maxihost
Feb 7 2002, 06:22 AM
Dudes,
I am really afraid.
30 hours ago I had a 60mb DoS attack on my machine and RackShack just unplugged my RAQ.
I have more than 100 customers on this RAQ and my phone doesn't stop ringing and ringing.
Please anybody help me!
I don't know what to do now! I am afraid :-(((
rackAID
Feb 7 2002, 07:50 AM
maxihost,
You need to dig through the logs or ask RS if they know what type of attack it was.
There are some measures to help with SYN floods, but if they were just hammering your machine from random IPs there is little you can do ... RS would have to filter this traffic, which they will not do.
If you were hit by just a handful of source IPs, then a firewall could help.
PatrickS
Feb 7 2002, 07:58 AM
We will have no issues with putting your server back online once your server has been wiped clean. This wasn't an issue of being hacked or being DoS'd: one of the users on your server, a long time user from the logs, decided to DoS out from your server, but it also appears he took measures to compromise your server, and we cannot place a compromised server back onto our network.
rackAID
Feb 7 2002, 08:09 AM
---ouch---:eek:
hope you have backups maxihost
maxihost
Feb 7 2002, 08:11 AM
Patrick,
I will install a hard FireWall system on the machine and I will delete all the users that have shell access on the system.
But, please can you take my server back ?
I have more than 100 customers and my phone doesn't stop ringing.
Please help me.
Thanks.
maxihost
Feb 7 2002, 08:13 AM
argh man ...
that is the problem.
I don't have a backup of anything in there.
Isn't it possible for RackShack to get the files from the server, send them to me and then do the restore?
But a better solution is to not restore, just bring the server back and I will install a firewall and delete shell users.
Oh god, how do I make money if I have this problem and other problems every time.
maxihost
Feb 7 2002, 08:14 AM
huck,
Do you know any very GOOD program to firewall my server?
And, does your company do daily backups?
maxihost
Feb 7 2002, 08:32 AM
Ok,
I got an answer from rackshack that they will mount a second drive for me and I will have one day to move the files from one HD to the new one.
Is there any program or anything that I can use to move ALL the files, the system configuration, exactly the same things that I have on the other HD?
Thanks for the answer.
Shortfork
Feb 7 2002, 11:40 AM
QUOTE
Originally posted by maxihost
Is there any program or anything that I can use to move ALL the files, the system configuration, exactly the same things that I have on the other HD?
Just my opinion mind you, but if I had a server that had been compromised, all I'd dare to move would be the actual client files, meaning their images and related files. If you copy over the entire drive, how are you going to keep out the garbage that your malicious user left you?
You're going to have some work, that's for sure, but I think you'd be far better off just grabbing the good, leaving the bad, and sitting down and getting cracking reconfiguring the new drive after the restore..
And, from your earlier message.. you don't have firewalling on there yet? Read up on ipchains if not and install it immediately before anything else..
Shortness
webbcite
Feb 7 2002, 02:24 PM
I would use the raqbackup.sh method...works great. Just search these forums for "raqbackup.sh".
Shortfork
Feb 7 2002, 06:41 PM
QUOTE
Originally posted by webbcite
I would use the raqbackup.sh method...works great. Just search these forums for "raqbackup.sh".
Webster, ain't he runnin a chance that he's going to "raqbackup" his cracker in the process though? Unless they know where the stuff got left, he's likely to move it over to the new disk.. which would suck!
Shorterronthecautiousside
webbcite
Feb 7 2002, 10:42 PM
To compromise a server they have to gain root access and install back doors in system files. The raqbackup.sh only copies user directories and files and does not back up system files. So I would think he would be relatively safe to back up and restore the vsites and users. If RS knows the user that was doing the damage, then I would just delete the account.
I would spend a lot of time going through the user directories looking for any suspicious files.
That or just pull out the machine gun and wax the dang thing...
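The thread's worry is exactly right: raqbackup.sh copies user trees wholesale, so anything the malicious user left under a vsite comes along for the ride. Below is an added example (not code from the thread, raqbackup.sh, or Cobalt) of the kind of pass over a restored user tree that webbcite suggests, automated. It flags three things legitimate web content never needs: setuid/setgid files, executables hidden in dot-directories, and world-writable directories. The `build_demo_tree` function plants a constructed tree with one clean file and three problems so the audit can be run offline; the directory layout (`web/`, `web/tmp`) is an assumption, not a RaQ path.

```sh
#!/bin/sh
# audit_user_tree DIR: print "kind<TAB>path" for anything in a user/vsite tree that should
# not be carried over blindly; returns 1 if anything was found, 0 if the tree looks clean.
# Paths are printed relative to DIR so a hidden component in DIR's own path is never matched.
audit_user_tree() {
  findings=$(
    cd "$1" || exit 1
    {
      # setuid/setgid files: web content and mail never legitimately need these
      find . -type f \( -perm -4000 -o -perm -2000 \) -print | awk '{print "setuid-setgid\t" $0}'
      # owner-executable files tucked inside dot-directories or dot-files
      find . -path '*/.*' -type f -perm -100 -print | awk '{print "hidden-executable\t" $0}'
      # world-writable directories: anyone else on the box can drop files there
      find . -type d -perm -2 -print | awk '{print "world-writable-dir\t" $0}'
    } | sort -u
  )
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# audit_user_tree_count DIR: number of findings, handy in scripts
audit_user_tree_count() {
  audit_user_tree "$1" | grep -c .
}

# build_demo_tree DIR: lay out a constructed vsite tree (assumed layout, not a RaQ path)
# with one clean file and three planted problems
build_demo_tree() {
  mkdir -p "$1/web/.cache" "$1/web/tmp"
  printf '<html>hi</html>\n' > "$1/web/index.html"
  printf '#!/bin/sh\necho hidden\n' > "$1/web/.cache/run"
  chmod 755 "$1/web/.cache/run"                 # executable hidden in a dot-directory
  printf 'not really a binary\n' > "$1/web/helper"
  chmod 4755 "$1/web/helper"                    # setuid file
  chmod 777 "$1/web/tmp"                        # world-writable directory
}

# Demo: build the constructed tree and audit it before "restoring" it
DEMO=$(mktemp -d)
build_demo_tree "$DEMO"
if audit_user_tree "$DEMO"; then
  echo "tree looks clean"
else
  echo "review the findings above before copying this tree to the new disk"
fi
```

Run it against each vsite directory on the mounted old drive before copying; a clean tree prints nothing and returns 0, so the function slots into a loop that only copies trees which pass.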
Shortfork
Feb 7 2002, 11:05 PM
QUOTE
Originally posted by webbcite
To compromise a server they have to gain root access and install back doors in system files. The raqbackup.sh only copies user directories and files and does not back up system files. So I would think he would be relatively safe to back up and restore the vsites and users. If RS knows the user that was doing the damage, then I would just delete the account.
Looking at Patrick's post, it would be hard to know what level this person had access to in the server.. If it were me, I'd be taking out the Uzi and re-upping everything user related... Looks like Maxi doesn't have that option, so again, I'd be really selective if I were him.. that's just me tho.. been hacked once, wiped clean and started over.. Now I sit here and watch /var/log/auth and just added three more to the ipchains for trying me on my ssh port.. or, rather, actually trying to log in on ssh...
Nothing better to do? Hey... let's go mess someone's life up!
Short:mad:
webbcite
Feb 8 2002, 12:16 AM
QUOTE
Originally posted by Shortfork
Now I sit here and watch /var/log/auth and just added three more to the ipchains for trying me on my ssh port.. or, rather, actually trying to log in on ssh...
Nothing better to do? Hey... let's go mess someone's life up!
Short:mad:
Have you added /var/log/auth to your logcheck? Makes life a little easier....
Also, you should change the port # SSH runs on and block 22 with IPChains. Then all the bad guys will think you don't have it open. I did it last week and now I don't see anybody knocking on my SSH door. Very cool...much less stressful.
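Shortfork is watching /var/log/auth by eye and adding source IPs to ipchains by hand; webbcite suggests feeding the file to logcheck. The added example below (not code from the thread, logcheck, or ipchains) does the middle step: it tallies failed sshd logins per source address from a constructed sample of auth-log lines and emits, without executing, the ipchains DENY rule for any address over a threshold. The log lines are constructed in the style of a 2002-era sshd and are not real data; the ipchains rule syntax and the port are assumptions (the thread never shows its ruleset).

```sh
#!/bin/sh
# Constructed sample of /var/log/auth lines (not real log data)
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Feb  8 02:11:03 raq sshd[1201]: Failed password for root from 10.0.0.5 port 3456 ssh2
Feb  8 02:11:09 raq sshd[1203]: Failed password for root from 10.0.0.5 port 3457 ssh2
Feb  8 02:11:15 raq sshd[1205]: Failed password for admin from 10.0.0.5 port 3458 ssh2
Feb  8 02:12:40 raq sshd[1210]: Accepted password for webmaster from 192.0.2.44 port 1022 ssh2
Feb  8 02:13:02 raq sshd[1212]: Failed password for illegal user test from 198.51.100.7 port 2020 ssh2
Feb  8 02:15:55 raq sshd[1220]: Failed password for root from 10.0.0.5 port 3459 ssh2
EOF
)

# failed_logins_by_ip: read auth-log lines on stdin, print "count ip" per source address
# of failed sshd logins, highest count first
failed_logins_by_ip() {
  grep 'sshd\[[0-9]*\]: Failed password' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# offending_ips [THRESHOLD]: addresses with at least THRESHOLD failures (default 3), one per line
offending_ips() {
  threshold=${1:-3}
  failed_logins_by_ip | awk -v t="$threshold" '$1 >= t {print $2}'
}

# ipchains_deny_rules [PORT] [THRESHOLD]: print (do not run) one ipchains rule per offender
# blocking it from the sshd port and logging the hit; rule syntax is an assumption
ipchains_deny_rules() {
  port=${1:-22}
  offending_ips "${2:-3}" | while read -r ip; do
    echo "ipchains -I input -s $ip -p tcp -d 0.0.0.0/0 $port -j DENY -l"
  done
}

# Demo on the constructed sample: review the rules before pasting them into your ruleset
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip
printf '%s\n' "$SAMPLE_AUTH_LOG" | ipchains_deny_rules 22
```

On a live box replace the sample with `< /var/log/auth` and keep the threshold high enough that a client mistyping a password twice does not lock themselves out; the rules are printed rather than applied so they can be read first.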
mouse
Feb 8 2002, 01:38 AM
QUOTE
Originally posted by webbcite
Have you added /var/log/auth to your logcheck? Makes life a little easier....
Also, you should change the port # SSH runs on and block 22 with IPChains. Then all the bad guys will think you don't have it open. I did it last week and now I don't see anybody knocking on my SSH door. Very cool...much less stressful.
where to set an alternative port for the SSH?? sounds like a good suggestion.. Mouse
Shortfork
Feb 8 2002, 02:57 AM
QUOTE
Originally posted by mouse
where to set an alternative port for the SSH?? sounds like a good suggestion.. Mouse
/etc/ssh/sshd_config I *think* not sure what's a good port to set it at tho.. And Yes, I think I have /var/log/auth set to report in my logcheck.. tho I'd have to...err.. logcheck to see
Shortchecked
PS.. webster.. the two questions.. what is a good port (any old unused one?) and what's the command to restart sshd??
mouse
Feb 8 2002, 03:23 AM
I am guessing to do this I would have to temporarily enable Telnet, else once I do the edits, the SSH wouldn't work any more.. or am I confused?? Mouse
Well, yes I'm confused, but I meant on this specific issue..
Shortfork
Feb 8 2002, 03:33 AM
QUOTE
Originally posted by mouse
I am guessing to do this I would have to temporarily enable Telnet, else once I do the edits, the SSH wouldn't work any more.. or am I confused?? Mouse
Well, yes I'm confused, but I meant on this specific issue..
Ummm.. I think, just looking at it logically, if you were going to change ports, open up the port you want to run it on first.. then make the changes and restart sshd.. I'm pretty sure the connection you are already on will be good. I'd then open up another connection via that port.. or maybe do that before you restart sshd just to be sure.. Once you know you can connect via the new port, close the old one and that *should* do it..
I did the update at the cobalt pkg site but now I'm remembering that there is something that should get done in the sshd_config file that ensures that it will not negotiate a version 1 connection.. and.. one of these days, I'll start logging what I do! Cause, I think whatever I was supposed to do, I already did.. but damned if I can remember! I know I was in the file, but what did I do doctor!!
I'm diggin Mouser, I'll see what I can find and post it up.. I think the restart sshd is about the same as httpd.conf only replacing the name.. .. Be back in a while.. I got myself worried now, seems we're in a bit of a snake pit these days round here!!
Which, unfortunately, is usually the case when a server farm is known for a bunch of unprotected boxes. I guess the only consolation is that we're like an old chevy with a really good alarm sitting in a lot with a bunch of Porsches with their windows rolled down ey!
Shortdiggin
mouse
Feb 8 2002, 03:43 AM
That was about the scariest analogy I have ever heard or read shortone.. you need sleep I think... I'll wait till you get some sleep and read what you type in here to be sure you typed what ya wanted to, especially after seeing your comments earlier when you realised what you had typed the night before..
on an odd note, I may be picking up an Ensim box as well now.. along with my Raq4i... Mouse
Shortfork
Feb 8 2002, 03:54 AM
Sleep!?? No way man... !!

I'm goin in dood!! Cover my six!!!
Shortwired
Shortfork
Feb 8 2002, 04:22 AM
Kay Mouser.. here's the gig... if you're using ttssh.. WRONG.. bad bad bad!! Just found out, it does NOT support version 2!! Dood.. we been hangin out there with holes in our armour!!
Went into sshd_config, uncommented where it has version 1,2 and changed it to only version 2 (if you read this earlier... typo! had it as 1, it is 2)
Changed port to some ungodly weird one that did not seem to be in use.. restarted sshd by
/etc/rc.d/init.d/sshd restart
While still connected via my port 22 connection.. all is well..
I left out a step, I'd already opened up the port via my ipchains rules for the new port..
Tried to connect with ttssh and it gave me a do not understand version message.. downloaded putty..
http://www.chiark.greenend.org.uk/~sgtatha...t/x86/putty.exe
Opened it up, set it to the ip addy of the server, gave it the port and I'm dialed..
That's all there is to it dood..
Shortwireduptighterthanawelldiggersass!
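Shortfork's sequence above is the safe one: open the new port in ipchains, edit sshd_config for `Protocol 2` and the new `Port`, restart sshd while the port 22 session is still up, prove a second session on the new port, and only then close 22. The added example below (not Shortfork's script or Cobalt's) turns the config edit into a function that writes a reviewed copy rather than editing /etc/ssh/sshd_config in place, a checker that confirms the result pins Protocol 2 and is off port 22, and a printout of the steps in lock-out-proof order. Only `/etc/ssh/sshd_config` and `/etc/rc.d/init.d/sshd restart` come from the thread; the sample config contents, port 5022, and the ipchains rule syntax are assumptions.

```sh
#!/bin/sh
# harden_sshd_config FILE PORT: write FILE.new with "Port PORT" and "Protocol 2" at the top and
# every existing Port/Protocol directive (commented ones too) dropped, so an old "Protocol 2,1"
# cannot survive further down the file. Prints the path of the new file.
harden_sshd_config() {
  file=$1
  port=$2
  case $port in
    ''|*[!0-9]*) echo "harden_sshd_config: port must be numeric" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
    echo "harden_sshd_config: pick an unprivileged port (1024-65535), not $port" >&2
    return 1
  fi
  {
    printf 'Port %s\nProtocol 2\n' "$port"
    grep -v -E '^[[:space:]]*#?[[:space:]]*(Port|Protocol)[[:space:]]' "$file" || true
  } > "$file.new"
  echo "$file.new"
}

# check_sshd_config FILE: succeed only if the file pins Protocol 2 and moves sshd off port 22
check_sshd_config() {
  proto=$(sed -n 's/^Protocol[[:space:]]*//p' "$1" | head -n 1)
  port=$(sed -n 's/^Port[[:space:]]*//p' "$1" | head -n 1)
  [ "$proto" = "2" ] && [ -n "$port" ] && [ "$port" != "22" ]
}

# port_change_steps PORT: print the commands in the order that keeps you from locking yourself out.
# The ipchains lines are an assumption about the ruleset; only the sshd restart path is from the thread.
port_change_steps() {
  cat <<EOF
ipchains -I input -p tcp -d 0.0.0.0/0 $1 -j ACCEPT      # 1. open the new port first
harden_sshd_config /etc/ssh/sshd_config $1                # 2. write sshd_config.new, review it, then move it into place
/etc/rc.d/init.d/sshd restart                             # 3. restart while the port 22 session stays open
ssh -p $1 user@host                                       # 4. prove a second session works on the new port
ipchains -I input -p tcp -d 0.0.0.0/0 22 -j DENY -l      # 5. only now close 22
EOF
}

# Demo on a constructed config (assumed contents, not a real RaQ file)
DEMO=$(mktemp -d)
printf '#Port 22\n#Protocol 2,1\nPermitRootLogin yes\nX11Forwarding no\n' > "$DEMO/sshd_config"
NEW=$(harden_sshd_config "$DEMO/sshd_config" 5022)
cat "$NEW"
check_sshd_config "$NEW" && echo "config OK: Protocol 2, off port 22"
port_change_steps 5022
```

Writing to `sshd_config.new` and diffing it against the original before moving it into place is the cheap insurance here; a typo in the `Port` line is what strands you on a box you can only reach through RackShack.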
daviddel
Feb 8 2002, 07:30 AM
QUOTE
Originally posted by Shortfork
Read up on ipchains if not and install it immediatly before anything else..
This post has me a little concerned about security. I read the ipchains-HOWTO. Unfortunately, it is difficult to understand. Is there a down and dirty somewhere I can get to help?
Thanks,
David
Shortfork
Feb 8 2002, 07:50 AM
QUOTE
Originally posted by daviddel
This post has me a little concerned about security. I read the ipchains-HOWTO. Unfortunately, it is difficult to understand. Is there a down and dirty somewhere I can get to help?
Thanks,
David
http://forum.rackshack.net/showthread.php?...15&pagenumber=1
Second part is on the next page in that thread, just amend the ssh installation instructions as in the thread above.. or I posted a more complete set of directions on the security section last night...
I don't know how to make it any more step-by-step and if this is the instruction set you're hanging on.. maybe get one of the guys who do this for a small fee here to install it for you?
You really should have at minimum, ipchains installed and properly configured..
The sample script that I put on the second page of the directions will work and get you tightened up.. If you change the config for ssh, then you'll just need to change the port from 22 on the rules set to whatever port you choose.
Many here will tell you to use the automated ipchains script generator.. For me, I can't figure it out but can make the ruleset that I posted work, so I'm manual. I locked myself out of the box first time I used it (automatic generator) and have not touched it again since..
Hope this helps
Shortness
daviddel
Feb 8 2002, 08:51 AM
QUOTE
Originally posted by Shortfork
http://forum.rackshack.net/showthread.php?s=&threadid=1300&perpage=15&pagenumber=1
Second part is on the next page in that thread, just amend the ssh installation instructions as in the thread above.. or I posted a more complete set of directions on the security section last night...
I don't know how to make it any more step-by-step and if this is the instruction set you're hanging on.. maybe get one of the guys who do this for a small fee here to install it for you?
You really should have at minimum, ipchains installed and properly configured..
Excellent post, The instructions are great. I will install IPchains and run putty with SSH for my command line stuff.
You guys are great.
Thanks
David
WebSales_James
Feb 8 2002, 09:13 AM
ouch ... backup backup backup ....
webbcite
Feb 8 2002, 10:24 AM
Wow! I make a post and go to bed...by the time I get up and check the forums...questions have been asked answered and others asked...you guys are intense...I love it!
QUOTE
Originally posted by Shortfork
Went into sshd_config uncommented where it has version 1,2 and changed it to only version 1
Shortwireduptighterthanawelldiggersass!
Anyway, I believe you meant to say "...changed it to only version 2" instead of the above version 1. Correct? You don't want to run in version 1 but instead version 2.
Sounds like you guys have figured out how to change the port numbers based on ShortPsyco's post. That is exactly correct...or at least how I did it. I won't tell you what I used for my new SSH port, but it is above 5000. As for IPChains, I just chained my SSH rule from 22 to my new port.
Also, Shorty...Have you figured out how to do port forwarding to have a SSH connection to tunnel your FTP through? I have played with it a little but haven't spent much time to figure it out.
Shortfork
Feb 8 2002, 10:43 AM
QUOTE
Originally posted by webbcite
Wow! I make a post and go to bed...by the time I get up and check the forums...questions have been asked answered and others asked...you guys are intense...I love it!
Sleep.. who needs sleep when there's Red Bull and Whoop Ass to be drunk!
QUOTE
Originally posted by webbcite
Anyway, I believe you meant to say "...changed it to only version 2" instead of the above version 1. Correct? You don't want to run in version 1 but instead version 2.
Give you an idea of how sleepy I really am.. thought I corrected that typo before hitting send.. did it several times (the typo) but, yes, I meant protocol 2 not one.. protocol 1 is what we want to run from.
QUOTE
Originally posted by webbcite
Sounds like you guys have figured out how to change the port numbers based on ShortPsyco's post. That is exactly correct...or at least how I did it. I won't tell you what I used for my new SSH port, but it is above 5000. As for IPChains, I just chained my SSH rule from 22 to my new port.
Yep, got that part dialed.. won't tell ya where I am either.. but might change it higher since that worked for ya up there.. might as well make em work for their whack at the port when their scanner does find it!
QUOTE
Originally posted by webbcite
Also, Shorty...Have you figured out how to do port forwarding to have a SSH connection to tunnel your FTP through? I have played with it a little but haven't spent much time to figure it out.
Groan.. yer tryin to kill me here

I'm a guy who loves a challenge, I've heard of this, in fact, the guy who wrote the chains rules for me was describing it but I think he decided to let me take baby steps. I'm not doing bad for a guy who 12 months ago had not touched command line since my DOS gaming days and had zero "ixperience" up to that time... but this tunneling thing is just slightly zipping over my head. Does sound good though!
Protocol 2 broke my WinSCP program which seems to want to go no higher than protocol 1.5, so I'll have to find another one for that purpose.. What does really intrigue me is SafeTP that I've read about. It's another FTP server that you install on the box, you turn off standard FTP and then any of your web clients only have to install a plug in for their normal FTP program (Like WSFTP) and it then will send encrypted and the server will not accept any connection that is not sent with a modified program..
No way we're gonna get the average user to go in via an SSHFTP session, and we gotta give em shell access to let them even do that. This SafeTP thing works freestanding.. Sounds pretty cool. It's on the archives of recent postings at cobalt list, I did not manage to save the message before my hotmail account filled up and I absentmindedly deleted it. So I gotta find it again. Right now, my only client that needs access outside of me (managed sites is what I do) uses Front Page to publish and I don't have FTP turned on at all...
Geez.. My roommate just woke up.. now I'm not gonna get any sleep for at least two hours.. (she's noisy, her dogs are even worse!)
zzzzzzzzzzz
Shortdozer
webbcite
Feb 8 2002, 10:54 AM
Good point about tunnelling...I was just thinking of using it for my POP3/SMTP connections as well.
I looked at WinSCP but like you said it requires you give the user SSH access which is against my policy. So that is out.
FrontPage doesn't use FTP??? I am not familiar with FrontPage and that has always been the big problem for me in trying to go to a secure FTP process for my customers. I have always had to go to the lowest common denominator...which is usually FrontPage. You have FTP turned off and FP users can still upload their sites?
Here is the link to installing SafeTP:
http://list.cobalt.com/pipermail/cobalt-us...ril/040519.html
Looks like you have given me something to figure out this weekend...thanks a lot!
Just joking...get some sleep!
Shortfork
Feb 8 2002, 11:01 AM
Yea, don't ask me how FP uploads, or mails for that matter. Took on a site for someone to host only and the lady doing it had it working, mailing from a form and all, without ftp on and for that matter, probably not knowing the path to sendmail.. so I'm not sure how FP works.. I've used an old FP editor for years for the grunt work of basic page layout but I've never turned on the server or uploaded with it..
So long as it worked for her it was fine with me. I don't like that it creates same name users for every account though.. webmaster and then a password.. takes half the safety margin out of it.. sort of ahh.. like admin for cobalts
Man.. someone made some coffee.. and it sure smells good..... grrrrrr.. Short needs some sleep but has so much to do!
Shortzzzzzzzzzz
winston
Feb 8 2002, 11:31 AM
You can always use scp (secure copy; part of SSH) instead of FTP. I believe the latest beta release of PuTTY supports this (I typically am copying from a machine running Unix which has the scp command).
mouse
Feb 9 2002, 02:08 AM
OK ok, after reading all this now that I'm home, guess I'll go ahead and give it a whirl after I go through and check the rest of the threads and see if I can help anyone else do some damage first.. Mouse update to come..
mouse
Feb 9 2002, 04:34 AM
kk, worked like a charm.. damn good advice, now to dump the old Port from the ipchains list.. Mouse
Shortfork
Feb 10 2002, 12:08 AM
QUOTE
Originally posted by winston
You can always use scp (secure copy; part of SSH) instead of FTP. I believe the latest beta release of PuTTY supports this (I typically am copying from a machine running Unix which has the scp command).
Still looking at getting file transfer more secure.. Finding that ssh will not differentiate between binary and asskey transfers.. So, from what I read on the putty site, if you use ssh to transfer files, you're stuck with binary.. Ok for most stuff but not if you need to upload a script..
Soo... looking into SafeTP... which *seems* like maybe a good option..
Will report...
ShortFTP
mouse
Feb 10 2002, 12:56 AM
With some clients I find it's best to sit there with a gun aimed at their head while they.... oh, you mean to protect against someone reading the data stream.. heeheehee.. also looking for more info.. Mouse
Shortfork
Feb 10 2002, 02:53 AM
QUOTE
Originally posted by mouse
With some clients I find it's best to sit there with a gun aimed at their head while they.... oh, you mean to protect against someone reading the data stream.. heeheehee.. also looking for more info.. Mouse
Downloaded the local client. Tested it against their test FTP server.. Got it to work locally. Did not go to the next step to install on my server but did try to connect to my old standard ftp server..
Problems: The safeTP local client encrypts or does something strange with the data connection coming back from the server and I played hell getting a good connection without fiddling with my firewall here on my local machine. (Zone Alarm) Totally seamless if I have it off, or if I set the server ip on the local zone on my home firewall.. and then.. check WSFTP as allow server... And... In security settings on ZA, set to not block local servers... it all works.. Or if you make a passive connection to the server, it also seems to work ok..
Herein lies the rub.. One.. that's an awful lot of "and then's" to throw at users other than myself.. two... It is not so many "and then's" if passive is available on the server.. and here lies the rub.. I don't know beans about setting the darn ports on the server to allow passive (yea, I know, here we go again)
And... I'm not sure that doing that (allowing enough open ports) is as safe as not allowing it and only having port 21 open for inbound connections. As it is, with active FTP connections, you don't even need to have port 20 open because the connection is outbound from the server and not blocked by the ipchains..
It does work.. and if you were careful about how you set up your admin users' email to have them as a non-privileged email account and NO email account for the admin user.. Then you would only be sending passwords in the clear via non-privileged user email accounts and not site admins via ftp and email..
Is it worth it... (thinking) not sure. As of now, I uninstalled the local client so I could connect without all the hassles.. Will I go forth and figure it out.. dunno.. depends on if someone can tell me how to limit passive connections to only one port via the local machine. Which seems bent on picking anywhere between 1000 or so ports.. grrrr.. Never happy with all this password stuff. Wish there were an SSL enabled FTP client.. Or Or Or... I wish stupid hackers would all suffer retroactive birth control!
Shortfrustrated
mouse
Feb 10 2002, 03:00 AM
and you worry about others getting Ulcers.. heeheeheehee
Shortfork
Feb 10 2002, 03:27 AM
QUOTE
Originally posted by mouse
and you worry about others getting Ulcers.. heeheeheehee
Yea.. between all this and my "almost" ex-wife... grrr.. don't get me started..........
Shortnothappy