[luau] VIDEL Server Back Online

al plant webmaster at hawaiidakine.com
Fri Apr 5 11:22:08 PST 2002


Warren Togami wrote:
> 
> My apologies if you are receiving this message more than once.  This is a
> broadcast to all mailing lists on videl.ics.hawaii.edu (and a cautious test
> to make sure our Mailman config is correct.)
> 
> Here's the entire story about what happened.  We were not hacked, and
> contrary to what I posted earlier we weren't having hardware problems.
> 
> On Monday we were informed by CERT that our server was attacking
> 68.60.131.??? with "ROOTWAR.RPM rootkit".  Immediately we searched Google
> and found nothing about that rootkit name.  A reverse lookup revealed that
> the address was a Comcast cable modem user.  Our anonymous FTP logs showed
> that exact IP address had downloaded Mandrake 8.2 ISO's using WSFTPLE
> (Windows FTP client) a few hours before the "attack" occurred.  We found this
> to be very suspicious, and after a thorough search of our server for over 2
> days of downtime analysis we found no signs of a security compromise.  I've
> since come to the conclusion that this is some dumb ass Windows user running
> something like ZoneAlarm or BlackIce personal firewall, and the program
> freaked out when the reverse callback connection of the active FTP protocol
> was blocked by the stupid firewall.  He might have cried wolf to CERT, or
> more likely it may have been an official looking forged warning from CERT
> meant to scare us.
> 
> I didn't realize this until now, but the supposed CERT warning was sent to
> us on April 1st...
> 
> Not wanting to take any risks, we went ahead and rebuilt the server anyway.
> Thanks to donations of a 60GB, 120GB hard drive and controller from George
> and Scott, it is now RAID 1 on the main system drives and another 120GB of
> storage for the FTP mirror.  We also went ahead and used the "vserver"
> security package, isolating each service into an isolated partition.  This
> should result in much greater security and flexibility, because even if root
> is cracked on an individual service there isn't much they can do to the
> machine and other services.  You can read about the vserver project here
> http://www.solucorp.qc.ca
> 
> I'm incredibly pissed that Ray and I wasted so much time in analysing and
> rebuilding the server due to what was almost certainly a false alarm, but in
> the end, I'm very happy that we learned about "vserver".  I can highly
> recommend vserver for anyone that wants to increase their server security or
> wants an interesting virtualization/partitioning project.
> 
> Anyway, the server is back up so the mailing lists, few web pages and FTP
> downloads are back.  Mandrake is currently mirroring onto the server, and I
> will try to grab Red Hat, Debian and a few BSD ISO's over the course of the
> weekend.
> 
> Linux FTP Downloads
> ftp://videl.ics.hawaii.edu
> MonMotha's IPTables Firewall
> http://monmotha.mplug.org
> Videl Mailing List Subscriptions
> http://videl.ics.hawaii.edu/mailman/listinfo
> 
> Warren Togami
> warren at togami.com
> 
> _______________________________________________
> LUAU mailing list
> LUAU at videl.ics.hawaii.edu
> http://videl.ics.hawaii.edu/mailman/listinfo/luau
###################


Good Work Guys!

"Out of adversity comes strength."

 
Aloha! Al Plant -Webmaster http://hawaiidakine.com
Providing FAST DSL Service for $28.80/mo.  Member Small
Business Hawaii.
Running Caldera Linux 2.4 & FreeBSD 4.4 UNIX 
Support Open Source in Business and Computing. Phone
808-622-0043
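The "reverse callback" Warren blames for the false alarm is the active-mode FTP data channel: after the client sends PORT, the server opens a TCP connection from its port 20 back to the client, and a host firewall on the client sees only an unsolicited inbound connection. The following Python is an added illustration, not code from this thread or from the videl server; it decodes PORT and 227 (passive) replies per RFC 959, shows which side initiates the data connection in each mode, and triages a client-side "inbound blocked" alert against the negotiated channel. All addresses, ports and the alert line are constructed (TEST-NET ranges), and the alert format is a made-up shape rather than any firewall product's.

```python
"""Active vs. passive FTP data channels (RFC 959), and why a client-side
personal firewall reports the active-mode callback as an inbound "attack".

Added illustration; not code from the mailing list or the videl server.
All hosts, ports and log lines below are constructed (TEST-NET addresses).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

FTP_DATA_PORT = 20  # source port the server uses for active-mode data connections


@dataclass(frozen=True)
class DataConnection:
    initiator: str  # "server" (active mode) or "client" (passive mode)
    src_ip: str
    src_port: int   # 0 = ephemeral port chosen at connect time
    dst_ip: str
    dst_port: int


def _decode_hostport(fields: list[str]) -> tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 encoding shared by PORT and the 227 reply."""
    if len(fields) != 6:
        raise ValueError(f"expected six fields, got {len(fields)}")
    nums = [int(f) for f in fields]  # raises ValueError on non-numeric input
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("each field must be in 0..255")
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("data port 0 is invalid")
    return ".".join(map(str, nums[:4])), port


def active_data_connection(server_ip: str, port_cmd: str) -> DataConnection:
    """Active mode: the client sends 'PORT h1,h2,h3,h4,p1,p2' and the SERVER
    then connects from its port 20 to that client address/port."""
    verb, _, arg = port_cmd.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError(f"not a PORT command: {port_cmd!r}")
    client_ip, client_port = _decode_hostport(arg.split(","))
    return DataConnection("server", server_ip, FTP_DATA_PORT, client_ip, client_port)


def passive_data_connection(client_ip: str, pasv_reply: str) -> DataConnection:
    """Passive mode: the server answers PASV with '227 ... (h1,h2,h3,h4,p1,p2)'
    and the CLIENT then connects out to that server address/port."""
    m = re.search(r"\((\d+,\d+,\d+,\d+,\d+,\d+)\)", pasv_reply)
    if not pasv_reply.startswith("227") or m is None:
        raise ValueError(f"not a 227 passive-mode reply: {pasv_reply!r}")
    server_ip, server_port = _decode_hostport(m.group(1).split(","))
    return DataConnection("client", client_ip, 0, server_ip, server_port)


def seen_as_inbound_by_client_firewall(conn: DataConnection) -> bool:
    """A host firewall on the client only sees unsolicited INBOUND connections;
    the active-mode callback is exactly that, the passive-mode connection is not."""
    return conn.initiator == "server"


# Constructed shape of a personal-firewall alert line (not any real product's format).
_ALERT_RE = re.compile(
    r"blocked inbound TCP (?P<src_ip>[\d.]+):(?P<src_port>\d+)"
    r" -> (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)"
)


def triage_alert(alert_line: str, expected: DataConnection) -> str:
    """Compare a client-side 'inbound blocked' alert with the data channel the
    FTP control session negotiated.  If the server was the expected initiator
    and all four endpoints match, the 'attack' is the FTP callback."""
    m = _ALERT_RE.search(alert_line)
    if m is None:
        return "unparseable alert"
    if (expected.initiator == "server"
            and m["src_ip"] == expected.src_ip
            and int(m["src_port"]) == expected.src_port
            and m["dst_ip"] == expected.dst_ip
            and int(m["dst_port"]) == expected.dst_port):
        return "benign: active-mode FTP data connection from the server's port 20"
    return "unexplained: does not match the negotiated FTP data channel"


if __name__ == "__main__":
    server, client = "192.0.2.10", "198.51.100.7"
    active = active_data_connection(server, "PORT 198,51,100,7,4,28")  # client port 4*256+28 = 1052
    print(active, "inbound at client:", seen_as_inbound_by_client_firewall(active))
    print(triage_alert("blocked inbound TCP 192.0.2.10:20 -> 198.51.100.7:1052", active))
    passive = passive_data_connection(client, "227 Entering Passive Mode (192,0,2,10,195,84)")
    print(passive, "inbound at client:", seen_as_inbound_by_client_firewall(passive))
```

The practical mitigation on the client side is the one the ftp mirror's users would have needed here: use passive mode, so the client initiates both connections and its firewall never sees an inbound attempt. On the server side, a triage like `triage_alert` (matching the alert's source port 20 and endpoints against the control-session log) turns a vague "your host attacked me" report into a checkable claim before anyone starts rebuilding hardware.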
