I really should take lessons from chrish, because I suck ass at trying to be the sysadmin for my sites. Got a little story for all of you like me, wanna-be admins putting up your first Apache server to show your friends and family pictures of your kids, pets, or bare body parts:
I used to get hacked once every three months, like clockwork. I’d be sitting at my desk late at night, enjoying an adult beverage, and all of a sudden my router would light up like a Christmas tree. The load on my CPU would spike and the fans would fire up to cool the system down.
Being the sophisticated admin, I yanked the ethernet cord and tried doing an autopsy. Twice, I found nothing other than a couple of new users created. Once I found a 1.4 gig flat text file with IP addresses and SMB username/password combos that some automated script-kiddie tool, which someone was running on my machine, was generating.
Only once did a hack do any damage. I was testing some YDL stuff with Mr. Owen, and I lost use of the basic ‘ls’, ‘grep’, ‘ps’, etc. commands. With his help, I found out some dude/script had exploited a hole I created and replaced all the commands with hacked equivalents. The funny part: the hacked commands were x86 binaries! (They don’t run well on a PPC machine.)
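The mismatch described above (x86 binaries dropped onto a PPC box) is something a quick integrity check can catch: read each binary's ELF header and compare its `e_machine` field to what the host can actually execute. This is an added example, not code from the post; the host-to-machine table and the constructed sample headers are my assumptions.

```python
import struct

# ELF e_machine constants from the ELF specification.
EM_386, EM_PPC, EM_PPC64, EM_X86_64 = 3, 20, 21, 62

# Assumed mapping of a host architecture to the e_machine values it can run natively.
HOST_MACHINES = {
    "ppc": {EM_PPC},
    "ppc64": {EM_PPC, EM_PPC64},
    "i386": {EM_386},
    "x86_64": {EM_386, EM_X86_64},
}

def elf_machine(data):
    """Return the e_machine value of an ELF image, or None if it is not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None  # shell scripts and other non-ELF files are skipped
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    (machine,) = struct.unpack_from(endian + "H", data, 18)  # e_machine at offset 18
    return machine

def audit(binaries, host):
    """Return [(path, e_machine)] for every ELF whose architecture the host cannot run."""
    allowed = HOST_MACHINES[host]
    suspicious = []
    for path, data in sorted(binaries.items()):
        machine = elf_machine(data)
        if machine is not None and machine not in allowed:
            suspicious.append((path, machine))
    return suspicious

def audit_files(paths, host):
    """Same check against real files on disk (reads only the 64-byte header)."""
    contents = {}
    for path in paths:
        with open(path, "rb") as fh:
            contents[path] = fh.read(64)
    return audit(contents, host)

def make_header(machine, big_endian):
    """Constructed minimal ELF header used as sample input (not a real binary)."""
    endian = ">" if big_endian else "<"
    ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1]) + b"\0" * 9
    return ident + struct.pack(endian + "HH", 2, machine) + b"\0" * 44

# Constructed sample: a trojaned x86 'ls', a legitimate big-endian PPC 'ps', and a script.
SAMPLE = {
    "/bin/ls": make_header(EM_386, False),
    "/bin/ps": make_header(EM_PPC, True),
    "/bin/true.sh": b"#!/bin/sh\nexit 0\n",
}

if __name__ == "__main__":
    for path, machine in audit(SAMPLE, "ppc"):
        print(f"{path}: e_machine={machine} does not match host ppc")
```

Run it over the real directory with `audit_files(glob.glob("/bin/*"), "ppc")`; a replaced binary shows up even when its name and timestamp look normal.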
Ok, so back to the every-three-month thing. Turns out, during an argument with Kai (our CEO) over passwords, someone brought up Jack the Ripper complete with a table of password complexity vs. hack time. Yep, my passwords took ~3 months to brute force. Now my passwords are 20+ character phrases, convoluted to use a little bit of the entire ASCII set. I still don’t dig on random passwords, but I am all for complex ones.
So now all my hacks are from exploits that I either created or from some service I didn’t keep updated. But I’m getting better. Since I think I’ve been hit again, I found a cool little posting that is a good quick overview of a forensic deconstruction. Enjoy: