
Messages - Xepher

#2206
General Chat / Toys!
September 12, 2005, 06:18:39 PM
So, it's certainly a long way to Christmas or whatever, but I was just looking around online at various "toys" that I wish I could afford, and I'm curious as to what sorts of things the rest of you wish for. Let's ignore the semi-practical like "more ram" or "a more economical car" and stick with the really FUN stuff... but keep it possible. I want a MIG Fighter Jet too, but...

Here's a couple of mine...
http://www.wacom.com/lcdtablets/index.cfm
21" LCD tablet screen. Pressure, tilt, and rotation sensitive pen tablet, with 1600x1200 resolution. I'm not even a real artist and I want one of these!

Oh, and a 16.7 megapixel camera would be nice too...
http://consumer.usa.canon.com/ir/controller?act=ModelDetailAct&fcategoryid=139&modelid=10598

But I could "settle" for the Rebel XT
http://consumer.usa.canon.com/ir/controller?act=ModelDetailAct&fcategoryid=139&modelid=11154
#2207
Announcements / Hacked! (Or "Why I Hate People")
September 12, 2005, 05:21:12 PM
That's what I'm implementing, but it requires features added to the kernel, which is the one, single thing in Linux that ever requires a reboot.

Picture it this way, it's like reinstalling windows from 1000 miles away, with no monitor and no mouse. As such, I'm taking my time to make sure I do it right the first time, because once I reboot, if it doesn't come back up and let me log back in, then I have to nicely ask the people hosting it to go fix it. They of course, then ask me nicely to pay them good money for their time. :-)
#2208
Announcements / Hacked! (Or "Why I Hate People")
September 12, 2005, 02:59:55 PM
Quote from: Databits
Any chance that you could report this system trying to hack you?

I'm not sure if you caught everything I said, but it's being attacked by dozens of systems all over the world. This is a botnet... Most likely a bunch of infected machines whose owners have no idea what's going on. It'd be about as useful as trying to report every machine that ever sends you spam.
#2209
Announcements / Hacked! (Or "Why I Hate People")
September 12, 2005, 02:57:50 PM
File permissions? If it's a php file it needs to be set securely. Read the "Help & Info" page section on file permissions.
#2210
Art / New sig
September 11, 2005, 09:25:13 PM
Yeah, it's visible to me. Your browser just sucks at inline PNG or something?
#2211
Art / New sig
September 11, 2005, 08:55:40 PM
PNG works fine...


See?
#2212
Announcements / Hacked! (Or "Why I Hate People")
September 11, 2005, 08:46:05 PM
Computers don't work that way... I wish they did sometimes though.

I'm not still getting "hacked" per se, as there doesn't seem to be anyone who has access, but there are dozens of computers trying to login continually and trying all sorts of likely names and passwords. In other words, the barbarian hordes are at the gates and pounding against them repeatedly.

Here, take a look at a snippet of the log file.
Quote:
Sep 11 18:16:10 [sshd] Invalid user gitane from 67.15.28.13
Sep 11 18:16:10 [sshd] Invalid user godeffroy from 67.15.28.13
Sep 11 18:16:10 [sshd] Invalid user gracien from 67.15.28.13
Sep 11 18:16:11 [sshd] Invalid user grant from 67.15.28.13
Sep 11 18:16:11 [sshd] Invalid user granville from 67.15.28.13
Sep 11 18:16:12 [sshd] Invalid user grazieele from 67.15.28.13
Sep 11 18:16:12 [sshd] Invalid user gregoire from 67.15.28.13
Sep 11 18:16:13 [sshd] Invalid user gr351gory from 67.15.28.13
Sep 11 18:16:13 [sshd] Invalid user gucci from 67.15.28.13
Sep 11 18:16:13 [sshd] Invalid user guerin from 67.15.28.13
Sep 11 18:16:14 [sshd] Invalid user guerinet from 67.15.28.13
Sep 11 18:16:14 [sshd] Invalid user guibert from 67.15.28.13
Sep 11 18:16:14 [sshd] Invalid user guilette from 67.15.28.13
Sep 11 18:16:15 [sshd] Invalid user guillaume from 67.15.28.13
Sep 11 18:16:15 [sshd] Invalid user guillemin from 67.15.28.13
Sep 11 18:16:16 [sshd] Invalid user guillemot from 67.15.28.13
Sep 11 18:16:16 [sshd] Invalid user guillot from 67.15.28.13
Sep 11 18:16:20 [sshd] Invalid user guimart from 67.15.28.13
Sep 11 18:16:20 [sshd] Invalid user guiot from 67.15.28.13
Sep 11 18:16:20 [sshd] Invalid user guiote from 67.15.28.13
Sep 11 18:16:21 [sshd] Invalid user gunter from 67.15.28.13
Sep 11 18:16:21 [sshd] Invalid user gustav from 67.15.28.13
Sep 11 18:16:22 [sshd] Invalid user guy from 67.15.28.13
Sep 11 18:16:22 [sshd] Invalid user gwendoline from 67.15.28.13
Sep 11 18:16:22 [sshd] Invalid user gwenna353lle from 67.15.28.13
And that's just in those 12 seconds!

Anyway, this sort of thing happens semi-regularly over the past few years. Usually they don't keep it up this long though. This has been pretty much steady for the past week. I'm working on getting a program installed that will watch for repeated attempts and then ban that IP address for an hour or so. Actually, I'm thinking I might not ban it, but use a nifty tarpit thing... The analogy would be that instead of just not answering the requests, or just hanging up on them, it'd put them on indefinite hold, until THEY hang up. It would tie up their system resources somewhat and slow down any attacks they're also running against other people. Problem is, I have to reboot the system to implement some of the kernel features needed for it, and that always makes me nervous.

For now, I just hope none of y'all have easy to guess passwords!
#2213
Announcements / Hacked! (Or "Why I Hate People")
September 11, 2005, 06:00:09 PM
Frack... there's still an entire botnet attacking the server. I'm starting to wonder if the reason this all looked so odd was that there's more than just one person/group trying to get in. Did I mention I hate people?
#2214
Announcements / Hacked! (Or "Why I Hate People")
September 11, 2005, 07:47:18 AM
Lei, if you mean you can read other people's stuff, that's normal. Most files are world readable by default, unless the owner changes the permissions. Now if you're not just talking about going up a few folders and looking at stuff, but something more hack-like in nature, then by all means, email me and explain.

And as for affected files, it should ONLY be files with "index" in the name.
#2215
Announcements / Hacked! (Or "Why I Hate People")
September 11, 2005, 02:07:49 AM
Hmm... Thanks to Gwyn, (who's been checking a lot of the sites) some pages were still "hacked" and redirecting. Looking into it, I see that 343 files (out of over 5000 originally hacked) were unable to be restored, because they didn't exist (or were named differently) when the backup was made. I've simply removed all those files.
#2216
Announcements / Hacked! (Or "Why I Hate People")
September 11, 2005, 02:04:18 AM
Trekkie... good suggestion about thinking like a hacker, but, no offense intended or taken, I AM a good hacker. I've done all I can do to think about how I would hack in, and then to prevent those methods. This particular machine (orca) has been running for 3 years straight, and as you can probably see, it runs a LOT of services, and a LOT of people have fairly open access to it. I see evidence of hacking attempts almost daily, but this is the first time anyone's compromised the system itself. Still though, I think three years is a pretty good record for security on a system that deals out 10,000,000 files a month. And I have had other people try and hack in, the only one who succeeded got as far as guessing a password on an email-only account I used, but couldn't get farther than that. Anyone else is welcome to try, of course. The more heads thinking at it the better. I ask only two things if you're game to try though. First, let me know so I don't panic. And two, don't damage anything major in the process. If you want to put a "hahaha" on the main page or something well... fine, but don't go and crash the machine. :-)

Now, as for more regular backups... Not as easy as it sounds. I keep pretty regular backups of my stuff and the systems stuff, but the problem is there are hundreds of users here, and that backup takes hours to do. I don't have room to keep multiple backups either. So when I back up, it overwrites the old backup. That's fine if everything is good when you do it, but often users don't spot a hack or a corrupted file right away, sometimes it can be weeks until they do. If I backed up every day, then by the time they come to me and ask, the backup itself contains only the corrupted file.
#2217
Announcements / Hacked! (Or "Why I Hate People")
September 11, 2005, 12:47:47 AM
As I'm sure you noticed, Xepher.net was down for the first half of Saturday. Someone hacked into the server, and replaced every single file with a name starting with "index" with redirects to a hacked forum in Germany. I believe I found and fixed the bug they exploited to gain access (a very obscure heap overflow in the Perl compatible regular expression library) but I'm not 100% positive that was how they did it. As such, I'm still a bit jumpy about bringing things back online. As such, PLEASE report anything suspicious to me as soon as you see it.

Now, the damage. As I said, they replaced all those files with redirects, completely destroying whatever info used to be in the file. I wrote a script that went and found all such files, then replaced them from the system backup. Problem is, the system backup is a couple months old, and therefore many websites are gonna be rather anachronistic. If you have local copies of your files, go and replace anything named "index" that might have been changed in the past couple months.

Also, I'm gonna be adding more layers of security to the system. I'll post notes on that as I go, but some of it will be stuff you need to know about. Most notably, I'm going to install a system that watches for failed logins (bad passwords) and will completely ban an IP address if you get too many failures in a row. As such, if you forget/lose a password, do NOT just keep guessing, or you'll get completely blocked for at least an hour.

If anybody has some suggestions for security measures I could add, suggest them here.

Grrr... this whole thing makes me so angry. Today was a beautiful fall day, but instead of getting out and going fishing, I ended up spending the entire day digging through files and code. Completely ruined my Saturday just because some hackers got bored and wanted to show off.

I hate people.
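
Added example (not part of the original posts, and not the program that was installed on the server): a sketch of the "watch for failed logins, then ban the IP for an hour" logic described in this post and in the September 11, 08:46 PM post, reading lines in the same format as the sshd excerpt quoted there. The threshold of 5 failures in 60 seconds, the function names and the sample addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Line format taken from the quoted excerpt, e.g.
#   Sep 11 18:16:10 [sshd] Invalid user gitane from 67.15.28.13
# The address is anchored at end of line and the user name is matched greedily,
# so text inside an attempted user name is never mistaken for the source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \[sshd\] "
    r"Invalid user (?P<user>.*) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)
MAX_FAILURES = 5                 # assumed threshold, not from the post
WINDOW = timedelta(seconds=60)   # assumed counting window
BAN_TIME = timedelta(hours=1)    # "at least an hour", per the post

def parse_line(line, year=2005):
    """Return (timestamp, ip) or None; syslog lines carry no year, so one is supplied."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def find_bans(lines):
    """Return [(ip, banned_at, banned_until)] for each ban that would fire."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside WINDOW
    banned_until, events = {}, []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if banned_until.get(ip, ts) > ts:
            continue             # still banned: a firewall rule would drop this
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()          # forget failures older than the window
        if len(q) >= MAX_FAILURES:
            banned_until[ip] = ts + BAN_TIME
            events.append((ip, ts, ts + BAN_TIME))
            q.clear()
    return events

# Constructed sample (documentation address ranges), not the server's real log
SAMPLE = [
    "Sep 11 18:16:08 [sshd] Invalid user guest from 198.51.100.9",
    "Sep 11 18:16:09 [sshd] Invalid user x from 198.51.100.9 from 203.0.113.7",
] + [f"Sep 11 18:16:{10 + i} [sshd] Invalid user test{i} from 203.0.113.7" for i in range(6)]
```

Calling find_bans(SAMPLE) reports one ban, for 203.0.113.7; the single failure from 198.51.100.9 stays under the threshold, which is why a user who mistypes a password once or twice is not locked out.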
#2218
Knowhow Trading Post / Java references?
September 10, 2005, 04:46:05 AM
Python... expensive? Whiskey Tango Foxtrot!?

http://www.python.org

It's completely free and open source.
#2219
Technical Support / Lost in a Forum
September 10, 2005, 04:43:23 AM
You don't yet... They will go under the "applications" forum when it's open again though.
#2220
Technical Support / ftp/ uploading issues
September 09, 2005, 10:54:06 PM
Two stage problem. One, I forgot a file when unlocking your account. I fixed that bit. Two... PHP files have to have proper permissions. Read the "Help & Info" page for details, or just use the "fix permissions" tool in account management.