Hey admins - URGENT.

Discussion in 'General chat' started by dgriffith, Oct 23, 2008.

  1. dgriffith

    dgriffith Junior Member

    Joined:
    Nov 30, 2006
    Re: Hey admins - URGENT.

    Nobody's found a definite point-of-entry for this yet, have they?
    I only say that because reloading your OS/etc to the previous backup simply means that whatever means they used to get root before is still there.

    I don't have/do any hosting, so I can't really comment on how providers set things up, but a brute force attack targeting shell access (e.g. a log full of "incorrect password for root") should be something rather noticeable. I guess running tripwire on the system would be useful as well, for after-the-fact alerting.

    Besides that, aren't login failures throttled to some extent? (e.g. locally, when I mistype my password, I get a few seconds' delay before "sorry, wrong password" shows up). Makes brute-forcing logins kind of slow when you can only try 15 a minute... or can you open 300 simultaneous shell logins and cut loose?
     
  2. dylanz

    dylanz Junior Member

    Joined:
    Nov 8, 2007
    Re: Hey admins - URGENT.

    dgriffith, I'm highly doubting it was a brute force attack to be honest. In LT's email, they said that access to their dashboard "now" requires SSL. It should have required it in the first place. Do the hosting providers use the same admin UI? cPanel? Something similar? Also, tons of users are probably connecting through random networks via FTP, which is another huge problem. It would be great if anybody had any specifics... but... doesn't seem like it thus far :(
     
  3. fr34k123

    fr34k123 Guest

    Re: Hey admins - URGENT.

    Hi - not sure if this helps - but my specific host is bringing in the help of a security specialist to help sort out this mess - to me it's all gibberish, but someone knowledgeable may know what their repair methods mean in relation to the attack and how serious it actually is. Here's what the security specialist is going to do on all our affected servers:

    1) The SHS Rootkit virus is totally removed
    2) He will find and remove every single exploit on the server - the avg per server is over 9,000 locations
    3) He will find and remove every single infected code on the server
    4) Once that is done we as the Managed Server provider can step back in and update everything else post-fix
    5) We will then ensure the fix includes a special firewall setup, port number change and rolling password methods

    Hope this helps - I personally have no knowledge in servers and the managing/running of them - but hopefully this information may help others to determine the seriousness (or not) of this hack/virus.
     
  4. valuedcustomer

    valuedcustomer New Member

    Joined:
    Oct 25, 2008
    Re: Hey admins - URGENT.

    Did anyone else receive a similar notice from LT or a downstream provider such as zipservers.com? I received this notice from zipservers on 10/03. My server was affected on 10/23.

    Dear Customer,

    As part of our Managed Services (offered at no charge to your account), we would like to update your server root password and control panel login credentials as a security precaution. Updating passwords on a regular basis is a good idea and we noticed it's been awhile since you updated yours.

    Our managed services team can perform this update in a matter of minutes and notify you once completed. The new credentials will be reflected within your https://my.zipsupport.com account.

    Do we have your permission to update your login credentials?

    If you wish to update your own credentials, feel free to do so. Simply notify us that you wish to handle this on your own.

    ZipServers recommends a password update every month.

    Thank you for choosing ZipServers.

    Regards,
    Customer Support Technician
    ZipServers, Inc.

    Customer Support Technician | ZipServers.com
     
  5. dgriffith

    dgriffith Junior Member

    Joined:
    Nov 30, 2006
    Re: Hey admins - URGENT.

    I have to say that these kinds of emails from providers out of the blue always sound suspicious to me.

    "hey, er, it's been a while since you updated your root password - we'll give you a hand to update it. At no charge, even! Aren't we great!"

    equals:

    "Someone got in and compromised our user database and now we're frantically trying to cover our ass without alerting end users."

    But I guess I'm just a cynic. Kudos to them for offering this security service to you. :lol:
     
