icculus.org
The short form of the story is "we got hacked".
This wasn't targeted at icculus.org, it just happened to hit us in a sweep of IP blocks. The guy had root access, and didn't touch any passwords or change any binaries. He overwrote all the HTML files in the filesystem with a "shout out to my homies!" webpage, and ran "rm -rf" on anything called "log".
The good news is all the HTML files were sitting on a backup from a few hours earlier, and all the log files were recoverable (we move the Apache logs to a different location once an hour, and he didn't kill any processes... Linux doesn't actually delete a file until everything that has it opened closes it or dies, so we copied everything before restarting the server).
He also nuked anything called ".bash_history", but didn't realize that bash writes out your command history from RAM when you log out, so basically, he left us a list of exactly what he touched.
In short, we got lucky for several reasons:
In closing the holes (PLURAL!), we upgraded the kernel to remove the root exploit (which was frighteningly effective before upgrading), and updated Apache and PHP...we also turned off PHP's "register_globals" flag, so some web things on i.o might be broken right now. I've fixed several scripts to respect the new settings today, but if you find something working strangely, please let me know.
Fun stuff.
--icculus.
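
The log recovery described in the post works because Linux keeps an unlinked file's data alive while a process still holds it open. The script below is an added example, not the commands icculus.org ran (the post does not show them); it lists and copies such files through /proc/PID/fd, and its function names, destination directory and PID arguments are assumptions.

```shell
#!/bin/sh
# Added example: find and copy files that were rm'ed but are still held open.
# Assumes Linux with /proc mounted; run as root to inspect other users' processes.

# list_deleted_open PID...
# Prints "PID FD PATH" for each open file whose directory entry is gone.
# The kernel marks these by appending " (deleted)" to the /proc/PID/fd link target.
list_deleted_open() {
    for pid in "$@"; do
        for fd in /proc/"$pid"/fd/*; do
            target=$(readlink "$fd" 2>/dev/null) || continue
            case $target in
                /memfd:*) ;;   # anonymous memory file, never had a path on disk
                /*" (deleted)")
                    printf '%s %s %s\n' "$pid" "${fd##*/}" "${target% (deleted)}" ;;
            esac
        done
    done
}

# recover_deleted_open DEST PID...
# Copies each such file to DEST/PID.FD.BASENAME by reading /proc/PID/fd/FD,
# which reopens the still-live inode. Do this before the process is restarted.
recover_deleted_open() {
    dest=$1
    shift
    mkdir -p "$dest" || return 1
    list_deleted_open "$@" | while read -r pid fd path; do
        cp "/proc/$pid/fd/$fd" "$dest/$pid.$fd.${path##*/}" &&
            printf 'recovered %s (pid %s, fd %s)\n' "$path" "$pid" "$fd"
    done
}

# When executed with arguments: recover.sh DEST PID...
if [ "$#" -ge 2 ]; then
    recover_deleted_open "$@"
fi
```

Each copy is a snapshot of the file at the moment it is read; a process that is still logging keeps writing to the unlinked inode until it exits.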