That reminds me: the firm that handled your security, did they deliver a report with changes made?
I called and emailed (to the right place I guess): "Per our phone discussion we will be taking the following actions to resolve this issue with you: 1) thoroughly scanning the current system to reveal any possibly remaining issues with the accounts as restored 2) re-reviewing the previous server image to determine if there is any useful data about the attack that might have been missed 3) ensuring all related issues in the follow up are handled by an upper tier security administrator 4) following up with the related employees to ensure they are aware of the mistakes in procedure made 5) issuing a general reminder about escalation procedures with respect to server-wide compromises"
This follows the more generalized approach of not putting administrative interfaces on your public network. Instead you privatize them and make the user authenticate against the machine with a secure connection like SSH and then access these applications over that secured tunnel. You configure Apache such that if someone tries to access them, they get a forbidden error or, better yet, a not found.
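A concrete version of that setup, as an added example that is not part of the original thread: the admin application is removed from the public virtual host, which answers 404 for its path, and is served only on the loopback interface, reached through an SSH port forward. Apache 2.4 syntax is assumed; the hostnames, port and paths are placeholders.

```apache
# Added example (not from the thread): keep an admin interface off the public
# vhost and expose it on loopback only, reached over an SSH tunnel.
# Apache 2.4 syntax; hostnames, ports and paths are assumptions.

# --- Weak setting: admin app served on the public vhost --------------------
# <VirtualHost *:80>
#     ServerName www.example.com
#     Alias /admin /var/www/admin
#     <Directory /var/www/admin>
#         Require all granted     # anyone on the Internet reaches the login form
#     </Directory>
# </VirtualHost>

# --- Hardened: public vhost knows nothing about /admin ----------------------
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/public
    # A 403 confirms the path exists; a 404 gives a probe nothing to work with.
    # Redirect/RedirectMatch with a non-3xx status takes no target URL.
    RedirectMatch 404 ^/admin(/.*)?$
</VirtualHost>

# --- Admin vhost bound to loopback only -------------------------------------
Listen 127.0.0.1:8443
<VirtualHost 127.0.0.1:8443>
    ServerName admin.localhost
    DocumentRoot /var/www/admin
    <Directory /var/www/admin>
        # Only connections that originate on this host, i.e. via the tunnel.
        Require local
    </Directory>
</VirtualHost>

# Client side: authenticate with SSH, forward a local port to the loopback
# listener, then browse http://localhost:8443/ . Nothing is reachable on the
# public interface.
#   ssh -N -L 8443:127.0.0.1:8443 admin@server.example.com
```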
2) This depends on how much you trust them. If you do then you could say they have your data in custody, but if you don't then you could say they hold your data hostage. Similarly, if they're going in with forensic procedures in mind then all good. (But then you'd expect a report, right?) If they don't, or want to cover things up, this is a fine opportunity to trample things good. 3) So what does that say quality-wise for "lower tier"?.. 4) Interesting. Is "server-wide compromises" your or their choice of words? Because if it is theirs then "server-wide" may have a different meaning. I mean as opposed to "this paying customer's VPS only". Anyway, good to see you haven't lost your sense of humor.
Code:
[root@jay bin]# ls
I did get some output on the scan of the now functioning VPS, and have fixed or removed the problems. As of now they are still "scanning" the infected image: "We will let you know when the scan has finished." (Date: Jul 09, 2011 Time: 02:43 PM CST) It's a long scan apparently. 3) Not much at all. 4) I pasted exactly what they said. And that's just a scary comment. Noway2: I did have my cert file in postfix already and it turns out I didn't check the TLS box in my client, duh. Also I have blocked access to the control panel via allowed IP. You're right, I don't want it public, just me and my clients.
Your server has been compromised. The two primary theories following an impartial investigation suggest that they were either involved in the event or their negligence contributed to a situation that allowed it to happen. I would certainly demand a more detailed explanation than a virus scan. As far as that list of files you posted above, I assume that is the list of 'tools' that they put on? Most of those are not standard Linux binaries, so they would have to be custom tools. One of them, EC, could be the OpenSSL component, in which case I wonder what they would be using it for. I don't fully understand the man pages for it, but I see that it is related to key-pair generation. Other file names sound suspicious or ominous, like ipscan and isnulled. The "server wide" compromise is an interesting choice of term that they used, and it makes me wonder if this problem isn't bigger than just your system? Of course they would never admit to it, if it were.
I agree, I feel a bit insulted; "it is not available for public use." were the words used. As if I'm the "public" and they are some government. Obviously they aren't open source advocates. And yes, I am fully aware of clam's purpose; on the other hand, if one of my clients had their Windows box blaséd and obtained an FTP password or other access, this way could be another entry point.
Code:
print "[=D] Scanning logs for $ip...\n";
I'm also certainly no lawyer. However, if you're located in the US, you are often legally obligated to inform data owners if it's believed their personal information has been compromised. Breach Notification Laws. Other countries may have similar laws, so you will probably want to make sure you're in compliance.
OlRoy: Thanks for that. I have written all my clients days ago explaining not only the migration but the possibility of data being stolen.
My response to their post, "The scan of the backup is complete and nothing was found"... was, "I would love a more detailed explanation than a virus scan (which btw seems like a Windows response). Though I do understand this could be a potential entry point from an infected Windows box. What else was done to investigate? Is the investigation over now? I would like to add #6 "a final report on what was done with results." I got back earlier today:
But how they got the password is still a mystery. I guess I'm back to the theory of either a leak at my provider or someone with access sniffing out setup emails in the route between myProvider > old server (my mailbox at the time [both softlayer]) > me, or me > comcast:smtp > google:smtp ([emailed pass to partner] though this seems unlikely). Too bad email headers don't let you know if SSL was used.
I'm thinking I can mark this solved!
OK even further findings:
Code:
110701 01:51:22 mysqld_safe A mysqld process already exists
So I can't nail the proof exactly by presenting logs, but the series of events on the server and the ticket system lead me to be 99% sure this is how they got on (same time frame). I remember launching the mysql client as root and not being prompted for a pass. I didn't think much of it at first because I usually have a .my.cnf file in ~ with login info so I don't have to type it. But this was a brand new server, so I hadn't set up my aliases and dot files yet. I had this gut feeling something was wrong. Lesson: Always follow your instincts. So I'll stop trying to blame myself. The admin at my provider should have told me what he was doing, and more so should have restarted mysql normally after changing the pass!
Well done, Sherlock! ;-p
My provider has just updated the ticket with a job offer! I'm feeling pretty good today.
That's great! Funny how things work out sometimes, and how sometimes things happen for reasons we can't see at the time.