Geeky Girl
I had a very geeky day. If you are not a geek, you'll likely think this is the most geeky post ever. However, I think the winner for geeky posts is the guy who regularly posts his del.ico.us list of guitar finger charts he finds on a website. Memo to self: Remove Del.ico.us guy from Google Reader.
Okay, so I'm being asked to take over administration of a new area at work. The area has been largely administered by graduate students, and while these folks are not untalented, network security for their servers (and whatever else) has been lacking.
I looked at the web server (Windows Server) last week, and found, among other things...an installation of Unreal Tournament 2004, a hacked FTP server, several shared directories (including the c: directory) and some indication that there were people hosting sites from the Netherlands at one point. Not good.
How can you clean a server in this state? You don't. You get a good backup and erase it. You start over. You do the security first and then get it working the way it was.
I started to get another server ready to take on the website in a semi-interim manner. I needed to get Apache installed, PHP installed, mysql installed, ssh working, samba up and running. Did I mention that the machine that had been hacked was a Windows Server 2003 and that I know next to nothing about it?
I threw Debian Linux stable on a new server, and got it ready to go.
So, that was Friday. Today I get in and not only is the webserver in a pretty bad way, but someone has now hacked phpMyAdmin to attack other machines. We have an incident response team that contacts you about these things, and they usually "blackhole" machines with this sort of problem. Basically, turn off their network port. Anyway, for some reason, they just told us about the problem and didn't blackhole it, so the web site was still running. For now....
Disclaimer: I think phpMyAdmin is the devil. When it was first shown to me, I said, "Gosh, that looks easy to hack." I was told that it is possible to secure it, and we do have secured copies of it running on some of our servers, but I never bothered to learn exactly how. I do my mysql administration the old-fashioned way....from the command line. Yes, it's annoying sometimes, but I think I have a pretty good grasp of what has to happen there. Someday, I'll have to sit down and examine it...some of my more savvy users really want it.
Anyway, first chance I get, I go over and look at the phpMyAdmin folder on the webserver. 3AM on Saturday morning someone installed several php files and something called network.exe. Looking in the php files, I find little messages like "I hack you real good" and an allusion to a home directory in the C:\Recycler folder. I deleted these files after rendering them inert by renaming and changing the attribution and permissions.
Following the lead, I go to the C:\Recycler folder. I find there another folder with a list of computers that it is telling phpMyAdmin to attack to find vulnerabilities. So, it was using the server as a robot. I am showing one of the graduate students the traces left behind, then copying them to a secure place (in case they are important) and then deleting them. I believe we got most of it stamped out.
In the course of this, he asks why people do this sort of thing. It's a question I get a lot. Why do viruses exist? Why do people invent spyware? Why do people hack machines? I don't have answers other than...because they can. Because they have nothing better to do. Because they want to see what will happen. I don't have a psychological profile of these sorts of people; I just know they cause havoc and make a lot of work for me.
I did a search for other files hacked around 3AM on Saturday. A lot of them came up; mostly log files. But there were others too, and it is difficult to know exactly what he did.
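The search for files touched around the 3AM compromise time is the one piece of this that generalises: build a timeline by modification time and look at everything inside a window around the first known bad file. Here is an added example of that search (my code, not the author's, and not run against their server); it builds a small throwaway directory tree with constructed timestamps so it runs offline, then lists every file whose mtime falls within 30 minutes of the constructed compromise time. The directory names and timestamps are made up for the demo.

```python
import os
import tempfile
from datetime import datetime, timedelta


def find_files_modified_between(root, start, end):
    """Walk `root` and return (path, mtime) for every file whose modification
    time falls inside [start, end], oldest first.  Naive local datetimes are
    used throughout, matching what datetime.fromtimestamp() returns."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # unreadable or vanished mid-walk: skip, don't abort
            mtime = datetime.fromtimestamp(st.st_mtime)
            if start <= mtime <= end:
                hits.append((path, mtime))
    hits.sort(key=lambda hit: hit[1])
    return hits


def build_sample_tree():
    """Construct a throwaway tree with fake mtimes (constructed data, not taken
    from any real server) and return its root path.  The pretend compromise
    happened at 03:00 on a Saturday; two dropped files and one log are touched
    shortly after it, two legitimate files are much older."""
    root = tempfile.mkdtemp(prefix="webroot_")
    t0 = datetime(2007, 3, 3, 3, 0, 0)  # constructed compromise time
    files = {
        "phpMyAdmin/index.php": t0 - timedelta(days=30),       # legitimate, old
        "phpMyAdmin/shell.php": t0 + timedelta(minutes=4),     # dropped file
        "phpMyAdmin/network.exe": t0 + timedelta(minutes=7),   # dropped file
        "logs/access.log": t0 + timedelta(minutes=20),         # log churn
        "site/about.html": t0 - timedelta(days=200),           # legitimate, old
    }
    for rel, ts in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample content\n")
        epoch = ts.timestamp()
        os.utime(path, (epoch, epoch))  # set atime and mtime to the fake time
    return root


def suspicious_in_window(root, centre, minutes=30):
    """Relative paths of files modified within +/- `minutes` of `centre`."""
    window = timedelta(minutes=minutes)
    return [os.path.relpath(path, root)
            for path, _ in find_files_modified_between(root, centre - window, centre + window)]


def demo():
    """Build the sample tree and return what lands in the 03:00 +/- 30 min window."""
    root = build_sample_tree()
    return suspicious_in_window(root, datetime(2007, 3, 3, 3, 0, 0), minutes=30)


if __name__ == "__main__":
    for rel in demo():
        print(rel)
```

Run on a real tree you would widen the window step by step and read the result alongside the web server's own logs; log files will always show up, as the post notes, so the interesting entries are the executables and scripts that have no business being written at that hour.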
We changed the passwords, removed old users, and we removed the shares. But it was just a matter of time before it got hacked again; I could feel it.
I really needed to get the website to that new server. The website is database driven. I needed to get the pages over, and get the server backed up. On a Windows Server. Which I know very little about.
Poking around, I found the website. That was easy to copy over. Then it was time to get Apache pointing at the right place. Apache2, actually. If you really want to feel like a fully fledged geek, try out hacking conf files on different versions of Apache. It's like they felt the need to redesign it every version number.
Luckily, Debian is outstandingly easy to use for configuration of things like this, and the help instructions are really good.
So after a bit of fooling, Apache is pointing to the right place, the php5 stuff is installed, and the website is throwing errors because the mysql backend isn't working.
Go back to hacked server, do a mysqldump of the database. Transfer that to the new server.
Try to install mysql-server on the new server.
And it fails.
It's one thing to have something like this fail, but when you are SO CLOSE and you need something SO BAD, it's particularly annoying.
It's erroring out and the error is so cryptic. I google the error message and 18 different suggestions are offered. I try some. They don't work.
I leave work, go to the gym, come home, make dinner, and then sit down to work on it again. I study the cryptic error messages again. It says something about permissions, and when I dig a little deeper, I find it is looking for a group called adm. There is no group called adm. I create one.
I try the install again. IT WORKS!
Now, I'm dancing around my living room, and J thinks I am nuts.
IT WORKS! IT WORKS! IT WORKS!
Of course, I still need to see if this website will work with PHP5, and get the mysql dump back into the new database, and deal with permissions and granting on THAT, but ...
IT WORKS! IT WORKS! IT WORKS!
It's a small victory, but I live for small victories.
Labels: computer, geeky, linux