[volunteergrid2-l] my server has been hacked
Johannes Nix
Johannes.Nix at gmx.net
Thu Mar 8 00:14:10 UTC 2012
Hello,
> The password of my user was a 10 chars long semi-random password
> created by 'apg'. It looked something like 'EljadWole5'. I had the
> password for about a year, which I think is too long.
I think the time alone is not a high risk (maybe I'm wrong). However,
if a password with a length of less than about 15 characters
is used in another place and its hash is stolen after hacking the
site, it would be quite easy to crack it quickly with today's method of
choice (rainbow tables). I believe it's usually better to have an
18-character password on a piece of paper in the purse than a short one
memorized in the head. Smartcards can help as well.
Some people suggest using a long enough combination of several natural
words, which is much less susceptible to that kind of attack.
--> http://xkcd.com/936/
Regards,
Johannes
On Wed, 7 Mar 2012 23:39:50 +0100
sabotrax at gmail.com wrote:
> I really don't know. The system was a fully patched Ubuntu 11.04.
> External services were tahoe, ssh, postfix, apache, tor, polipo, f*ex,
> subsonic and owncloud (under apache).
> All but the last two were Ubuntu packages, so I assume they were OK.
> No daemon was configured unsafely (like fancy apache modules or such).
> subsonic (a music streaming server) did run with non-root privileges.
> owncloud (a private cloud software) is implemented as a PHP script and
> runs as the apache user (www-data).
> The password of my user was a 10 chars long semi-random password
> created by 'apg'. It looked something like 'EljadWole5'. I had the
> password for about a year, which I think is too long.
> Yesterday I installed Debian 6.0.4 and I'd like to keep it running with
> fewer packages and services. I have now secured ssh with one-time
> passwords (OPIE).
>
>
> 2012/3/7 Brad Rupp <bradrupp at gmail.com>:
> > I would be curious to know if you figured out how they hacked you.
> > That is good information for all of us to know to make sure we
> > don't have similar holes.
> >
> > Brad
> >
> >
> > On 3/6/2012 8:55 AM, sabotrax at gmail.com wrote:
> >>
> >> Hi all,
> >> It seems as if my server that is running tahoe has been hacked.
> >> I hate to say this, but I think the introducer furl has to be
> >> changed again.
> >>
> >> I was just looking around my system when I saw a new dir "test" under
> >> "/home" that had been created on 2012/02/21.
> >> I then did:
> >>
> >> root at foo:/home# lsof |grep test
> >> bash 1458 test cwd DIR 0,18 460 6108855 /run/shm/ / /bot
> >> bash 1458 test rtd DIR 8,1 4096 2 /
> >> bash 1458 test txt REG 0,18 492135 6108126 /run/shm/ / /bot/bash
> >> bash 1458 test mem REG 8,1 79712 14811193 /lib32/libresolv-2.13.so
> >> bash 1458 test mem REG 8,1 46736 14811192 /lib32/libnss_files-2.13.so
> >> bash 1458 test mem REG 8,1 1532104 14811189 /lib32/libc-2.13.so
> >> bash 1458 test mem REG 8,1 22092 14811194 /lib32/libnss_dns-2.13.so
> >> bash 1458 test mem REG 8,1 126152 14811196 /lib32/ld-2.13.so
> >> bash 1458 test 0w REG 0,18 2153806 6108891 /run/shm/ / /bot/LinkEvents
> >> bash 1458 test 1u sock 0,7 0t0 85480587 can't identify protocol
> >> bash 1458 test 2u sock 0,7 0t0 85479769 can't identify protocol
> >> bash 1458 test 3u IPv4 6108142 0t0 UDP *:49486
> >> bash 1458 test 4u sock 0,7 0t0 85481277 can't identify protocol
> >> bash 1458 test 5u sock 0,7 0t0 85698092 can't identify protocol
> >> bash 1458 test 6u sock 0,7 0t0 85498612 can't identify protocol
> >> bash 1458 test 7u sock 0,7 0t0 85576571 can't identify protocol
> >> bash 1458 test 8u sock 0,7 0t0 86667704 can't identify protocol
> >> bash 1458 test 9u sock 0,7 0t0 86667741 can't identify protocol
> >> bash 1458 test 10u sock 0,7 0t0 86669526 can't identify protocol
> >> bash 1458 test 11u sock 0,7 0t0 86669303 can't identify protocol
> >> bash 1458 test 12u sock 0,7 0t0 86671788 can't identify protocol
> >> bash 1458 test 13u sock 0,7 0t0 86670345 can't identify protocol
> >> bash 1458 test 14u IPv4 89167118 0t0 TCP foo.cyberdeck.null:38455->161.53.178.240:ircd (SYN_SENT)
> >> bash 1458 test 15u sock 0,7 0t0 86671794 can't identify protocol
> >> bash 1458 test 16u sock 0,7 0t0 86707925 can't identify protocol
> >> bash 1458 test 17u sock 0,7 0t0 87574595 can't identify protocol
> >> bash 1458 test 18u IPv4 89167113 0t0 TCP foo.cyberdeck.null:49523->173.245.201.28:afs3-fileserver (SYN_SENT)
> >> root at foo:/home# halt
> >> W: molly-guard: SSH session detected!
> >> Please type in hostname of the machine to halt: foo
> >>
> >> Broadcast message from undo at foo
> >> (/dev/pts/0) at 16:24 ...
> >>
> >> The system is going down for halt NOW!
> >>
> >> ---
> >>
> >> Looks like my box has been a proud member of some botnet for the
> >> last two weeks.
> >> At the moment I really don't know how this could have happened. I just
> >> wanted to tell you guys as fast as possible.
> >>
> >> greetings,
> >> marcus
> >>
> > _______________________________________________
> > volunteergrid2-l mailing list
> > volunteergrid2-l at tahoe-lafs.org
> > http://tahoe-lafs.org/cgi-bin/mailman/listinfo/volunteergrid2-l
> > http://bigpig.org/twiki/bin/view/Main/WebHome
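The lsof listing Marcus posted contains three signals a responder would key on: an executable and working directory under /run/shm (a RAM-backed filesystem nothing legitimate runs from), directory names consisting of a single space so the path is hard to read and hard to tab-complete, and outbound TCP in SYN_SENT towards an IRC port. The script below is an added example, not code from the thread or from Tahoe-LAFS: it parses raw lsof rows and reports those indicators. SAMPLE_LSOF is the posted listing (unwrapped, a few rows kept) plus two constructed sshd rows as a benign control; the suspect-path prefixes and the IRC port list are our own assumptions, and the second pass (list every other outbound connection of an already-flagged process) is what catches the connection to port 7000 (afs3-fileserver), which a port list alone would miss.

```python
"""Triage of lsof output for the indicators visible in the thread's listing.

Added example, not code from the thread or from Tahoe-LAFS. SAMPLE_LSOF is the
posted listing (unwrapped, a few rows kept) plus two constructed sshd rows used
as a benign control; the rule set and the IRC port list are our own assumptions.
"""
from collections import defaultdict

# Memory-backed or world-writable locations no legitimate daemon executes from (assumption).
SUSPECT_PREFIXES = ("/run/shm/", "/dev/shm/", "/tmp/", "/var/tmp/")
# /etc/services names and numbers commonly used by IRC-controlled bots (assumption).
IRC_PORTS = {"ircd", "6667", "6697", "ircs-u"}

# Rows for PID 1458 are from the post; the two sshd rows are constructed controls.
SAMPLE_LSOF = """\
bash 1458 test cwd DIR 0,18 460 6108855 /run/shm/ / /bot
bash 1458 test rtd DIR 8,1 4096 2 /
bash 1458 test txt REG 0,18 492135 6108126 /run/shm/ / /bot/bash
bash 1458 test mem REG 8,1 1532104 14811189 /lib32/libc-2.13.so
bash 1458 test 0w REG 0,18 2153806 6108891 /run/shm/ / /bot/LinkEvents
bash 1458 test 1u sock 0,7 0t0 85480587 can't identify protocol
bash 1458 test 3u IPv4 6108142 0t0 UDP *:49486
bash 1458 test 14u IPv4 89167118 0t0 TCP foo.cyberdeck.null:38455->161.53.178.240:ircd (SYN_SENT)
bash 1458 test 18u IPv4 89167113 0t0 TCP foo.cyberdeck.null:49523->173.245.201.28:afs3-fileserver (SYN_SENT)
sshd 901 root txt REG 8,1 811168 1048707 /usr/sbin/sshd
sshd 901 root 3u IPv4 12345 0t0 TCP *:ssh (LISTEN)
"""


def parse_lsof(text):
    """Return one dict per lsof row.

    NAME is the ninth column and may itself contain spaces; the attacker's
    '/run/shm/ / /bot' path relies on exactly that, so split at most 8 times
    instead of on every blank.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 8)
        if len(parts) < 9 or parts[0] == "COMMAND":
            continue
        cmd, pid, user, fd, ftype, _dev, _size, node, name = parts
        rows.append({"cmd": cmd, "pid": int(pid), "user": user, "fd": fd,
                     "type": ftype, "node": node, "name": name})
    return rows


def whitespace_components(path):
    """Path components consisting only of whitespace (e.g. a directory named ' ')."""
    return [c for c in path.split("/") if c and not c.strip()]


def remote_port(name):
    """'local:port->peer:port (STATE)' -> peer port; None for listeners and UDP rows."""
    if "->" not in name:
        return None
    peer = name.split("->", 1)[1].split()[0]
    return peer.rsplit(":", 1)[-1]


def analyze(rows):
    """Map (pid, command, user) -> list of distinct reasons the process looks hostile."""
    findings = defaultdict(list)

    def add(key, reason):
        if reason not in findings[key]:
            findings[key].append(reason)

    # First pass: per-row indicators.
    for r in rows:
        key = (r["pid"], r["cmd"], r["user"])
        if r["fd"] in ("txt", "cwd") and r["name"].startswith(SUSPECT_PREFIXES):
            add(key, f"{r['fd']} on a memory/tmp filesystem: {r['name']!r}")
        if r["type"] in ("REG", "DIR") and whitespace_components(r["name"]):
            add(key, f"whitespace-only directory names hide the path: {r['name']!r}")
        if r["node"] == "TCP" and remote_port(r["name"]) in IRC_PORTS:
            add(key, f"outbound IRC connection: {r['name']}")

    # Second pass: once a process is flagged, every other outbound connection it
    # holds is worth listing, whatever the port (here: port 7000, afs3-fileserver).
    for r in rows:
        key = (r["pid"], r["cmd"], r["user"])
        port = remote_port(r["name"])
        if key in findings and r["node"] == "TCP" and port and port not in IRC_PORTS:
            add(key, f"other outbound connection from flagged process: {r['name']}")
    return dict(findings)


if __name__ == "__main__":
    for (pid, cmd, user), reasons in analyze(parse_lsof(SAMPLE_LSOF)).items():
        print(f"PID {pid} ({cmd}, user {user}):")
        for reason in reasons:
            print("  -", reason)
```

parse_lsof takes the raw text, so the output of `lsof -nP` on a live host can be passed straight in; with -P the port column is numeric and the IRC rule then matches on the numbers rather than the service names. Triage of this kind only tells you which process to look at; as Marcus did, the box still needs to be taken offline and rebuilt rather than cleaned.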
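Johannes names rainbow tables as the way a short password's stolen hash gets cracked. The block below is an added example, not code from the thread: a working toy rainbow table over a deliberately tiny keyspace (3 lowercase letters, unsalted MD5) so that the whole precomputation runs in well under a second. It shows the time/memory trade-off (only chain endpoints are stored, not every hash), the per-column reduction that keeps colliding chains from merging, and the two properties that matter for his argument: a hash from inside the keyspace is usually recovered with a handful of hash operations, and a hash of something outside the keyspace (the 10-character 'EljadWole5' from the post) is simply not found. Keyspace, chain length and chain count are our own parameters. One caveat the thread does not state: a per-user salt makes the precomputation worthless, so this attack only applies to sites that stored unsalted hashes.

```python
"""Toy rainbow table: the "hash stolen from another site" attack on short passwords.

Added example, not from the thread. Keyspace is 3 lowercase letters (26**3 = 17576),
the hash is unsalted MD5; chain length and chain count are chosen so the table
builds in well under a second.
"""
import hashlib
import random
import string

ALPHABET = string.ascii_lowercase  # assumption: toy keyspace
LENGTH = 3
CHAIN_LEN = 40          # hash/reduce steps per chain
NUM_CHAINS = 1500       # stored entries: NUM_CHAINS endpoints instead of 26**3 hashes


def pw_hash(password: str) -> bytes:
    """Unsalted MD5, as found in many breached web-application databases of the period."""
    return hashlib.md5(password.encode()).digest()


def reduce_to_password(digest: bytes, step: int) -> str:
    """Map a digest back into the keyspace.

    Mixing in the column index `step` is what makes this a *rainbow* table:
    two chains that collide in different columns do not merge, which keeps
    coverage high for a given amount of storage.
    """
    n = int.from_bytes(digest, "big") + step
    chars = []
    for _ in range(LENGTH):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)


def build_table(starts):
    """Precomputation: walk each chain, store only endpoint -> [start points]."""
    table = {}
    for start in starts:
        pw = start
        for step in range(CHAIN_LEN):
            pw = reduce_to_password(pw_hash(pw), step)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table, target: bytes):
    """Online phase: recover a preimage of `target` from the stored endpoints, or None."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        # Assume the password sat in column `pos`; finish the chain from there.
        pw = reduce_to_password(target, pos)
        for step in range(pos + 1, CHAIN_LEN):
            pw = reduce_to_password(pw_hash(pw), step)
        for start in table.get(pw, ()):
            # Re-walk the matching chain from its start; a false alarm just
            # fails to produce the target hash and we move on.
            cand = start
            for step in range(CHAIN_LEN):
                if pw_hash(cand) == target:
                    return cand
                cand = reduce_to_password(pw_hash(cand), step)
    return None


def random_passwords(n, seed):
    """Constructed sample passwords from the keyspace (deterministic for the demo)."""
    rng = random.Random(seed)
    return ["".join(rng.choice(ALPHABET) for _ in range(LENGTH)) for _ in range(n)]


def crack_rate(table, sample):
    """Fraction of sample passwords recovered from their bare hashes."""
    hits = sum(1 for pw in sample if lookup(table, pw_hash(pw)) == pw)
    return hits / len(sample)


STARTS = random_passwords(NUM_CHAINS, seed=1)
TABLE = build_table(STARTS)

if __name__ == "__main__":
    print("stored endpoints:", len(TABLE), "for a keyspace of", len(ALPHABET) ** LENGTH)
    print("recovered 'ivy' ->", lookup(TABLE, pw_hash("ivy")))
    print("recovered 'EljadWole5' ->", lookup(TABLE, pw_hash("EljadWole5")))
    print("fraction of random keyspace passwords cracked:",
          crack_rate(TABLE, random_passwords(200, seed=2)))
```

Coverage is probabilistic (chains still merge when they collide in the same column), which is why real tables use far more chains than this toy; the defence in the thread, a longer password or passphrase, works by making the keyspace too large to precompute at all, and a salt works by making each user's keyspace a different table.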