Showing posts with label Server Room. Show all posts

Sunday, January 22, 2012

The Look

I had an issue with my server this evening. Actually it's been going on for a few days. There was a big surge in traffic, so I started investigating. Most of the traffic was email, so I did some digging.

Found a rogue PHP file. It's hashed, so I'm not exactly sure how it works, but simply put it appeared to allow mail to be sent via a call to the rogue page. Quite clever really; it shows how increasingly intelligent these attacks have become. In the past it used to be script kiddies automatically scouring using penetration tools. Now they are targeting holes in existing websites and injecting rogue code.

I guess that a sysadmin's life never gets any easier.

Wednesday, June 30, 2010

Rest my chemistry

I have worked on and looked after systems for over a decade; in that time I have seen many security breaches. They have ranged from serious, taking out an entire school network for a couple of days, to defacement of a webpage. Each time different factors took their toll.

The most recent attack was against the LAN party website. A vulnerability in the content management system E107 allowed an attacker to upload a script file to my site. The file, "fwriteq.php", was a modified version of a PHP example file. When a remote attacker requested the page using a specific URL, the page output a huge amount of junk traffic towards an IP address given in the request string.

The weird thing about it was that it created UDP datagrams. In response I cleaned up the site and altered the firewall to block outgoing traffic of type UDP on port 80 as this is invariably junk.

I went through the logs and found the command and control IPs which were sending in the requests for traffic and then emailed the abuse contacts. BT owned 2 of them and I received no response (another reason not to recommend them). One of them was a Linode box; they replied and asked for more details, which I sent on to them.
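The log review described in this post can be scripted. The following is an added example, not code from the original post: it groups requests for the dropped script by client IP and collects any IP address found in the query string, which is the evidence an abuse contact usually asks for. The Apache "combined" log format, the `/files/` path, the `host` and `time` parameter names and all sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed format: Apache "combined" access log.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation address ranges, made-up parameters).
SAMPLE_LOG = """\
198.51.100.7 - - [29/Jun/2010:21:14:02 +0100] "GET /files/fwriteq.php?host=203.0.113.50&time=60 HTTP/1.1" 200 12 "-" "-"
192.0.2.99 - - [29/Jun/2010:21:14:30 +0100] "GET /index.php?page=news HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.33 - - [29/Jun/2010:21:15:10 +0100] "GET /files/fwriteq%2Ephp?host=203.0.113.50 HTTP/1.1" 200 12 "-" "-"
this line is not a log entry and is skipped
198.51.100.7 - - [29/Jun/2010:21:20:45 +0100] "GET /files/fwriteq.php?host=203.0.113.51&time=60 HTTP/1.1" 200 12 "-" "-"
"""

def is_ip(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def callers_of(log_text, script="fwriteq.php"):
    """Group requests for the dropped script by client IP."""
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-access-log line
        url = urlsplit(m["url"])
        # Decode the path so percent-encoded names (fwriteq%2Ephp) still match.
        if unquote(url.path).rsplit("/", 1)[-1].lower() != script:
            continue
        entry = report.setdefault(
            m["client"],
            {"hits": 0, "first": m["ts"], "last": m["ts"], "targets": set()},
        )
        entry["hits"] += 1
        entry["last"] = m["ts"]
        # The parameter name is unknown, so keep every value that is an IP.
        entry["targets"].update(v for _, v in parse_qsl(url.query) if is_ip(v))
    return report

if __name__ == "__main__":
    for client, e in callers_of(SAMPLE_LOG).items():
        print(client, e["hits"], e["first"], e["last"], sorted(e["targets"]))
```
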

Sunday, June 22, 2008

Home Brew Server

 
Bruce and I went to IFL to install a new server; we couldn't help but notice that in the next rack was this creation. I have never seen anything quite like it before; it made us feel pretty professional!

Sunday, April 22, 2007

Vhcs sucks

Spent the day playing with servers. For a long time I have wanted to move the websites I host to being more of a professional service. On the new server I installed vhcs. It was supposed to make it easier for users to control their sites, but in fact it's just been a royal pain in the arse from day one. Bruce (see his take here) and I struggled first to get it working at all, then with each of the services offered. I finally gave up after finding a major and unfixed security hole advertised on their own forum. Complete with links to a page which automates the hack!

We spent the rest of the evening eating curry and moving to isp control. It's basically a web panel like vhcs but it looks a bit more secure and well maintained. We did finally manage to make a backup of the main webserver though, which is a major goal; it hasn't been done for months thanks to our lack of access and technical hitches (like one time we went down to the colocation centre and couldn't get in as the key to the rack was missing).