[luau] VIDEL Server Back Online

beesond001 at hawaii.rr.com
Fri Apr 5 15:14:29 PST 2002


Warren and Ray,

	You are both "the man!"  

Ben 

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 4/5/02, 1:43:08 AM, "Warren Togami" <warren at togami.com> wrote regarding 
[luau] VIDEL Server Back Online:


> My apologies if you are receiving this message more than once.  This is a
> broadcast to all mailing lists on videl.ics.hawaii.edu (and a cautious test
> to make sure our Mailman config is correct.)

> Here's the entire story about what happened.  We were not hacked, and
> contrary to what I posted earlier we weren't having hardware problems.

> On Monday we were informed by CERT that our server was attacking
> 68.60.131.??? with "ROOTWAR.RPM rootkit".  Immediately we searched Google
> and found nothing about that rootkit name.  A reverse lookup revealed that
> the address was a Comcast cable modem user.  Our anonymous FTP logs showed
> that exact IP address had downloaded Mandrake 8.2 ISO's using WSFTPLE
> (Windows FTP client) a few hours before the "attack" occurred.  We found this
> to be very suspicious, and after a thorough search of our server for over 2
> days of downtime analysis we found no signs of a security compromise.  I've
> since come to the conclusion that this is some dumb ass Windows user running
> something like ZoneAlarm or BlackIce personal firewall, and the program
> freaked out when the reverse callback connection of the active FTP protocol
> was blocked by the stupid firewall.  He might have cried wolf to CERT, or
> more likely it may have been an official looking forged warning from CERT
> meant to scare us.

> I didn't realize this until now, but the supposed CERT warning was sent to
> us on April 1st...

> Not wanting to take any risks, we went ahead and rebuilt the server anyway.
> Thanks to donations of a 60GB, 120GB hard drive and controller from George
> and Scott, it is now RAID 1 on the main system drives and another 120GB of
> storage for the FTP mirror.  We also went ahead and used the "vserver"
> security package, isolating each service into an isolated partition.  This
> should result in much greater security and flexibility, because even if root
> is cracked on an individual service there isn't much they can do to the
> machine and other services.  You can read about the vserver project here
> http://www.solucorp.qc.ca

> I'm incredibly pissed that Ray and I wasted so much time in analysing and
> rebuilding the server due to what was almost certainly a false alarm, but in
> the end, I'm very happy that we learned about "vserver".  I can highly
> recommend vserver for anyone that wants to increase their server security or
> wants an interesting virtualization/partitioning project.

> Anyway, the server is back up so the mailing lists, few web pages and FTP
> downloads are back.  Mandrake is currently mirroring onto the server, and I
> will try to grab Red Hat, Debian and a few BSD ISO's over the course of the
> weekend.

> Linux FTP Downloads
> ftp://videl.ics.hawaii.edu
> MonMotha's IPTables Firewall
> http://monmotha.mplug.org
> Videl Mailing List Subscriptions
> http://videl.ics.hawaii.edu/mailman/listinfo

> Warren Togami
> warren at togami.com


> _______________________________________________
> LUAU mailing list
> LUAU at videl.ics.hawaii.edu
> http://videl.ics.hawaii.edu/mailman/listinfo/luau
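
The false alarm Warren describes above (a client-side personal firewall reporting the server's active-mode FTP data connection as an "attack") is the kind of complaint an FTP admin can triage from their own logs. The following is an added example, not code from the original post or from the videl server: it decodes the PORT command that makes the server call back from TCP port 20, and checks an incoming complaint against constructed xferlog lines (the reporter address 192.0.2.10 and the filenames are made up for the sample).

```python
"""Triage helper for 'your server attacked me' reports against an FTP server.
In active-mode FTP the client sends PORT h1,h2,h3,h4,p1,p2 and the server
connects back from TCP port 20 to h1.h2.h3.h4:(p1*256+p2); a host firewall on
the client sees an unsolicited inbound SYN and may report it as an attack."""
from datetime import datetime, timedelta
from typing import Tuple
import re

FTP_DATA_PORT = 20
TS_FMT = "%a %b %d %H:%M:%S %Y"  # xferlog timestamp format

# Constructed xferlog sample; 192.0.2.10 is a documentation address, not the real reporter.
XFERLOG = """\
Mon Apr  1 03:12:44 2002 812 192.0.2.10 681574400 /pub/Mandrake/8.2/cd1.iso b _ o a wsftple@ ftp 0 * c
Mon Apr  1 03:40:10 2002 790 192.0.2.10 681574400 /pub/Mandrake/8.2/cd2.iso b _ o a wsftple@ ftp 0 * c
"""

def parse_port_command(cmd: str) -> Tuple[str, int]:
    """Decode an FTP PORT argument into (client_ip, client_port); ValueError if malformed."""
    m = re.fullmatch(r"PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})",
                     cmd.strip())
    if not m:
        raise ValueError(f"not a PORT command: {cmd!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def parse_xferlog(text: str):
    """Yield (timestamp, client_ip, path) per xferlog line (fields 0-4 are the date)."""
    for line in text.splitlines():
        f = line.split()
        yield datetime.strptime(" ".join(f[:5]), TS_FMT), f[6], f[8]

def explain_alert(src_port: int, reporter_ip: str, alert_time: str,
                  xferlog_text: str = XFERLOG, window_hours: int = 6) -> str:
    """Classify a complaint that our server connected to reporter_ip from src_port."""
    if src_port != FTP_DATA_PORT:
        return "not from the FTP data port; investigate normally"
    when = datetime.strptime(alert_time, TS_FMT)
    hits = [path for ts, ip, path in parse_xferlog(xferlog_text)
            if ip == reporter_ip and abs(when - ts) <= timedelta(hours=window_hours)]
    if hits:
        return f"likely active-mode FTP data connection: {len(hits)} transfer(s) to reporter nearby"
    return "source port 20 but no matching FTP transfer; investigate"

if __name__ == "__main__":
    print(parse_port_command("PORT 192,0,2,10,4,1"))
    print(explain_alert(20, "192.0.2.10", "Mon Apr  1 05:00:00 2002"))
```

A verdict of "likely active-mode FTP" is a reason to answer the complaint with the transfer record, not a reason to skip checking the host; a complaint with a source port other than 20 still gets the normal incident handling.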


