[volunteergrid2-l] my server has been hacked

Johannes Nix Johannes.Nix at gmx.net
Thu Mar 8 00:14:10 UTC 2012


Hello,

> the password of my user has been a 10-char-long, semi-random password
> created by 'apg'. it looked something like 'EljadWole5'. i had the
> password for about a year, which i think is too long.

I think the time alone is not a high risk (maybe I'm wrong). However,
if a password with a length of less than about 15 characters
is used in another place and its hash is stolen after that
site is hacked, it would be quite easy to crack it quickly with today's method of
choice (rainbow tables). I believe it's usually better to have an
18-character password on a piece of paper in the purse than a short one
memorized in the head. Smartcards can help as well.

Some people suggest using a long enough combination of several natural
words, which is much less susceptible to that kind of attack.

--> http://xkcd.com/936/

Regards,

Johannes


On Wed, 7 Mar 2012 23:39:50 +0100
sabotrax at gmail.com wrote:

> i really don't know. the system has been a fully patched ubuntu 11.04.
> external services were tahoe, ssh, postfix, apache, tor, polipo, f*ex,
> subsonic and owncloud (under apache).
> all but the last two were ubuntu packages, so i assume they were ok.
> no daemon was configured unsafely (like fancy apache modules or such).
> subsonic (a music streaming server) did run with non-root privs.
> owncloud (a private cloud software) is implemented as a php script and
> runs as the apache user (www-data).
> the password of my user has been a 10-char-long, semi-random password
> created by 'apg'. it looked something like 'EljadWole5'. i had the
> password for about a year, which i think is too long.
> yesterday i installed debian 6.0.4 and i'd like to keep it running with
> fewer packages and services. i secured ssh with one-time passwords
> (opie) now.
> 
> 
> 2012/3/7 Brad Rupp <bradrupp at gmail.com>:
> > I would be curious to know if you figured out how they hacked you.
> > That is good information for all of us to know to make sure we
> > don't have similar holes.
> >
> > Brad
> >
> >
> > On 3/6/2012 8:55 AM, sabotrax at gmail.com wrote:
> >>
> >> Hi all,
> >> it seems as if my server which is running tahoe has been hacked.
> >> i hate to say this, but i think the introducer furl has to be
> >> changed again.
> >>
> >> i just looked around my system when i saw a new dir "test" under
> >> "/home" that has been created on 2012/02/21.
> >> i then did:
> >>
> >> root at foo:/home# lsof |grep test
> >> bash       1458       test  cwd       DIR               0,18 460 6108855 /run/shm/   /   /bot
> >> bash       1458       test  rtd       DIR                8,1 4096 2 /
> >> bash       1458       test  txt       REG               0,18 492135 6108126 /run/shm/   /   /bot/bash
> >> bash       1458       test  mem       REG                8,1 79712 14811193 /lib32/libresolv-2.13.so
> >> bash       1458       test  mem       REG                8,1 46736 14811192 /lib32/libnss_files-2.13.so
> >> bash       1458       test  mem       REG                8,1 1532104 14811189 /lib32/libc-2.13.so
> >> bash       1458       test  mem       REG                8,1 22092 14811194 /lib32/libnss_dns-2.13.so
> >> bash       1458       test  mem       REG                8,1 126152 14811196 /lib32/ld-2.13.so
> >> bash       1458       test    0w      REG               0,18 2153806 6108891 /run/shm/   /   /bot/LinkEvents
> >> bash       1458       test    1u     sock                0,7 0t0 85480587 can't identify protocol
> >> bash       1458       test    2u     sock                0,7 0t0 85479769 can't identify protocol
> >> bash       1458       test    3u     IPv4            6108142 0t0 UDP *:49486
> >> bash       1458       test    4u     sock                0,7 0t0 85481277 can't identify protocol
> >> bash       1458       test    5u     sock                0,7 0t0 85698092 can't identify protocol
> >> bash       1458       test    6u     sock                0,7 0t0 85498612 can't identify protocol
> >> bash       1458       test    7u     sock                0,7 0t0 85576571 can't identify protocol
> >> bash       1458       test    8u     sock                0,7 0t0 86667704 can't identify protocol
> >> bash       1458       test    9u     sock                0,7 0t0 86667741 can't identify protocol
> >> bash       1458       test   10u     sock                0,7 0t0 86669526 can't identify protocol
> >> bash       1458       test   11u     sock                0,7 0t0 86669303 can't identify protocol
> >> bash       1458       test   12u     sock                0,7 0t0 86671788 can't identify protocol
> >> bash       1458       test   13u     sock                0,7 0t0 86670345 can't identify protocol
> >> bash       1458       test   14u     IPv4           89167118 0t0 TCP foo.cyberdeck.null:38455->161.53.178.240:ircd (SYN_SENT)
> >> bash       1458       test   15u     sock                0,7 0t0 86671794 can't identify protocol
> >> bash       1458       test   16u     sock                0,7 0t0 86707925 can't identify protocol
> >> bash       1458       test   17u     sock                0,7 0t0 87574595 can't identify protocol
> >> bash       1458       test   18u     IPv4           89167113 0t0 TCP foo.cyberdeck.null:49523->173.245.201.28:afs3-fileserver (SYN_SENT)
> >> root at foo:/home# halt
> >> W: molly-guard: SSH session detected!
> >> Please type in hostname of the machine to halt: foo
> >>
> >> An alle Benutzer verteilte Nachricht von undo at foo
> >>         (/dev/pts/0) um 16:24 ...
> >>
> >> Das System wird sich JETZT zum Anhalten herunterfahren!
> >>
> >> ---
> >>
> >> looks like my box has been a proud member of some botnet for the
> >> last two weeks.
> >> atm i really don't know how this could have happened. i just
> >> wanted to tell you guys as fast as possible.
> >>
> >> greetings,
> >> marcus
> >>
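Marcus's `lsof` listing above shows three things a defender can key on: a process whose cwd and executable live on tmpfs (/run/shm), directory components made only of spaces, and an outbound TCP connection to the ircd port. The following Python is an added example, not code from the thread or from Tahoe-LAFS: it parses rows in lsof's nine-column layout and flags those indicators; the sample rows are constructed in the shape of the quoted output, with a benign sshd row as a control.

```python
import re

# Constructed sample in the shape of the quoted `lsof` output
# (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME); the sshd row is a benign control.
SAMPLE_LSOF = """\
bash       1458       test  cwd       DIR               0,18      460 6108855 /run/shm/   /   /bot
bash       1458       test  txt       REG               0,18   492135 6108126 /run/shm/   /   /bot/bash
bash       1458       test  mem       REG                8,1  1532104 14811189 /lib32/libc-2.13.so
bash       1458       test    1u     sock                0,7      0t0 85480587 can't identify protocol
bash       1458       test    3u     IPv4            6108142      0t0 UDP *:49486
bash       1458       test   14u     IPv4           89167118      0t0 TCP foo.cyberdeck.null:38455->161.53.178.240:ircd (SYN_SENT)
sshd       1012       root    3u     IPv4              12345      0t0 TCP 192.0.2.10:ssh->198.51.100.7:50022 (ESTABLISHED)
"""

COLUMNS = ("command", "pid", "user", "fd", "type", "device", "size", "node", "name")
# Locations a legitimate binary should not live in or run from (tmpfs / world-writable).
TMPFS_PREFIXES = ("/run/shm/", "/dev/shm/", "/tmp/", "/var/tmp/")
# IRC service names/ports as lsof prints them; the quoted listing shows "ircd".
IRC_PORTS = {"ircd", "irc", "6667", "6697"}

def parse_lsof(text):
    """Split each lsof row into its nine columns; NAME keeps internal spaces intact."""
    rows = []
    for line in text.splitlines():
        fields = line.split(None, 8)  # at most 8 splits -> NAME is the untouched remainder
        if len(fields) == 9 and fields[0] != "COMMAND":
            rows.append(dict(zip(COLUMNS, fields)))
    return rows

def has_whitespace_component(path):
    """True if some path component consists of spaces only (a hiding trick)."""
    return any(part and not part.strip() for part in path.split("/"))

def remote_port(name):
    """Return the peer port/service of an lsof 'local->remote:port' NAME, else None."""
    m = re.search(r"->\S+:(\S+)", name)
    return m.group(1) if m else None

def analyze_lsof(text):
    """Return (pid, rule, detail) findings for the three indicators above."""
    findings = []
    for r in parse_lsof(text):
        pid, name = r["pid"], r["name"]
        if r["fd"] in ("cwd", "txt") and name.startswith(TMPFS_PREFIXES):
            findings.append((pid, "tmpfs-cwd-or-exe", name))
        if r["type"] in ("DIR", "REG") and has_whitespace_component(name):
            findings.append((pid, "whitespace-path", name))
        if r["node"] == "TCP" and remote_port(name) in IRC_PORTS:
            findings.append((pid, "irc-connection", name))
    return findings
```

Feed `analyze_lsof` the captured output of `lsof -n` from the suspect host; on the sample above it returns five findings, all for PID 1458 and none for the sshd control row.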