[luau] VIDEL Server Back Online
beesond001 at hawaii.rr.com
Fri Apr 5 15:14:29 PST 2002
Warren and Ray,
You are both "the man!"
Ben
>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
On 4/5/02, 1:43:08 AM, "Warren Togami" <warren at togami.com> wrote regarding [luau] VIDEL Server Back Online:
> My apologies if you are receiving this message more than once. This is a
> broadcast to all mailing lists on videl.ics.hawaii.edu (and a cautious test
> to make sure our Mailman config is correct.)
>
> Here's the entire story about what happened. We were not hacked, and
> contrary to what I posted earlier we weren't having hardware problems.
>
> On Monday we were informed by CERT that our server was attacking
> 68.60.131.??? with "ROOTWAR.RPM rootkit". Immediately we searched Google
> and found nothing about that rootkit name. A reverse lookup revealed that
> the address was a Comcast cable modem user. Our anonymous FTP logs showed
> that exact IP address had downloaded Mandrake 8.2 ISOs using WSFTPLE
> (Windows FTP client) a few hours before the "attack" occurred. We found this
> to be very suspicious, and after a thorough search of our server for over 2
> days of downtime analysis we found no signs of a security compromise. I've
> since come to the conclusion that this is some dumb ass Windows user running
> something like ZoneAlarm or BlackIce personal firewall, and the program
> freaked out when the reverse callback connection of the active FTP protocol
> was blocked by the stupid firewall. He might have cried wolf to CERT, or
> more likely it may have been an official-looking forged warning from CERT
> meant to scare us.
>
> I didn't realize this until now, but the supposed CERT warning was sent to
> us on April 1st...
>
> Not wanting to take any risks, we went ahead and rebuilt the server anyway.
> Thanks to donations of a 60GB, 120GB hard drive and controller from George
> and Scott, it is now RAID 1 on the main system drives and another 120GB of
> storage for the FTP mirror. We also went ahead and used the "vserver"
> security package, isolating each service into an isolated partition. This
> should result in much greater security and flexibility, because even if root
> is cracked on an individual service there isn't much they can do to the
> machine and other services. You can read about the vserver project here:
> http://www.solucorp.qc.ca
>
> I'm incredibly pissed that Ray and I wasted so much time in analysing and
> rebuilding the server due to what was almost certainly a false alarm, but in
> the end, I'm very happy that we learned about "vserver". I can highly
> recommend vserver for anyone that wants to increase their server security or
> wants an interesting virtualization/partitioning project.
>
> Anyway, the server is back up so the mailing lists, few web pages and FTP
> downloads are back. Mandrake is currently mirroring onto the server, and I
> will try to grab Red Hat, Debian and a few BSD ISOs over the course of the
> weekend.
>
> Linux FTP Downloads
> ftp://videl.ics.hawaii.edu
> MonMotha's IPTables Firewall
> http://monmotha.mplug.org
> Videl Mailing List Subscriptions
> http://videl.ics.hawaii.edu/mailman/listinfo
> Warren Togami
> warren at togami.com
> _______________________________________________
> LUAU mailing list
> LUAU at videl.ics.hawaii.edu
> http://videl.ics.hawaii.edu/mailman/listinfo/luau
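The active-FTP callback Warren describes, as an added example that is not part of the original post: the client's PORT command tells the server where to connect back, so a personal firewall on the client sees an unsolicited inbound connection from the FTP server and may report it as an attack. The addresses and log lines below are constructed, and the triage helper is a hypothetical one, not any tool mentioned in the thread.

```python
# Added example (not from the original post): why an active-mode FTP data
# connection looks like an "attack" from the server to a client-side firewall.
# Per RFC 959 the client sends "PORT h1,h2,h3,h4,p1,p2" and the SERVER then
# connects from its port 20 to the client at h1.h2.h3.h4:(p1*256+p2).
import re
from dataclasses import dataclass

FTP_DATA_PORT = 20  # server-side source port of active-mode data connections
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


@dataclass(frozen=True)
class DataConnection:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_port_command(line: str, server_ip: str) -> DataConnection:
    """Return the connection the server will open back to the client."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    fields = [int(x) for x in m.groups()]
    if any(not 0 <= x <= 255 for x in fields):
        raise ValueError("each PORT field must be 0..255")
    h1, h2, h3, h4, p1, p2 = fields
    return DataConnection(server_ip, FTP_DATA_PORT,
                          f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def matches_client_request(reported: DataConnection, server_ip: str,
                           control_log: list[str]) -> bool:
    """Hypothetical triage helper: does a reported 'server attacked client'
    connection equal a data connection the client itself asked for via PORT?
    Passive mode (PASV) never makes the server connect out, so only PORT lines
    from the client's control channel can explain such a report."""
    return any(line.startswith("PORT ")
               and parse_port_command(line, server_ip) == reported
               for line in control_log)


# Constructed sample data (placeholder addresses, not values from the post).
SERVER_IP = "192.0.2.10"
CONTROL_LOG = [
    "USER anonymous", "PASS ftp@example.invalid", "TYPE I",
    "PORT 198,51,100,23,4,1",  # client asks for data on 198.51.100.23:1025
    "RETR pub/mandrake-8.2-cd1.iso",
]
# What a personal firewall on the client would report as an inbound "attack":
REPORTED = DataConnection(SERVER_IP, FTP_DATA_PORT, "198.51.100.23", 1025)
```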