So some of you may know that this web site was hacked.
What I know:
- The SSH daemon service was modified by the attacker's own version, presumably to make it easier for him/her to get in. The attacker also installed a small program to scan other computers for vulnerabilities.
- The attacker had access to all files on the server, including the SSL private key, and all password hashes (which means s/he could brute force the hashes to figure out the real passwords).
- It's possible that other files were modified without my knowledge. In order to do this, the timestamp on the files would have had to be modified. (I checked the timestamps to determine what had changed.)
What I suspect:
- I suspect that the attacker got in September 15th, 2009 via an automated attack. Then around October 13th, the attacker installed the vulnerability scanners, which is what tipped me off that a problem existed (because the server was going so slow).
- I suspect that the attacker got in via a vulnerability in SSH but I don't know this for sure. This means that there is potentially still a security hole in the site.
- I suspect that the attack was automated by a script.
- I suspect that the attacker probably did not try to steal any sensitive data and was more interested in "owning" the box for attacks on other boxes. Nevertheless, I must assume that all sensitive data was taken.
What I have done:
- All my passwords have been changed (I suggest you do the same).
- SSH is no longer accessible by the world (I was stupid to allow that in the first place). Other firewall rules have been tightened up (only HTTP and HTTPS ports are open now).
- I did a reformat and fresh OS install on the server (to get rid of unknown rootkits).
- I restored the WWW files from a July backup, before the attack took place.
- I restored the database as it was during the attack in order to preserve the message board and other recent activity. This means that the attacker could've meddled with the database, but I kinda doubt it and even if s/he did, I don't see how it would benefit him/her.
What I have not done:
For now I have not changed the SSL server.key despite the risk of the attacker having it. This seems like the right decision based on the cost of getting a new certificate for the private key and the cost of what it would mean if the attacker successfully sniffed HTTPS sessions vs. the likelihood that the attacker stole the original private key and has the means to sniff said HTTPS sessions (which I consider unlikely). Most people never liked me using HTTPS in the first place anyway.
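The post above relies on file timestamps to spot what the attacker changed, and notes that an attacker can reset those timestamps. The following is an added illustration (not code from the post or its author) of the check that does not have that weakness: a content-hash manifest taken from a known-good backup, compared against the live tree. The directory layout, file names and contents below are constructed sample data; the example deliberately edits one file and restores its original modification time to show that a timestamp-only check misses the change while the hash comparison catches it.

```python
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (relative path) to its hash, size and mtime."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.stat(full)
            manifest[rel] = {
                "sha256": file_digest(full),
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
            }
    return manifest


def compare_manifests(baseline, current):
    """Diff a known-good manifest (e.g. from a backup) against the live tree.

    'modified' is decided purely by content hash. The extra list records files
    whose content changed although the mtime is identical, which is exactly the
    case a timestamp-based review would miss.
    """
    report = {"modified": [], "added": [], "removed": [],
              "modified_with_same_mtime": []}
    for rel, base in baseline.items():
        cur = current.get(rel)
        if cur is None:
            report["removed"].append(rel)
        elif cur["sha256"] != base["sha256"]:
            report["modified"].append(rel)
            if cur["mtime_ns"] == base["mtime_ns"]:
                report["modified_with_same_mtime"].append(rel)
    for rel in current:
        if rel not in baseline:
            report["added"].append(rel)
    for key in report:
        report[key].sort()
    return report


def demo():
    """Constructed scenario: take a baseline, tamper with one file while
    restoring its timestamp, drop in an extra file, then compare."""
    root = tempfile.mkdtemp()
    index = os.path.join(root, "index.html")
    style = os.path.join(root, "style.css")
    with open(index, "wb") as f:
        f.write(b"<html>hello</html>\n")
    with open(style, "wb") as f:
        f.write(b"body { color: black; }\n")

    baseline = build_manifest(root)  # stands in for the July backup

    # Same-length edit so the size check alone would not notice either.
    st = os.stat(index)
    with open(index, "wb") as f:
        f.write(b"<html>HELLO</html>\n")
    # Put the original access/modification times back (what an intruder would do).
    os.utime(index, ns=(st.st_atime_ns, st.st_mtime_ns))

    # An unexpected new file also shows up in the report.
    with open(os.path.join(root, "extra.txt"), "wb") as f:
        f.write(b"not in the backup\n")

    return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

In practice the baseline manifest would be generated from the backup media (or from a clean install plus the package manager's own file lists) and stored off the server, since a manifest kept on a compromised host can be edited just like the timestamps were.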
