Full Version: Worth a look cause its dong my head in
The Planet Forums > Security > General Security
Vline
http://forums.rackshack.net/showthread.php...?threadid=14452

Right, I was not going to post about this due to the lack of respect it will get me, but feck it, I might as well share this problem and get it off my mind in case it is of any use to others. After I read the link above, posted this week, I thought it may be a good idea.

Right, I have a number of servers at EV1, 3 in total, and admin about 6. One of my servers was rooted last Friday, a non-active one thank fcuk, by some script kiddie defacement group.

The box was set up as shown below:

Ensim 3.1.1
OpenSSH 3.4
2.4.18 kernel
Bastille/psad
chkrootkit run each week
SIM

The reason I didn't secure this box further was due to Ensim risks, but now I have a test server and it's trial and error. I have no idea how the group got into my box; I take it that it was a random mass rootkit. The server was in a reboot loop after a restart and I could not get any information off it.

Now I have had my kernels recompiled / grsecurity, Apache tweaked, SSH 3.5 installed, iptables + anti-DDoS.

I have no idea why I was hacked the first time around; I was following the guidelines.

Anyone else have any problems?

I have a large collection of security/0day material which I get from ongoing research and honeynet projects. I would also be very interested in sharing detailed security information with gurus on the site; mail me at thomasoconnor@mail.ie

I have taken it as a wake-up call.

(Please do not take the next line the wrong way; I am not taking a shot at anyone, just clearing a grey area which I fell into.)

The UPDATE list posted on the forums is not enough to keep you remotely secure... I have gotten a wake-up call; God knows what would have happened if a live server had got hit.

This was not a hacker of great knowledge; it was a script kiddie from Israel who wanted to put his name on my servers' sites. The actual group have a home page hosted on a box on the EV1 network, which I think is a joke too. I reported it to EV1, who then told me to mail abuse; I did, and yet the site is still up hosting various defacements and tutorials.

Regards
Vline
Looking at zone-h defacement mirrors, lots of Ensim servers have gotten hit.
Vline
I misspelled the topic and could not edit it. Any chance a mod will chance luck to look?

Regards
Cyborg
QUOTE
Originally posted by Vline
I misspelled the topic and could not edit it. Any chance a mod will chance luck to look?

Regards
Done
sisterscape
While you're at it . . . how about also changing 'dong' to 'doing'? And if you want to get picky, there's plenty more in the post itself! ;)
Vline
QUOTE
Originally posted by sisterscape
While you're at it . . . how about also changing 'dong' to 'doing'? And if you want to get picky, there's plenty more in the post itself! ;)


Your post was ever so helpful; you are a pillar of the support forums. What would I ever do without you.

Regards
foggy
QUOTE
The UPDATE list posted on the forums is not enough to keep you remotely secure...



Most likely you are referring to the Ensim Server CheckList ® posted by myself.

That list was not intended to be a one-stop security hardening thread. It was designed to help new users set up and secure their servers quickly without having to sift through hundreds of different threads.

Server security doesn't stop at the end of that thread, and I have included a note at the top of that thread: keeping up to date on patches and other updates will help you stay secure. By using Telnet or FTP you're basically just giving a hacker an invitation to break into your server, as your passwords are transmitted in clear text. Also, using poor passwords makes it easier to break in. I'm not saying you were unpatched or anything though, so don't take that the wrong way.


:)
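Foggy's point about Telnet and FTP carrying the login password in clear text can be turned into a quick audit. The script below is an added example written for this page, not code from the thread, from Ensim or from the checklist foggy mentions. It assumes `netstat -tln`-style output (a constructed sample is embedded so it runs offline) and a small, assumed port-to-protocol table of the usual cleartext-credential services.

```shell
#!/bin/sh
# Added example, not from this thread: audit a server's listening TCP
# sockets for services that normally send the login password in the clear.
# It parses `netstat -tln`-style output.

# Constructed sample standing in for real `netstat -tln` output.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN'

# Map a port to the cleartext-credential protocol that usually runs on it
# (assumed table; extend as needed). Exit status 1 means "not on the list".
cleartext_name() {
  case "$1" in
    21)  echo ftp ;;
    23)  echo telnet ;;
    110) echo pop3 ;;
    143) echo imap ;;
    *)   return 1 ;;
  esac
}

# Print "port name" for every cleartext service listening on a non-loopback
# address. Loopback-only listeners are skipped: that password never leaves
# the machine, so they are a lower priority than the network-facing ones.
flag_cleartext() {
  printf '%s\n' "$1" |
  awk '$1 ~ /^tcp/ && $NF == "LISTEN" { print $4 }' |
  while IFS= read -r addr; do
    port=${addr##*:}          # text after the last colon
    host=${addr%:*}           # everything before it (IPv4 or IPv6)
    case "$host" in
      127.*|::1) continue ;;
    esac
    if name=$(cleartext_name "$port"); then
      echo "$port $name"
    fi
  done
}

# Number of flagged services; 0 is what a hardened box should report.
count_cleartext() {
  flag_cleartext "$1" | grep -c '' || true
}

# Usage on the sample; on a live box pass "$(netstat -tln)" instead.
flag_cleartext "$SAMPLE_NETSTAT"
```

On the sample this flags ftp, telnet and pop3 and leaves SSH, HTTP and the loopback-only MySQL alone. The match is by well-known port, so a daemon on a non-standard port is missed and a different daemon on port 21 is a false positive; confirm each hit against the process list before disabling it or replacing it with the encrypted equivalent (SSH/SFTP for Telnet/FTP, the TLS variants for POP3/IMAP).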
sisterscape
QUOTE
Originally posted by Vline


Your post was ever so helpful; you are a pillar of the support forums. What would I ever do without you.

Regards


You're right, I am not a PILLAR of the support forums. But be aware that lack of language skills could negatively impact communications with your clients, if there are any, and many other aspects of your life. Though from what I have observed on this and other forums, you have plenty of company in your cavalier approach to written communication.

I was actually trying to be HELPFUL though teasing you was probably not the best approach. Taking my observation to heart might just be to your advantage in the long run. But if discounting it with sarcasm makes you feel better, that's fine with me. At least I know how to read, write and spell, thank you. ;)
Vline
QUOTE
Originally posted by sisterscape


You're right, I am not a PILLAR of the support forums. But be aware that lack of language skills could negatively impact communications with your clients, if there are any, and many other aspects of your life. Though from what I have observed on this and other forums, you have plenty of company in your cavalier approach to written communication.

I was actually trying to be HELPFUL though teasing you was probably not the best approach. Taking my observation to heart might just be to your advantage in the long run. But if discounting it with sarcasm makes you feel better, that's fine with me. At least I know how to read, write and spell, thank you. ;)


;) thanks
Vline
Sisterscape's posts have taken the thread off its path. Has anyone else run into any security problems even with all the Ensim updates, patches and service upgrades that Ensim allows?
Creator
I still use Ensim 3.0 with Bastille Linux and PSAD installed. I also use chkrootkit regularly. My box seems to be patched up well too. Although I get port-scanned all the time just like everyone else, my box has never been compromised... knock on wood. Sometimes one may get unlucky even though one tries hard to implement good security.

A problem I find with the Ensim company is their lack of regular security update and patch releases.
Vline
QUOTE
Originally posted by Creator
Sometimes one may get unlucky even though one tries hard to implement good security.


Great point. Yeah, that's how I felt. I think it was the fact that I was kinda lazy and didn't really bother with the server that had the problem. I said I would lock it down, but I didn't go into any grave detail and left the kernel updated and Apache as they came installed; also Bastille was a quick and easy step for me and something I didn't normally use. I am sticking to iptables now and treating all my servers the same. One cannot be lazy when it comes to security; I have learned that the hard way. I would again have to be happy that this didn't happen on a server that was linked to any of my main ones. Grsecurity is really quite good for the kernel too and far more updated than Openwall; I am working on getting it installed on all my servers and learning how to use it myself. Also ipchaining on ssh2 is looking good very soon for me at this time.

QUOTE
A problem I find with the Ensim company is their lack of regular security update and patch releases.


I noticed this too, but then again I think we should use redhat.com for updates too.


Cheers Creator
REBIS
QUOTE
I noticed this too, but then again I think we should use redhat.com for updates too


Many of us do. But of course, if not careful, you'll kill Ensim. I agree with Creator that Ensim should get their act together and be more timely about critical updates.
Vline
The guidelines are a bit blurry on updates. I only had a client's server last week that Ensim would not update due to the SSH update to 3.4; I had to manually remove the RPMs and reinstall 3.1. It felt kinda stupid.
mv_
QUOTE
Originally posted by Vline
The guidelines are a bit blurry on updates. I only had a client's server last week that Ensim would not update due to the SSH update to 3.4; I had to manually remove the RPMs and reinstall 3.1. It felt kinda stupid.


This has happened to me as well. :-( Script kiddie defacement... :-(

I thought I had the server pretty well protected. How to protect an Ensim server better? Is there some unknown flaw in Ensim?
jeff-p4
QUOTE
This was not a hacker of great knowledge; it was a script kiddie from Israel who wanted to put his name on my servers' sites. The actual group have a home page hosted on a box on the EV1 network, which I think is a joke too. I reported it to EV1, who then told me to mail abuse; I did, and yet the site is still up hosting various defacements and tutorials.

What is the URL to this site?