Server Issue today

bio
Resident Junky
Posts: 6644
Joined: Tue Dec 31, 2002 12:24 pm
Location: Spokane, WA
Has thanked: 26 times
Been thanked: 43 times

Post by bio » Fri Dec 17, 2004 11:27 am

Apparently, someone figured out a way to drop an IRC bot on the server through apache. Jester and I are looking into it.

In the meantime, the server may be unavailable from time to time as we remove thus said bot and update the security and such.

Damn script kiddies.

EDIT: Actually... there was more than just an IRC bot. Jester found crap all over the drive. Apparently there was a security hole in ssh that was announced a few days ago. We now believe that's how they gained access (we've updated everything and will monitor).
"That's What"
- She
AsaJay
pantera pilot
Posts: 596
Joined: Wed Sep 10, 2003 8:56 am
Location: Greater Pacific Northwest

Post by AsaJay » Fri Dec 17, 2004 11:41 am

Dude, it's -got- to be the domain name. I mean just look at your stats! Half the people hitting your site are looking for pron. The SK must think it's a good place to drop stuff like this.

By the way, how did you discover the bot?

Post by bio » Fri Dec 17, 2004 12:11 pm

I didn't.... Jester did.

He was configuring SpamAssassin on the server and was looking at the running services to verify it was running. He saw things that made him curious so he did some digging.

I found a couple more and we killed those as well.

Crap like this makes me grumpy.

Post by AsaJay » Fri Dec 17, 2004 2:14 pm

Thankfully, you both are familiar enough with the processes that -should- be running, that you tend to suspect things that don't look right.

I can imagine it makes you grumpy.

A new article on /. this morning indicated new vulnerabilities found in PHP, and they had samples that affected phpBB.

Make sure you upgrade PHP dude.

Post by bio » Fri Dec 17, 2004 9:29 pm

We ran a full apt-get upgrade. All packages got the treatment.

Post by bio » Sun Dec 19, 2004 12:21 pm

Jester called me last night because we still had a bunch of processes running that shouldn't be... kinda.

I had 53 instances of "perl" that were of status "zombie" (because the file that it was supposed to run was missing). These were pointing to the applications that Jester located and removed from the system. All were running under the owner "www-data".

So... a quick reboot of the system and they're all gone. Looks like we're clean again (crossing my fingers). If not, we may have to take the server off-line, back up all the sql db's, user dirs, mail, etc., then apply the cleansing flame and start over.

*sigh*

I hate crap like this.
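The check described in the thread (spotting processes under `www-data` that should not be there, including zombies and interpreters whose script file is gone) can be scripted. The following is an added example, not part of the original posts or the admins' own tooling; the `EXPECTED` allowlist, the function names and the sample `ps` output are assumptions made for illustration.

```python
import os
import sys

WEB_USER = "www-data"   # account named in the thread
EXPECTED = {"apache2"}  # assumption: the only command this account should run

# Constructed `ps -eo pid=,user=,stat=,comm=,args=` output, not from the thread's server.
SAMPLE = """\
  812 www-data S    apache2  /usr/sbin/apache2 -k start
 4410 www-data Z    perl     [perl] <defunct>
 4417 www-data S    perl     perl /tmp/example/job.pl
    1 root     Ss   init     init [2]
"""

def parse(text):
    """Turn ps output into dicts; the args column is split on whitespace."""
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) >= 4 and fields[0].isdigit():
            pid, user, stat, comm = fields[:4]
            args = fields[4].split() if len(fields) == 5 else []
            yield {"pid": int(pid), "user": user, "stat": stat, "comm": comm, "args": args}

def classify(proc, exists=os.path.exists):
    """Return the reasons a web-user process deserves a closer look."""
    if proc["user"] != WEB_USER:
        return []
    reasons = []
    if proc["comm"] not in EXPECTED:
        reasons.append("unexpected command")
    if proc["stat"].startswith("Z"):
        reasons.append("zombie")
    # A script path on the command line that is no longer on disk.
    gone = [a for a in proc["args"][1:] if a.startswith("/") and not exists(a)]
    if gone:
        reasons.append("missing file: " + gone[0])
    return reasons

def triage(text, exists=os.path.exists):
    """Map pid -> reasons for every flagged process in the ps output."""
    return {p["pid"]: r for p in parse(text) if (r := classify(p, exists))}

if __name__ == "__main__":
    # Live use: ps -eo pid=,user=,stat=,comm=,args= | python3 triage.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for pid, reasons in triage(text).items():
        print(pid, "; ".join(reasons))
```

Command names containing spaces will confuse the column split, so treat the output as a starting point for manual review rather than a verdict.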