[luau] VIDEL Server Back Online

Mark Kellman mark_kellman at hotmail.com
Fri Apr 5 08:25:34 PST 2002


So, was this some April Fool's joke, or the real deal?


>From: "Warren Togami" <warren at togami.com>
>Reply-To: luau at videl.ics.hawaii.edu
>To: "LUAU" <luau at videl.ics.hawaii.edu>, <ics321 at videl.ics.hawaii.edu>,   
><monmotha-discuss at videl.ics.hawaii.edu>,   
><monmotha-devel at videl.ics.hawaii.edu>
>Subject: [luau] VIDEL Server Back Online
>Date: Fri, 5 Apr 2002 01:43:08 -1000
>
>My apologies if you are receiving this message more than once.  This is a
>broadcast to all mailing lists on videl.ics.hawaii.edu (and a cautious test
>to make sure our Mailman config is correct.)
>
>Here's the entire story about what happened.  We were not hacked, and
>contrary to what I posted earlier we weren't having hardware problems.
>
>On Monday we were informed by CERT that our server was attacking
>68.60.131.??? with "ROOTWAR.RPM rootkit".  Immediately we searched Google
>and found nothing about that rootkit name.  A reverse lookup revealed that
>the address was a Comcast cable modem user.  Our anonymous FTP logs showed
>that exact IP address had downloaded Mandrake 8.2 ISO's using WSFTPLE
>(Windows FTP client) a few hours before the "attack" occurred.  We found
>this to be very suspicious, and after a thorough search of our server for
>over 2 days of downtime analysis we found no signs of a security
>compromise.  I've since come to the conclusion that this is some dumb ass
>Windows user running something like ZoneAlarm or BlackIce personal
>firewall, and the program freaked out when the reverse callback connection
>of the active FTP protocol was blocked by the stupid firewall.  He might
>have cried wolf to CERT, or more likely it may have been an official
>looking forged warning from CERT meant to scare us.
>
>I didn't realize this until now, but the supposed CERT warning was sent to
>us on April 1st...
>
>Not wanting to take any risks, we went ahead and rebuilt the server anyway.
>Thanks to donations of a 60GB, 120GB hard drive and controller from George
>and Scott, it is now RAID 1 on the main system drives and another 120GB of
>storage for the FTP mirror.  We also went ahead and used the "vserver"
>security package, isolating each service into an isolated partition.  This
>should result in much greater security and flexibility, because even if
>root is cracked on an individual service there isn't much they can do to
>the machine and other services.  You can read about the vserver project
>here: http://www.solucorp.qc.ca
>
>I'm incredibly pissed that Ray and I wasted so much time in analysing and
>rebuilding the server due to what was almost certainly a false alarm, but
>in the end, I'm very happy that we learned about "vserver".  I can highly
>recommend vserver for anyone that wants to increase their server security
>or wants an interesting virtualization/partitioning project.
>
>Anyway, the server is back up so the mailing lists, few web pages and FTP
>downloads are back.  Mandrake is currently mirroring onto the server, and I
>will try to grab Red Hat, Debian and a few BSD ISO's over the course of the
>weekend.
>
>Linux FTP Downloads
>ftp://videl.ics.hawaii.edu
>MonMotha's IPTables Firewall
>http://monmotha.mplug.org
>Videl Mailing List Subscriptions
>http://videl.ics.hawaii.edu/mailman/listinfo
>
>Warren Togami
>warren at togami.com
>
>
>_______________________________________________
>LUAU mailing list
>LUAU at videl.ics.hawaii.edu
>http://videl.ics.hawaii.edu/mailman/listinfo/luau




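The triage Warren describes above, matching the complaining address against the anonymous FTP transfer log to see whether the "attack" was really the server's active-mode data connection back to a client, written out as an added example (not code from the original post or from the VIDEL server). The xferlog lines, timestamps and addresses are constructed for illustration; the log format is the wu-ftpd xferlog layout.

```python
import re
from datetime import datetime, timedelta

# Constructed sample wu-ftpd xferlog entries (not the real server's logs);
# the client addresses are documentation-range placeholders.
XFERLOG = """\
Mon Apr  1 03:12:45 2002 2301 192.0.2.17 734003200 /pub/Mandrake/8.2/cd1.iso b _ o a WSFTPLE@ ftp 0 * c
Mon Apr  1 03:58:02 2002 2287 192.0.2.17 731906048 /pub/Mandrake/8.2/cd2.iso b _ o a WSFTPLE@ ftp 0 * c
Mon Apr  1 04:10:11 2002 1 198.51.100.9 4096 /pub/README b _ o a mozilla@ ftp 0 * c
"""

# xferlog fields: timestamp, transfer seconds, remote host, bytes, path,
# type (a/b), special action, direction (o=outgoing), access mode (a=anon), user
XFER_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<secs>\d+) (?P<host>\S+) "
    r"(?P<size>\d+) (?P<path>\S+) [ab] \S [oid] (?P<mode>[ar]) (?P<user>\S+) "
)

def parse_xferlog(text):
    """Parse xferlog text into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = XFER_RE.match(line)
        if m:
            records.append({
                "when": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
                "host": m["host"], "path": m["path"],
                "anonymous": m["mode"] == "a", "user": m["user"],
            })
    return records

def transfers_before_report(records, reported_ip, reported_at, window=timedelta(hours=6)):
    """Transfers served to reported_ip within `window` before the reported event."""
    if isinstance(reported_at, str):
        reported_at = datetime.fromisoformat(reported_at)
    return [r for r in records
            if r["host"] == reported_ip
            and timedelta(0) <= reported_at - r["when"] <= window]

def triage_abuse_report(records, reported_ip, reported_at):
    """Classify a third-party 'your server attacked me' report.  If the
    complaining address had just pulled files from us, the inbound connection
    it saw was most likely our active-mode FTP data channel (server port 20 ->
    client ephemeral port), which a personal firewall logs as unsolicited."""
    if transfers_before_report(records, reported_ip, reported_at):
        return "likely active-FTP false positive"
    return "no recent FTP activity from reporter; investigate"
```

A match only downgrades the report's likelihood; the author still audited the host for two days before concluding nothing was compromised.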