April 30, 11:45 PM

Thanks to a yet-unknown hacker(s), hours of work had to go to restoring an EDUCATIONAL site after a group of (possibly) Romanians took down two of our Linux servers and put IRC chat rooms on them.

Oh joy.

And I knew the people that had to come in on a Saturday to restore the server. I'm sure they enjoyed that.

Originally posted by rice_web
April 30, 11:45 PM

Thanks to a yet-unknown hacker(s), hours of work had to go to restoring an EDUCATIONAL site after a group of (possibly) Romanians took down two of our Linux servers and put IRC chat rooms on them.

Oh joy.

And I knew the people that had to come in on a Saturday to restore the server. I'm sure they enjoyed that.

How could you possibly connect it to Romanians?

Log files. Though that's nothing conclusive, as anyone can use a fake IP.

which site was hacked? the one on your homepage button?

No, no, not my personal website: an education site for a school district.

I'd give you the domain, but we're still afraid about attacks right now (we had a corporation--SchoolCenter.com--hack us a couple of weeks ago and now this).

But honestly, who hacks a school's website? And only for an IRC server!?

Originally posted by rice_web
No, no, not my personal website: an education site for a school district.

I'd give you the domain, but we're still afraid about attacks right now (we had a corporation--SchoolCenter.com--hack us a couple of weeks ago and now this).

But honestly, who hacks a school's website? And only for an IRC server!?

wait so if you post the link... someone from this site will hack you?
:confused:

Originally posted by MrMacman
wait so if you post the link... someone from this site will hack you?
:confused:

Well I should hope not :p

You would be surprised at how many people are hacked and do not know it. The latest fun they do is to set up an ftp server running on some unused high tcp port that is not scanned in a normal nmap scan (by default, nmap does not scan every port, only well-known ports). Then then install an irc bot that goes goes to a specific irc server (or group of servers) to a specific chat room and tells everyone the user level username and password for the ftp server, along with the hostname and port. What did you find? Movies? MP3s?

On a Mac or Unix box, you can use
lsof -i to get a list of all applications that are listening to or talking to the network (actually, for your user account - for all you really want to "sudo lsof -i" and type in your admin account password when asked, which will execute the command as root and show all apps)

On windows, I recommend a command line tool called fport from www.foundstone.com. Just do a google search for fport and it is the first hit. I bet, if you only found the irc bots, there still might be other apps. They will be disguised as common windows OS files.

The only way I have seen Macs get hacked is by weak passwords. With Microsoft, alot of the problem is that their SQL server's software patches do not show up on windowsupdate. Our network is constantly be scanned on 1433,1444 (MSSQL), 139,445 (windows file sharing), and port 80 (web).

For fun on a mac in a terminal window, type:

cat /var/log/httpd/access_log

this will show you the apache log file, if you are running the mac web server, and see all the attempts to break windows security vulnerabilities.

Originally posted by rice_web
April 30, 11:45 PM

Thanks to a yet-unknown hacker(s), hours of work had to go to restoring an EDUCATIONAL site after a group of (possibly) Romanians took down two of our Linux servers and put IRC chat rooms on them.

Oh joy.

And I knew the people that had to come in on a Saturday to restore the server. I'm sure they enjoyed that.

that sux0rs