Post subject: www.daphne-emu.com hacked
PostPosted: Sun Oct 18, 2009 12:29 am
DAPHNE Creator

Joined: Sat Jan 20, 2001 1:00 am
Posts: 2125
Location: Salt Lake City, Utah, USA
So some of you may know that this web site was hacked.

What I know:
- The SSH daemon service was replaced by the attacker's own version, presumably to make it easier for him/her to get in. The attacker also installed a small program to scan other computers for vulnerabilities.
- The attacker had access to all files on the server, including the SSL private key, and all password hashes (which means s/he could brute force the hashes to figure out the real passwords).
- It's possible that other files were modified without my knowledge. In order to do this, the timestamp on the files would have had to be modified. (I checked the timestamps to determine what had changed.)

What I suspect:
- I suspect that the attacker got in September 15th, 2009 via an automated attack. Then around October 13th, the attacker installed the vulnerability scanners, which is what tipped me off that a problem existed (because the server was going so slow).
- I suspect that the attacker got in via a vulnerability in SSH but I don't know this for sure. This means that there is potentially still a security hole in the site.
- I suspect that the attack was automated by a script.
- I suspect that the attacker probably did not try to steal any sensitive data and was more interested in "owning" the box for attacks on other boxes. Nevertheless, I must assume that all sensitive data was taken.

What I have done:
- All my passwords have been changed (I suggest you do the same).
- SSH is no longer accessible by the world (I was stupid to allow that in the first place). Other firewall rules have been tightened up (only HTTP and HTTPS ports are open now).
- I did a reformat and fresh OS install on the server (to get rid of unknown rootkits).
- I restored the WWW files from a July backup, before the attack took place.
- I restored the database as it was during the attack in order to preserve the message board and other recent activity. This means that the attacker could've meddled with the database, but I kinda doubt it and even if s/he did, I don't see how it would benefit him/her.

What I have not done:
For now I have not changed the SSL server.key despite the risk of the attacker having it. This seems like the right decision based on the cost of getting a new certificate for the private key and the cost of what it would mean if the attacker successfully sniffed HTTPS sessions vs. the likelihood that the attacker stole the original private key and has the means to sniff said HTTPS sessions (which I consider unlikely). Most people never liked me using HTTPS in the first place anyway. :)
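As an added example (not part of the original post), a hash-based comparison of a server tree against a known-good backup, which catches the case raised above where a file's content is changed but its timestamp is not. The directory layout and file contents are constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

def hash_tree(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest

def diff_manifests(baseline, current):
    """Compare two manifests and report added, removed and content-modified files."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }

def demo():
    """Constructed scenario: a known-good backup tree and a live tree in which one
    file's content was changed but its mtime still matches the backup, plus one
    added file. Returns (diff, mtimes_equal) so the result can be checked."""
    tmp = Path(tempfile.mkdtemp())
    backup, live = tmp / "backup", tmp / "live"
    (backup / "www").mkdir(parents=True)
    (backup / "www" / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (backup / "www" / "about.html").write_text("<h1>About</h1>\n")
    shutil.copytree(backup, live)  # copy2 semantics: mtimes are preserved
    target = live / "www" / "index.php"
    before = os.stat(target)
    target.write_text("<?php echo 'hello'; /* changed */ ?>\n")
    # Put the old timestamp back, so an mtime-only check sees nothing unusual
    os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))
    (live / "www" / "dropped.php").write_text("<?php ?>\n")
    diff = diff_manifests(hash_tree(backup), hash_tree(live))
    mtimes_equal = os.stat(target).st_mtime_ns == os.stat(backup / "www" / "index.php").st_mtime_ns
    shutil.rmtree(tmp)
    return diff, mtimes_equal

if __name__ == "__main__":
    print(demo())
```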

Post subject:
PostPosted: Sun Oct 18, 2009 5:40 pm
Registered User

Joined: Sun Sep 27, 2009 1:49 am
Posts: 20
Location: Kennesaw, GA - USA
Welcome back to Daphne forums. It's good to see the site back up.


Darryl