[identity profile] lordstorm.livejournal.com posting in [community profile] techrecovery
Cue this shift's stupidity:

- Cust: ZOMFG!!!111!!one!!1!1!eleventy-one!!1 My server is ruined! You host it, it's your fault!
- Me: Er, okay.....

Initial investigation shows both his (un-managed!) servers, co-lo'd in one of our many sites, have been exploited, to the point that a physical console on the machines was the only way in. A quick look around confirms the prognosis: the electronic equivalent of a messy anal rape.

- Me: Your boxen are hosed. I hope you took backups.
- Cust: ...backups??? *insert curious reaction to foreign, unknown word here*

Cue finger-pointing that server security is our fault, despite the fact the customer has no firewall and seems to have neglected setting up any filtering/ACLs on his servers. It took all of five minutes to demonstrate why he was so badly 0wnzed:

[lordstorm@nocjump] ~$ ssh root@you.deserve.to.be.exploited.you.stupid.twat.customer-id.isp.net
Password:

bash-2.05#


Oh look! You've even left ssh open to root-logins! As good as a neon sign advertising the back entrance!

Dipshit. Go away now, you hurt my brain.
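The thing the post's `ssh root@...` test is really probing is the server's PermitRootLogin setting. Below is an added audit script (not from the post or from anyone in this thread) that parses an sshd_config the way sshd does, so you can see the trap that bites people who "fix" a config by appending a line at the bottom. Both config texts are constructed for illustration; the parser follows sshd_config(5): keywords are case-insensitive, the first value given for a keyword wins, and anything after a Match line applies only when that Match's criteria hold.

```python
"""Audit an sshd_config for password root-login exposure (added example)."""
import re

# OpenSSH values for PermitRootLogin. "without-password" is the older
# spelling of "prohibit-password".
ROOT_WITH_PASSWORD = {"yes"}
ROOT_KEY_ONLY = {"prohibit-password", "without-password", "forced-commands-only"}


def parse_sshd_config(text):
    """Return (global_opts, match_blocks).

    global_opts  : {keyword_lowercase: first_value}
    match_blocks : [(criteria_string, {keyword_lowercase: first_value}), ...]
    Only full-line comments (leading '#') are stripped, as sshd does.
    """
    global_opts, match_blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "Keyword value" or "Keyword=value"
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(keyword, value)   # first occurrence wins
    return global_opts, match_blocks


def effective_permit_root_login(text, default="yes"):
    """Global PermitRootLogin value. `default` is what an unset keyword means:
    'yes' on the OpenSSH releases of the post's era (before 7.0);
    pass 'prohibit-password' for OpenSSH 7.0 and later."""
    global_opts, _ = parse_sshd_config(text)
    return global_opts.get("permitrootlogin", default).lower()


def root_password_login_exposed(text, default="yes"):
    """True when root can log in with nothing but a password: PermitRootLogin
    allows it and PasswordAuthentication (default yes) is not switched off."""
    global_opts, _ = parse_sshd_config(text)
    prl = effective_permit_root_login(text, default)
    password_auth = global_opts.get("passwordauthentication", "yes").lower()
    return prl in ROOT_WITH_PASSWORD and password_auth != "no"


def match_overrides(text):
    """Match blocks that change PermitRootLogin, as [(criteria, value)].
    A hardened global setting is only as good as these exceptions."""
    _, match_blocks = parse_sshd_config(text)
    return [(crit, opts["permitrootlogin"].lower())
            for crit, opts in match_blocks if "permitrootlogin" in opts]


# Constructed configs: roughly the customer's box, and a hardened one with a
# network-scoped exception. The second PermitRootLogin in the first config
# is ignored by sshd, which is exactly the point.
EXPOSED_CONFIG = """\
# constructed sshd_config
Port 22
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed hardened sshd_config
PermitRootLogin prohibit-password
PasswordAuthentication no
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, effective_permit_root_login(cfg),
              "password-root-login" if root_password_login_exposed(cfg) else "ok",
              match_overrides(cfg))
```

Run it against `/etc/ssh/sshd_config` on a box you administer and it tells you the value sshd will actually use, plus any Match exceptions that quietly reopen root. Once PermitRootLogin is off, the password prompt in the post tells you nothing either way, which is the point two-pi-r and delta_mike make below.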

Date: 2008-03-12 11:56 pm (UTC)
From: [identity profile] two-pi-r.livejournal.com
You can ssh to a machine with AllowRoot set, as root. It just won't let you in no matter if you have the right password. So, ssh root@ isn't a valid test.

Date: 2008-03-13 12:22 am (UTC)
From: [identity profile] two-pi-r.livejournal.com
Okay. Great. Thanks. :)

Date: 2008-03-13 12:11 am (UTC)
delta_mike: (Default)
From: [personal profile] delta_mike
Indeed, that's true. It's a security feature; OpenSSH, at least, does its best to react identically regardless of whether the requested user actually exists or not.

We cheat; we don't _have_ a root password. (Kerberos: each admin has their own individual key, separate from their main key)

Which does make watching bad guys attempt to brute-force it funny.

(But only briefly; after a couple tries, the iptables RECENT match spots them and starts bouncing their connection attempts with icmp-admin-prohibited. Hah, die evil brute-force scum-sucking bots.)
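To make the "after a couple tries" behaviour concrete, here is an added simulation (not delta_mike's rules, and not code from the thread) of how the iptables `recent` match throttles new SSH connections. It assumes the common two-rule layout below, with the `--set` rule ahead of the `--update` rule; the traffic it runs over is constructed.

```python
"""Simulate iptables 'recent' throttling of SSH connection attempts (added example).

Assumed rule pair, in this order, for new connections to port 22:
  -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
  -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
      --seconds 60 --hitcount 4 --name SSH -j REJECT --reject-with icmp-admin-prohibited

xt_recent keeps a per-source list of timestamps (20 by default). --set appends
the current packet's stamp; --update matches when at least `hitcount` stamps fall
inside the last `seconds`, and on a match appends another stamp, so a source
that keeps hammering keeps extending its own block.
"""
from collections import defaultdict, deque

STAMPS_PER_SOURCE = 20   # ip_pkt_list_tot default for xt_recent


def throttle(attempts, seconds=60, hitcount=4):
    """attempts: iterable of (time_seconds, source_ip) new SSH connections.
    Returns [(time, ip, 'ACCEPT' | 'REJECT'), ...] in time order."""
    table = defaultdict(lambda: deque(maxlen=STAMPS_PER_SOURCE))
    verdicts = []
    for now, ip in sorted(attempts):
        stamps = table[ip]
        stamps.append(now)                                # --set rule
        in_window = sum(1 for t in stamps if now - t <= seconds)
        if in_window >= hitcount:                         # --update matched
            stamps.append(now)                            # update refreshes the entry
            verdicts.append((now, ip, "REJECT"))
        else:
            verdicts.append((now, ip, "ACCEPT"))
    return verdicts


def verdicts_for(attempts, ip, **kw):
    """Just the verdict sequence for one source address."""
    return [v for _, src, v in throttle(attempts, **kw) if src == ip]


# Constructed traffic: a bot connecting every 5 s, then returning after a pause,
# interleaved with an admin's two legitimate logins (addresses are documentation
# ranges, not real hosts).
ATTEMPTS = [
    (0, "203.0.113.9"), (3, "192.0.2.10"), (5, "203.0.113.9"),
    (10, "203.0.113.9"), (15, "203.0.113.9"), (20, "203.0.113.9"),
    (30, "192.0.2.10"), (80, "203.0.113.9"),
]

if __name__ == "__main__":
    for t, ip, verdict in throttle(ATTEMPTS):
        print(f"t={t:>3}s {ip:<14} {verdict}")
```

With these numbers the bot gets three connections, is bounced on the fourth and fifth, and is let back in at t=80 because only the stamps from t=20 onward still fall inside the 60-second window. The admin's two logins are never affected because the list is per source address. Lowering `--hitcount` or raising `--seconds` makes the block stickier; the trade-off is that a legitimate user behind the same NAT as a bot gets bounced too.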

Date: 2008-03-13 05:35 am (UTC)
jecook: (Default)
From: [personal profile] jecook
+1.

In the oh, damn near 8 years I've been running sub-ether.net, I've been compromised ONCE, and it was from a shite password, which immediately got fixed, AND I got off my lazy ass and turned on the kernel's packet filter. (FreeBSD 4.5's packet filtering sucked when I originally looked at it, which was why I was pleasantly surprised when it took me all of ten minutes and a reboot to turn it on in the version currently running)

And yes, it *IS* fun to watch the bad guys hammer away on SSH, and get Der Boot from the iptables filter.

Date: 2008-03-13 11:08 am (UTC)
From: [identity profile] canray.livejournal.com
Ah! But does OpenSSH have a huge team of Marketing Professionals with perfect hair and fake smiles working at their Golf Course Offices?

No? Oh well...

Date: 2008-03-13 01:35 am (UTC)
From: [identity profile] syberghost.livejournal.com
Once upon a time when I was on the monitoring team, we were about to take over monitoring some projects for another admin group in the company. I was tasked with assessing their readiness for some of our tools, and needed root. I contacted one of their SAs and he told me they used rlogin, and had root set to trust their accounts. So, if I would just log into his account, I could get root.

So, cringing and vowing SSH would be the first thing we'd put on these boxes, I rlogined into his account. He started to tell me his password, but it wasn't necessary; his own .rhosts file had a + in it, and thus allowed ANYBODY in as him. And from there, to root on any of the servers his group administrated.

I hope they aren't reading this, 'cause they probably think the audit they got from the Information Security team shortly thereafter was a coincidence...
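The `+` syberghost found is worth being able to spot mechanically. The following is an added checker (not from the thread, and not what that Information Security team ran) for `.rhosts` and `hosts.equiv` entries; the file contents it runs over are constructed. Format recap from hosts.equiv(5): one entry per line, `host [user]`; `+` in the host field matches any host, `+` in the user field matches any user, a leading `-` denies, `+@group` and `-@group` name NIS netgroups, and when the user field is absent the remote user must have the same name as the local account being logged into.

```python
"""Flag wildcard trust in .rhosts / hosts.equiv files (added example)."""


def parse_rhosts(text):
    """Yield (lineno, host, user) for each entry; user is None when absent."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        yield lineno, host, user


def open_entries(text):
    """Entries that grant access from anywhere or to anyone, as (lineno, description)."""
    findings = []
    for lineno, host, user in parse_rhosts(text):
        if host.startswith("-") or (user or "").startswith("-"):
            continue                      # explicit deny, not a grant
        if host == "+" and user == "+":
            findings.append((lineno, "any host, any user"))
        elif host == "+":
            who = f"user {user}" if user else "same username"
            findings.append((lineno, "any host, " + who))
        elif user == "+":
            findings.append((lineno, f"any user from {host}"))
    return findings


def root_reachable_via(rhosts_by_user):
    """Users whom root's .rhosts trusts and whose own .rhosts is open to any host.

    Conservative heuristic for the two-hop path in the story: get in as the
    wide-open account, then ride its entry in root's .rhosts.
    rhosts_by_user maps a local username to the text of that user's .rhosts.
    """
    root_text = rhosts_by_user.get("root", "")
    trusted_users = {user for _, _, user in parse_rhosts(root_text) if user}
    return sorted(
        u for u in trusted_users
        if any(h == "+" for _, h, _ in parse_rhosts(rhosts_by_user.get(u, "")))
    )


# Constructed files. SA_RHOSTS is the one-character file from the story.
SA_RHOSTS = "+\n"
ROOT_RHOSTS = """\
# constructed /.rhosts: root trusts two admin accounts on two hosts
adminhost.example.net sa
mon.example.net monitor
"""
MONITOR_RHOSTS = "-evil.example.net\nmon.example.net\n"

if __name__ == "__main__":
    for name, text in (("sa", SA_RHOSTS), ("root", ROOT_RHOSTS), ("monitor", MONITOR_RHOSTS)):
        print(name, open_entries(text))
    print("root reachable via:",
          root_reachable_via({"root": ROOT_RHOSTS, "sa": SA_RHOSTS, "monitor": MONITOR_RHOSTS}))
```

The real fix is the one syberghost vowed: replace the r-commands with SSH and key-based authentication, since `.rhosts` trusts whatever hostname and username the remote side claims. Until then, a cron job that runs `open_entries` over every home directory's `.rhosts` and `/etc/hosts.equiv` catches a stray `+` the same day it appears.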

Date: 2008-03-13 05:36 am (UTC)
jecook: (Default)
From: [personal profile] jecook
O.O

PLEASE tell me these machines had zero public 'net access.

Date: 2008-03-13 11:59 am (UTC)
From: [identity profile] syberghost.livejournal.com
These machines had zero public 'net access. :)

Date: 2008-03-13 06:35 am (UTC)
From: [identity profile] wxgeek.livejournal.com
omg wow.
