"Ben Koshy" <[EMAIL PROTECTED]> wrote:
> I had this group called "Acid Fallz" hack 2 of my servers over the last
> few months...

Ben, I think it's AcidFalz. I wasn't familiar with them so I did some quick research. See the following for other sites they've defaced and relevant info:

http://defaced.alldas.de/?attacker=ACIDFALZ
http://defaced.alldas.org/?attacker=ACIDFALZ
http://defaced.alldas.org/?attacker=ACIDFALZ&x=stats

> they are based out of Russia and claim to only do
> defacements to prove security vulnerabilities... anyway, both servers had
> all patches applied from Cobalt.

A patched Cobalt server is still an insecure server. Do you have an intrusion detection system, software/hardware firewall, portscan detector, log scanner, rootkit detector and unnecessary services shut down for starters? Users with shell access? Telnet disabled? Enforce strong passwords or at least check for weak passwords? A security solution can have a lot more to it than that, but if you don't have a good basic security solution your server is extremely vulnerable.

> All that was done was the index.htm
> page was replaced with the hacked version and the old page moved to a
> backup file.

How do you know that's all that was done? Because they said so? Because everything else seems to work and no one is complaining that your boxes are being used in a suspicious way? Did you check for rootkits and loadable kernel modules, and compare file checksums, sizes, dates, etc. with known good copies using something like fcheck or tripwire? If not, don't be so sure that was all the hacker did.

> A couple months back they did this to one of our RAQ4s,
> and then yesterday to a RAQ3.
>
> Any idea what hack this could be? I'm at a loss...

Impossible to say. Also, be aware that even if you have the latest Cobalt patches applied and a good security solution in place you still need to keep on top of the latest vulnerabilities. For example, in the last three weeks vulnerabilities were announced in PHP, SSH and zlib among others. Cobalt employees released unofficial, unsupported PKGs a few days later for PHP and SSH, but the zlib library is used by *many* programs, at least a few of which you are likely running. Cobalt has not yet released upgrades of all of their programs that use zlib and neither have the developers of several programs which I have investigated that rely on zlib. The point is that security is an ongoing responsibility and doing it right requires expertise.

If you have copies of logs, bash history files or better yet a copy of the hard drives from one of the servers which was hacked, I or some other list members can probably help you figure out how access was gained. But if you don't have a good security solution and unlimited time, you may be better served by designing and implementing a good security solution.

My 2 cents.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
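The checksum comparison the reply recommends (checking the live tree against known-good records of checksum, size and date), as an added example that is not from the post and is not fcheck or tripwire; the web root, file names and the "index.htm replaced, original moved to a backup" scenario are constructed for the demonstration.

```python
"""File-integrity baseline check (added example, not from the list post).

Record sha256, size and mtime for every file under a web root while the
server is in a known-good state, then compare the live tree against that
record. A real deployment keeps the baseline off the box (as tripwire
practice recommends), since a root-level intruder can rewrite a local copy.
"""
import hashlib
import json
import os
import tempfile


def snapshot(root):
    """Return {relative_path: {sha256, size, mtime}} for every file under root."""
    record = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            st = os.stat(full)
            record[rel] = {"sha256": digest, "size": st.st_size, "mtime": int(st.st_mtime)}
    return record


def compare(baseline, current):
    """Classify files as modified, added or removed relative to the baseline.

    The verdict is driven by the checksum: size and mtime are kept for the
    report, but an intruder can preserve both, so they are not trusted alone.
    """
    modified = sorted(p for p in baseline
                      if p in current and baseline[p]["sha256"] != current[p]["sha256"])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario: index.htm defaced and the original moved to a backup file."""
    with tempfile.TemporaryDirectory() as root:  # stand-in for the web root
        with open(os.path.join(root, "index.htm"), "w") as fh:
            fh.write("<html>welcome</html>")
        with open(os.path.join(root, "contact.htm"), "w") as fh:
            fh.write("<html>contact</html>")
        baseline = snapshot(root)  # taken while the tree is known good
        os.replace(os.path.join(root, "index.htm"), os.path.join(root, "index.htm.bak"))
        with open(os.path.join(root, "index.htm"), "w") as fh:
            fh.write("<html>defaced</html>")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report lists the replaced page under "modified" and the attacker's backup copy under "added"; anything the intruder left elsewhere in the tree would show up the same way, which is the point of not trusting "only index.htm was touched".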
