalid Memory Region Local Denial Of Service Vulnerability - http://www.securityfocus.com/bid/13893

    Linux Kernel Auditing Code Unspecified Local Denial Of Service Vulnerability - http://www.securityfocus.com/bid/13895

    Multiple Linux Kernel IOCTL Handlers Local Memory Corruption Vulnerabilities - http://www.securityfocus.com/bid/13651

    PHP Group PHP Remote JPEG File Format Remote Denial Of Service Vulnerability - http://www.securityfocus.com/bid/12963

    PHP Group PHP Image File Format Remote Denial Of Service Vulnerability - http://www.securityfocus.com/bid/12962
    http://magi.net.au - Development / rant blog for coders, *nix admins, unofficial cpanel and whatnot.
    Server administration / Emergency work / Security handling available on request - private message/email for quote or more information

  40. #40
    Join Date
    Jul 2002
    Posts
    3,352
    Originally posted by bigmaster
    Ok,

    look at it this way! You have a bundle of money, you give it to the bank and you walk away! Well, if you bother counting it before you hand it to the bank, you will prevent any further problem too, right?
    The bank will manage your money, help you keep track of records, and stop anyone who tries to use your debit card or withdraw money from you. It's their duty to stop any unauthorized usage (hacker). Even if the bank gets robbed, they are insured up the ying-yang so that you won't lose a dime.

    If a provider (bank) offers a managed server (safe vault/checking account), it's the provider's job to keep your money/valuables safe, unless your contract/checking account states otherwise. If the provider (bank) didn't do their job, what's the point of renting a safe vault (managed server) at the bank? You should keep your valuables at home then, since keeping them at the bank is no different from your home. What's the point of paying an extra fee to manage your server? LiquidWeb might as well sell their server for less and say it's unmanaged.

    OP should check with LiquidWeb on what type of managed service is offered and what LiquidWeb will do if they fail the SLA.
    Last edited by jt2377; 06-08-2005 at 11:46 PM.
