birdcam!

Ben Wilson

This is the blog of one Ben Wilson, a Louisville, Kentucky native who enjoys baseball, beer, music, bikes, things that fly and good food. By day he pushes pixels and makes the Internet happen for a local advertising agency. His wife, Kelly, is an Ironman, and his baby Amelia is the cutest thing ever.

Well, yesiree-bob, I got intruded upon this weekend. Not in a physical way, mind you, but in a digital way. I awoke Saturday morning (around 10:30 AM or so), having the night before hosted a rompin’ good night of Winter Feasting and Pokering, to Geoff calling to tell me A) that he was sorry to have missed the Winter Feast and B) that the server was down, and that both of these things made him sad.

Needless to say, I was pretty bummed out. Since I started leasing that server back in August 2003, there hadn’t been a single minute of down-time for the server! I logged onto my hosting company’s website (EV1Servers.net) to see what was up. I soon noticed that a trouble-ticket had been opened up due to “Acceptable Use Policy Violations”. Further, it gave me the indication that my box had been cracked (not hacked). AKA intruded, transgressed, violated. This happened at 4:20 in the AM, and at 4:38, EV1Servers had — quite literally — pulled the plug on the server. I needed to contact them to get them to start investigating what was up. Unfortunately, the Abuse Department can only be contacted via email, and when I pressed the Customer Support lady about me phoning them (“You are telling me they have no phones at all?”) she replied “Yes, they have no phones.” A pretty blatant lie, I’m thinking, but nonetheless they had started their quick investigation about 12:30 or so, and had brought my server back up to me around the same time. They amended the trouble ticket to say that they had found some suspicious files consistent with an exploit of a webserver/scripting bug and that I should start the cleanup immediately.

Turns out it was a cracker with an IP address from somewhere in Brazil, and the target of the denial-of-service attack they mounted was also in Brazil. I’ll save you the gory details, but there were a couple of bugs (aka “vulnerabilities”) that were exploited to allow very limited but annoying access to the webserver. I host a server with a number of websites on it, and I can’t keep tabs on every piece of software (like webmail, galleries, bulletin boards) at all times. The best I can do is keep server-wide security as tight as possible. A big “oops” on my part, but I thought I was safe. After ensuring that the crackers hadn’t destroyed any data or left behind any “backdoors”, I brought the webserver and databases and everything save for the email system back up around 2:00 PM or so.

While I managed to plug the hole in the webserver that the crackers had made, I found there was another hell-of-annoying thing that had happened — the crackers had flooded my box with all sorts of SPAM email. I had to meticulously weed out that SPAM from legitimate emails and clean up the mail queue. I think that very few SPAM emails escaped my box. This was the biggest pain in the ass, and much to both my and Kelly’s chagrin, it took me until damn near 5 o’clock to bring the mail subsystem back on-line.

I spent most of last night (Sunday) on the couch fortifying my server with firewalls, intrusion-detection software, and a number of other little tricks to help me fend off those pain-in-the-ass crackers.

I realize most of this won’t make a lick of sense to most of you, but I thought it might be interesting to hear about the saucy underside of this thing we know as the intarweb. If you are really interested in knowing more specifically about what happened, feel free to contact me.

Filed under General.
Dec 20 2004 ~ 12:10 pm ~ Comments (4)

4 Comments

  1. Ben,

    Thanks for the hard work getting everything back online. Also, thanks for having us over on Friday. It was a wonderful feast indeed. Oh, and The Office was just as good (if not better) than I expected. Thanks for that as well.

    Thanks,
    Jackson

    Comment by Jackson Cooper — December 21, 2004 @ 9:07 am
  2. yea, i don’t know what any of that means, but thanks for fixing the problem and in such a timely matter…thanks again–katy

    Comment by katy — December 22, 2004 @ 5:10 pm
  3. when i upgrade squirrelmail and then lose your email address books? i seem to enjoy doing that.

    Comment by ben — December 22, 2004 @ 11:10 pm
  4. you always lose my address book, so i am used to that…but you always fix it….

    Comment by katy — December 23, 2004 @ 6:45 am

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License. | thelocust dot org
all content © 2000-2013 ben wilson under the creative commons license