2006-09-05 20:07:55.581137+00 by Dan Lyke 12 comments
Something took down my server this morning. I've been through the logs and don't find any obvious suspects (although someone was trying to brute force passwords a few days ago), but I see that a lot of other people seem to have been having issues this morning. Was there some monster spam assault or something?
[ related topics: Spam Monty Python ]
comments in ascending chronological order (reverse):
#Comment Re: made: 2006-09-05 20:27:52.721584+00 by: spc476
Maybe. I know we're collateral damage to a joe job. And I see brute force password attempts all the time so that's nothing new.
#Comment Re: made: 2006-09-05 21:43:52.477298+00 by: meuon
Coincidence? I got nailed this morning by a brute force lucky guess at an ftp capable login/password, they uploaded a simple php script to a website, that let them upload others and run them (as the webserver) that dumped a LOT of ebay scam e-mails on the server. It looked semi-automated, with them finding the login/password and testing it on the 3rd. uploading the files on the 4th, and initiating the e-mails on the 5th. All from various IP's, including some Amsterdam ones (that's new to me).
I'd completely turn off FTP but I'm using it for some automated batch uploads...
#Comment Nothing here made: 2006-09-05 22:10:23.317311+00 by: td [edit history]
Nothing like that at iq0.com. It crashed because I fumble-fingeredly typed 'kill 1 -113' instead of 'kill -1 113' while tinkering some DNS stuff this morning before my caffiene took effect. I'm in New Mexico and the server's in a locked shed in Berkeley (key in my pocket!), so we'll be down for a few days until we get home from visiting our new 4-day old grandson!!!!! (whose web site is off-line...)
#Comment Re: made: 2006-09-05 22:12:23.473315+00 by: Dan Lyke
Nothing new in my public_html directories for any user on the system.
Yeah, I'm unhappy having FTP on, but I've got one or two people who aren't SCP capable, and I'm pretty strict about their passwords.
#Comment Re: made: 2006-09-05 22:33:26.021782+00 by: Dan Lyke [edit history]
td: ouch. I've typed "shutdown now" into the wrong window before, but fumbling the kill is a novel one. Makes me glad I use the symbolics rather than the numbers for the kill signal.
It's probably coincidence, it's just that it felt like more sites than usual were having trouble this morning.
#Comment Re: [Entry #9248] Re: made: 2006-09-06 02:11:03.089457+00 by: Unknown, from NNTP
meuon <prefersanonymity_20@flutterby.com> writes:
> I'd completely turn off FTP but I'm using it for some automated batch > uploads...
rsync (over SSH, with key pairs and SSH agent) can be your friend in those types of situations...
john.
#Comment Re: made: 2006-09-06 02:50:57.785684+00 by: meuon
John, if I could have talked the proprietary AS400 software nutjobs into or through anything other then FTP...I would have. As I did that project, I learned it was a very capable machine (running DB2 especially), and that the old timer(s) that live in and support that particular version of that world bring new meaning to the words: obtuse, cranky, arcane and lethargic. It took months, threats, money and almost lawyers for them to dump a few ascii files and FTP them hourly.
#Comment Re: [Entry #9248] Re: made: 2006-09-06 03:31:02.402524+00 by: Unknown, from NNTP
meuon <prefersanonymity_20@flutterby.com> writes:
> John, if I could have talked the proprietary AS400 software nutjobs > into or through anything other then FTP...
Ouch. Been there, done that (with some Solaris nutjobs, anyway), have the mental scars. All too often, Doing The Right Thing loses out to Making The Damn Thing Go...
#Comment Re: made: 2006-09-06 12:02:29.833259+00 by: mkelley
I'm getting a lot.... *a lot* of ebay scam emails today....very realistic looking ones that I had to pour through the source to find the exact link. Linking to true auctions and true bidders, but with bogus "respond now" links...
#Comment Re: made: 2006-09-06 13:24:35.699999+00 by: meuon [edit history]
You want the tar file that'll install the whole mess on YOUR server? I'm guessing it was a 3 day weekend: good time to attack the world and do a scam. We used to see trends like this at COL almost every holiday. NOC/SysAdmins are on vacation... tech support is staffed at a minimum..
I'm thinking that all future installs will have a relatively small mail qeue partition, just so it can fill up (like this one did) and halt.
#Comment Re: made: 2006-09-11 01:25:45.60917+00 by: baylink
Meuon: couldn't you FTP the files to a small Linux box *on the same LAN*, and them move them with something secure to the remote location?
#Comment Re: made: 2006-09-11 13:21:20.298329+00 by: meuon
Laughing at/with Baylink: The (bad) things you do when you are a mercenary geek for hire, in a place where the "IT" dept (2 guys) see you as a threat, and the boss just wants the data to be web accessable by customers for under $XXXX, and the "IT" guys don't have admin rights to the box, the company that developed the software on the AS400 does, and you have to threaten them to get it done. Threaten includes: The company owner screaming into the phone, reminding the development company that they are in that industry because of him.
The final straw was my 'mocking up' a web based version of their AS400 system in PHP and MySQL.. which was not that hard.
So after all of this, we got them to FTP the data hourly... and that was enough. (And yes, the AS400 supports SSH/SCP (as an add-in) but the AS400 guru's didn't understand it..)
If they had a small Linux boxen that I could have used as a proxy, I would have.