Eeep! I was hacked

 
user274
(Msg. 1) Posted: Mon Aug 30, 2004 5:46 pm
Archived from groups: alt>www>webmaster

Lately (last 4 or 5 months) I've been just backing up the critical stuff
from the server to CDRoms... but last night I thought I would do a full back
up.

Normally everything fits on one 40GB tape... but much to my surprise the
drive starts beeping me at 1am and asking for a second tape and telling me
it's only 60% complete.

So this morning I take a good look around the server... and much to my
surprise I find that somebody stashed some 32GB worth of movies (in German
and Turkish) on my hard drive back in mid May.

I figure I can pretty much trace it back to about a 4 week span where I
didn't have any firewall running on the server.

Perhaps even more embarrassing (than being hacked... or even running a web
server without a firewall for a month) is that I really chewed out my ISP
back at the end of May becuz I had 3.5Mbs bandwidth but wasn't getting
anywhere near that. As I think about it... the bandwidth really cleared up
whenever I rebooted the modem or the server, so I started doing that almost
daily... but in hindsight it sped things up because I was kicking off all
the people that were on there downloading movies.

spamblocked
(Msg. 2) Posted: Tue Aug 31, 2004 1:23 am

Augustus wrote:
 > ...
 > I figure I can pretty much trace it back to about a 4 week span where I
 > didn't have any firewall running on the server.

oh my my - how's your foot?

You are extremely fortunate that your server wasn't further compromised.

At least it's sorted now.

--
William Tasso - read 'em, else the puppy gets it:
http://www.aww-faq.org/
http://www.catb.org/~esr/faqs/smart-questions.html
http://groups.google.com/groups?as_ugroup=alt.www.webmaster

kenneth1
(Msg. 3) Posted: Tue Aug 31, 2004 2:14 am

On 2004-08-30, Augustus <Imperial.Palace.TakeThisOut@Rome.com> wrote:
 > Lately (last 4 or 5 months) I've been just backing up the critical stuff
 > from the server to CDRoms... but last night I thought I would do a full back
 > up.
 >
 > Normally everything fits on one 40GB tape... but much to my surprise the
 > drive starts beeping me at 1am and asking for a second tape and telling me
 > its only 60% complete.
 >
 > So this morning I take a good look around the server... and much to my
 > surprise I find that somebody stashed some 32GB worth of movies (in German
 > and Turkish) on my hard drive back in mid May

I'm not sure which is worse:

1. You haven't done a full back up since May
2. You haven't done a complete "walk thru" of your hard drive since May.
3. You don't know what's on your hard drive
4. You ran your server without a firewall

Hmmmm

Oh, those movies, they porn. Just curious.

ken

user274
(Msg. 4) Posted: Tue Aug 31, 2004 2:14 am

"Kenneth" <Kenneth RemoveThis @nowhere.special> wrote in message
news:slrncj7d91.maa.Kenneth@localhost.localdomain...
 > On 2004-08-30, Augustus <Imperial.Palace RemoveThis @Rome.com> wrote:
 >
 > I'm not sure which is worse:
 >
 > 1. You haven't done a full back up since May

Maybe... but the only thing on the server is the software for the websites
themselves. If we "lost it all" we could re-install from scratch and
restore the websites and databases from the CDRoms

 > 2. You haven't done a complete "walk thru" of your hard drive since May.

It's been longer than since May :)

But like I say these files were hidden in the Windows Media Player folder...
that's not something I think I've ever run on the server

 > 3. You don't know what's on your hard drive

I should probably have a better idea of what's a normal "free space" for the
hard drive. We are opening up a second office down in Phoenix so I was
figuring they had made CD images so they could install to laptops to demo
the sites.

 > 4. You ran your server without a firewall

Yeah that was a boo boo... the license on our firewall software expired and
I was trying some new stuff out. But the new firewall was blocking email
from the websites to the mail server and so I just turned the firewall off
until we got it resolved and wound up never getting back to it cuz the thing
seemed to be running smoothly without it.

 > Hmmmm
 >
 > Oh, those movies, they porn. Just curious.

Alas, no. There was no porn... mostly just popular movies that came out on
DVD in the first part of this year.
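
An added example, not part of the original posts: the point above about not knowing what "normal" disk usage looks like, turned into a per-directory size baseline that flags folders which grew between two snapshots. The choice of Python, the function names, the depth limit and the constructed directory tree in `demo()` are all assumptions; the posts name no tooling for this.

```python
import os
import tempfile

def snapshot(root, depth=2):
    """Map each directory up to `depth` levels below root to its total bytes."""
    root = os.path.abspath(root)
    sizes = {}
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        parts = [] if rel == "." else rel.split(os.sep)
        total = 0
        for name in files:
            try:
                total += os.lstat(os.path.join(dirpath, name)).st_size
            except OSError:
                pass  # file vanished or is unreadable; skip it
        # Credit these bytes to every ancestor we track, so data buried
        # deep in a subtree still shows up on a directory we report.
        for i in range(min(len(parts), depth) + 1):
            key = os.sep.join(parts[:i]) or "."
            sizes[key] = sizes.get(key, 0) + total
    return sizes

def growth(baseline, current, min_bytes):
    """Directories that are new or grew by >= min_bytes, biggest and deepest first."""
    flagged = [(path, size - baseline.get(path, 0))
               for path, size in current.items()
               if size - baseline.get(path, 0) >= min_bytes]
    def level(path):
        return 0 if path == "." else path.count(os.sep) + 1
    return sorted(flagged, key=lambda item: (-item[1], -level(item[0])))

def demo():
    """Constructed tree: data appears in a folder nobody normally opens."""
    with tempfile.TemporaryDirectory() as root:
        web = os.path.join(root, "inetpub", "wwwroot")
        wmp = os.path.join(root, "Program Files", "Windows Media Player")
        os.makedirs(web)
        os.makedirs(wmp)
        with open(os.path.join(web, "index.html"), "wb") as f:
            f.write(b"x" * 1000)
        baseline = snapshot(root)  # in practice, saved after a known-good install
        stash = os.path.join(wmp, "cache", "a")  # constructed hiding place
        os.makedirs(stash)
        with open(os.path.join(stash, "movie.avi"), "wb") as f:
            f.write(b"\0" * 50_000)
        return growth(baseline, snapshot(root), min_bytes=10_000)

if __name__ == "__main__":
    for path, delta in demo():
        print(f"{delta:>10} bytes  {path}")
```

Run on a schedule against a stored baseline, a check like this reports the folder that grew rather than leaving it to be noticed when a backup overflows its tape.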

user94
(Msg. 5) Posted: Tue Aug 31, 2004 2:28 am

Kenneth wrote:

 > I'm not sure which is worse:
 >
 > 1. You haven't done a full back up since May

I can't do a full back up. Remote server. Wouldn't do that anyway, just
the non-standard files. The OS can always be restored.

 > 2. You haven't done a complete "walk thru" of your hard drive since

Sod that.

 > 3. You don't know what's on your hard drive

Who does (except Baho)? I have cpanel on a Linux box. There's a whole
stack of guff on the hard drive that means nothing to me.

 > 4. You ran your server without a firewall

Now that I don't do!

In any event. Worst case scenario, restore it then reload your backed up
files, easy peasy.

--
Charles Sweeney
http://CharlesSweeney.com

kenneth1
(Msg. 6) Posted: Tue Aug 31, 2004 12:00 pm

On 2004-08-30, Charles Sweeney <me RemoveThis @charlessweeney.com> wrote:
 > Kenneth wrote:
 >
 > I can't do a full back up. Remote server. Wouldn't do that anyway, just
 > the non-standard files. The OS can always be restored.

Well, the problem with Linux is restoring the right kernel and other like
files, especially if you've been doing patches etc.

 >
 > Who does (except Baho)? I have cpanel on a Linux box. There's a whole
 > stack of guff on the hard drive that means nothing to me.

Looks like it's me and Baho then. I do keep a constant eye on my hard
drive; a rootkit will do that....

But I like your optimistic outlook, it would make any French grandmother
happy <g>

ken

kenneth1
(Msg. 7) Posted: Tue Aug 31, 2004 12:05 pm

On 2004-08-31, Augustus <Imperial.Palace.DeleteThis@Rome.com> wrote:

  >> 4. You ran your server without a firewall
 >
 > Yeah that was a boo boo... the license on our firewall software expired and
 > I was trying some new stuff out. But the new firewall was blocking email
 > from the websites to the mail server and so I just turned the firewall off
 > until we got it resolved and wound up never getting back to it cuz the thing
 > seemed to be running smoothly without it.

LOL, yeah, I've made that mistake. Seems like all is well, I'll just
do it next week or the week after...but it's running so well, maybe next
month.

ken

user94
(Msg. 8) Posted: Tue Aug 31, 2004 12:23 pm

Kenneth wrote:

 > On 2004-08-30, Charles Sweeney <me.DeleteThis@charlessweeney.com> wrote:
  >> Kenneth wrote:
  >>
  >> I can't do a full back up. Remote server. Wouldn't do that anyway,
  >> just the non-standard files. The OS can always be restored.
 >
 > Well, the problem with Linux is restoring the right kernel and other
 > like files, especially if you've been doing patches etc.

I have Linux with cpanel, so the latest versions for a restore are more
than good enough for my purposes.

  >> Who does (except Baho)? I have cpanel on a Linux box. There's a
  >> whole stack of guff on the hard drive that means nothing to me.
 >
 > Looks like it's me and Baho then. I do keep a constant eye on my hard
 > drive a rootkit will do that....

Heh, beg your pardon!

Ah, now checking for rootkits, you didn't mention that. I use chkrootkit
and Rootkit Hunter, daily by cron.

To be honest, I would like to take the Baho/Ken (and others!) approach.
Starting with a bare drive and installing everything manually, and only
that which is needed.

With cpanel, as I said, there is a huge lot of stuff. But it's a
time/motivation thing. If I was to do it, I would like to know it inside
out, which I ain't gonna achieve in a few days!

 > But I like your optimistic outlook, it would make any French
 > grandmother happy <g>

That must be where your good nature comes from!

--
Charles Sweeney
http://CharlesSweeney.com

kenneth1
(Msg. 9) Posted: Tue Aug 31, 2004 8:39 pm

On 2004-08-31, Charles Sweeney <me.RemoveThis@charlessweeney.com> wrote:
 >
 > Ah, now checking for rootkits, you didn't mention that. I use chkrootkit
 > and Rootkit Hunter, daily by cron.

I'll have to try rootkit hunter, chkrootkit missed it when I was hit.

 >
 > To be honest, I would like to take the Baho/Ken (and others!) approach.
 > Starting with a bare drive and installing everything manually, and only
 > that which is needed.

Time consuming and tedious, only for the anal minded.

 >
  >> But I like your optimistic outlook, it would make any French
  >> grandmother happy <g>
 >
 > That must be where your good nature comes from!
 >

Hmmm...(sniff, sniff, snnnnnifffff), yep, smells like sarcasm to me

ken