Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: Chaloner Hale on December 30, 2001, 06:06:02 PM

Title: SERVER ATTACKED
Post by: Chaloner Hale on December 30, 2001, 06:06:02 PM
Well, my server surprised me today with a new user that called himself testkid "Test Kid". Someone broke in and added himself as a user. He never put in a password.

Chaloner Hale
Title: Re: SERVER ATTACKED
Post by: Dan G. on December 30, 2001, 06:45:11 PM
How about some detail?

Do you have Public access enabled?  PPTP?  What open services do you advertise to the 'outside world?'  Is your server physically secure?  Are you on a LAN where an "insider" could have done it?  If you are certain that it was a breakin thru a secure configuration (i.e., there is something fundamentally exploitable in an SME config that no one is yet aware of), you would be wise to notify the SME support team with specifics before posting here.
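The check a defender would want after a post like the one that opened this thread is a quick audit of the account database: which accounts are not in a known-good baseline, and which have an empty password field (an account "without a password", like the one described). The script below is an added example, not code from the original thread or from SME Server; the baseline set, the /etc/passwd and /etc/shadow contents, and the hash strings are all constructed sample data, and the file paths are the standard Linux ones rather than anything SME-specific.

```python
"""
Added example: audit a Linux account database for accounts that are not in a
known-good baseline, accounts with an empty password field, and non-root
accounts with uid 0.  All input below is constructed sample data; on a real
host you would read /etc/passwd and /etc/shadow (the latter as root).
"""
from dataclasses import dataclass

# Constructed: the set of accounts captured when the server was known-good.
BASELINE_USERS = {"root", "admin", "chaloner", "www", "nobody"}

# Constructed /etc/passwd content.  Fields: name:x:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:Administrator:/home/e-smith:/bin/bash
chaloner:x:5001:5001:Chaloner Hale:/home/e-smith/files/users/chaloner:/bin/bash
www:x:48:48:Web Server:/home/httpd:/bin/false
nobody:x:99:99:Nobody:/:/bin/false
testkid:x:5002:5002:Test Kid:/home/e-smith/files/users/testkid:/bin/bash
"""

# Constructed /etc/shadow content.  Fields: name:hash:lastchg:min:max:warn:inactive:expire
# The hashes are placeholders, not real password hashes.
SAMPLE_SHADOW = """\
root:$1$saltsalt$PLACEHOLDERHASH:11677:0:99999:7:::
admin:$1$saltsalt$PLACEHOLDERHASH:11677:0:99999:7:::
chaloner:$1$saltsalt$PLACEHOLDERHASH:11677:0:99999:7:::
www:*:11677:0:99999:7:::
nobody:*:11677:0:99999:7:::
testkid::11687:0:99999:7:::
"""


@dataclass
class Finding:
    user: str
    reason: str


def parse_passwd(text):
    """Return {name: uid} from /etc/passwd-style text, skipping malformed lines."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; report nothing rather than crash
        users[fields[0]] = int(fields[2])
    return users


def parse_shadow(text):
    """Return {name: password_field} from /etc/shadow-style text."""
    hashes = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        hashes[fields[0]] = fields[1]
    return hashes


def audit_accounts(passwd_text, shadow_text, baseline):
    """Return a list of Finding objects, ordered by user name."""
    findings = []
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    for name, uid in sorted(users.items()):
        if name not in baseline:
            findings.append(Finding(name, "not in baseline"))
        # An empty second field in /etc/shadow means no password is set at all;
        # whether login then succeeds depends on the PAM configuration, but it
        # is never what an administrator intends.  A missing shadow entry is
        # treated as locked ("!") so it does not trigger this check.
        if hashes.get(name, "!") == "":
            findings.append(Finding(name, "empty password field (no password set)"))
        if uid == 0 and name != "root":
            findings.append(Finding(name, "uid 0 but not root"))
    return findings


if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, BASELINE_USERS):
        print(f"{f.user}: {f.reason}")
```

Run against the sample data it reports the unexpected account twice, once for not being in the baseline and once for having no password set. On a live host, capture the baseline from a clean install and re-run the audit from cron; a new uid-0 account or an empty password field is worth an immediate look at the web-application logs, which is where the replies in this thread point.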
Title: Re: SERVER ATTACKED
Post by: Justin on December 31, 2001, 05:49:27 PM
What other software have you installed on the server?
Title: Re: SERVER ATTACKED
Post by: Chaloner Hale on December 31, 2001, 06:20:28 PM
This server is for testing/learning. I have Zope, Interchange, the mp3 blade, andromeda, seti@home (just installed), Hylafax (not really working), phpNuke, webcal, and an e-commerce test site.

Chaloner Hale
Title: Re: SERVER ATTACKED
Post by: Justin on December 31, 2001, 06:46:08 PM
Do you have nuke patched?

It is a wide open security problem right now - nothing to do with e-smith.

That would be the first place I would look - I have seen 6-8 attacks on my server already in the past few weeks specifically attacking nuke.

Justin.
Title: Re: SERVER ATTACKED
Post by: Zaphod on January 02, 2002, 04:46:55 AM
phpnuke is well known in the security world as the equivalent of hanging a sign on your server that says "Hey!  Come get me!"  :)

Seriously, there have been a *lot* of advisories on bugtraq and some of the other security mailing lists over the past year.  I wouldn't be surprised at all if this is how someone got in.  I believe Mitel even posted a warning on the front e-smith.org page about PHPnuke...
Title: Re: SERVER ATTACKED
Post by: Rich Lafferty on January 03, 2002, 01:29:14 AM
Chaloner,

Apologies for the delay in responding to this; we've been closed over the Christmas holiday, and have thus been less attentive to the boards. I'll be sending you email with steps to take to help us analyze the break-in.

We do prefer that security problems be reported first to security@e-smith.com; in this case, that would have ensured immediate attention, and it also ensures that one is not inadvertently releasing information that invites others to break into other SME Servers (or, for that matter, into your own!).

Thanks,

Rich Lafferty
Network Server Solutions Group
Mitel Networks
Title: Re: SERVER ATTACKED
Post by: Chaloner Hale on January 03, 2002, 02:23:35 AM
Sorry, but my server was rebooted shortly after. Usually I never turn it off as it runs SO WELL... Thanks anyway. There is nothing I am worried about losing on it anyway. If the problem happens again, I will follow your instructions.


Thanks,

Chaloner Hale
Title: Re: SERVER ATTACKED
Post by: Garret on January 05, 2002, 02:53:19 AM
http://myphpnuke.com . . . a secure alternative to php-nuke