[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [atlarge-discuss] Hack Report

To: "'Bret Fausett'" <fausett@lextext.com>, "'At Large Discuss'" <atlarge-discuss@lists.fitug.de>
Subject: RE: [atlarge-discuss] Hack Report
From: "Abel Wisman" <abel@able-towers.com>
Date: Sun, 3 Nov 2002 21:47:59 -0000
Delivered-to: mailing list atlarge-discuss@lists.fitug.de
Importance: Normal
In-reply-to: <B9EAABF3.14C16%fausett@lextext.com>
List-help: <mailto:atlarge-discuss-help@lists.fitug.de>
List-post: <mailto:atlarge-discuss@lists.fitug.de>
List-subscribe: <mailto:atlarge-discuss-subscribe@lists.fitug.de>
List-unsubscribe: <mailto:atlarge-discuss-unsubscribe@lists.fitug.de>
Mailing-list: contact atlarge-discuss-help@lists.fitug.de; run by ezmlm
Organization: Able Towers
Reply-to: <abel@able-towers.com>

To do a fornesics on remote almost non-existing knowledge of the server
this was running on is impossible.
If it is interesting at all, decent forensics on hacked machines are
done locally.

Undoubtedly it was a php exploit that was used, since the forum used
php.

It still means the entire server is compromised, only decent thing to do
with that is replace disk, and start from scratch, been there, done
that, got the diploma.

Please, with all die respect NEVER state that "only a part" of the site
was hacked, whoever did it rooted the machine: -eof-


Most ideally you would have clean back-ups of all content.

Sorry, but this is experience and realism

Abel


-----Original Message-----
From: Bret Fausett [mailto:fausett@lextext.com] 
Sent: 03 November 2002 18:33
To: At Large Discuss
Subject: [atlarge-discuss] Hack Report


Early this morning, Sunday 3 November 2002, the discussion forum of the
icannatlarge web site was apparently hacked. Most of our discussions
have moved onto mailing lists, so I have taken the forum off-line until
the issue can be resolved. I've temporarily put up a replacement page
asking conversations to move to <atlarge-discuss@lists.fitug.de>.

     http://icannatlarge.com/forum/

To the best of my knowledge, the culprits did not hack the main site or
any of the static pages. What was compromised was the online web-based
discussion forum, so I assume a security vulnerability in that
particular software was exploited.

I apologize if any ongoing conversations on the web-based forum were
interrupted by this outage. Please move them to this discussion list
until the forum is again up and running.

    -- Bret Fausett 


---------------------------------------------------------------------
To unsubscribe, e-mail: atlarge-discuss-unsubscribe@lists.fitug.de
For additional commands, e-mail: atlarge-discuss-help@lists.fitug.de



---------------------------------------------------------------------
To unsubscribe, e-mail: atlarge-discuss-unsubscribe@lists.fitug.de
For additional commands, e-mail: atlarge-discuss-help@lists.fitug.de

Follow-Ups:
- Re: [atlarge-discuss] Hack Report
  - From: Sotiris Sotiropoulos <sotiris@hermesnetwork.com>

References:
- [atlarge-discuss] Hack Report
  - From: Bret Fausett <fausett@lextext.com>

Prev by Date: [atlarge-discuss] Supporting an At Large Alliance outside ICANN
Next by Date: Re: [atlarge-discuss] Hack Report
Previous by thread: [atlarge-discuss] Hack Report
Next by thread: Re: [atlarge-discuss] Hack Report
Index(es):
- Date
- Thread