Hack and slash
This new website had been online for less than a week before I noticed it had been “pwnd.” I say “noticed” because I’m pretty new to setting up web servers, and probably took too long to finish all the security measures in my rush to get the whole thing online. As a consequence, I’ve had to do it all over again, with a fresh OS, one step at a time. I should have realised sooner that a hack attack was imminent.
[Figure: Probing activity] Gentle port probing from all over the world. This is nothing compared to what I saw when I first noticed the hack attempts in progress!
As you might be able to see from this Wireshark view of my tcpdump data, my machine is rejecting connection requests for ports 22 (SSH default), 23 (telnet et al.) and some others. Several ‘popular’ trojans use these ports as part of their operation, such as port 3128. This in itself is pretty harmless, as there is nothing listening on those ports, but as you can see, someone, somewhere is trying it on. I could show some far more aggressive logs, but that would give a little too much information away, so I’m holding onto that for now.
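The pattern in that capture (an inbound SYN to a port, answered by a RST from the server because nothing is listening) can be tallied from plain tcpdump output without opening Wireshark. The script below is an added example, not part of the original post: it parses constructed `tcpdump -n` style lines for a made-up server address (198.51.100.10) and counts rejected probes per port and the distinct sources behind them. The sample lines, addresses and port labels are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# One-line "tcpdump -n" TCP summary: timestamp, src.port > dst.port, then the flags.
TCP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Ports the post calls out as being probed (labels are illustrative).
WATCHED_PORTS = {22: "ssh", 23: "telnet", 3128: "proxy"}

# Constructed sample capture; 198.51.100.10 plays the role of the VPS.
SAMPLE = """\
10:02:11.104522 IP 203.0.113.5.51234 > 198.51.100.10.22: Flags [S], seq 1000, win 65535, length 0
10:02:11.104601 IP 198.51.100.10.22 > 203.0.113.5.51234: Flags [R.], seq 0, ack 1001, win 0, length 0
10:02:11.901337 IP 203.0.113.5.51235 > 198.51.100.10.23: Flags [S], seq 2000, win 65535, length 0
10:02:11.901402 IP 198.51.100.10.23 > 203.0.113.5.51235: Flags [R.], seq 0, ack 2001, win 0, length 0
10:02:12.330918 IP 192.0.2.77.40001 > 198.51.100.10.3128: Flags [S], seq 3000, win 29200, length 0
10:02:12.330990 IP 198.51.100.10.3128 > 192.0.2.77.40001: Flags [R.], seq 0, ack 3001, win 0, length 0
10:02:13.004117 IP 192.0.2.77.40002 > 198.51.100.10.22: Flags [S], seq 4000, win 29200, length 0
10:02:13.004190 IP 198.51.100.10.22 > 192.0.2.77.40002: Flags [R.], seq 0, ack 4001, win 0, length 0
10:02:14.512003 IP 198.51.100.10.443 > 192.0.2.200.55100: Flags [P.], seq 1:100, ack 1, win 501, length 99
10:02:15.000001 IP 203.0.113.5.51236 > 198.51.100.10.80: Flags [S], seq 5000, win 65535, length 0
10:02:15.000100 IP 198.51.100.10.80 > 203.0.113.5.51236: Flags [S.], seq 9000, ack 5001, win 65160, length 0
"""


def parse_line(line):
    """Return the TCP fields of one tcpdump summary line, or None if it does not match."""
    m = TCP_LINE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def summarize(lines, server_ip):
    """Count inbound SYNs per (source, port) and the server's RST replies per port.

    A SYN that the server answers with RST is a rejected probe: the port is closed,
    which is the harmless-but-noisy pattern shown in the capture above.
    """
    syns = Counter()            # (src_ip, dport) -> inbound connection attempts
    rejects = Counter()         # dport -> RSTs the server sent back
    sources = defaultdict(set)  # dport -> source IPs that probed it
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        flags = pkt["flags"]
        # "S" without "." is a bare SYN, i.e. a new connection attempt at the server.
        if pkt["dst"] == server_ip and "S" in flags and "." not in flags:
            syns[(pkt["src"], pkt["dport"])] += 1
            sources[pkt["dport"]].add(pkt["src"])
        # A RST leaving the server means the probe hit a closed port.
        elif pkt["src"] == server_ip and "R" in flags:
            rejects[pkt["sport"]] += 1
    return {"syns": syns, "rejects": rejects, "sources": sources}


def rejected_probes(summary):
    """Rows of (port, label, reject_count, distinct_sources), ascending by port."""
    rows = []
    for dport in sorted(summary["rejects"]):
        rows.append((dport, WATCHED_PORTS.get(dport, "other"),
                     summary["rejects"][dport], len(summary["sources"][dport])))
    return rows


if __name__ == "__main__":
    result = summarize(SAMPLE.splitlines(), "198.51.100.10")
    for port, label, n_rej, n_src in rejected_probes(result):
        print(f"port {port:>5} ({label}): {n_rej} rejected probes from {n_src} source(s)")
```

Run against a live file with `tcpdump -n -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-rst) != 0' > probes.log` and feed `probes.log` to `summarize`; the port 80 lines in the sample show that a SYN answered with SYN-ACK (a real service) is deliberately not counted as a reject, so the report only lists ports with nothing listening.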
My server IP address is not masked, simply because this server is no longer active. I have a new one, using a firewall/proxy service to help filter out the idiots. I say idiots because they won’t win. If my machine gets taken over again, I’m not going to spend any more time on it – I will just destroy it and move to a managed host 🙂
The site was hosted on a VPS (Virtual Private Server) on a major platform, and was under constant attack from all over the world. I spotted it was responding very slowly, so I delved into the logs, and noticed thousands of break-in attempts, which were quickly overloading the machine.
Adding some firewall rules on the console allowed me to get in and stay in reliably via SSH, and see what was happening. I still have no idea who it was, where they are from, or how they did it, but they were using my machine (that I pay for!) as part of a so-called ‘zombie network’ to probe, attack and generally mess around with other people’s sites. I could see connections to all sorts of other domains from my machine, and this was nothing to do with me.
I developed a security strategy, tested it on the infected machine, then deployed the setup onto a fresh install. So far, it seems to be much quieter and more reliable all round. I’m not going to report here how it works, nor what tools I’ve used, for obvious reasons!
I may write up my experiences one day, in more detail, to show how much needed to be done to keep these scumbags at bay.
Just remember, all you out there, sitting on a web server – You’re not safe. You’re not impervious. You’re probably already Pwnd. You just haven’t noticed yet.