Koozali.org: home of the SME Server

SERVER ATTACKED

Chaloner Hale

SERVER ATTACKED
« on: December 30, 2001, 06:06:02 PM »
Well, my server surprised me today with a new user that called himself testkid "Test Kid". Someone broke in and added himself as a user. He never put in a password.

Chaloner Hale

Dan G.

Re: SERVER ATTACKED
« Reply #1 on: December 30, 2001, 06:45:11 PM »
How about some detail?

Do you have Public access enabled?  PPTP?  What open services do you advertise to the 'outside world?'  Is your server physically secure?  Are you on a LAN where an "insider" could have done it?  If you are certain that it was a break-in thru a secure configuration (i.e., there is something fundamentally exploitable in an SME config that no one is yet aware of), you would be wise to notify the SME support team with specifics before posting here.

Justin

Re: SERVER ATTACKED
« Reply #2 on: December 31, 2001, 05:49:27 PM »
What other software have you installed on the server?

Chaloner Hale

Re: SERVER ATTACKED
« Reply #3 on: December 31, 2001, 06:20:28 PM »
This server is for testing/learning. I have Zope, Interchange, the mp3 blade, andromeda, seti@home (just installed), Hylafax (not really working), phpNuke, webcal, and an e-commerce test site.

Chaloner Hale

Justin

Re: SERVER ATTACKED
« Reply #4 on: December 31, 2001, 06:46:08 PM »
Do you have nuke patched?

It is a wide open security problem right now - nothing to do with e-smith.

That would be the first place I would look - I have seen 6-8 attacks on my server already in the past few weeks specifically attacking nuke.

Justin.

Zaphod

Re: SERVER ATTACKED
« Reply #5 on: January 02, 2002, 04:46:55 AM »
phpnuke is well known in the security world as the equivalent of hanging a sign on your server that says "Hey!  Come get me!"  :)

Seriously, there have been a *lot* of advisories on bugtraq and some of the other security mailing lists over the past year.  I wouldn't be surprised at all if this is how someone got in.  I believe Mitel even posted a warning on the front e-smith.org page about PHPnuke...

Rich Lafferty

Re: SERVER ATTACKED
« Reply #6 on: January 03, 2002, 01:29:14 AM »
Chaloner,

Apologies for the delay in responding to this; we've been closed over the Christmas holiday, and have thus been less attentive to the boards. I'll be sending you email with steps to take to help us analyze the break-in.

We do prefer that security problems be reported first to security@e-smith.com; in this case, that would have ensured immediate attention, and it also ensures that one is not inadvertently releasing information that invites others to break into other SME Servers (or, for that matter, into your own!).

Thanks,

Rich Lafferty
Network Server Solutions Group
Mitel Networks

Chaloner Hale

Re: SERVER ATTACKED
« Reply #7 on: January 03, 2002, 02:23:35 AM »
Sorry, but my server was rebooted shortly after. Usually I never turn it off as it runs SO WELL... Thanks anyway. There is nothing I am worried about losing on it anyway. If the problem happens again, I will follow your instructions.


Thanks,

Chaloner Hale

Garret

Re: SERVER ATTACKED
« Reply #8 on: January 05, 2002, 02:53:19 AM »
http://myphpnuke.com . . . a secure alternative to php-nuke