On Fri, Jan 7, 2011 at 5:08 PM, Georg Ragaller <[email protected]> wrote:
> If it was this http://www.kb.cert.org/vuls/id/682457 exploit, then almost
> everything could have happened I guess.

Yes, this is most likely what happened according to our expert. It also seems to have been a scripted attack, and likely that there were bugs in the script, since one of the 'hard to understand why' things that actually was done was to create an empty menu.lst for GRUB, which makes the system not bootable.

Additionally, the datacenter operators concluded that the motherboard was fried, and had that changed, so my guess is that the attacker was out to make physical damage more than software damage. Possibly manipulating flash memory on the motherboard.

As for passwords: SiteVision is totally unaffected AFAIK, since it is not running on the system at all. JIRA uses Crowd, which uses OpenLDAP, which I think uses some SHA salted passwords. Need to check details. Those of you who have an account on the machine: that is standard Linux /etc/shadow, and I don't know what it uses.

No attempt at covering up activity was made either, as login records seem untouched and match the date/time evidence of file changes in GRUB as well.

So, although one shouldn't be too confident about security matters, I doubt that anything was actually compromised (other than the hardware itself).

Cheers

--
Niclas Hedhman, Software Developer
http://www.qi4j.org - New Energy for Java
I live here; http://tinyurl.com/3xugrbk
I work here; http://tinyurl.com/24svnvk
I relax here; http://tinyurl.com/2cgsug

_______________________________________________
qi4j-dev mailing list
[email protected]
http://lists.ops4j.org/mailman/listinfo/qi4j-dev
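The open question in the message above is which password hash schemes the compromised host's /etc/shadow and the OpenLDAP directory behind Crowd actually used. The following script is an added example, not code from the mail or from the Qi4j project: it classifies crypt(3)-style shadow entries and OpenLDAP `{SCHEME}` userPassword values by their prefix, so an administrator can see at a glance which accounts were protected by a slow salted hash and which would need a forced reset after a disclosure. The shadow lines and LDAP values are constructed samples (the user names, salts and hash bodies are placeholders); the rating labels and the `HashInfo`, `classify_crypt`, `classify_ldap`, `audit_shadow` and `weak_accounts` names are this example's own.

```python
import re
from typing import Dict, List, NamedTuple


class HashInfo(NamedTuple):
    scheme: str
    rating: str   # "strong", "weak", "locked" or "cleartext"
    note: str


# crypt(3) "$id$..." prefixes and how each should be rated as password storage.
CRYPT_IDS = {
    "1":  ("md5-crypt",    "weak",   "MD5-based, fixed 1000 rounds, fast to brute-force"),
    "2a": ("bcrypt",       "strong", "Blowfish-based, tunable cost"),
    "2b": ("bcrypt",       "strong", "Blowfish-based, tunable cost"),
    "2y": ("bcrypt",       "strong", "Blowfish-based, tunable cost"),
    "5":  ("sha256-crypt", "strong", "SHA-256, salted, 5000 rounds by default"),
    "6":  ("sha512-crypt", "strong", "SHA-512, salted, 5000 rounds by default"),
    "7":  ("scrypt",       "strong", "memory-hard"),
    "y":  ("yescrypt",     "strong", "memory-hard"),
}

# Traditional DES crypt: 13 characters from the crypt alphabet, no "$" prefix.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# OpenLDAP userPassword schemes other than {CRYPT}, which delegates to crypt(3).
LDAP_SCHEMES = {
    "SSHA": ("ssha", "weak", "salted SHA-1, single round: salted but fast"),
    "SHA":  ("sha",  "weak", "unsalted SHA-1"),
    "SMD5": ("smd5", "weak", "salted MD5"),
    "MD5":  ("md5",  "weak", "unsalted MD5"),
}
LDAP_PREFIX_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)


def classify_crypt(field: str) -> HashInfo:
    """Classify the second field of an /etc/shadow line."""
    if field == "":
        return HashInfo("empty", "weak", "empty field: password-less login")
    if field.startswith(("*", "!")):
        return HashInfo("locked", "locked", "password login disabled for this account")
    if field.startswith("$"):
        hash_id = field.split("$")[1]          # "$6$salt$hash" -> "6"
        info = CRYPT_IDS.get(hash_id)
        if info:
            return HashInfo(*info)
        return HashInfo("unknown-$" + hash_id, "weak", "unrecognised crypt id; verify manually")
    if DES_RE.match(field):
        return HashInfo("des-crypt", "weak", "traditional DES, 8-char limit, 12-bit salt")
    return HashInfo("unknown", "weak", "unrecognised format; verify manually")


def classify_ldap(value: str) -> HashInfo:
    """Classify an OpenLDAP userPassword attribute value."""
    m = LDAP_PREFIX_RE.match(value)
    if not m:
        return HashInfo("cleartext", "cleartext", "no {SCHEME} prefix: stored as given")
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme == "CRYPT":
        return classify_crypt(rest)
    info = LDAP_SCHEMES.get(scheme)
    if info:
        return HashInfo(*info)
    return HashInfo("unknown-{%s}" % scheme, "weak", "unrecognised scheme; verify manually")


def audit_shadow(text: str) -> Dict[str, HashInfo]:
    """Map each user in shadow-format text to the classification of its hash field."""
    results = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        results[fields[0]] = classify_crypt(fields[1])
    return results


def weak_accounts(text: str) -> List[str]:
    """Users whose stored hash would not withstand offline cracking if disclosed."""
    return sorted(u for u, h in audit_shadow(text).items() if h.rating == "weak")


# Constructed sample shadow entries (placeholder salts and hash bodies, not real data).
SAMPLE_SHADOW = """\
root:$6$rounds=65536$c0nstructedsalt$Zq1placeholder:18633:0:99999:7:::
alice:$5$abcdefgh$placeholderhash:18633:0:99999:7:::
bob:$1$xyz$placeholder:18633:0:99999:7:::
legacy:abJnggxhB/yWI:18000:0:99999:7:::
svc:*:18633:0:99999:7:::
nologin:!:18633:0:99999:7:::
"""

# Constructed sample OpenLDAP userPassword values.
SAMPLE_LDAP = ["{SSHA}c0nstructedBase64==", "{CRYPT}$6$salt$hash", "plaintextsecret"]

if __name__ == "__main__":
    for user, info in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:8} {info.scheme:13} {info.rating:9} {info.note}")
    for value in SAMPLE_LDAP:
        info = classify_ldap(value)
        print(f"{value[:16]:16} {info.scheme:13} {info.rating:9} {info.note}")
    print("reset needed:", weak_accounts(SAMPLE_SHADOW))
```

Run it against a copy of the real shadow file (`audit_shadow(open("/etc/shadow").read())` as root) or against `userPassword` values exported with ldapsearch. The rating is deliberately conservative: one round of SHA-1 or MD5, salted or not, is rated weak because it offers no work factor against an attacker who already holds the hash, which is exactly the situation after a host compromise.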

