Re: [LUG] Server got hacked


On 25/11/13 15:56, Martijn Grooten wrote:
>> Didn't see a lot of failed attempts at login and I block IPs that fail after 5 times, could have been a low level attack over months I suppose.
>
> That seems unlikely, unless they really targeted you. Given how little effort they subsequently made, that doesn't seem to be the case.
>
> Even then, it would only be possible if the password wasn't at least moderately secure.

Which is/was 13 bytes, mixed upper/lower case, digits and a hyphen

>> Other way was I have discovered the root password and the MySQL DB password were the same, so it might have been exposed in some web script and they took a punt on it being the same.
>
> That seems far more likely. It's the kind of thing one can easily automate.
>
> Are you running some widely used piece of web software that makes use of MySQL (WordPress, Joomla, vBulletin, phpBB etc)? If so, I would make sure this is updated to the latest version.

Joomla, unfortunately, upgrading is no longer possible. I have been through the possible attacks list and we are not exposed to the known ones.

>> Think it was a script kiddy who didn't know much, since it would not have been that hard to work out what was happening.
>
> It could also have been a (semi-)automated attack.

Looking at the cli history, I don't think so.

>> Bit more concerned on the root password guess, had not been changed for a while it turns out either, so going to have to fix that issue.
>
> I don't think changing passwords regularly is necessary in most cases. Making sure the root password is something that isn't used elsewhere - and definitely not on the same system - is essential though. And make sure it is reasonably secure.
>
> And, as others have pointed out, not allowing root SSH access is a pretty sensible thing to do.

Not possible, but I have tied it down to the hosts that need it.
I don't like not having root access. Yes I know you can su, but have you ever been in the situation where you can't login to su? I have... can't remember what the issue was now, luckily someone was in the server room that could logon.


Email: stinga+dclug@xxxxxxxxxxxxx   o
You need only two tools.        o /////
A hammer and duct tape. If it    /@   `\  /) ~
doesn't move and it should use  >  (O)  X<  ~  Fish!!
the hammer. If it moves and      `\___/'  \) ~
shouldn't, use the tape.           \\\

The Mailing List for the Devon & Cornwall LUG
FAQ: http://www.dcglug.org.uk/listfaq
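
The compromise discussed in the thread above: root SSH kept, but tied down to the hosts that need it. This is an added example, not code from the thread or from any list member, that audits an sshd_config for exactly that policy. The sample config, the addresses and the function names are assumptions made for illustration.

```python
# Constructed sample config; 192.0.2.x is a documentation address range.
SAMPLE = """\
PermitRootLogin no

Match Address 192.0.2.10,192.0.2.11
    PermitRootLogin prohibit-password
"""

def root_login_policy(config_text):
    """Return (global_value, [(match_criteria, value), ...])."""
    global_value, scoped, current_match = None, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current_match = value          # everything below is scoped
        elif keyword == "permitrootlogin":
            if current_match is None:
                if global_value is None:   # sshd keeps the first value it reads
                    global_value = value.lower()
            else:
                scoped.append((current_match, value.lower()))
    return global_value, scoped

def findings(config_text):
    """List the places where root login is wider than 'named hosts, keys only'."""
    global_value, scoped = root_login_policy(config_text)
    issues = []
    if global_value != "no":
        issues.append("global PermitRootLogin is %s, not no" % (global_value or "unset"))
    for criteria, value in scoped:
        if value == "no":
            continue
        if "address" not in criteria.lower().split():
            issues.append("root login enabled by a Match block with no Address: " + criteria)
        if value == "yes":
            issues.append("root password login allowed for: " + criteria)
    return issues

if __name__ == "__main__":
    for issue in findings(SAMPLE) or ["root login is limited to listed hosts, keys only"]:
        print(issue)
```

An unset global value is reported because the built-in default for PermitRootLogin differs between OpenSSH versions.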