Server break-in

SpindleyQ's picture

Hi all,
So, the server what hosts Glorious Trainwrecks Dot Com was compromised on December 16th, 2010. If you are interested in gory technical details, this guy had a very similar experience to mine.

Since this attack appears to have happened to a bunch of other servers, I have no reason to believe that we were targeted specifically. I don't even know if they did anything with root access, once they got it. I don't see much evidence, in the way of new files, that they did. Considering they were so sloppy about breaking in that they left the source code of their rootkit lying around and didn't clear my outgoing mail server's error logs when they broke it, I'm willing to believe that they didn't really care too much if their activities were discovered.

I do know that they broke our outgoing email, so new users trying to sign up did not receive their confirmation emails, and no one got mail reminding them about Klik of the Month. Investigating that was what led me to discovering this hack.

I have kicked the intruders off of my box, upgraded my system to patch the security holes they used to get in, and manually uninstalled the rootkit (which thankfully was pretty simple).

However, the lovely thing about rootkits is that you can't necessarily tell for certain what was done to you. So I don't know if they've snooped in our database to try and extract passwords, for example. Drupal 5's default password hashing scheme is miserable, and I regret not having set up an improved scheme before this happened. If you are security conscious, you may want to change your password, here and anywhere else you use the same password.

I am confident enough in my recovery that I am keeping the site up; however, moving the site to a clean server reinstalled from scratch is something I plan to attempt to do soon, for everyone's peace of mind.

tl;dr: Romanian script kiddies may or may not be trying to sell your password on the black market.

snapman's picture

:(

Harrymatic's picture

OH DEAR GOD NOW THEY'VE GOT MY PASSWORD THEY ARE GOING TO MAKE TRAINWRECKS UNDER MY NAME
OH THE HUMANITY

SpindleyQ's picture

Well, you might have used the same password somewhere more important, is all.

Harrymatic's picture

I realise this, but I find it rather absurd that they would want to break into Glorious Trainwrecks of all sites.

Danni's picture

It was an automated attack that hit a number of servers without discrimination. The fact that it hit Glorious Trainwrecks was merely coincidental.
